An international law enforcement operation succeeded in seizing the dark web sites of the BlackSuit ransomware group. The takedown covers BlackSuit’s negotiation and data leak websites, after a court order approved the seizure. The dark websites now display banners informing visitors that U.S. Homeland Security Investigations has seized the web properties as part of Operation … Read more
A phishing attack impacted several cancer care organizations of the Integrated Oncology Network (ION). All impacted entities released identical breach notices concerning the attack. According to the breach notices, the sophisticated phishing attack allowed unauthorized individuals to access a few employee email and SharePoint accounts. ION took immediate action to protect the impacted accounts and … Read more
There is a new ransomware group that is attacking several industries, particularly technology, healthcare, and event services. Based on the latest Trend Micro report, the Bert ransomware group, tracked as Water Pombero, first attacked entities in the United States and Asia, though victims across Europe were also identified. It is believed to have originated from … Read more
Michigan-based McLaren Health Care began informing 743,131 individuals about the compromise of some of their protected health information (PHI) during a ransomware attack in August 2024. McLaren Health Care had earlier reported the ransomware attack, but the analysis of the compromised files took a longer time; therefore, the delay in sending personal breach notification letters. … Read more
Ransomware continues to present a considerable threat to U.S. healthcare providers, though many ransomware groups no longer encrypt data and only conduct extortion attacks. Cybersecurity company Sophos’ new report shows that only 50% of ransomware attacks in 2025 included file encryption. The threat of exposing stolen information is usually enough to compel victims to give … Read more
In early June 2025, the House of Representatives and Senate introduced two bipartisan bills seeking to improve the healthcare and public health (HPH) sector cybersecurity through better coordination at the government level so that, in the event of cyberattacks on HPH sector entities, government agencies could respond immediately and efficiently. There have been significantly more … Read more
Non-profit provider of drug and alcohol addiction services, Drug and Alcohol Treatment Services, Inc. (DATS), based in Scranton, PA, is facing multiple class action lawsuits because of a ransomware attack in October 2024. DATS discovered the unauthorized access to its computer system on October 6, 2024. Based on the forensic investigation, an unauthorized third party … Read more
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have updated an earlier published joint cybersecurity alert regarding the Play ransomware group, also called Playcrypt. Playcrypt appeared in June 2022 and has executed ransomware attacks on companies in various industries, such as HIPAA-compliant healthcare organizations and other critical infrastructure entities. … Read more
The Cyber Division of the Federal Bureau of Investigation (FBI) has released an alert to U.S. law firms regarding targeted attacks conducted by the Silent Ransom Group. From Spring 2023, the Silent Ransom group has been constantly targeting U.S. law offices, though it also executed attacks in several industries, such as healthcare. The Silent Ransom … Read more
Employee benefits administrator, Kelly & Associates Insurance Group, based in Sparks, Maryland, dba Kelly Benefits, has published edited figures on the number of people impacted by a cyberattack on December 2024. On April 9, 2025, Kelly Benefits at first reported the data breach as an event related to unauthorized access to the information of 32,234 … Read more
Netgain Technology has made the decision to resolve a consumer data breach lawsuit filed because of a ransomware attack and data breach in 2020. Netgain will create a $1.9 million settlement fund to pay class member claims. Netgain is a cloud hosting and managed IT service company based in Minnesota, and many of its clients … Read more
HIPAA incident response planning consists of conducting a risk assessment to determine what threats exist to the confidentiality, integrity, and availability of Protected Health Information, and establishing policies and procedures to respond to any HIPAA security incidents that evade detection by existing security mechanisms. HIPAA incident response planning is a requirement of the HIPAA Security … Read more
Masimo, a producer of patient monitoring devices, submitted a Form 8-K to the U.S. Securities and Exchange Commission (SEC) to notify investors concerning a cyberattack that has impacted its production facilities. Masimo stated some of its production facilities were running at under normal levels from the time of the attack, which is impacting the company’s … Read more
HIPAA policy management is the practice of developing, reviewing, and updating HIPAA policies, and ensuring that current versions of each policy are accessible to all members of the workforce on demand. When done effectively, good HIPAA policy management is a vital tool for supporting HIPAA compliance across the organization. Organizations that qualify as HIPAA covered … Read more
The court has given final approval of a $2.4 million settlement of a class action lawsuit against Somnia Inc. in association with a cyberattack and data breach in 2022. Somnia operates anesthesiology services at over 100 surgery centers throughout the country. In 2022, Somnia encountered a cyberattack that enabled hackers to access its system that … Read more
Workplace gossip is a HIPAA violation if it involves telling a story about an individual whose individually identifiable health information or any personal details stored in the same data set as their health information is protected by the HIPAA Privacy Rule. Is workplace gossip a HIPAA violation when it is only natural that colleagues will … Read more
The HIPAA training requirements vary according to the nature of an organization’s activities, reasonably anticipated threats to Protected Health Information, and workforce knowledge. Due to these variables, one of the challenges of complying with the HIPAA training requirements is determining which requirements apply to which organizations. Although there are specific HIPAA training standards in the … Read more
The HIPAA provides advantages such as enhancing patient privacy and data security, fostering interoperability and streamlined healthcare processes, promoting standardized electronic transactions, and facilitating research; however, it also comes with disadvantages including complex compliance requirements, potential administrative burdens, inhibiting certain research activities, and imposing additional costs on healthcare entities. HIPAA’s Privacy Rule establishes strict guidelines … Read more
A malware campaign using ResolverRAT is targeting healthcare companies and pharmaceutical firms. ResolverRAT is a new stealthy remote access trojan that is being downloaded through phishing emails pretending to be notifications about copyright violations or other legalities that can cause a false impression of urgency. The phishing emails contain a web link that redirects the … Read more
Whether or not you should decline a HIPAA authorization request is event specific and can depend on the purpose of the HIPAA authorization request, the content of the authorization form, and the amount of information you have been given about who your information will be shared with. If you do not have sufficient information to … Read more
Calling an emergency contact is not a HIPAA violation if the disclosure of information is limited to what is necessary for the situation, such as notifying the contact of a patient’s condition or location in an emergency, and if the information shared aligns with the permissible disclosures allowed under the HIPAA Privacy Rule for protecting … Read more
How healthcare providers should respond to a HIPAA incident depends on the type of incident, how it was caused, what the impact is, and whether additional measures could be implemented that mitigate the risk of a recurrence – or mitigate the risk of an unimpactful HIPAA incident deteriorating into something more serious. In theory, the … Read more
DaVita had an 8K filing with the U.S. Securities and Exchange Commission (SEC) on April 14, 2025. Based on the information submitted, the kidney dialysis provider suffered a ransomware attack that led to the encryption of portions of its system. The attack happened on April 12, 2025 and affected a number of its operations. In … Read more
HIPAA violations by nurses can happen for many different reasons and, although HIPAA violations by nurses are often accidental or a consequence of wanting to “get the job done”, if a nurse violates HIPAA, the violation should be reported to prevent minor violations with minimal consequences deteriorating into a culture of non-compliance. In addition, HIPAA … Read more
Microsoft has fixed a vulnerability identified in the Windows Common Log File System (CLFS). A threat actor known as Storm-2460 is actively exploiting the vulnerability using PipeMagic malware. The attacker uses the malware to exploit the vulnerability to alter privileges to spread the ransomware in the victim’s network. Windows CLFS is a recording system for … Read more
When incorporating HIPAA compliance onto your resume, establish a dedicated section, such as “Certifications” or “Professional Training,” to underscore your expertise. Clearly label it with a precise heading like “HIPAA Compliance Certification” to emphasize your qualification. Provide essential certification details, including course name, institution, and completion date. Briefly outline the core subjects covered—ranging from patient … Read more
Patient rights under HIPAA encompass the right to access and obtain copies of their health information, the right to request corrections to their records, the right to receive privacy notices, the right to control the sharing of their health information, the right to file complaints about privacy violations, the right to know who has accessed … Read more
Spark DSO, LLC and CDHA Management, LLC, also known as Chord Specialty Dental Partners, recently informed the U.S. Department of Health and Human Services’ Office for Civil Rights about encountering a data breach where unauthorized access affected the protected health information (PHI) of up to 173,430 people. The dental service organization based in Tennessee offers … Read more
At the beginning of March 2025, Microsoft gave an update about its Cybersecurity for Rural Hospitals Program. This program is created to safeguard access to medical care for the 46 million people in rural communities by assisting rural hospitals to enhance cybersecurity. Patients from rural communities must travel twice as far as urban residents to … Read more
