New York-based reproductive healthcare provider, Planned Parenthood of Montana, has given additional information about the RansomHub ransomware attack that was initially reported at the beginning of September. During the initial security breach report, the investigation just started and it was not confirmed if the attacker stole any patient information. Now, there is confirmation from Planned … Read more
Multiple class-action lawsuits had been filed against Gryphon Healthcare based in Houston, TX, a revenue cycle management and medical billing solutions provider to healthcare companies. The lawsuits are associated with a data breach in August 2024 involving unauthorized access to almost 400,000 individuals’ protected health information (PHI). The breached data contained names, contact data, Social … Read more
In late October, the National Institute for Standards and Technology (NIST) and the Department of Health and Human Services (HHS)hosted a conference called “Safeguarding Health Information: Building Assurance Through HIPAA Security 2024”. Participants received information about the present state of cybersecurity in healthcare and the role of the HIPAA Security Rule in helping HIPAA-covered entities … Read more
Multi-specialty pediatric group Boston Children’s Health Physicians (BCHP) based in Valhalla, NY provides services to newborns and children in New York and Connecticut. BCHP has reported that its IT vendor encountered a cyberattack. The IT vendor informed BCHP on September 6, 2024, that strange activity was noticed in the IT vendor’s network. On September 10, … Read more
Network of behavioral health facilities, AXIS Health System based in Colorado, has published a notification on its website about encountering a cyber incident. Not much information is provided about the nature of the attack except the initiation of incident response protocols. Investigation is ongoing to know the nature and extent of the breach. In case … Read more
Airtable is HIPAA compliant inasmuch as one Airtable subscription plan includes limited services that support HIPAA compliance. The vendor also offers a Business Associate Agreement to covered entities and business associates who can adapt their use of the business management platform to accommodate the limited services. Airtable is a customizable business management platform that connects … Read more
HIPAA allows state preemption means that covered entities are required to comply with a provision of state law – rather than the equivalent HIPAA provision – if the provision of state law has more stringent privacy requirements than HIPAA, provides individuals with more rights than HIPAA, or falls into one of the categories included in … Read more
Ponemon Institute conducted a new survey for Proofpoint, which revealed that almost all U.S. healthcare organizations faced a cyberattack in the past year. Of the 648 IT and IT Security experts surveyed, 92% reported at least one cyberattack in the last 12 months, compared to 88% of survey respondents in 2023. The report found that … Read more
HIPAA is a federal law that had the objective of reforming the health insurance industry. Due to concerns that the cost of the reforms would be passed onto employers and plan members – and that this would impact federal tax revenues – Congress added further Titles to the Act to neutralize the cost of the … Read more
A new update to the National Institute of Standards and Technology (NIST) password security guidelines now recommends longer passwords over the previous focus on using a mix of uppercase and lowercase letters, numbers, and special characters. While using multiple character types makes the password more complex, it often results in predictable patterns, which weakens security. … Read more
Because of a massive data breach, Change Healthcare is facing dozens of lawsuits filed by plaintiffs across multiple districts. The cyberattack in question resulted in the theft of 6 TB of sensitive data, including personal and protected health information (PHI) of millions of individuals throughout the United States. The lawsuits allege that Change Healthcare failed … Read more
Texas Attorney General Ken Paxton has initiated a lawsuit against the Department of Health and Human Services (HHS), its Secretary Xavier Becerra, and Director Melanie Fontes Rainer of the Office for Civil Rights (OCR). The lawsuit challenges the long-standing HIPAA Privacy Rule and the 2024 HHS final rule concerning reproductive healthcare privacy. Paxton contends that … Read more
Lehigh Valley Health Network (LVHN) agreed to pay $65 million to settle a class action lawsuit over a data breach in 2023. This settlement of a HIPAA violation will compensate plaintiffs whose sensitive data, including nude photos, was stolen and later posted on the dark web. The breach, caused by a Blackcat ransomware attack, exposed … Read more
The Ransom Hub ransomware group continues to target the healthcare sector, with its latest victim being Planned Parenthood, a reproductive healthcare provider based in New York. The group added Planned Parenthood to its data leak site, claiming responsibility for stealing 93 GB of sensitive information. CEO Martha Fuller of Planned Parenthood of Montana reported the … Read more
An Iranian hacking group, known as Pioneer Kitten (also referred to as Fox Kitten, Rubidium, Parisite, and Lemon Sandstorm), has been working together with ransomware groups to exploit and extort businesses across various sectors, including defense, finance, education, and healthcare. Active since 2017, Pioneer Kitten is assumed to operate under the auspices of the Iranian … Read more
Whether or not you should decline a HIPAA authorization request is event specific and can depend on the purpose of the HIPAA authorization request, the content of the authorization form, and the amount of information you have been given about who your information will be shared with. If you do not have sufficient information to … Read more
McLaren Health Care has updated the status of a recent cyberattack, confirming the use of ransomware to encrypt files in its network. The attack has disrupted the IT systems at 13 of its hospitals, including the Karmanos surgery centers, cancer centers, and clinics. Although the attack has been contained, system access is still limited, and … Read more
The HIPAA regulations characterize a deliberate violation by a covered entity or business associate as a conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. If a deliberate violation is identified and not corrected within 30 days, HHS’ Office for Civil Rights can impose the maximum possible … Read more
The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released an alert concerning the BlackSuit ransomware group, which they have identified as a rebranded version of the Royal ransomware. This group has been behind numerous attacks on healthcare companies. The FBI and CISA initially alerted about the Royal … Read more
HIPAA does not apply to spouses and common law partners in a way that means they have to safeguard Protected Health Information shared with them by a healthcare professional. However, the HIPAA Privacy Rule stipulates when it is permissible for a healthcare professional to disclose a patient’s health information to a spouse, partner, or other … Read more
United of Omaha Life Insurance Company located in Nebraska submitted a phishing attack report that indicated the compromise of the protected health information (PHI) of 107,894 people. The insurer discovered the breach on April 23, 2024 after identifying suspicious activity in an employee’s email account. United of Omaha noticed that a third party accessed the … Read more
