One of the most common areas of enforcement under HIPAA involves a failure to perform an accurate and thorough risk analysis. Despite the known enforcement history and growing frequency of cybersecurity incidents, lack of compliance with the risk analysis requirement is very common. I sat down with Sammy De La O of IT Direct to get his perspective on performing a risk analysis and addressing the results.
Author Archives: Dena M. Castricone, CIPP/US, CIPM
Part I: How to Improve Your Cybersecurity Defenses Through HIPAA Security Rule Compliance HIPAA Security Rule compliance significantly reduces the risk that a healthcare entity will suffer a cyber incident. During this session, we will look closely at three key HIPAA Security Rule requirements and examine the processes and technologies that both enable compliance as […]
Less than a month after announcing five right of access enforcement action resolutions in one day, the Office for Civil Rights (OCR) announced two more last week.
In just one week, OCR announced settlements totaling $10.6 million with three organizations for alleged systemic HIPAA Security Rule violations. In each of the three cases, the entity self-reported a hacking incident. Combined, the hacking incidents compromised the health information of more than 16 million people. While it’s not common to see three large settlements in one week, enforcement for HIPAA Security Rule non-compliance is not new and likely will continue with increasing intensity.
October is Cybersecurity Awareness Month! It’s no secret that healthcare entities and the businesses that serve them are a popular target for cybercriminals – costing millions each year and damaging reputations. In fact, hacking and IT incidents are the leading cause of reported HIPAA breaches. Healthcare executives need to understand both the risks and […]
Today, OCR announced its largest HIPAA enforcement settlement so far this year. An orthopedic clinic agreed to pay $1.5 million and to adopt a corrective action plan after a 2016 hacking incident that compromised over 200,000 patient records. OCR’s investigation revealed systemic HIPAA Privacy and Security Rule issues. This settlement confirms that HIPAA Security Rule violations remain an important enforcement focus, that post-incident compliance will not excuse pre-incident noncompliance and that seven figure settlements are not reserved just for large hospital systems.
Today, OCR announced five new settlements under its “HIPAA Right of Access Initiative,” making right of access the most prominent area of HIPAA enforcement so far this year. In 2019, OCR indicated that it would prioritize claims involving individuals’ right to receive timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. And it is making good on its promise. All providers must pay special attention to this issue as patient complaints in this area are high and provider compliance typically is not strong.
Conducting an effective internal investigation is a critical compliance function. A flawed investigation may result in a failure to identify a compliance issue or to implement appropriate remediation efforts. This post outlines six important steps to follow in every internal investigation.
HIPAA breaches happen. So long as humans are involved in handling protected health information (PHI), there will be mistakes that result in a breach (and, of course, this does not include hacking incidents or bad actor breaches). For compliance purposes, the response to a breach is key. Providers that respond swiftly, implement corrective measures and timely notify affected patients and file a thorough breach report with the Department of Health and Human Services (DHHS) are far more likely to avoid scrutiny.
Early in the COVID-19 pandemic, Governor Ned Lamont expanded the use of telehealth for Medicaid-enrolled providers and in-network providers through various executive orders (G, DD and FF (collectively, the “Telehealth Executive Orders”)). That expansion included permitting the use of audio-only (telephone) delivery of telehealth services. On Friday, July 31, 2020, the Governor signed legislation, An Act Concerning Telehealth, that codified many of the provisions in the Telehealth Executive Orders through March 15, 2021.