The HIPAA Journal is the best choice for HIPAA refresher training because it delivers accredited, up-to-date, and role-specific content that reinforces essential HIPAA principles while addressing current compliance challenges. The refresher courses include continuing education units (CEUs), testing, and certification to ensure staff remain engaged, accountable, and recognized for their knowledge retention. Unlike passive training … Read more
The Health Information Sharing and Analysis Center (Health-ISAC) and the American Hospital Association (AHA) released a joint advisory cautioning hospitals regarding a possible coordinated multi-city terrorist attack targeting hospitals in the upcoming weeks. On March 18, 2025, the AHA and Health-ISAC found a social media write-up regarding possible ISIS-K coordinated terrorist attacks on U.S. hospitals. … Read more
You can get fired for an accidental HIPAA violation depending on the nature of the HIPAA violation, the consequences of the violation, your employer’s workplace sanctions policy, and your previous record of accidental violations. . Whether accidental or not, HIPAA violations are serious events. PHI often contains very sensitive material, and it it gets into … Read more
Phone calls can be a HIPAA violation if Protected Health Information (PHI) is disclosed for an impermissible purpose, to an unauthorized person, or for a purpose or to a person that the subject of the PHI has requested PHI is not disclosed (for example, to a health plan when treatment has been paid for privately … Read more
The most common HIPAA violations on social media are due to healthcare professionals taking photos or videos of patients and impermissibly disclosing PHI on social media platforms such as Facebook, Snapchat, and TikTok. The penalties for HIPAA violations on social media vary depending on covered entities’ sanction policies, state laws, and regulatory actions. In July … Read more
The HIPAA minimum necessary rule is a requirement of the HIPAA Privacy Rule to restrict uses and disclosures of – and requests for – Protected Health Information to the minimum necessary to achieve the purpose of the use, disclosure, or request. However, the minimum necessary rule does not apply in all circumstances. When the first … Read more
Whether it is a HIPAA violation to take a picture of an X ray depends on who is taking the picture, the purpose of taking the picture, and whether the picture contains any individually identifiable health information. What happens to the picture after it has been taken may also influence whether it is a HIPAA … Read more
Ransomware attacks in 2024 had an upward pattern and will likely continue in 2025 as many more new victims were listed in ransomware groups’ data leak websites in January and February. Cybersecurity company Cyble recently reported that about 599 victims were added to data leak sites in February and 518 in January. Most of the … Read more
Telling a story about a patient can be a HIPAA violation in a number of circumstances, but generally whether telling a story counts as a HIPAA violation will depend on the nature of the story, who told the story, who the story was about and – crucially – whether the story contained any individually identifiable … Read more
Harvard Pilgrim Health Care and Point32Health, its parent company, have decided to pay $16 million to settle claims associated with a ransomware attack in 2023 that impacted roughly 3 million individuals. In 2023, hackers accessed systems that contained 2,967,396 health plan members’ protected health information (PHI). After exfiltrating data, the hackers used ransomware to encrypt … Read more
Ransomware groups are attacking healthcare companies for financial profit, accessing networks, stealing information, then employing ransomware for file encryption. Cyber threat actors also attack healthcare systems and steal information via silent attacks, where breached healthcare companies aren’t extorted and hackers stay in their systems longer. Cybersecurity company Forescout researchers have discovered a new threat group … Read more
A 2 TB database containing around 1.6 million clinical trial data was compromised online and accessible to anyone without a password. Cybersecurity researcher Jeremiah Fowler discovered the database and reported that it consists of 1,674,218 records. The compromised records include survey results in PDF format that contain sensitive personal and medical data. The compromised information … Read more
Most HIPAA Entities ensure exactly what they need to provide new members of staff in relation to HIPAA training when they join the organization. The majority of companies will conduct basic HIPAA training sessions to ensure that they are compliant with HIPAA. In some cases they may even skip this training session if the new … Read more
To make Gmail HIPAA compliant, you must sign a Business Associate Agreement (BAA) with Google Workspace, configure security settings to ensure encrypted email transmission, restrict access, and implement required administrative, technical, and physical safeguards. Ensuring that Gmail is HIPAA-compliant involves a combination of using Google Workspace with specific configurations and implementing strict safeguards. Below is … Read more
A date of birth is PHI if it is stored with individually identifiable health information that is maintained by a HIPAA covered entity or business associate, and if the date of birth could be used with other data elements in the same designated record set to identify the subject of the individually identifiable health information … Read more
Initials are considered PHI when they are maintained in a designated record set by a HIPAA covered entity with other information relating to an individual’s health condition, treatment for the condition, or payment for the treatment, and the initials could be used to identify the subject of the health, treatment, or payment information. One of … Read more
Although ransomware continually presents a threat to enterprises, ransomware just accounts for about 9.5% of threats in general. Other threats include remote access trojans (13%), malware (17%), malicious scripts (22%), and infostealers (24%). RATs are also involved in over 75% of remote access cases. Huntress discovered greater exploitation of remote monitoring and management (RMM) assets … Read more
HIPAA training for mental health professionals should be more thorough than for other health care professionals due to the number of times mental health professionals may be required to make decisions about disclosing Protected Health Information based on their professional judgement. Under §164.530(b) of the Privacy Rule, covered entities “must train all members of the … Read more
The HIPAA training requirements for new hires are that new members of the workforce must be trained on an organization’s policies and procedures with respect to Protected Health Information that are relevant to the new hire’s functions within a reasonable amount of time of the new member of the workforce starting work with the organization. … Read more
Many factors – both internal and external – can determine how long is HIPAA training good for, including regulatory changes, the introduction of new technologies, the outcome of a risk analysis, and workforce compliance. HIPAA training may also only be good for as long as an individual works for the same organization, as HIPAA policies … Read more
The content of HIPAA training for business associates’ workforces varies according to the nature of the service(s) being provided to or on behalf of a HIPAA covered entity, workforce members’ access to Protected Health Information, and whether Protected Health Information is further disclosed to a secondary business associate or subcontractor. Since the effective date of … Read more
HIPAA training for healthcare workers is training that healthcare workers undertake to safeguard the privacy and security of Protected Health Information in line with their employer’s HIPAA policies and procedures. Unfortunately, gaps in knowledge and understanding can undermine the benefits of HIPAA training for healthcare workers. Since 2009, HIPAA covered entities have been required to … Read more
The California Department of Corrections and Rehabilitation (CDCR) decided to resolve a class action lawsuit associated with negligence for not preventing a data breach in 2022. The data breach happened in January 2022 after hackers accessed CDCR systems comprising the protected health information (PHI) and personally identifiable information (PII) of people imprisoned in the State … Read more
HIPAA privacy and security training is sometimes treated as two separate units of the HIPAA training requirements inasmuch as HIPAA privacy training has to fulfil the requirements of the HIPAA Privacy Rule, while HIPAA security training has to fulfil the requirements of the HIPAA Security Rule. This is an incorrect interpretation of the HIPAA training … Read more
HIPAA training for employees is necessary for all employees of organizations that qualify as HIPAA covered entities or business associates, regardless of employees’ roles or their access to Protected Health Information. HIPAA training is also necessary for members of the workforce that do not qualify as employees (volunteers, students, directors, etc.). A common oversight with … Read more
Who needs HIPAA training is all members of a covered entity’s or business associate’s workforce – even if they have no access to Protected Health Information (PHI). This is because the General Requirements of the HIPAA Security Rule mandate that security awareness training must be designed to protect against uses and disclosures of PHI not … Read more
HIPAA training is not required by law but by regulation. The HIPAA “law” passed by Congress in 1996 instructed the Secretary for Health and Human Services to make recommendations and adopt standards for safeguarding the privacy and security of individually identifiable health information. These evolved into the HIPAA Administrative Simplification Regulations – which include the … Read more
HIPAA training needs to be completed within “a reasonable period of time” after a person joins an organization’s workforce and thereafter whenever there is a material change to policies and procedures, whenever a need for training is identified, and whenever HIPAA training is imposed as a workforce sanction. All workforce members must also participate in … Read more