Zapier is not HIPAA compliant and cannot be used to connect apps that create, receive, store, or transmit Protected Health Information (PHI) because many of the apps themselves do not support HIPAA compliance. Removing the apps from the platform would limit Zapier’s automation capabilities and the benefit of automation to healthcare organizations. Zapier is … Read more
The healthcare provider, Aveanna Healthcare, based in Georgia recently reported the unauthorized access of the email accounts of 11 personnel by a third party, who acquired access to 10,482 patients’ protected health information (PHI). This is Aveanna Healthcare’s second email breach report this year. On March 15, 2024, Aveanna Healthcare submitted to the HHS’ Office … Read more
It is not a HIPAA violation to send to collections because the HIPAA Privacy Rule permits disclosures of this nature provided the amount of information sent to collections complies with the minimum necessary standard and provided the disclosure of Protected Health Information is covered by a Business Associate Agreement if collections are conducted by an … Read more
The software company, MCG Health, based in Seattle, WA offered to pay $8.8 million to resolve a class action lawsuit associated with a data breach in February 2020 that affected the protected health information (PHI) of 793,283 individuals. Two years after the data breach, on March 25, 2022, MCG Health discovered that a threat actor … Read more
HIPAA applies to animals when information about an animal is stored in the same designated record set as Protected Health Information (PHI), and the information could be used to identify the human subject of the PHI. Examples include when a patient’s medical notes include information about their support dog or an emotional support animal. In … Read more
UnitedHealth Group (UHG) has given an update about the response costs associated with the February 2024 ransomware attack involving Change Healthcare. The overall response cost is forecasted to be $2.3 billion to $2.45 billion this 2024, over $1 billion more than the figure reported earlier. UHG already paid more or less $2 billion handling the … Read more
DaVita has discovered that tracking tools used on its web pages and mobile app might have transmitted user information to third-party providers. On July 2, 2024, kidney dialysis service provider DaVita Inc. based in Denver, CO informed 67,443 patients concerning a pixel-related data breach. With the 2,800+ outpatient dialysis centers in the U.S., DaVita serves … Read more
It is not a HIPAA violation to email medical records if the reason for emailing medical records is permitted by the Privacy Rule, if the PHI disclosed in the email is limited to the minimum necessary to achieve the purpose of the disclosure, and if the email system used to email the medical records complies … Read more
HIPAA compliance refers to adhering to the requirements of the HIPAA federal law that mandates the protection and confidential handling of protected health information (PHI). This is done by implementing administrative, physical, and technical safeguards, ensuring patient rights, regularly training employees, conducting risk assessments, and responding appropriately to any detected breaches of PHI. Compliance with … Read more
The purpose of the HIPAA Privacy Rules is to protect the confidentiality of patient healthcare and payment data to prevent abuse and fraud. Published by the Department of Health and Human Services as the “Standards for Privacy of Individually Identifiable Health Information”, the HIPAA Privacy Rules stipulate the permissible uses and disclosures of protected health … Read more
HIPAA violation penalties are the consequences of a Covered Entity, Business Associate, or PHR vendor failing to comply – when applicable – with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) paved the way for the development of the Administrative … Read more
The term HIPAA refresher training can mean different things to different people. For some it may mean HIPAA-mandated Privacy Rule training after a material change to policies and procedures, the provision of training to mitigate a threat identified in a risk assessment, or part of a security and awareness training program as required by the … Read more
Accurate HIPAA violation statistics can be difficult to come by due to the way in which HHS´ Office for Civil Rights reports violations. It can also be the case that the cause of a violation is miscategorized by the entity reporting it – who may not be the entity responsible for the violation. As of … Read more
HIPAA violations by nurses can happen for many different reasons and, although HIPAA violations by nurses are often accidental or a consequence of wanting to “get the job done”, if a nurse violates HIPAA, the violation should be reported to prevent minor violations with minimal consequences deteriorating into a culture of non-compliance. In addition, HIPAA … Read more
Paubox is a HIPAA compliant solution to incompatible encryption standards when emails containing PHI are sent between covered entities – or between covered entities and business associates or patients. Paubox also addresses the inconvenience of encrypting emails and decrypting them on receipt. Most covered entities that use email to communicate Protected Health Information (PHI) with … Read more
It is possible to use ChatGPT in compliance with HIPAA, but – until such time as OpenAI makes ChatGPT HIPAA compliant – there are risks associated with implementing anonymizer software to ensure Protected Health Information is not impermissibly disclosed to ChatGPT. It its current state, ChatGPT does not support HIPAA compliance. The program does not … Read more
HIPAA was enacted by the United States Congress in 1996 and signed into law by President Bill Clinton on August 21, 1996. Anyone who has worked in the healthcare industry will have heard of HIPAA and knows of its importance in safeguarding protected health information (PHI). However, most will not know about the history of HIPAA, … Read more
The HIPAA law we are familiar with today evolved from proposals to reform the way in which the health insurance industry worked. Following on from Acts such as the Employee Retirement Income Security Act (ERISA) in 1974 and the Consolidated Omnibus Reconciliation Act of 1985 (COBRA), the proposals were intended to increase the transferability of … Read more
The purpose of HIPAA is sometimes explained as ensuring the privacy and security of individually identifiable health information. However, regulations relating to the privacy and security of individually identifiable health information were not enacted until some years later. So, what was the primary purpose of HIPAA? The Health Insurance Portability and Accountability Act of 1996 … Read more
One of the biggest challenges for achieving email archiving compliance is auditability. Whereas it is often possible to implement an archiving solution that copies and indexes emails as they enter the mail server before storing them securing, it is not so easy to find an archiving solution with user-friendly search and retrieve capabilities that produces … Read more
The most common HIPAA violations on social media are due to healthcare professionals taking photos or videos of patients and impermissibly disclosing PHI on social media platforms such as Facebook, Snapchat, and TikTok. The penalties for HIPAA violations on social media vary depending on covered entities’ sanction policies, state laws, and regulatory actions. In July … Read more
In its earliest form, HIPAA had three main objectives: In order to achieve these aims, HIPAA required a major reform of the healthcare industry. HIPAA called for the Department of Health and Human Services to develop a set of standards for the healthcare industry to adopt, which are commonly referred to as the HIPAA Rules. … Read more
