Docs, You’ve Been Hacked. What’s Next?

By: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for the safe disclosure of patients’ protected health information. The news headlines showcase giant penalties for violations. However, Florida health care providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act. So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential state exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure? Responses vary based on the situation presented, but below is a good jumping-off point:

Fall 2014 HIPAA Audits: Is Your Business Ready?

By: Jackie Bain

Section 13411 of the HITECH Act authorizes and requires the Department of Health & Human Services Office for Civil Rights (“OCR”) to provide for periodic audits to ensure that covered entities and business associates comply with the HIPAA Privacy and Security Rules. OCR conducted its first round of those audits in 2011 and 2012, and has announced that it will begin a second phase.  Unlike the first phase of audits, which were limited to covered entities, both covered entities and business associates are intended to be audited during this second phase.

How will audited businesses be selected?

This fall, OCR will deliver pre-audit surveys to between 550 and 800 covered entities. OCR is attempting to obtain a fair snapshot of all covered entities, so these pre-audit surveys will be sent to health care providers, health plans, and health clearinghouses. Moreover, the audits will span the gamut of business sizes, from large corporations to solo practitioners. After pre-audit surveys are returned, OCR will randomly select 350 of those covered entities for a full audit. As a part of these full audits, covered entities will be asked to identify their business associates. OCR will then select 50 business associates to participate.

What’s Hot on the #OIG Work Plan for 2014?

The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its 2014 Fiscal Year Work Plan. If you’ve got the stomach for the long version, click here. Around each fiscal year, the Department of Health and Human Services, Office of Inspector General publishes its annual Work Plan, which provides terrific insight into the specific provider behavior and practices the OIG plans to target in 2014. Medicare providers should pay particular attention to the following targeted areas:

HIPAA Stings Dermatology Practice

The US Department of Health and Human Services, Office of Civil Rights is the chief enforcer of HIPAA. The Office’s recent enforcement of HIPAA with respect to a Massachusetts derm practice is illustrative of how the government views HIPAA and how vulnerable medical practices are.

Final Privacy Rule Affects Clinical Research Organizations

The final HITECH Act rule was published on January 25th, and it includes revisions to HIPAA.  The two things affected by the new rule are (1) compound authorizations, and (2) authorizations for future research.

Compound authorizations are basically authorizations for two separate uses of protected health information (PHI).  The new rule allows combining an authorization for a research study with any other written permission for the same study, such as authorization to participate in the research.  The core elements of a valid authorization remain in place.  The intent is just to provide some flexibility in clinical research settings.

Traditionally, authorizations had to be study specific.  The new rule allows authorizations not to be study specific, but they have to describe future uses or disclosures in a way that patients will understand that their PHI could be used in future research.