At the beginning of November 2023, Mulkay Cardiology Consultants based in New Jersey reported a ransomware attack that resulted in unauthorized access to around 79,582 individuals’ protected health information (PHI). Breach victims took legal action against Mulkay Cardiology Consultants which ended in a settlement to conclude the litigation. Based on forensic investigation, a threat actor … Read more
To answer the question how do I know that my email is HIPAA compliant, it is necessary to look beyond the security capabilities of your email service and ensure the reasons you are sending emails containing Protected Health Information complies with the HIPAA Privacy Rule. Having an email service that supports HIPAA compliance does not … Read more
HIPAA training is important because if workforce members fail to comply with HIPAA policies and procedures due to a lack of knowledge, understanding, or care, it can result in operational disruptions, medical identity theft, and the loss of trust in patient-physician relationships – any of which can have adverse consequences for patients. HIPAA covered entities … Read more
Although HIPAA appears to allow many types of email marketing in healthcare, concerns exist that emailing a marketing communication about a healthcare service or product implies a treatment relationship between a patient and HIPAA covered entity. As email addresses and subject lines are not encrypted in most email transmissions, this could represent an unauthorized disclosure … Read more
HIPAA training is not required annually at present, but it is recommended when no other HIPAA training has been provided during the year due to policy changes, the outcomes of risk assessments, the introduction of new technologies, or workforce sanctions. Shortly however, proposed changes to the HIPAA Security Rule could mandate annual HIPAA training for … Read more
In order to send a HIPAA compliant email, it is necessary for the purpose of the email to be required or permitted by the HIPAA Privacy Rule, for the content of the email to comply with any restrictions that apply, and for the email to be sent via an email service configured to support HIPAA … Read more
What makes an email service HIPAA compliant is its safeguards and capabilities to ensure the confidentiality, integrity, and availability of Protected Health Information created, received, maintained, or transmitted by email. It is also necessary for the vendor of the email service to enter into a Business Associate Agreement. If an organization qualifies as a HIPAA … Read more
Generally, what makes emails HIPAA compliant is that the purpose for sending them is permitted by the HIPAA Privacy Rule and that the service used to send them supports compliance with the HIPAA Security Rule. However, there are circumstances in which emails containing PHI can be sent via non-compliant email services. A sometimes overlooked aspect … Read more
HIPAA compliance training for dental offices is the same as for any organization that qualifies as a HIPAA covered entity inasmuch as all members of the workforce must be trained on policies and procedures with respect to Protected Health Information that are applicable to their roles. Workforce members must also participate in a security awareness … Read more
Email archiving compliance consists of copying emails as they pass through the mail server and storing them separately in a read-only format to create an immutable library of tamper-proof documentation. As emails are copied, they are indexed in order that future search requests for audits, litigation, internal enquiries, etc. can be performed quickly and easily. … Read more
Generally, sending an email to patients is not a HIPAA violation provided the reason for sending an email containing PHI is permitted by the HIPAA Privacy Rule and provided the email service used for sending an email containing PHI to patients supports HIPAA compliance. However, there are occasions when exceptions exist and when state opt-in … Read more
The law firm Wolf Haldenstein Adler Freeman & Herz LLP (Wolf Haldenstein) located in New York City encountered a data breach affecting the personal data and protected health information (PHI) of 3,445,537 people. The law firm submitted a breach notice not long ago to the Maine Attorney General. A few states post data breach reports … Read more
An email subject line does have to be HIPAA compliant and should not contain Protected Health Information because some encryption standards do not encrypt email metadata. Those that do may have compliance risks, may be complex to administer, and/or may make searching for an email – or the content of an email – difficult. When … Read more
Emails between providers need to be HIPAA compliant when they contain Protected Health Information. In such cases, communications must be for a purpose permitted by the HIPAA Privacy Rule, must comply with the minimum necessary standard when applicable, and must be sent over a HIPAA compliant email service – unless an exception applies. Providers … Read more
An email address is considered PHI – or assumes the same protections as PHI – when a HIPAA covered entity stores the email address in a designated record set that contains health, treatment, or payment information, and the email address could be used to identify the subject of the health, treatment, or payment information. It … Read more
Whether you need HIPAA-compliant email depends on your “HIPAA status”, the nature of your organization’s activities, and the availability of alternative communication channels that may be more appropriate for creating, sending, receiving, and storing Protected Health Information (PHI) in compliance with HIPAA. Organizations in healthcare, health insurance, and associated industries are often told (usually by … Read more
The nonprofit blood donation organization called OneBlood based in Florida suffered a ransomware attack that is impacting its capacity to supply blood to hospitals. OneBlood provides blood to about 250 hospitals located in Alabama, Georgia, North and South Carolina, and Florida. OneBlood reported on July 31, 2024 that a ransomware attack impacted its software program. … Read more
Using PHI to confirm a patient ID is not a HIPAA violation if you have authorization to access to the PHI being used, if the confirmation of patient IDs is one of your functions within a covered entity, and if the purpose for using PHI to confirm a patient ID qualifies as a treatment, payment, … Read more
For HIPAA entities it can be tricky to determine how regularly HIPAA training should be conducted as the Privacy Rule states that it need only be a one-off sessions related to policies and procedures for those who handle PHI while the Security Rule states that security and awareness training should be provided regularly for all … Read more
In 2024, OCR received 13 data breach reports that affected over 1 million healthcare records each. The biggest healthcare data breach impacted an approximated 100,000,000 million people. The total of exposed or compromised records of U.S. residents for those 13 data breaches is 146,463,977, which is about 42% of the U.S. population. Change Healthcare Data … Read more
You can send medical records by email, but – if the organization you work for qualifies as a HIPAA regulated entity – conditions exist on who you can send emails to, how much information can be disclosed in emails, and what security measures are necessary to protect the confidentiality, integrity, and availability of Protected Health … Read more
Wufoo is not HIPAA compliant because its parent company, SurveyMonkey, does not sign Business Associate Agreements (BAAs), which are required for HIPAA compliance when handling protected health information (PHI), making it unsuitable for collecting or storing PHI in a HIPAA-regulated context. To make Wufoo or any similar tool HIPAA compliant, several steps would need to … Read more
The Conceptions Reproductive Associates of Colorado fertility clinic recently announced that it suffered a ransomware attack. The threat actor gained unauthorized access to its system and stole the data of about 80,000 present and past patients, including their associates. The fertility clinic detected the incident in the middle of April 2024 when it affected some … Read more
HIPAA applies to therapists if they qualify as a HIPAA covered entity or if they work for a practice or healthcare organization that qualifies as a HIPAA covered entity. How does HIPAA apply to therapists varies depending on the therapist’s HIPAA status and any state privacy regulations that preempt HIPAA. There is no “yes” or … Read more
Daniel Christian Hulea, 30 years old, from Romania, was sentenced to 20 years imprisonment for executing ransomware attacks on healthcare companies and educational organizations during the pandemic. The man was an affiliate of the NetWalker ransomware-as-a-service (RaaS) operation. The U.S. Department of Justice reported in January 2021 that over $450,000 in cryptocurrency was seized during … Read more
Texas Tech University Health Sciences Center, the university’s academic health institution and med school, reported a theft involving a large volume of patient data during a September ransomware attack. The cyberattack targeted the systems used by UMC Health System, Texas Tech Physicians, and Texas Tech University Health Sciences Center in El Paso. The HHS’ Office … Read more
The 18 PHI identifiers under HIPAA are names, geographic data smaller than a state, dates (except year), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photos, and unique codes or characteristics. The … Read more
A 45-year-old hacker named Robert Purbeck was sentenced to 10 years in prison for attacking several U.S. healthcare companies, breaching their systems, stealing sensitive information, and trying to extort from them. Purbeck is an IT expert who previously worked for Ada County in Idaho. He hacked no less than 19 companies from 2017 to 2018 … Read more
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has charged Gulf Coast Pain Consultants, LLC with a $1.19 million civil monetary penalty for failing to block ex-employee members’ access to systems that contain electronic protected health information (ePHI) and for violating other HIPAA Security Rules. Pain management practice Gulf … Read more
Texas HB 300 expands individual privacy protections beyond HIPAA by requiring non-excluded covered entities to obtain an authorization for a number of disclosures of electric Protected Health Information that would be permitted by the HIPAA Privacy Rule. In 2001, Section 181 of the Texas Health and Safety Code was established by the passage of the … Read more
The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has audited the HHS Office for Civil Rights (OCR) to evaluate if OCR has accomplished its requirement to perform audits of HIPAA-covered entities to examine HIPAA compliance. A prior HHS-OIG audit was conducted in 2013 to investigate compliance with the Health Information … Read more