HIPAA does not apply to multiple types of organizations including healthcare providers that do not qualify as covered entities, public schools that only provide medical services for students, and financial institutions that process payments on behalf of covered entities. However, although HIPAA does not apply to these organizations, other state privacy laws may apply. When … Read more
HIPAA was signed into law by President Bill Clinton on August 21, 1996, but there have been some major updates to the legislation over the past two decades. The HIPAA Privacy Rule was enacted on December 20, 2000, the HIPAA Security Rule was enacted on February 20, 2003, and the HIPAA Omnibus Rule was enacted … Read more
WhatsApp is not HIPAA compliant but can be used in healthcare environments in certain circumstances – for example to facilitate communications between healthcare providers that do not disclose Protected Health Information, or to accommodate patients’ requests to communicate via WhatsApp. When HIPAA covered entities and business associate use any messaging service to create, receive, store, … Read more
Microsoft Outlook is HIPAA compliant and can be used to send emails containing Protected Health Information provided customers subscribe to an appropriate Microsoft plan with the capabilities to support HIPAA compliance and agree to the terms of Microsoft’s Business Associate Agreement. In order to make Microsoft Outlook HIPAA compliant, system administrators must configure Outlook’s settings … Read more
HIPAA compliant email is email containing Protected Health Information that is sent for a purpose required or permitted by the HIPAA Privacy Rule and – when necessary – that is protected by the safeguards of the HIPAA Security Rule. There can be other criteria that determine whether an email complies with HIPAA – including who … Read more
It is not necessary for Zelle to be HIPAA compliant in order for HIPAA covered entities to conduct financial transactions via the fund transfer service because payment processors are exempt from HIPAA under §1320d-8 of the Public Health and Welfare Code. Considering that Zelle is a peer-to-peer funds transfer service similar to PayPal, there are … Read more
HoneyBook is not HIPAA compliant and should not be used by HIPAA covered entities or business associates to create, collect, store, or transmit electronic Protected Health Information (ePHI). However, it is still possible for healthcare providers to use HoneyBook for some customer relationship activities. HoneyBook styles itself as “client flow management software” that can help … Read more
Ivy Pay is a HIPAA compliant payment management system that enables therapists to collect payments with little or no disruption to clients. The payment processing capabilities mean clients do not have to focus on a financial transaction at the end of a session, while the system simplifies billing and payment activities for therapists. Ivy Pay … Read more
It is not necessary to make PayPal HIPAA compliant before accepting payments from patients because payment processors such as PayPal are exempt from complying with the HIPAA regulations for payment processing activities. However, it is not possible to use any other of PayPal’s services in compliance with HIPAA. When HIPAA was passed in 1996, it … Read more
The civil penalty for unknowingly violating HIPAA falls within the range of $137 and $68,928 per violation (January 2024) depending on whether the covered entity or business associate could not have avoided the violation with a reasonable amount of care, or should have known the violation was a possibility, but failed to adopt measures to … Read more
You can get fired for an accidental HIPAA violation depending on the nature of the HIPAA violation, the consequences of the violation, your employer’s workplace sanctions policy, and your previous record of accidental violations. . Whether accidental or not, HIPAA violations are serious events. PHI often contains very sensitive material, and it it gets into … Read more
Phone calls can be a HIPAA violation if Protected Health Information (PHI) is disclosed for an impermissible purpose, to an unauthorized person, or for a purpose or to a person that the subject of the PHI has requested PHI is not disclosed (for example, to a health plan when treatment has been paid for privately … Read more
The HIPAA training requirements are that members of a covered entity’s workforce must be provided with training on the covered entity’s HIPAA policies and procedures when they first start working for the covered entity or when there is a material change to the policies and procedures. All employees of covered entities and business associates must … Read more
Workplace gossip is a HIPAA violation if it involves telling a story about an individual whose individually identifiable health information or any personal details stored in the same data set as their health information is protected by the HIPAA Privacy Rule. Is workplace gossip a HIPAA violation when it is only natural that colleagues will … Read more
Telling a story about a patient can be a HIPAA violation in a number of circumstances, but generally whether telling a story counts as a HIPAA violation will depend on the nature of the story, who told the story, who the story was about and – crucially – whether the story contained any individually identifiable … Read more
The HIPAA Omnibus Rule 2013 mandated changes to Parts 160 and 164 of the HIPAA Administrative Simplification Regulations to implement modifications to the Enforcement, Security, Breach Notification, and Privacy Rules required by the HITECH Act. In addition, the HIPAA Omnibus Rule 2013 made further changes to the Privacy Rule to address events that were hampering … Read more
This is a list of the most common HIPAA training questions and the corresponding HIPAA training answers: What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 to protect the privacy and security of patients’ health information. Who needs HIPAA training? HIPAA training is essential for … Read more
When incorporating HIPAA compliance onto your resume, establish a dedicated section, such as “Certifications” or “Professional Training,” to underscore your expertise. Clearly label it with a precise heading like “HIPAA Compliance Certification” to emphasize your qualification. Provide essential certification details, including course name, institution, and completion date. Briefly outline the core subjects covered—ranging from patient … Read more
Patient rights under HIPAA encompass the right to access and obtain copies of their health information, the right to request corrections to their records, the right to receive privacy notices, the right to control the sharing of their health information, the right to file complaints about privacy violations, the right to know who has accessed … Read more
Most of the recent changes to HIPAA have been relatively minor, however the Department of Health and Human Services has published multiple Requests for Information (RFIs) and Notices of Proposed Rulemaking (NPRMs) in recent years which imply some significant changes are about to take place. The HIPAA Administrative Simplification Regulations (45 CFR Parts 160,162, and … Read more
HIPAA training for mental health professionals should be more thorough than for other health care professionals due to the number of times mental health professionals may be required to make decisions about disclosing PHI based on their professional judgement. Under §164.530(b) of the Privacy Rule, covered entities “must train all members of the workforce on … Read more
