Upcoming Webinars

  • No upcoming events

Disclaimer

The analysis of any legal or medical billing is dependent on numerous specific facts — including the factual situations present related to the patients, the practice, the professionals and the medical services and advice. Additionally, laws and regulations and insurance and payer policies are subject to change. The information that has been accurate previously can be particularly dependent on changes in time or circumstances. The information contained in this web site is intended as general information only. It is not intended to serve as medical, health, legal or financial advice or as a substitute for professional advice of a medical coding professional, healthcare consultant, physician or medical professional, legal counsel, accountant or financial advisor. If you have a question about a specific matter, you should contact a professional advisor directly. CPT copyright American Medical Association. All rights reserved. CPT is a registered trademark of the American Medical Association.


Menu
Log in

HIPAA News and Enforcement 

<< First  < Prev   1   2   3   4   Next >  Last >> 
  • 29 Jun 2022 10:43 AM | Zachary Edgar (Administrator)

    On the heels of the Supreme Court ruling in Dobbs vs. Jackson Women’s Health Organization, where the right to safe and legal abortion was taken away, President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra called on HHS agencies to take action to protect access to sexual and reproductive health care, including abortion, pregnancy complications, and other related care. Today, in direct response, the HHS Office for Civil Rights (OCR) issued new guidance to help protect patients seeking reproductive health care, as well as their providers.

    In general, the guidance does two things:

    1. Addresses how federal law and regulations protect individuals’ private medical information (known as protected health information or PHI) relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
    2. Addresses the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.

    According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care.

    “How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” said HHS Secretary Xavier Becerra. “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”

    This guidance addresses the circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of PHI without an individual’s authorization. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. Specifically, the guidance:

    • Reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.
    • Explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

    OCR is also issuing information for individuals about protecting the privacy and security of their health information when using their personal cell phone or tablet. This guidance explains that, in most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. This guidance also provides tips about steps an individual can take to decrease how their cell phone or tablet collects and shares their health and other personal information without the individual’s knowledge. This guidance:

    • Explains how to turn off the location services on Apple and Android devices.
    • Identifies best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.

    The guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.

    The guidance on Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.

    Reference

    https://www.hhs.gov/hipaa/newsroom/index.html

  • 13 Jun 2022 11:32 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth - PDF is no longer in effect.

    This guidance will help individuals to continue to benefit from audio-only telehealth by clarifying how covered entities can provide these services in compliance with the HIPAA Rules and by improving public confidence that covered entities are protecting the privacy and security of their health information.

    While telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area.  Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.

    “Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

    The Guidance on How the HIPAA Rules Permit Health Plans and Covered Health Care Providers to Use Remote Communication Technologies for Audio-Only Telehealth may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

    Reference

    HIPAA News Releases & Bulletins


  • 6 Apr 2022 11:33 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) today released a Request for Information (RFI) seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021.  The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI).  This RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.

    “This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said OCR Director Lisa J. Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

    Through today’s RFI, OCR is seeking public comment on the following provisions of law:

    • Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates1 when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.  Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

      One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

      The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.

      Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

      The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

    OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

    Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more: https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health

    Reference

    HIPAA News Releases & Bulletins


  • 28 Mar 2022 11:34 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations and one matter before an Administration Law Judge related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Two of these cases are part of OCR’s HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to twenty-seven since the initiative began. OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The other enforcement actions result from healthcare providers impermissibly disclosing their patients’ protected health information (PHI).  OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Rules, including the foundational Right of Access provision:

    Reference

    HIPAA News Releases & Bulletins

  • 28 Feb 2022 11:36 AM | Zachary Edgar (Administrator)

    Cyberattacks grabbed headlines throughout 2021 as hacking and IT incidents affected government agencies, major companies, and even supply chains for essential goods, like gasoline.  For healthcare, this year was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the Covid-19 pandemic.  More than one health care provider was forced to cancel surgeries, radiology exams, and other services, because their systems, software, and/or networks had been disabled. And at the end of December, a critical vulnerability in a widely used Java-based software known as “Log4j” grabbed headlines with warnings about the potential risks this security flaw could pose for organizations of all sizes.  Such unpatched vulnerabilities give hackers easy access to an organization’s computer server, and possible entry into other parts of a network. These reports underscore why it is so important for health care to be vigilant in their approach to cybersecurity. With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022.