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) charged a Californian mental health center a $100,000 civil monetary penalty for not providing prompt access to a patient’s healthcare records. On March 18, 2020, a Rio Hondo Community Mental Health Center patient submitted a request for a copy of her medical … Read more
New York-based reproductive healthcare provider, Planned Parenthood of Montana, has given additional information about the RansomHub ransomware attack that was initially reported at the beginning of September. During the initial security breach report, the investigation just started and it was not confirmed if the attacker stole any patient information. Now, there is confirmation from Planned … Read more
Multiple class-action lawsuits had been filed against Gryphon Healthcare based in Houston, TX, a revenue cycle management and medical billing solutions provider to healthcare companies. The lawsuits are associated with a data breach in August 2024 involving unauthorized access to almost 400,000 individuals’ protected health information (PHI). The breached data contained names, contact data, Social … Read more
In late October, the National Institute for Standards and Technology (NIST) and the Department of Health and Human Services (HHS)hosted a conference called “Safeguarding Health Information: Building Assurance Through HIPAA Security 2024”. Participants received information about the present state of cybersecurity in healthcare and the role of the HIPAA Security Rule in helping HIPAA-covered entities … Read more
Multi-specialty pediatric group Boston Children’s Health Physicians (BCHP) based in Valhalla, NY provides services to newborns and children in New York and Connecticut. BCHP has reported that its IT vendor encountered a cyberattack. The IT vendor informed BCHP on September 6, 2024, that strange activity was noticed in the IT vendor’s network. On September 10, … Read more
Network of behavioral health facilities, AXIS Health System based in Colorado, has published a notification on its website about encountering a cyber incident. Not much information is provided about the nature of the attack except the initiation of incident response protocols. Investigation is ongoing to know the nature and extent of the breach. In case … Read more
Airtable is HIPAA compliant inasmuch as one Airtable subscription plan includes limited services that support HIPAA compliance. The vendor also offers a Business Associate Agreement to covered entities and business associates who can adapt their use of the business management platform to accommodate the limited services. Airtable is a customizable business management platform that connects … Read more
HIPAA allows state preemption means that covered entities are required to comply with a provision of state law – rather than the equivalent HIPAA provision – if the provision of state law has more stringent privacy requirements than HIPAA, provides individuals with more rights than HIPAA, or falls into one of the categories included in … Read more
Ponemon Institute conducted a new survey for Proofpoint, which revealed that almost all U.S. healthcare organizations faced a cyberattack in the past year. Of the 648 IT and IT Security experts surveyed, 92% reported at least one cyberattack in the last 12 months, compared to 88% of survey respondents in 2023. The report found that … Read more
Yes, HIPAA violations can lead to termination if an employee or healthcare professional fails to comply with the privacy and security regulations, depending on the severity of the violation. HIPAA was established to protect the confidentiality and integrity of patients’ health information, and healthcare organizations are legally obligated to ensure compliance with these standards. While … Read more
HIPAA is a federal law that had the objective of reforming the health insurance industry. Due to concerns that the cost of the reforms would be passed onto employers and plan members – and that this would impact federal tax revenues – Congress added further Titles to the Act to neutralize the cost of the … Read more
A new update to the National Institute of Standards and Technology (NIST) password security guidelines now recommends longer passwords over the previous focus on using a mix of uppercase and lowercase letters, numbers, and special characters. While using multiple character types makes the password more complex, it often results in predictable patterns, which weakens security. … Read more
Because of a massive data breach, Change Healthcare is facing dozens of lawsuits filed by plaintiffs across multiple districts. The cyberattack in question resulted in the theft of 6 TB of sensitive data, including personal and protected health information (PHI) of millions of individuals throughout the United States. The lawsuits allege that Change Healthcare failed … Read more
Texas Attorney General Ken Paxton has initiated a lawsuit against the Department of Health and Human Services (HHS), its Secretary Xavier Becerra, and Director Melanie Fontes Rainer of the Office for Civil Rights (OCR). The lawsuit challenges the long-standing HIPAA Privacy Rule and the 2024 HHS final rule concerning reproductive healthcare privacy. Paxton contends that … Read more
Lehigh Valley Health Network (LVHN) agreed to pay $65 million to settle a class action lawsuit over a data breach in 2023. This settlement of a HIPAA violation will compensate plaintiffs whose sensitive data, including nude photos, was stolen and later posted on the dark web. The breach, caused by a Blackcat ransomware attack, exposed … Read more
The Ransom Hub ransomware group continues to target the healthcare sector, with its latest victim being Planned Parenthood, a reproductive healthcare provider based in New York. The group added Planned Parenthood to its data leak site, claiming responsibility for stealing 93 GB of sensitive information. CEO Martha Fuller of Planned Parenthood of Montana reported the … Read more
An Iranian hacking group, known as Pioneer Kitten (also referred to as Fox Kitten, Rubidium, Parisite, and Lemon Sandstorm), has been working together with ransomware groups to exploit and extort businesses across various sectors, including defense, finance, education, and healthcare. Active since 2017, Pioneer Kitten is assumed to operate under the auspices of the Iranian … Read more
McLaren Health Care has updated the status of a recent cyberattack, confirming the use of ransomware to encrypt files in its network. The attack has disrupted the IT systems at 13 of its hospitals, including the Karmanos surgery centers, cancer centers, and clinics. Although the attack has been contained, system access is still limited, and … Read more
The HIPAA regulations characterize a deliberate violation by a covered entity or business associate as a conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. If a deliberate violation is identified and not corrected within 30 days, HHS’ Office for Civil Rights can impose the maximum possible … Read more
Yes, group chats can be HIPAA compliant if they use secure, encrypted platforms with access controls, proper authentication, and adherence to HIPAA privacy and security rules. Healthcare organizations and professionals must ensure that any group chat platform they use incorporates appropriate safeguards to protect protected health information (PHI). This involves choosing platforms that provide encryption, … Read more
The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released an alert concerning the BlackSuit ransomware group, which they have identified as a rebranded version of the Royal ransomware. This group has been behind numerous attacks on healthcare companies. The FBI and CISA initially alerted about the Royal … Read more
An incidental disclosure of PHI is a secondary disclosure of PHI relating to a primary disclosure of PHI when the secondary disclosure is unavoidable at the time and in the circumstances without impacting the provision of prompt and effective healthcare. Incidental disclosures of PHI are permitted by the HIPAA Privacy Rule provided covered entities have … Read more
HIPAA does not apply to spouses and common law partners in a way that means they have to safeguard Protected Health Information shared with them by a healthcare professional. However, the HIPAA Privacy Rule stipulates when it is permissible for a healthcare professional to disclose a patient’s health information to a spouse, partner, or other … Read more
United of Omaha Life Insurance Company located in Nebraska submitted a phishing attack report that indicated the compromise of the protected health information (PHI) of 107,894 people. The insurer discovered the breach on April 23, 2024 after identifying suspicious activity in an employee’s email account. United of Omaha noticed that a third party accessed the … Read more
Zapier is not HIPAA compliant and cannot be used to connect apps that create, receive, store, or transmit Protected Health Information (PHI) because many of the apps themselves do not support HIPAA compliance. Removing the apps from the platform would limit Zapier’s automation capabilities and the benefit of automation to healthcare organizations. Zapier is … Read more
The healthcare provider, Aveanna Healthcare, based in Georgia recently reported the unauthorized access of the email accounts of 11 personnel by a third party, who acquired access to 10,482 patients’ protected health information (PHI). This is Aveanna Healthcare’s second email breach report this year. On March 15, 2024, Aveanna Healthcare submitted to the HHS’ Office … Read more
It is not a HIPAA violation to send to collections because the HIPAA Privacy Rule permits disclosures of this nature provided the amount of information sent to collections complies with the minimum necessary standard and provided the disclosure of Protected Health Information is covered by a Business Associate Agreement if collections are conducted by an … Read more
The software company, MCG Health, based in Seattle, WA offered to pay $8.8 million to resolve a class action lawsuit associated with a data breach in February 2020 that affected the protected health information (PHI) of 793,283 individuals. Two years after the data breach, on March 25, 2022, MCG Health discovered that a threat actor … Read more
HIPAA applies to animals when information about an animal is stored in the same designated record set as Protected Health Information (PHI), and the information could be used to identify the human subject of the PHI. Examples include when a patient’s medical notes include information about their support dog or an emotional support animal. In … Read more