How long it takes to get HIPAA certified depends on factors such as the motive for getting HIPAA certified, the certification requirements, and the amount of time available to fulfil the requirements. HIPAA certifications do not absolve individual and organizations from any obligations they have under HIPAA to protect the privacy and security of individually … Read more
HIPAA was created by many people including members of the Clinton Health Plan Task Force, Senators Kennedy and Kassebaum, Rep. Bill Archer, and Donna Shalala and her team at the Department of Health and Human Services. There is no single person answer to the question who created HIPAA. This is because HIPAA evolved from the … Read more
HIPAA was created as a result of the Clinton administration’s ambitious, but unsuccessful, attempt to pass a Health Security Act. HIPAA addressed the area of the Health Security Act related to health insurance reforms, which enabled the bill’s supporters to include measures that protect the privacy and security of individually identifiable health information. One of … Read more
There is no standard answer to what to do if accused of a HIPAA violation because what you should do depends on your responsibility for HIPAA compliance, who is accusing you of a HIPAA violation, and the violation you are being accused of. In 2021, HHS’ Office for Civil Rights received 34,077 complaints alleging violations … Read more
HIPAA training is important because it educates healthcare professionals and associated administrative and IT personnel on the legal and ethical obligations of safeguarding patient health information, ensuring compliance with regulations, reducing the risk of data breaches, and fostering a culture of privacy and trust within the healthcare system. HIPAA training plays a role in educating healthcare professionals and associated personnel … Read more
HIPAA training for employees is a important educational initiative within healthcare organizations, equipping staff with the knowledge and skills necessary to uphold the stringent privacy and security standards mandated by HIPAA, thereby ensuring the confidentiality of patient information, mitigating the risk of data breaches, and maintaining compliance with legal and ethical obligations. HIPAA training has a central role in … Read more
HIPAA Training for Business Associates is an educational program designed to instruct individuals and organizations that provide services to healthcare entities (business associates) about their responsibilities and obligations under the HIPAA, ensuring they understand the rules and regulations governing the handling and safeguarding of protected health information (PHI) when working with healthcare clients, thereby promoting … Read more
The HIPAA provides advantages such as enhancing patient privacy and data security, fostering interoperability and streamlined healthcare processes, promoting standardized electronic transactions, and facilitating research; however, it also comes with disadvantages including complex compliance requirements, potential administrative burdens, inhibiting certain research activities, and imposing additional costs on healthcare entities. HIPAA’s Privacy Rule establishes strict guidelines … Read more
HIPAA privacy and security training is designed to train all staff exposed to protected health information (PHI) within the healthcare industry. This comprehensive training encompasses the essential aspects of the HIPAA to ensure that individuals across various roles, including healthcare professionals, administrative staff, and IT experts, possess the knowledge, skills, and awareness required for preserving the confidentiality, integrity, and … Read more
Healthcare compliance is an essential activity for organizations in, or providing a service to, the healthcare industry. It involves adherence to laws, regulations, standards, and practices that govern healthcare providers, payers, pharmaceutical companies, and other entities involved in the delivery of health care. Components of Healthcare Compliance Federal and State Laws Healthcare compliance requires adherence … Read more
What happens after a HIPAA complaint is filed with HHS’ Office for Civil Rights is that the complaint goes through a process established by the HIPAA Enforcement Rule (2006) and fine-tuned by the HIPAA Final Omnibus Rule (2013). The process can be found in §160.300 of the HIPAA Administrative Simplification Regulations, and consists of: Initial … Read more
Although OneDrive can be configured to support HIPAA compliance, there is more to making OneDrive HIPAA compliant than adjusting a few settings and entering into a Business Associate Agreement with Microsoft. Many healthcare organizations subscribe to an Office 365 or Microsoft 365 business plan to access apps and services such as Word, Excel, and PowerPoint. … Read more
Because no software is HIPAA compliant by default, HIPAA Covered Entities and Business Associates that use or disclose PHI via the Microsoft Teams platform need to know how to make Microsoft Teams HIPAA compliant. Microsoft Teams is a sophisticated communications platform with secure chat, video, and file-sharing capabilities. Due to the many integrations and add-ons … Read more
The term HIPAA compliant telemedicine relates to the remote delivery of healthcare to patients and remote collaboration between healthcare providers while complying with the standards of the Privacy Rule and the safeguards of the Security Rule. Due to the nature of remote healthcare delivery and collaboration, it is not always easy to comply with the … Read more
The question ‘are Google Forms HIPAA compliant and suitable for use by healthcare organizations?’ is important when the Workspaces service is used to collect, store, or share Protected Health Information. Google Forms is a popular survey tool that allows users to create forms for data collection purposes and then export the data for analysis. Typically, … Read more
The HIPAA electronic signature rule is – at present – a proposed rule published by the Department for Health and Human Services in December 2022. If adopted, the HIPAA electronic signature rule would apply to a limited number of covered transactions. However, it could subsequently be extended to apply to other types of covered transactions … Read more
HIPAA compliance training for dental offices is an essential component of ensuring the privacy and security of patient information, mitigating risks of data breaches, adhering to legal requirements set forth by HIPAA, and promoting a culture of confidentiality and ethical practices within the dental profession. Protecting this information from unauthorized access, use, or disclosure is … Read more
HIPAA training for healthcare workers is a crucial component of ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA), as it provides comprehensive education and guidance on the regulations, policies, and procedures related to patient privacy, security of protected health information (PHI), proper use and disclosure of PHI, patient rights, breach management, and … Read more
HIPAA training is typically required to be conducted annually to ensure healthcare professionals and organizations stay up-to-date with the latest regulations, best practices, and any changes in policies or procedures related to the protection of patient privacy and security of health information. The purpose of annual HIPAA training is to ensure that healthcare professionals are … Read more
Many people will be familiar with the concept of Protected Health Information, and know that it must be safeguarded under the Health Insurance Portability and Accountability Act of 1996. But what are examples of Protected Health Information? How is it distinguished from other categories of information? The Health Insurance Portability and Accountability Act of 1996 … Read more