    All too often, we see that risk analyses only cover the electronic health record.  I cannot underscore enough the importance of enterprise-wide risk analysis.  Risk management strategies need to be comprehensive in scope.  You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.

    If you haven’t looked at your risk management policies and procedures recently to prevent or mitigate these concerns, now is the time to do so.  Some best practices include:

    • Maintaining offline, encrypted backups of data and regularly test your backups;
    • Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface;
    • Regular patches and updates of software and Operating Systems; and
    • Training your employees regarding phishing and other common IT attacks.

    Good cyber hygiene habits help keep your network healthy and protect the ePHI on your systems.  OCR is here to help with guidance and resources:

    Reference

    HIPAA News Releases & Bulletins

  • 20 Dec 2021 11:40 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services' (HHS) through its Office for Civil Rights (OCR) is issuing guidance to help clarify how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits covered health care providers to disclose protected health information to support applications for extreme risk protection orders that temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms.  This guidance helps implement the U.S. Department of Justice's model extreme risk protection order legislation that provides a framework for states to consider in creating laws allowing law enforcement, concerned family members, or others to seek these orders and to intervene in an effort to save lives.  These orders can be an important step toward improving the public's safety by helping to prevent firearm injuries and deaths.

    The guidance issued today by OCR provides new guidance to support an extreme risk protection order on how HIPAA allows covered health care providers to disclose protected health information about an individual, without the individual's authorization. The guidance includes specific examples for each permission.

    "Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country," said HHS Secretary Xavier Becerra. "Today's guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing fire arms."

    "HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis," said OCR Director Lisa J. Pino. "Today's guidance helps clarify legal requirements and to better support individuals in crisis."

    The Guidance on HIPAA and Disclosures of Protected Health Information for Extreme Risk Protection Orders may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/extreme-risk-protection-orders/index.html.

    Reference

    HIPAA News Releases & Bulletins


  • 30 Sep 2021 11:41 AM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine.

    The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records. This is because the HIPAA Privacy Rule only applies to HIPAA covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions), and, in some cases, to their business associates.

    Today's guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies. This information will be helpful to the public as we continue to navigate the COVID-19 pandemic.

    "We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19," said OCR Director Lisa Pino.

    The Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html.

    Reference

    HIPAA News Releases & Bulletins


  • 10 Sep 2021 11:43 AM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces the resolution of its twentieth investigation in its HIPAA Right of Access Initiative.  OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.  Children’s Hospital & Medical Center (CHMC) has agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.  CHMC is located in Omaha, Nebraska, and provides pediatric health care services.

    Reference

    HIPAA News Releases & Bulletins

  • 2 Jun 2021 2:19 PM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has announced its nineteenth settlement of an enforcement action in its HIPAA Right of Access Initiative, which supports individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”) has agreed to take corrective actions and pay $5,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. DELC is a West Virginia based healthcare provider that provides treatment for Endocrine disorders.

    Reference

    HIPAA News Releases & Bulletins


  • 25 May 2021 2:20 PM | Zachary Edgar (Administrator)

    Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  Peachstate is based in Georgia and is certified under the Clinical Laboratory Improvement Amendments of 1988 (CLIA).  Peachstate provides diagnostic and laboratory-developed tests, including clinical and genetic testing services.

    Reference

    HIPAA News Releases & Bulletins


<< First  < Prev   1   2   3   4   Next >  Last >> 


Copyright Med Comply LLC 2022

Med Comply does not claim copyright over US Federal and State materials

CPT codes are copyright 1995-2022 American Medical Association. All rights reserved.


About Us

Join Us

Find Us

Med Comply is a healthcare compliance firm that strives to bring high quality compliance guidance and one-on-one consulting services to small and medium sized physician and NPP practices.   

Learn More

Join today as either a monthly or a yearly member and enjoy full access to the site and ongoing personalized compliance and billing support. 

Join Today

Powered by Wild Apricot Membership Software