UnitedHealth Group (UHG) has given an update about the response costs associated with the February 2024 ransomware attack involving Change Healthcare. The overall response cost is forecasted to be $2.3 billion to $2.45 billion this 2024, over $1 billion more than the figure reported earlier. UHG already paid more or less $2 billion handling the … Read more
DaVita has discovered that tracking tools used on its web pages and mobile app might have transmitted user information to third-party providers. On July 2, 2024, kidney dialysis service provider DaVita Inc. based in Denver, CO informed 67,443 patients concerning a pixel-related data breach. With the 2,800+ outpatient dialysis centers in the U.S., DaVita serves … Read more
It is not a HIPAA violation to email medical records if the reason for emailing medical records is permitted by the Privacy Rule, if the PHI disclosed in the email is limited to the minimum necessary to achieve the purpose of the disclosure, and if the email system used to email the medical records complies … Read more
HIPAA compliance refers to adhering to the requirements of the HIPAA federal law that mandates the protection and confidential handling of protected health information (PHI). This is done by implementing administrative, physical, and technical safeguards, ensuring patient rights, regularly training employees, conducting risk assessments, and responding appropriately to any detected breaches of PHI. Compliance with … Read more
The purpose of the HIPAA Privacy Rules is to protect the confidentiality of patient healthcare and payment data to prevent abuse and fraud. Published by the Department of Health and Human Services as the “Standards for Privacy of Individually Identifiable Health Information”, the HIPAA Privacy Rules stipulate the permissible uses and disclosures of protected health … Read more
HIPAA violation penalties are the consequences of a Covered Entity, Business Associate, or PHR vendor failing to comply – when applicable – with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) paved the way for the development of the Administrative … Read more
Accurate HIPAA violation statistics can be difficult to come by due to the way in which HHS´ Office for Civil Rights reports violations. It can also be the case that the cause of a violation is miscategorized by the entity reporting it – who may not be the entity responsible for the violation. As of … Read more
Paubox is a HIPAA compliant solution to incompatible encryption standards when emails containing PHI are sent between covered entities – or between covered entities and business associates or patients. Paubox also addresses the inconvenience of encrypting emails and decrypting them on receipt. Most covered entities that use email to communicate Protected Health Information (PHI) with … Read more
It is possible to use ChatGPT in compliance with HIPAA, but – until such time as OpenAI makes ChatGPT HIPAA compliant – there are risks associated with implementing anonymizer software to ensure Protected Health Information is not impermissibly disclosed to ChatGPT. It its current state, ChatGPT does not support HIPAA compliance. The program does not … Read more
HIPAA was enacted by the United States Congress in 1996 and signed into law by President Bill Clinton on August 21, 1996. Anyone who has worked in the healthcare industry will have heard of HIPAA and knows of its importance in safeguarding protected health information (PHI). However, most will not know about the history of HIPAA, … Read more
The HIPAA law we are familiar with today evolved from proposals to reform the way in which the health insurance industry worked. Following on from Acts such as the Employee Retirement Income Security Act (ERISA) in 1974 and the Consolidated Omnibus Reconciliation Act of 1985 (COBRA), the proposals were intended to increase the transferability of … Read more
Not all emails are HIPAA compliant, as compliance depends on implementing necessary safeguards such as encryption, secure access controls, proper transmission protocols, and a Business Associate Agreement (BAA) with any third-party email provider that handles Protected Health Information (PHI), ensuring that the privacy and security requirements of HIPAA are met. Ensuring email communication complies with … Read more
The purpose of HIPAA is sometimes explained as ensuring the privacy and security of individually identifiable health information. However, regulations relating to the privacy and security of individually identifiable health information were not enacted until some years later. So, what was the primary purpose of HIPAA? The Health Insurance Portability and Accountability Act of 1996 … Read more
No, is not inherently HIPAA compliant because it lacks built-in encryption for data transmission, and compliance depends on implementing additional security measures, such as encrypting connections with Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and ensuring that a Business Associate Agreement (BAA) is in place with any email service provider handling Protected Health … Read more
HIPAA-compliant bulk email communication refers to the process of sending mass emails that adhere to the privacy and security requirements of HIPAA, ensuring the protection of Protected Health Information (PHI) through secure encryption, recipient authentication, minimal disclosure, and compliance with applicable privacy rules to avoid unauthorized access or data breaches. The regulations require encryption for … Read more
In its earliest form, HIPAA had three main objectives: In order to achieve these aims, HIPAA required a major reform of the healthcare industry. HIPAA called for the Department of Health and Human Services to develop a set of standards for the healthcare industry to adopt, which are commonly referred to as the HIPAA Rules. … Read more
HIPAA does not apply to multiple types of organizations including healthcare providers that do not qualify as covered entities, public schools that only provide medical services for students, and financial institutions that process payments on behalf of covered entities. However, although HIPAA does not apply to these organizations, other state privacy laws may apply. When … Read more
HIPAA was signed into law by President Bill Clinton on August 21, 1996, but there have been some major updates to the legislation over the past two decades. The HIPAA Privacy Rule was enacted on December 20, 2000, the HIPAA Security Rule was enacted on February 20, 2003, and the HIPAA Omnibus Rule was enacted … Read more
WhatsApp is not HIPAA compliant but can be used in healthcare environments in certain circumstances – for example to facilitate communications between healthcare providers that do not disclose Protected Health Information, or to accommodate patients’ requests to communicate via WhatsApp. When HIPAA covered entities and business associate use any messaging service to create, receive, store, … Read more
Microsoft Outlook is HIPAA compliant and can be used to send emails containing Protected Health Information provided customers subscribe to an appropriate Microsoft plan with the capabilities to support HIPAA compliance and agree to the terms of Microsoft’s Business Associate Agreement. In order to make Microsoft Outlook HIPAA compliant, system administrators must configure Outlook’s settings … Read more
HIPAA does not apply to entities or individuals that do not meet the definition of a covered entity (such as healthcare providers, health plans, and healthcare clearinghouses) or a business associate handling protected health information (PHI) on behalf of a covered entity, which includes employers, life insurers, schools, and certain technology platforms when they do … Read more
Best practices for HIPAA-compliant email include using encryption, enabling multi-factor authentication, employing a HIPAA-compliant email provider, minimizing the amount of PHI shared, securing email access with strong passwords, training staff on privacy and security, using secure message portals, obtaining patient consent for email communication, avoiding sensitive data in subject lines or email bodies, password-protecting attachments, … Read more
HIPAA compliant email is email containing Protected Health Information that is sent for a purpose required or permitted by the HIPAA Privacy Rule and – when necessary – that is protected by the safeguards of the HIPAA Security Rule. There can be other criteria that determine whether an email complies with HIPAA – including who … Read more
It is not necessary for Zelle to be HIPAA compliant in order for HIPAA covered entities to conduct financial transactions via the fund transfer service because payment processors are exempt from HIPAA under §1320d-8 of the Public Health and Welfare Code. Considering that Zelle is a peer-to-peer funds transfer service similar to PayPal, there are … Read more
HoneyBook is not HIPAA compliant and should not be used by HIPAA covered entities or business associates to create, collect, store, or transmit electronic Protected Health Information (ePHI). However, it is still possible for healthcare providers to use HoneyBook for some customer relationship activities. HoneyBook styles itself as “client flow management software” that can help … Read more
Ivy Pay is a HIPAA compliant payment management system that enables therapists to collect payments with little or no disruption to clients. The payment processing capabilities mean clients do not have to focus on a financial transaction at the end of a session, while the system simplifies billing and payment activities for therapists. Ivy Pay … Read more
It is not necessary to make PayPal HIPAA compliant before accepting payments from patients because payment processors such as PayPal are exempt from complying with the HIPAA regulations for payment processing activities. However, it is not possible to use any other of PayPal’s services in compliance with HIPAA. When HIPAA was passed in 1996, it … Read more
The civil penalty for unknowingly violating HIPAA falls within the range of $137 and $68,928 per violation (January 2024) depending on whether the covered entity or business associate could not have avoided the violation with a reasonable amount of care, or should have known the violation was a possibility, but failed to adopt measures to … Read more
The HIPAA Omnibus Rule 2013 mandated changes to Parts 160 and 164 of the HIPAA Administrative Simplification Regulations to implement modifications to the Enforcement, Security, Breach Notification, and Privacy Rules required by the HITECH Act. In addition, the HIPAA Omnibus Rule 2013 made further changes to the Privacy Rule to address events that were hampering … Read more
This is a list of the most common HIPAA training questions and the corresponding HIPAA training answers: The HIPAA Journal provides HIPAA training that includes test questions, certification, and CEUs.