HIPAA violations are extremely serious in nature, but can you go to jail for a HIPAA violation? Is this a risk for all violations, or is it only certain ones that will result in jail terms? The answer, perhaps unsurprisingly, is yes you can go to jail for violating HIPAA. However, it is extremely unlikely … Read more
One of the core parts of the Health Insurance Portability and Accountability Act of 1996 is to protect patient privacy. Yet not all data is protected by HIPAA. The Act defines a subset of information – protected health information, or PHI – that it applies to. One of the key features of PHI is that … Read more
Though most HIPAA violations are avoidable, that some violations will occur is inevitable. Even the most diligent worker will occasionally make a mistake and, for example, send an email to the incorrect recipient. Incidental violations may also occur despite an individual’s best efforts. Should these violations occur, investigations will need to take place to determine … Read more
How you respond to a possible HIPAA violation can depend on the nature of the possible violation, how you become aware of it, and where the event occurs. For example, an alleged disclosure of more than the minimum necessary PHI in a circumstance that is unlikely to result in harm will be responded to differently … Read more
In 2011, the Office for Civil Rights commenced a series of pilot compliance audits to assess how well healthcare providers were implementing HIPAA Privacy and Security Rules. The first found of audits was completed in 2012 and highlighted many companies were failing to comply with even the most basic of HIPAA’s rules. Audited organizations registered … Read more
Due to its technical and often ambiguous language, complying with the HIPAA Security Rule can present some difficulty for dental offices. One easy solution to complying with the HIPAA Security Rule that is being widely adopted in all areas of the healthcare industry the implementation of a system of secure messaging. Secure messaging is conducted … Read more
Why was HIPAA created? HIPAA’s Origins In August 1996, when the Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law, the first of its kind created. Those who created HIPAA claimed that it was made to “improve the portability and accountability of health insurance coverage” for employees between jobs. Combatting waste, fraud and … Read more
To answer the question does HIPAA apply to pharmacies, it is necessary to review the definitions of HIPAA Covered Entities, healthcare providers, and health care in the General Administrative Requirements of the Administrative Simplification provisions. Most people assume that HIPAA does apply to pharmacies because pharmacies have access to health information when they fill prescriptions. … Read more
The Health Insurance Portability and Accountability Act was established in 1996 and covers many aspects of patient privacy. To help enforce the Act, the Enforcement Rule of 2006 was added that gave the Office for Civil Rights the ability to prosecute for HIPAA violations. The hope was that by issuing financial – and sometimes criminal … Read more
A large part of data privacy concerns how long data can be stored after use. This is also covered by the HIPAA, which stipulates in its rules how long data can be retained after it has been collected and used. Individual States may have their own rules and legislation regarding this issue, but for the … Read more
The Health Insurance Portability and Accountability Act (1996) covers all areas of patient privacy. Its main purpose is to ensure that all protected health information (PHI) and electronic PHI (ePHI) remains secure and confidential. However, it must not be so restrictive that when healthcare professionals need to share PHI to accomplish a treatment-related task they … Read more
Under the Breach Notification rule, all HIPAA violations must be reported within 60 days of its discovery. However, it can be confusing for CEs and BAs to determine who to report the breach to, and what details the breach notification should contain. Reporting a HIPAA Violation Anyone can report a HIPAA violation to the Department … Read more
HIPAA came into effect in 1996, with the initial goal of easing the transfer of health insurance policies and other health documents between employers. Since then, it has come to cover many aspects of health data, namely concerning Protected Health Information (PHI). Additions and alterations were made to HIPAA legislation came in 2003 via the … Read more
PHI stands for Protected Health Information, which refers to any information in a medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service such as diagnosis or treatment. The question what does PHI stand for is … Read more
First enacted in 2002, the HIPAA Privacy Rule (also known as the “Standards for Privacy of Individually Identifiable Health Information”) regulates who can access patient health data. Such data, termed Protected Health Information (PHI), must only be disclosed to necessary individuals without interrupting its processing. HIPAA applies to any party that is deemed a “covered … Read more
Confusingly, though the encryption of Protected Health Information (PHI) is defined as an “addressable” requirement under HIPAA legislation it is compulsory. The use of the term “addressable” merely means that it is up to covered entities (CEs; those who can access and modify PHI) to decide how best to encrypt the data. The encryption is, … Read more
HIPAA risk assessments, though often tedious, are a critical part of ensuring HIPAA compliance. The Security Rule, created in 2003 to ensure that electronic health data is only accessed by authorized personnel, was the first part of HIPAA that required such risk assessments. Password Requirements The Security Awareness and Training section of the Security Rule … Read more
The answer to the question does using email to send patient names and ePHI violate HIPAA Rules is that it depends on the content of the email, who it is being sent to, and what for; and whether controls are in place to ensure transmission security – when required. Questions such as does using email … Read more
HIPAA compliance software provides a range of tools to help organizations achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) and maintain compliance thereafter. However, because of the complexity of HIPAA, organizations are advised to select a software solution from a vendor who also provides support, training, and guidance. Most HIPAA Covered Entities … Read more
Calendly is a tool that is popularly used by many businesses for managing meeting and appointment schedules. Can Calendly be used by healthcare organizations? Does it’s use comply with HIPAA? Businesses generally spend considerable time and effort scheduling meetings and appointments and going after employees to confirm appointments. Calendly is created to do away with … Read more
Evernote is a cloud-based application that is handy for taking notes, planning projects, making to do lists, and working together in teams. Nevertheless, can healthcare professionals and doctors use Evernote with ePHI without HIPAA violation? Does Evernote support HIPAA compliance? Evernote is intended to be an accessible database for many digital data, including documents, images, … Read more
Google Keep is a web-based note taking program that makes it possible to create notes and share them through several devices. The platform is famous, but is it HIPAA compliant? Can healthcare organizations use Google Keep in association with ePHI? Google has created numerous products that may be employed in healthcare. Google has been known … Read more
