Tag Archives: HIPAA

HIPAA’s Treatment Exception Permits Sharing with Certain Non-Healthcare Providers

Written in collaboration with Erin MacLean, JD, CHC, CHPC. Over the past several weeks, many have been focused on the proposed changes to the HIPAA Privacy Rule announced in mid-December. While the proposed changes warrant attention and comment, the commentary to those proposed changes from the Department of Health and Human Services’ Office for Civil Rights (OCR) must not be overlooked. In its commentary, OCR provides valuable insights on its interpretation of a provider’s ability to disclose information to third parties under HIPAA’s current treatment exception, including a provider’s ability to share protected health information (PHI) with non-healthcare providers without an authorization.

OCR Kicks off its 2021 HIPAA Enforcement Year with Another Right of Access Settlement

OCR announced its first HIPAA enforcement resolution of 2021. Picking up where it left off in 2020, this settlement involves Right of Access claims and results in a large non-profit health system with several affiliated covered entities agreeing to pay $200,000 to settle claims related to two of its affiliated entities.

Major Changes Proposed to HIPAA Privacy Rule

Two years after issuing a request for information seeking feedback on possible changes to HIPAA and smack dab in the middle of a global pandemic, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) announced major proposed changes to the HIPAA Privacy Rule. The proposed changes focus on coordination of care and significant revisions to the patient right of access provisions, including shortening the timeframe to respond to patient requests for records to 15 days and permitting patients to take photos or videos of their PHI.

Ten HIPAA Right of Access Settlements in Just Two Months

On November 19, 2020, the Office for Civil Rights (OCR) announced its 10th HIPAA Right of Access settlement of the year. OCR publicized its first five Right of Access settlements this year just over two months ago. It added two more in October and then three in November. And with a full month left in 2020, there may be more to come.

A Conversation with IT Direct About the HIPAA Risk Analysis

One of the most common areas of enforcement under HIPAA involves a failure to perform an accurate and thorough risk analysis. Despite the known enforcement history and growing frequency of cybersecurity incidents, lack of compliance with the risk analysis requirement is very common. I sat down with Sammy De La O of IT Direct to get his perspective on performing a risk analysis and addressing the results.

The Crushing Cost of HIPAA Security Rule Non-Compliance

In just one week, OCR announced settlements totaling $10.6 million with three organizations for alleged systemic HIPAA Security Rule violations. In each of the three cases, the entity self-reported a hacking incident. Combined, the hacking incidents compromised the health information of more than 16 million people. While it’s not common to see three large settlements in one week, enforcement for HIPAA Security Rule non-compliance is not new and likely will continue with increasing intensity.

DMC Law and IT Direct Team Up to Offer a 3-Part HIPAA Security and Cybersecurity Webinar

October is Cybersecurity Awareness Month! It’s no secret that healthcare entities and the businesses that serve them are a popular target for cybercriminals – costing millions each year and damaging reputations. In fact, hacking and IT incidents are the leading cause of reported HIPAA breaches. Healthcare executives need to understand both the risks and […]

Hacked Orthopedic Provider to Pay $1.5 Million to Settle Claims of Systemic HIPAA Violations

Today, OCR announced its largest HIPAA enforcement settlement so far this year. An orthopedic clinic agreed to pay $1.5 million and to adopt a corrective action plan after a 2016 hacking incident that compromised over 200,000 patient records. OCR’s investigation revealed systemic HIPAA Privacy and Security Rule issues. This settlement confirms that HIPAA Security Rule violations remain an important enforcement focus, that post-incident compliance will not excuse pre-incident noncompliance, and that seven-figure settlements are not reserved just for large hospital systems.