Most of the recent changes to HIPAA have been relatively minor, however the Department of Health and Human Services has published multiple Requests for Information (RFIs) and Notices of Proposed Rulemaking (NPRMs) in recent years which imply some significant changes are about to take place. The HIPAA Administrative Simplification Regulations (45 CFR Parts 160,162, and … Read more
How long it takes to get HIPAA certified depends on factors such as the motive for getting HIPAA certified, the certification requirements, and the amount of time available to fulfil the requirements. HIPAA certifications do not absolve individual and organizations from any obligations they have under HIPAA to protect the privacy and security of individually … Read more
HIPAA was created by many people including members of the Clinton Health Plan Task Force, Senators Kennedy and Kassebaum, Rep. Bill Archer, and Donna Shalala and her team at the Department of Health and Human Services. There is no single person answer to the question who created HIPAA. This is because HIPAA evolved from the … Read more
HIPAA was created as a result of the Clinton administration’s ambitious, but unsuccessful, attempt to pass a Health Security Act. HIPAA addressed the area of the Health Security Act related to health insurance reforms, which enabled the bill’s supporters to include measures that protect the privacy and security of individually identifiable health information. One of … Read more
There is no standard answer to what to do if accused of a HIPAA violation because what you should do depends on your responsibility for HIPAA compliance, who is accusing you of a HIPAA violation, and the violation you are being accused of. In 2021, HHS’ Office for Civil Rights received 34,077 complaints alleging violations … Read more
Under HIPAA regulations, patient confidentiality can be broken only when required by law, such as reporting communicable diseases, child abuse, or threats of harm, or when the patient provides explicit consent for the disclosure. The confidentiality of patient information is important in fostering trust in the healthcare system. Under the Health Insurance Portability and Accountability … Read more
Healthcare compliance is an essential activity for organizations in, or providing a service to, the healthcare industry. It involves adherence to laws, regulations, standards, and practices that govern healthcare providers, payers, pharmaceutical companies, and other entities involved in the delivery of health care. Components of Healthcare Compliance Federal and State Laws Healthcare compliance requires adherence … Read more
What happens after a HIPAA complaint is filed with HHS’ Office for Civil Rights is that the complaint goes through a process established by the HIPAA Enforcement Rule (2006) and fine-tuned by the HIPAA Final Omnibus Rule (2013). The process can be found in §160.300 of the HIPAA Administrative Simplification Regulations, and consists of: Initial … Read more
Although OneDrive can be configured to support HIPAA compliance, there is more to making OneDrive HIPAA compliant than adjusting a few settings and entering into a Business Associate Agreement with Microsoft. Many healthcare organizations subscribe to an Office 365 or Microsoft 365 business plan to access apps and services such as Word, Excel, and PowerPoint. … Read more
Because no software is HIPAA compliant by default, HIPAA Covered Entities and Business Associates that use or disclose PHI via the Microsoft Teams platform need to know how to make Microsoft Teams HIPAA compliant. Microsoft Teams is a sophisticated communications platform with secure chat, video, and file-sharing capabilities. Due to the many integrations and add-ons … Read more
The term HIPAA compliant telemedicine relates to the remote delivery of healthcare to patients and remote collaboration between healthcare providers while complying with the standards of the Privacy Rule and the safeguards of the Security Rule. Due to the nature of remote healthcare delivery and collaboration, it is not always easy to comply with the … Read more
The question ‘are Google Forms HIPAA compliant and suitable for use by healthcare organizations?’ is important when the Workspaces service is used to collect, store, or share Protected Health Information. Google Forms is a popular survey tool that allows users to create forms for data collection purposes and then export the data for analysis. Typically, … Read more
HIPAA applies to community outreach initiatives only if they involve the use or disclosure of protected health information (PHI) by covered entities (such as healthcare providers or health plans) or their business associates, requiring compliance with privacy and security rules to safeguard PHI. HIPAA sets legal standards to protect the privacy and security of certain … Read more
Yes, therapy notes must be HIPAA compliant if they contain Protected Health Information (PHI), which includes any information that identifies a patient and relates to their health, treatment, or mental health care, ensuring confidentiality and proper security measures are in place. PHI refers to identifiable information about a person’s health, medical history, or treatment. Since … Read more
Yes, HIPAA applies to dental records because they contain Protected Health Information (PHI), such as patient names, treatment details, and billing information, making dental practices subject to HIPAA’s Privacy, Security, and Breach Notification Rules to ensure the confidentiality, integrity, and availability of such information. Dental practices are considered covered entities under HIPAA, meaning they must … Read more
The HIPAA electronic signature rule is – at present – a proposed rule published by the Department for Health and Human Services in December 2022. If adopted, the HIPAA electronic signature rule would apply to a limited number of covered transactions. However, it could subsequently be extended to apply to other types of covered transactions … Read more
Many people will be familiar with the concept of Protected Health Information, and know that it must be safeguarded under the Health Insurance Portability and Accountability Act of 1996. But what are examples of Protected Health Information? How is it distinguished from other categories of information? The Health Insurance Portability and Accountability Act of 1996 … Read more
HIPAA violations are extremely serious in nature, but can you go to jail for a HIPAA violation? Is this a risk for all violations, or is it only certain ones that will result in jail terms? The answer, perhaps unsurprisingly, is yes you can go to jail for violating HIPAA. However, it is extremely unlikely … Read more
One of the core parts of the Health Insurance Portability and Accountability Act of 1996 is to protect patient privacy. Yet not all data is protected by HIPAA. The Act defines a subset of information – protected health information, or PHI – that it applies to. One of the key features of PHI is that … Read more
Though most HIPAA violations are avoidable, that some violations will occur is inevitable. Even the most diligent worker will occasionally make a mistake and, for example, send an email to the incorrect recipient. Incidental violations may also occur despite an individual’s best efforts. Should these violations occur, investigations will need to take place to determine … Read more
The difference between PHI (Protected Health Information) and ePHI (electronic Protected Health Information) is that PHI refers to any health information that can identify an individual, regardless of format, while ePHI specifically refers to such information that is stored or transmitted electronically. What is PHI (Protected Health Information)? PHI refers to any individually identifiable health … Read more
How you respond to a possible HIPAA violation can depend on the nature of the possible violation, how you become aware of it, and where the event occurs. For example, an alleged disclosure of more than the minimum necessary PHI in a circumstance that is unlikely to result in harm will be responded to differently … Read more
In 2011, the Office for Civil Rights commenced a series of pilot compliance audits to assess how well healthcare providers were implementing HIPAA Privacy and Security Rules. The first found of audits was completed in 2012 and highlighted many companies were failing to comply with even the most basic of HIPAA’s rules. Audited organizations registered … Read more
Due to its technical and often ambiguous language, complying with the HIPAA Security Rule can present some difficulty for dental offices. One easy solution to complying with the HIPAA Security Rule that is being widely adopted in all areas of the healthcare industry the implementation of a system of secure messaging. Secure messaging is conducted … Read more
Why was HIPAA created? HIPAA’s Origins In August 1996, when the Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law, the first of its kind created. Those who created HIPAA claimed that it was made to “improve the portability and accountability of health insurance coverage” for employees between jobs. Combatting waste, fraud and … Read more
To answer the question does HIPAA apply to pharmacies, it is necessary to review the definitions of HIPAA Covered Entities, healthcare providers, and health care in the General Administrative Requirements of the Administrative Simplification provisions. Most people assume that HIPAA does apply to pharmacies because pharmacies have access to health information when they fill prescriptions. … Read more
The Health Insurance Portability and Accountability Act was established in 1996 and covers many aspects of patient privacy. To help enforce the Act, the Enforcement Rule of 2006 was added that gave the Office for Civil Rights the ability to prosecute for HIPAA violations. The hope was that by issuing financial – and sometimes criminal … Read more
A large part of data privacy concerns how long data can be stored after use. This is also covered by the HIPAA, which stipulates in its rules how long data can be retained after it has been collected and used. Individual States may have their own rules and legislation regarding this issue, but for the … Read more
The Health Insurance Portability and Accountability Act (1996) covers all areas of patient privacy. Its main purpose is to ensure that all protected health information (PHI) and electronic PHI (ePHI) remains secure and confidential. However, it must not be so restrictive that when healthcare professionals need to share PHI to accomplish a treatment-related task they … Read more
Under the Breach Notification rule, all HIPAA violations must be reported within 60 days of its discovery. However, it can be confusing for CEs and BAs to determine who to report the breach to, and what details the breach notification should contain. Reporting a HIPAA Violation Anyone can report a HIPAA violation to the Department … Read more
HIPAA came into effect in 1996, with the initial goal of easing the transfer of health insurance policies and other health documents between employers. Since then, it has come to cover many aspects of health data, namely concerning Protected Health Information (PHI). Additions and alterations were made to HIPAA legislation came in 2003 via the … Read more
PHI stands for Protected Health Information, which refers to any information in a medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service such as diagnosis or treatment. The question what does PHI stand for is … Read more
First enacted in 2002, the HIPAA Privacy Rule (also known as the “Standards for Privacy of Individually Identifiable Health Information”) regulates who can access patient health data. Such data, termed Protected Health Information (PHI), must only be disclosed to necessary individuals without interrupting its processing. HIPAA applies to any party that is deemed a “covered … Read more
Confusingly, though the encryption of Protected Health Information (PHI) is defined as an “addressable” requirement under HIPAA legislation it is compulsory. The use of the term “addressable” merely means that it is up to covered entities (CEs; those who can access and modify PHI) to decide how best to encrypt the data. The encryption is, … Read more
HIPAA risk assessments, though often tedious, are a critical part of ensuring HIPAA compliance. The Security Rule, created in 2003 to ensure that electronic health data is only accessed by authorized personnel, was the first part of HIPAA that required such risk assessments. Password Requirements The Security Awareness and Training section of the Security Rule … Read more