Return Path is an email marketing and optimization system that allows organizations to have autopilot management of their email marketing campaigns and analytics. A lot of organizations use Return Path. Can healthcare organizations do the same? Does Return Path support HIPAA compliance? Sending Emails to Patients and Health Plan Members There are guidelines that healthcare … Read more
An employee who discovers an HIPAA violation committed by the company management or by a co-employee may want to report the incident to the Department of Health and Human Services’ Office for Civil Rights (OCR). An employee can report a HIPAA violation to OCR, but investigation will only proceed if the HIPAA violation report was … Read more
About 750,000 businesses today use Zoom as it is a popular video and web conferencing program. Are healthcare organizations allowed to use Zoom for sharing PHI? Does it support HIPAA compliance? Since Zoom is a video and web conferencing platform that is cloud-based, it makes it possible for people from various locations to join web … Read more
Google Sheets is a service for creating, viewing and sharing spreadsheets provided by Google. Is it all right for HIPAA-covered entities to use Google Sheets in conjunction with identifiable protected health information? Does it constitute violating the HIPAA rules? As per the HIPAA Rules, healthcare organizations need to protect the confidentiality, availability and integrity of … Read more
In relation to the use of new technology, the healthcare industry is quite slow compared to other industries. It is an undeniable fact that the healthcare industry seems to refuse change, even if those changes would be considerably profitable to patients. In this time of advanced technology when tablets, Smartphones and the Internet of Things … Read more
Can Google Docs be considered as HIPAA compliant? Is uploading of files with protected health information (PHI) to Google Docs allowed? This post will evaluate the HIPAA compliance of Google Docs and determine if HIPAA-covered entities or business associates can use it in conjunction with ePHI. Does Google Docs Encrypt Files? To be HIPAA compliant, … Read more
Healthcare organizations often ask about the HIPAA compliance of Google services. One Google product that particularly caused some misunderstandings is Google Hangouts. Can healthcare professionals use Google Hangouts to send and receive protected health information (PHI)? Is it HIPAA Compliant? Google Hangouts is Google’s video chat system that took the place of Huddle or Google+ … Read more
Cloud storage services are a convenient way for people to store and share data. Though people use diverse devices from varied places, they can gain access to the uploaded data files provided that they are hooked up to the internet. Does this technology support HIPAA compliance? Can healthcare organizations utilize iCloud to keep electronic protected … Read more
WebEx is an online video conferencing and collaboration platform that organizations use to facilitate communication among persons and partners from different places so that they are as if meeting all in one place. Can healthcare organizations use WebEx as well? Is it HIPAA compliant? If using resources such as WebEx, healthcare organizations can make connections … Read more
Zoho is a collection of cloud-based tools and applications developed by a Pleasanton, CA-based company since 1996. Zoho products and services include the following: Zoho Mail (email) Zoho CRM (a customer relationship management platform) Zoho Show (presentation program) Zoho Docs (document editor) Zoho Sheet (spreadsheet editor) Zoho Creator ( app builder) Zoho Chat (live chat … Read more
Can healthcare companies use HelloFax for sending documents with protected health information (PHI)? Does this fax service support HIPAA compliance? Regular fax machines are not the same as digital fax services. Healthcare companies have been utilizing this piece of equipment to transfer physical documents including those that contain PHI from one fax machine to another. … Read more
Slack is a useful communication and collaboration tool. But the HIPAA compliance of Slack before using in the healthcare industry must be clarified. . Can Slack be used by healthcare organizations for disclosing protected health information (PHI) without breaking the HIPAA? From the time Slack was introduced, it is not regarded as HIPAA compliant, although … Read more
The HIPAA Risk analysis is an essential part of HIPAA compliance, however plenty of healthcare companies and business associates fail at it. Hence they are prone to paying for pricey data breaches and big financial fines for HIPAA noncompliance. HIPAA Risk Analysis – What is it? As per 45 C.F.R. § 164.308(u)(1)(ii)(A), the HIPAA Security … Read more
In order to comply with the HIPAA password requirements, it is best to understand what they are so you can determine whether they apply to your organization. This is because if an organization uses HIPAA compliant authentication methods other than usernames and passwords to control access to ePHI the HIPAA Password requirements may not apply. … Read more
The Department of Health and Human Services’ Office for Civil Rights released its cybersecurity newsletter for August 2018 and told HIPAA-covered entities to be certain to employ physical, administrative and technical safety measures to keep the privacy, integrity, and accessibility of electronic protected health information (ePHI) protected. A similar care ought to be applied to … Read more
A patient-signed HIPAA release form should be secured before sharing the protected health information (PHI) with other people or providers, except in the event of scheduled disclosures for therapy, payment or healthcare operations allowed by the HIPAA Privacy Rule. Brief summary of the HIPAA Privacy Rule The HIPAA Privacy Rule (45 CFR §164.500-534) was enacted … Read more
Geofencing technology creates an electronic fence surrounding a specific location or area online. Going into that invisible boundary triggers the sending of push notifications to the person’s mobile phone. Retailers began using this geofencing technology some time back. Google is likewise using it to alert users based upon location. A digital marketing firm is helping … Read more
Entities working in the healthcare industry need access to protected health information (PHI), which is why they need to know what the HIPAA law considers as PHI. PHI confidentiality, integrity and availability are safeguarded by the HIPAA Security Rule, while PHI uses and disclosure are limited by the HIPAA Privacy Rule. If an entity violates … Read more
Intercom is a messaging software-as-a-service solution that is popular among businesses that chat with their clients. There is a potential use for this software in the healthcare industry when healthcare providers and patients chat with each other. Does Intercom comply with HIPAA rules when used in connection with electronic protected health information (ePHI)? Before HIPAA … Read more
SendGrid is a service that businesses use for sending email messages. It is a very quick and easy way to communicate marketing messages to clients. Even so, can healthcare organizations use SendGrid without breaking HIPAA rules? Does SendGrid comply with HIPAA requirements? The conduit exception rule does not cover businesses that offer cloud-based email marketing … Read more
A HIPAA audit checklist is a list of the HIPAA regulations and standards that apply to a covered entity’s operations which can be used to assess the covered entity’s compliance with HIPAA. Because not all regulations and standards affect covered entities’ operations in the same way, there is no one-size-fits-all HIPAA audit checklist. One of … Read more