The answer to the question does using email to send patient names and ePHI violate HIPAA Rules is that it depends on the content of the email, who it is being sent to, and what for; and whether controls are in place to ensure transmission security – when required. Questions such as does using email … Read more
HIPAA compliance software provides a range of tools to help organizations achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) and maintain compliance thereafter. However, because of the complexity of HIPAA, organizations are advised to select a software solution from a vendor who also provides support, training, and guidance. Most HIPAA Covered Entities … Read more
Optimove is not inherently HIPAA compliant as compliance depends on how the platform is configured and used, including the implementation of appropriate safeguards and signing a Business Associate Agreement (BAA) with Optimove to ensure adherence to HIPAA regulations for handling Protected Health Information (PHI). To achieve compliance with the HIPAA when using Optimove, it is … Read more
Calendly is a tool that is popularly used by many businesses for managing meeting and appointment schedules. Can Calendly be used by healthcare organizations? Does it’s use comply with HIPAA? Businesses generally spend considerable time and effort scheduling meetings and appointments and going after employees to confirm appointments. Calendly is created to do away with … Read more
Evernote is a cloud-based application that is handy for taking notes, planning projects, making to do lists, and working together in teams. Nevertheless, can healthcare professionals and doctors use Evernote with ePHI without HIPAA violation? Does Evernote support HIPAA compliance? Evernote is intended to be an accessible database for many digital data, including documents, images, … Read more
Google Keep is a web-based note taking program that makes it possible to create notes and share them through several devices. The platform is famous, but is it HIPAA compliant? Can healthcare organizations use Google Keep in association with ePHI? Google has created numerous products that may be employed in healthcare. Google has been known … Read more
Return Path is an email marketing and optimization system that allows organizations to have autopilot management of their email marketing campaigns and analytics. A lot of organizations use Return Path. Can healthcare organizations do the same? Does Return Path support HIPAA compliance? Sending Emails to Patients and Health Plan Members There are guidelines that healthcare … Read more
An employee who discovers an HIPAA violation committed by the company management or by a co-employee may want to report the incident to the Department of Health and Human Services’ Office for Civil Rights (OCR). An employee can report a HIPAA violation to OCR, but investigation will only proceed if the HIPAA violation report was … Read more
About 750,000 businesses today use Zoom as it is a popular video and web conferencing program. Are healthcare organizations allowed to use Zoom for sharing PHI? Does it support HIPAA compliance? Since Zoom is a video and web conferencing platform that is cloud-based, it makes it possible for people from various locations to join web … Read more
Google Sheets is a service for creating, viewing and sharing spreadsheets provided by Google. Is it all right for HIPAA-covered entities to use Google Sheets in conjunction with identifiable protected health information? Does it constitute violating the HIPAA rules? As per the HIPAA Rules, healthcare organizations need to protect the confidentiality, availability and integrity of … Read more
In relation to the use of new technology, the healthcare industry is quite slow compared to other industries. It is an undeniable fact that the healthcare industry seems to refuse change, even if those changes would be considerably profitable to patients. In this time of advanced technology when tablets, Smartphones and the Internet of Things … Read more
Can Google Docs be considered as HIPAA compliant? Is uploading of files with protected health information (PHI) to Google Docs allowed? This post will evaluate the HIPAA compliance of Google Docs and determine if HIPAA-covered entities or business associates can use it in conjunction with ePHI. Does Google Docs Encrypt Files? To be HIPAA compliant, … Read more
Healthcare organizations often ask about the HIPAA compliance of Google services. One Google product that particularly caused some misunderstandings is Google Hangouts. Can healthcare professionals use Google Hangouts to send and receive protected health information (PHI)? Is it HIPAA Compliant? Google Hangouts is Google’s video chat system that took the place of Huddle or Google+ … Read more
Cloud storage services are a convenient way for people to store and share data. Though people use diverse devices from varied places, they can gain access to the uploaded data files provided that they are hooked up to the internet. Does this technology support HIPAA compliance? Can healthcare organizations utilize iCloud to keep electronic protected … Read more
WebEx is an online video conferencing and collaboration platform that organizations use to facilitate communication among persons and partners from different places so that they are as if meeting all in one place. Can healthcare organizations use WebEx as well? Is it HIPAA compliant? If using resources such as WebEx, healthcare organizations can make connections … Read more
Zoho is a collection of cloud-based tools and applications developed by a Pleasanton, CA-based company since 1996. Zoho products and services include the following: Zoho Mail (email) Zoho CRM (a customer relationship management platform) Zoho Show (presentation program) Zoho Docs (document editor) Zoho Sheet (spreadsheet editor) Zoho Creator ( app builder) Zoho Chat (live chat … Read more
Can healthcare companies use HelloFax for sending documents with protected health information (PHI)? Does this fax service support HIPAA compliance? Regular fax machines are not the same as digital fax services. Healthcare companies have been utilizing this piece of equipment to transfer physical documents including those that contain PHI from one fax machine to another. … Read more
Slack is a useful communication and collaboration tool. But the HIPAA compliance of Slack before using in the healthcare industry must be clarified. . Can Slack be used by healthcare organizations for disclosing protected health information (PHI) without breaking the HIPAA? From the time Slack was introduced, it is not regarded as HIPAA compliant, although … Read more
The HIPAA Risk analysis is an essential part of HIPAA compliance, however plenty of healthcare companies and business associates fail at it. Hence they are prone to paying for pricey data breaches and big financial fines for HIPAA noncompliance. HIPAA Risk Analysis – What is it? As per 45 C.F.R. § 164.308(a)(1)(ii)(A), the HIPAA Security … Read more
In order to comply with the HIPAA password requirements, it is best to understand what they are so you can determine whether they apply to your organization. This is because if an organization uses HIPAA compliant authentication methods other than usernames and passwords to control access to ePHI the HIPAA Password requirements may not apply. … Read more
The Department of Health and Human Services’ Office for Civil Rights released its cybersecurity newsletter for August 2018 and told HIPAA-covered entities to be certain to employ physical, administrative and technical safety measures to keep the privacy, integrity, and accessibility of electronic protected health information (ePHI) protected. A similar care ought to be applied to … Read more
A patient-signed HIPAA release form should be secured before sharing the protected health information (PHI) with other people or providers, except in the event of scheduled disclosures for therapy, payment or healthcare operations allowed by the HIPAA Privacy Rule. Brief summary of the HIPAA Privacy Rule The HIPAA Privacy Rule (45 CFR §164.500-534) was enacted … Read more
Geofencing technology creates an electronic fence surrounding a specific location or area online. Going into that invisible boundary triggers the sending of push notifications to the person’s mobile phone. Retailers began using this geofencing technology some time back. Google is likewise using it to alert users based upon location. A digital marketing firm is helping … Read more
Entities working in the healthcare industry need access to protected health information (PHI), which is why they need to know what the HIPAA law considers as PHI. PHI confidentiality, integrity and availability are safeguarded by the HIPAA Security Rule, while PHI uses and disclosure are limited by the HIPAA Privacy Rule. If an entity violates … Read more
Intercom is a messaging software-as-a-service solution that is popular among businesses that chat with their clients. There is a potential use for this software in the healthcare industry when healthcare providers and patients chat with each other. Does Intercom comply with HIPAA rules when used in connection with electronic protected health information (ePHI)? Before HIPAA … Read more
SendGrid is a service that businesses use for sending email messages. It is a very quick and easy way to communicate marketing messages to clients. Even so, can healthcare organizations use SendGrid without breaking HIPAA rules? Does SendGrid comply with HIPAA requirements? The conduit exception rule does not cover businesses that offer cloud-based email marketing … Read more
A HIPAA audit checklist is a list of the HIPAA regulations and standards that apply to a covered entity’s operations which can be used to assess the covered entity’s compliance with HIPAA. Because not all regulations and standards affect covered entities’ operations in the same way, there is no one-size-fits-all HIPAA audit checklist. One of … Read more
The healthcare industry experiences many insider breaches every year which calls on covered entities and business associates to take steps to reduce the occurrence of these incidents. There are four ways of categorizing the different approaches to mitigate insider threats: Educate: It refers to teaching the workforce about the allowable uses and disclosures of PHI, … Read more
Healthcare employees need to be aware of the HIPAA rules and regulations and the possible penalties if they break these rules. This is why covered entities need to conduct HIPAA awareness training for their employees. In case a healthcare employee breaks the HIPAA rules, four outcomes are possible. The employer may opt to deal with … Read more
Uber Health, which beta launched this March, is a platform that is used for arranging cost effective transportation for patients. About 100 healthcare organizations need to try the platform before it is officially launched. However, there are questions raised on the HIPAA compliance of Uber Health. Uber Health features an online dashboard that healthcare providers … Read more
WordPress is a popular content management system that anyone can use to create websites quickly. Many businesses use WordPress but is it HIPAA compliant so that healthcare organizations can use the platform in connection with protected health information? The HIPAA compliance requirements for websites are actually a little vague. But with respect to the storage … Read more
If you’re thinking of setting up a business in the healthcare industry that will likely have access to protected health information, it’s necessary to know how to be HIPAA compliant. What does it mean to be HIPAA compliant and how do healthcare organizations achieve this status? It’s not easy to become HIPAA compliant because it … Read more
Google Calendar is one of the products and services offered in Google’s G Suite, which was launched in 2006. It is a tool that is used for time management and scheduling of appointments. Will the use of this tool by healthcare organizations, which may require adding protected health information (PHI), be considered a HIPAA rules … Read more
Google Slides is a web-based presentation editor that can be used to create slide shows, project presentations and training material. It can be used for free by any person who doesn’t have a software program with the same functionality like Microsoft PowerPoint. Is it possible for healthcare organizations to use Google Slides in connection with … Read more