The healthcare industry experiences many insider breaches every year which calls on covered entities and business associates to take steps to reduce the occurrence of these incidents. There are four ways of categorizing the different approaches to mitigate insider threats: Educate: It refers to teaching the workforce about the allowable uses and disclosures of PHI, … Read more
Healthcare employees need to be aware of the HIPAA rules and regulations and the possible penalties if they break these rules. This is why covered entities need to conduct HIPAA awareness training for their employees. In case a healthcare employee breaks the HIPAA rules, four outcomes are possible. The employer may opt to deal with … Read more
Uber Health, which beta launched this March, is a platform that is used for arranging cost effective transportation for patients. About 100 healthcare organizations need to try the platform before it is officially launched. However, there are questions raised on the HIPAA compliance of Uber Health. Uber Health features an online dashboard that healthcare providers … Read more
WordPress is a popular content management system that anyone can use to create websites quickly. Many businesses use WordPress but is it HIPAA compliant so that healthcare organizations can use the platform in connection with protected health information? The HIPAA compliance requirements for websites are actually a little vague. But with respect to the storage … Read more
If you’re thinking of setting up a business in the healthcare industry that will likely have access to protected health information, it’s necessary to know how to be HIPAA compliant. What does it mean to be HIPAA compliant and how do healthcare organizations achieve this status? It’s not easy to become HIPAA compliant because it … Read more
Google Calendar is one of the products and services offered in Google’s G Suite, which was launched in 2006. It is a tool that is used for time management and scheduling of appointments. Will the use of this tool by healthcare organizations, which may require adding protected health information (PHI), be considered a HIPAA rules … Read more
Google Slides is a web-based presentation editor that can be used to create slide shows, project presentations and training material. It can be used for free by any person who doesn’t have a software program with the same functionality like Microsoft PowerPoint. Is it possible for healthcare organizations to use Google Slides in connection with … Read more
Many healthcare organizations today use cloud platforms like Azure and AWS. In fact, the value of the healthcare cloud computing market was determined to be $4.65 billion in 2016 and would likely rise to over $14.76 billion by 2022. According to KeyBlanc, Amazon AWS is the leading cloud platform with a 62% market share, followed … Read more
When covered entities “knowingly” violate HIPAA Rules, what is the financial penalty and when are fines issued? It is important to know the answers to these questions as these relate to the safety and integrity of people’s healthcare information. The Health Insurance Portability and Accountability Act or HIPAA is a federal law that healthcare organization … Read more
Zendesk is a platform offering customer service software and support ticketing system. Over 200,000 companies use Zendesk for handling customer support, managing customer queries and building relationships with clients. Can healthcare organizations in the U.S. also use Zendesk products and services for patient communication and electronic protected health information (ePHI) management? Is Zendesk compliant with … Read more
Office 365 is Microsoft’s set of subscription products that includes the following programs: Word, Excel, OneNote, PowerPoint, Outlook, Access and Publisher. Can healthcare organizations use Office 365 without violating the HIPAA and HiTECH Act Rules? If HIPAA covered entities purchase Office 365 through the Volume Licensing Programs or the Dynamics CRM Online Portal, Microsoft is … Read more
Vendors who offer their services to healthcare organizations understand the importance of being recognized as HIPAA compliant. Hence, many service providers often ask if it is possible to get a HIPAA certification? Ideally, a HIPAA certification would serve as proof that a third-party vendor understands and follows all aspects of HIPAA rules. If for example … Read more
eFileCabinet is a document management system (DMS) that many businesses have been using for on-site and cloud storage. Is this platform suitable for healthcare organizations to use, too? Is it HIPAA compliant? Document management systems (DMS) help businesses and organizations maintain, manage, and safely store electronic documents in a single location. Systems like this simplify … Read more
Using the cloud as repository of ePHI has certain advantages that prompt many healthcare organizations to transition to the cloud. Here are a number of key benefits of cloud computing: Healthcare organizations can increase data center capacity by linking to a public cloud. This is possible without needing to invest in more hardware. The cloud … Read more
Many healthcare organizations are transitioning to utilizing the cloud for managing patients’ ePHI. But before any HIPAA covered entity does the same thing, it is necessary to understand important matters such as HIPAA compliance and the requirements for cloud computing. In this article, common misconceptions about HIPAA compliance and cloud computing will be discussed to … Read more
Ademero is a document management software (DMS) that businesses use to monitor and manage their documents. The software likewise helps them go paperless and transition to digital. Will using Ademero, however, not violate any HIPAA Rules? The HIPAA Security Rule incorporates required and addressable usage details. These required usage details or implementation specifications, when executed, … Read more
When HIPAA-covered entities along with their business associates stop doing business, the duty to follow HIPAA rules doesn’t stop yet. This simple fact was made very clear by the HHS’ Office for Civil Rights (OCR) when it charged FileFax Inc with penalty amounting to $100,000 for violating HIPAA rule. FileFax is a firm in Northbrook, … Read more
Box is another popular cloud storage and content management service. Anyone can create a Box account and use personally for file-sharing, uploading content and inviting others to view or edit the content. Businesses that want to use Box must sign up for a business, enterprise or elite account. Can healthcare organizations also use Box for … Read more
Before answering the question whether FaceTime is HIPAA compliant, it has to be acknowledged at the outset that no communications platform will be completely HIPAA compliant basically because the law deals with users and not technology. That being said, two things need to be considered to be able to tell if the app adheres to … Read more
According to the Protected Health Information Data Breach Report of Verizon, 58% of healthcare data breaches are caused by insiders. The problem is the difficulty of detecting insider breaches. 75% of insider threats go unnoticed. For instance, a healthcare employee at a Massachussetts hospital was accessing healthcare records without authorization for 14 years. When he … Read more
Healthcare organizations can use email to send messages internally. If the email system is protected by a firewall, there’s no need to encrypt messages. But if messages with protected health information will be sent externally beyond the firewall, it is necessary to make sure that only authorized persons will see the messages. The email service … Read more
How many healthcare data breaches occurred in 2017 and how many of those violated HIPAA rules resulted in financial penalties? It’s difficult to get accurate data about HIPAA violations for several reasons. First, many data breaches are not reported. The Department of Health and Human Services’ Office for Civil Rights only publish on its breach … Read more
Can HIPAA-covered entities use G Suite without violating HIPAA Rules? G Suite was developed by Google with privacy and security protection features necessary to safeguard data. It satisfies the required standards of the HIPAA Security Rule. If necessary, Google willingly signs a business associate agreement with a HIPAA-covered entity. Does this mean G Suite is … Read more
Many covered entities get confused on the topic of HIPAA medical records retention and other record retention requirements. But the retention requirements of HIPAA are pretty straightforward and will be clarified in this article. The first thing to know is that there is no HIPAA medical records retention period. The Privacy Rule does not specify … Read more
The Centers for Medicare and Medicaid Services (CMS) sent emails to healthcare providers last November 2017 to explain the prohibited use of text messages in healthcare because of security and patient privacy concerns. SMS messages are not secure and could expose patients’ sensitive data and affect the integrity of medical records. Although there are SMS … Read more
Can healthcare organizations and its employees use Google Voice? Is it HIPAA compliant? Google Voice is a telephony service that provides voicemail and voicemail transcription to text. It can be used for sending text messages for free as well. With its useful features, many healthcare professionals would like to use it not just for work … Read more
Healthcare organizations are not prohibited by HIPAA to use cloud services. Cloud services allow organizations to lower their IT costs. But there are rules to follow before any cloud service can be used to ensure the security and confidentiality of protected health information. One of the cloud service providers out there is Microsoft Azure. So … Read more
Many HIPAA covered entities do not fully understand the HIPAA Conduit Exception Rule. As a result, there are services that are misclassified as conduit when in reality they are business associates. This is a violation of HIPAA rules and attracts financial penalties. The issuance of HIPAA Omnibus Final Rule on January 25, 2014 introduced an … Read more
HIPAA-covered entities are responsible for making sure that the transmission of protected health information by email is secured. The entity may choose any HIPAA compliant email provider as long as appropriate controls guarantee PHI confidentiality, integrity and availability. A HIPAA compliant email provider must offer end-to-end encryption of messages. It doesn’t matter if the software … Read more
The HIPAA Security Rule requires the effective management of information access. Employees who are granted access to protected health information must have proper authorization. But what happens when employees leave their work? The organization needs to make sure that PHI access privileges are terminated immediately. If procedures to terminate access to PHI are not implemented, … Read more
Bill Clinton signed the Health Insurance Portability and Accountability Act or HIPAA on August 21, 1996. The HIPAA ensured the continuity of health insurance coverage for everyone, especially the employees that were between jobs. It also accomplished the following: set standards as to the amount of pre-tax medical savings that could be saved prohibited tax-deduction … Read more
Under certain circumstances, texting Protected Health Information (PHI) can be deemed as a violation of HIPAA. The classification as a violation is dependent upon the message’s content and the recipient. Furthermore, the effort that the sender put into maintaining the integrity of PHI is also considered. If the PHI is well-protected, then texting may be … Read more
The Health Insurance Portability and Accountability Act (HIPAA) is an important piece of legislation, first introduced in 1996. But, why is HIPAA so important? How has HIPAA helped to improve the healthcare industry and the care given to patients? HIPAA was designed to address one issue in particular: Insurance coverage for individuals that are “between … Read more
Many dental offices and dental practitioners are self-contained entities. However, HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business … Read more
Dropbox is a popular file hosting service used by many organizations to share files. Dropbox claims that it has implemented measures that now make its software both HIPAA and HITECH Act compliant. However, technically no software or file sharing platform can be HIPAA compliant as its compliance depends on how the software or platform is … Read more
In 1996, the Health Insurance Portability and Accountability Act of 1996 was introduced. In the two decades since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry. Despite its importance, there still exist many healthcare providers and insurers who are unaware of HIPAA obligations. It has … Read more
There has been a huge rise in the number of healthcare workers and other HIPAA-covered entities relying on mobile technology in their day-to-day lives. This rise has seen an increasing use of smartphones, tablets and other portable devices in hospitals, clinics and other places of work. These technological advances have allowed for increased efficiency and … Read more
Since its implementation two decades ago, there has been much ambiguity in whether the use of SMS is HIPAA compliant. HIPAA does not explicitly prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards must be implemented to ensure the confidentiality and integrity of PHI when it is “in … Read more
Google Drive is becoming an increasingly attractive option for many companies to store information online. It is cheaper than installing costly hardware systems and IT infrastructures, and it is easy to use and train staff in using. However, despite the advantages, the question remains over whether healthcare professionals can use this technology and remain HIPAA … Read more
HIPAA Simplified History Legislators originally proposed HIPAA in 1996 as a means of addressing the concerns regarding the privacy and security of patient healthcare information and risks brought by novel technologies. Since then, the Act has expanded into an act of legislation. Broadly, HIPAA governs health insurance fraud and tax provisions for medical savings accounts, … Read more
Skype has been increasingly used by business as a quick and cost-effective form of communication. However, the question remains whether Skype can be used by healthcare professionals in a manner which allows them to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rule. There exists some ambiguity surrounding Skype and … Read more
The “cloud”-a network of servers used for data storage-has seen widespread use in recent years. It offers a convenient and flexible way for organisations-including healthcare providers and other covered entities-to store files, in comparison to traditional data storage methods. However, before healthcare organisations can make use of these benefits, the question of is it possible … Read more
In 1996, the Health Insurance Portability and Accountability Act was introduced into US law. In time since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry, with widespread influence. Despite its importance, many healthcare providers and insurers are still unaware of HIPAA rules, and as a … Read more