Many healthcare organizations today use cloud platforms like Azure and AWS. In fact, the value of the healthcare cloud computing market was determined to be $4.65 billion in 2016 and would likely rise to over $14.76 billion by 2022. According to KeyBlanc, Amazon AWS is the leading cloud platform with a 62% market share, followed … Read more
When covered entities “knowingly” violate HIPAA Rules, what is the financial penalty and when are fines issued? It is important to know the answers to these questions as these relate to the safety and integrity of people’s healthcare information. The Health Insurance Portability and Accountability Act or HIPAA is a federal law that healthcare organization … Read more
Zendesk is a platform offering customer service software and support ticketing system. Over 200,000 companies use Zendesk for handling customer support, managing customer queries and building relationships with clients. Can healthcare organizations in the U.S. also use Zendesk products and services for patient communication and electronic protected health information (ePHI) management? Is Zendesk compliant with … Read more
Office 365 is Microsoft’s set of subscription products that includes the following programs: Word, Excel, OneNote, PowerPoint, Outlook, Access and Publisher. Can healthcare organizations use Office 365 without violating the HIPAA and HiTECH Act Rules? If HIPAA covered entities purchase Office 365 through the Volume Licensing Programs or the Dynamics CRM Online Portal, Microsoft is … Read more
Vendors who offer their services to healthcare organizations understand the importance of being recognized as HIPAA compliant. Hence, many service providers often ask if it is possible to get a HIPAA certification? Ideally, a HIPAA certification would serve as proof that a third-party vendor understands and follows all aspects of HIPAA rules. If for example … Read more
eFileCabinet is a document management system (DMS) that many businesses have been using for on-site and cloud storage. Is this platform suitable for healthcare organizations to use, too? Is it HIPAA compliant? Document management systems (DMS) help businesses and organizations maintain, manage, and safely store electronic documents in a single location. Systems like this simplify … Read more
Using the cloud as repository of ePHI has certain advantages that prompt many healthcare organizations to transition to the cloud. Here are a number of key benefits of cloud computing: Healthcare organizations can increase data center capacity by linking to a public cloud. This is possible without needing to invest in more hardware. The cloud … Read more
Many healthcare organizations are transitioning to utilizing the cloud for managing patients’ ePHI. But before any HIPAA covered entity does the same thing, it is necessary to understand important matters such as HIPAA compliance and the requirements for cloud computing. In this article, common misconceptions about HIPAA compliance and cloud computing will be discussed to … Read more
Ademero is a document management software (DMS) that businesses use to monitor and manage their documents. The software likewise helps them go paperless and transition to digital. Will using Ademero, however, not violate any HIPAA Rules? The HIPAA Security Rule incorporates required and addressable usage details. These required usage details or implementation specifications, when executed, … Read more
When HIPAA-covered entities along with their business associates stop doing business, the duty to follow HIPAA rules doesn’t stop yet. This simple fact was made very clear by the HHS’ Office for Civil Rights (OCR) when it charged FileFax Inc with penalty amounting to $100,000 for violating HIPAA rule. FileFax is a firm in Northbrook, … Read more
Box is another popular cloud storage and content management service. Anyone can create a Box account and use personally for file-sharing, uploading content and inviting others to view or edit the content. Businesses that want to use Box must sign up for a business, enterprise or elite account. Can healthcare organizations also use Box for … Read more
Before answering the question whether FaceTime is HIPAA compliant, it has to be acknowledged at the outset that no communications platform will be completely HIPAA compliant basically because the law deals with users and not technology. That being said, two things need to be considered to be able to tell if the app adheres to … Read more
According to the Protected Health Information Data Breach Report of Verizon, 58% of healthcare data breaches are caused by insiders. The problem is the difficulty of detecting insider breaches. 75% of insider threats go unnoticed. For instance, a healthcare employee at a Massachussetts hospital was accessing healthcare records without authorization for 14 years. When he … Read more
How many healthcare data breaches occurred in 2017 and how many of those violated HIPAA rules resulted in financial penalties? It’s difficult to get accurate data about HIPAA violations for several reasons. First, many data breaches are not reported. The Department of Health and Human Services’ Office for Civil Rights only publish on its breach … Read more
Can HIPAA-covered entities use G Suite without violating HIPAA Rules? G Suite was developed by Google with privacy and security protection features necessary to safeguard data. It satisfies the required standards of the HIPAA Security Rule. If necessary, Google willingly signs a business associate agreement with a HIPAA-covered entity. Does this mean G Suite is … Read more
Many covered entities get confused on the topic of HIPAA medical records retention and other record retention requirements. But the retention requirements of HIPAA are pretty straightforward and will be clarified in this article. The first thing to know is that there is no HIPAA medical records retention period. The Privacy Rule does not specify … Read more
The Centers for Medicare and Medicaid Services (CMS) sent emails to healthcare providers last November 2017 to explain the prohibited use of text messages in healthcare because of security and patient privacy concerns. SMS messages are not secure and could expose patients’ sensitive data and affect the integrity of medical records. Although there are SMS … Read more
Can healthcare organizations and its employees use Google Voice? Is it HIPAA compliant? Google Voice is a telephony service that provides voicemail and voicemail transcription to text. It can be used for sending text messages for free as well. With its useful features, many healthcare professionals would like to use it not just for work … Read more
Healthcare organizations are not prohibited by HIPAA to use cloud services. Cloud services allow organizations to lower their IT costs. But there are rules to follow before any cloud service can be used to ensure the security and confidentiality of protected health information. One of the cloud service providers out there is Microsoft Azure. So … Read more
Many HIPAA covered entities do not fully understand the HIPAA Conduit Exception Rule. As a result, there are services that are misclassified as conduit when in reality they are business associates. This is a violation of HIPAA rules and attracts financial penalties. The issuance of HIPAA Omnibus Final Rule on January 25, 2014 introduced an … Read more
HIPAA-covered entities are responsible for making sure that the transmission of protected health information by email is secured. The entity may choose any HIPAA compliant email provider as long as appropriate controls guarantee PHI confidentiality, integrity and availability. A HIPAA compliant email provider must offer end-to-end encryption of messages. It doesn’t matter if the software … Read more
The HIPAA Security Rule requires the effective management of information access. Employees who are granted access to protected health information must have proper authorization. But what happens when employees leave their work? The organization needs to make sure that PHI access privileges are terminated immediately. If procedures to terminate access to PHI are not implemented, … Read more
Bill Clinton signed the Health Insurance Portability and Accountability Act or HIPAA on August 21, 1996. The HIPAA ensured the continuity of health insurance coverage for everyone, especially the employees that were between jobs. It also accomplished the following: set standards as to the amount of pre-tax medical savings that could be saved prohibited tax-deduction … Read more
Under certain circumstances, texting Protected Health Information (PHI) can be deemed as a violation of HIPAA. The classification as a violation is dependent upon the message’s content and the recipient. Furthermore, the effort that the sender put into maintaining the integrity of PHI is also considered. If the PHI is well-protected, then texting may be … Read more
The Health Insurance Portability and Accountability Act (HIPAA) is an important piece of legislation, first introduced in 1996. But, why is HIPAA so important? How has HIPAA helped to improve the healthcare industry and the care given to patients? HIPAA was designed to address one issue in particular: Insurance coverage for individuals that are “between … Read more
Many dental offices and dental practitioners are self-contained entities. However, HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business … Read more
Dropbox is a popular file hosting service used by many organizations to share files. Dropbox claims that it has implemented measures that now make its software both HIPAA and HITECH Act compliant. However, technically no software or file sharing platform can be HIPAA compliant as its compliance depends on how the software or platform is … Read more
In 1996, the Health Insurance Portability and Accountability Act of 1996 was introduced. In the two decades since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry. Despite its importance, there still exist many healthcare providers and insurers who are unaware of HIPAA obligations. It has … Read more
There has been a huge rise in the number of healthcare workers and other HIPAA-covered entities relying on mobile technology in their day-to-day lives. This rise has seen an increasing use of smartphones, tablets and other portable devices in hospitals, clinics and other places of work. These technological advances have allowed for increased efficiency and … Read more
Since its implementation two decades ago, there has been much ambiguity in whether the use of SMS is HIPAA compliant. HIPAA does not explicitly prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards must be implemented to ensure the confidentiality and integrity of PHI when it is “in … Read more
Google Drive is becoming an increasingly attractive option for many companies to store information online. It is cheaper than installing costly hardware systems and IT infrastructures, and it is easy to use and train staff in using. However, despite the advantages, the question remains over whether healthcare professionals can use this technology and remain HIPAA … Read more
HIPAA Simplified History Legislators originally proposed HIPAA in 1996 as a means of addressing the concerns regarding the privacy and security of patient healthcare information and risks brought by novel technologies. Since then, the Act has expanded into an act of legislation. Broadly, HIPAA governs health insurance fraud and tax provisions for medical savings accounts, … Read more
Skype has been increasingly used by business as a quick and cost-effective form of communication. However, the question remains whether Skype can be used by healthcare professionals in a manner which allows them to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rule. There exists some ambiguity surrounding Skype and … Read more
The “cloud”-a network of servers used for data storage-has seen widespread use in recent years. It offers a convenient and flexible way for organisations-including healthcare providers and other covered entities-to store files, in comparison to traditional data storage methods. However, before healthcare organisations can make use of these benefits, the question of is it possible … Read more
In 1996, the Health Insurance Portability and Accountability Act was introduced into US law. In time since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry, with widespread influence. Despite its importance, many healthcare providers and insurers are still unaware of HIPAA rules, and as a … Read more