All posts by josh


Northwell Health HIPAA Settlement-Agrees To Pay $3.9M

The Feinstein Institute for Medical Research has agreed to settle potential HIPAA violations with a $3.9 million payment and a substantial corrective action plan.

Feinstein is a biomedical research institute based in Manhasset, N.Y., that falls under the Great Neck, N.Y.-based Northwell Health enterprise. In 2012, Feinstein reported a data breach after a computer containing the electronic protected health information of nearly 13,000 patients and research participants was stolen from an employee’s car. Information stored on the laptop included names, birth dates, addresses, Social Security numbers, diagnoses, laboratory results, medications and other medical information.


HHS’ Office of Civil Rights launched an investigation into the breach and determined Feinstein’s security management processes to be incomplete and insufficient to address potential risks and vulnerabilities of electronic PHI, including failure to restrict access to unauthorized users and a lack of policies and procedures to govern the removal of laptops out of its facilities.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”


$25,000 OCR Settlement For Physical Therapy

On February 16, 2016, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it had entered into an agreement with Complete P.T., Pool & Land Physical Therapy, Inc. (CPT), a physical therapy practice located in California, to resolve HIPAA violations arising from CPT’s impermissible disclosure of protected health information (PHI) on its website in the form of patient testimonials.

OCR initiated an investigation in 2012 and determined that CPT had impermissibly disclosed PHI on its website without obtaining HIPAA-compliant authorizations. Specifically, CPT posted patient testimonials, including full names and full-face photographs, without obtaining valid authorizations from the individuals identified in the testimonials. OCR concluded that CPT violated the HIPAA Privacy Rule by failing to reasonably safeguard PHI, impermissibly disclosing PHI, and failing to implement policies and procedures designed to ensure compliance with the Privacy Rule’s authorization requirements.

As part of the resolution agreement, CPT admitted civil liability for violating the Privacy Rule, agreed to pay $25,000, and entered into a three-year corrective action plan (CAP) with OCR. The CAP requires CPT to develop and implement written policies and procedures to ensure Privacy Rule compliance that include, but are not limited to, measures that address (i) permissible uses and disclosures of PHI, and (ii) individual authorization requirements. The CAP also requires CPT to provide workforce training on its HIPAA policies and procedures; subjects CPT to heightened reporting requirements related to HIPAA violations; and obligates CPT to submit annual CAP-compliance reports. In addition to those conditions—which are standard in OCR corrective action plans—the CAP also requires CPT to remove all PHI from its website for which it does not have a valid HIPAA-compliant authorization by February 12, 2016.

For health care providers and suppliers subject to HIPAA, OCR’s resolution agreement with CPT is particularly noteworthy for two reasons:

  1. CPT’s failure to obtain valid authorizations from patients before posting their names and faces on its website represents a straightforward violation of a basic HIPAA requirement that HIPAA-covered entities must be aware of, and comply with, especially in connection with marketing activities that utilize PHI; and
  2. CPT was required to admit civil liability for violating the Privacy Rule, a departure from previous OCR resolution agreements that customarily contain “No Admission” provisions explicitly rejecting any admission of liability. This appears to be the first time a covered entity has been required to admit civil liability as part of a resolution agreement, and may portend a new approach by OCR to investigating and resolving HIPAA complaints.

Original content by JDSupra Business Advisor


When It’s Okay To Share – HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets rules about who can look at and receive an individual’s health information. “Covered entities” that must follow the HIPAA regulations include health plans, most healthcare providers, and healthcare clearinghouses. Business associates of covered entities also must follow parts of the HIPAA regulations.

“Business associates” are generally contractors, subcontractors, and other outside persons and companies that need to be able to access individual health records held by a covered entity to provide a service. Examples of business associates include:

  • Billing companies
  • Companies that help administer health plans
  • Lawyers, accountants, and IT specialists
  • Data management companies

These covered entities and business associates must follow HIPAA regulations or face heavy fines and other penalties. Generally, a covered entity cannot use or share an individual’s health information without written permission, unless the law allows for it.

Examples of when it’s okay to share protected health information without written consent include:

  • When the information is necessary to provide treatment.
  • When not disclosing it would interfere with a disaster relief organization’s ability to respond to an emergency.
  • As necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
  • To relay information about a patient’s location in the facility and general condition.

Providers also may share patient information to the extent necessary to seek payment for services rendered.

Original Content by H.H.S.


Until Death Do Us Part – Divorce And HIPAA Violations

The Office of Civil Rights (“OCR”), a division of the Department of Health and Human Services, recently took the rare step of imposing civil monetary penalties against a large home health provider for violating the Health Insurance Portability and Accountability Act (“HIPAA”), highlighting the importance of developing written policies that meet the realities of how and where employees use documents with patients’ personal health information (“PHI”).


7 Ways to Prepare for 2016 HIPAA Audits

Phase 2 of the audits under the Health Insurance Portability and Accountability Act (HIPAA) is coming this year as the Office of Civil Rights looks to crack down on violations.

HIPAA was signed into law in August of 1996, and the Privacy and Security Rules were both implemented over a decade ago. Moreover, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which made significant changes to a variety of facets of HIPAA, passed in 2009. Section 13411 of the HITECH Act requires the Office of Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services (HHS), to conduct periodic HIPAA audits.

Why is there so much emphasis on meeting standards that have been required for two decades in some instances? It’s due mainly to the increased use of technology in healthcare and accompanying cybersecurity risks. The purpose of this article is to provide an overview of the OCR audit program (phase 2), identify key areas of risk and provide suggestions on how to mitigate adverse findings.


OCR Audit Program

In 2011, OCR launched the requisite OCR Pilot Privacy, Security, and Breach Notification Audit Program. For the first phase, only covered entities were audited. This second phase includes business associates of covered entities.

Regardless of the type of entity, the time frames for the audit are the same. From the time the audit notification letter is sent by OCR, organizations should plan on a 30- to 90-day process. Analogous to a Recovery Audit Contractor (RAC) audit, an entity has a certain period of time to produce the requested information. The information may be requested either on-site or as a desk audit, which is described below.

Next, OCR reviews the information provided and drafts a report. The entity then has the opportunity to review and respond to the draft report, after which OCR finalizes the report.

The scope of the phase 1 audits was limited to the federal Privacy, Security and Breach Notification Rules. This does not mean that no state or international law provision was violated; such provisions simply were not addressed in the phase 1 audits.

Phase 2 audits will be more robust, in part due to a $4 million increase in OCR’s 2016 budget. Another area of difference will be the number of on-site versus desk audits. During the phase 1 audits, covered entities were evaluated by a third party, who visited them on-site. Phase 2 audits will include a greater number of desk audits, in which entities respond from their desks by providing policies and documentation of privacy policies and procedures to HHS.

This serves as a signal: a key administrative area that will be examined during the audits is the adequacy of policies and procedures. Therefore, the number of administrative and security violations could increase significantly.

Key Areas of Risk

A good place for practices to start is to look at the findings from phase 1, as well as recent penalties that were assessed by HHS for HIPAA violations. Violations occurred in the administrative, technical and physical realms. Primarily, policies and procedures were found to be inadequate; encryption of USB drives, laptops and email was found to be lacking; and inadequate employee security awareness and training were some of the major areas of vulnerability.

Suggestions to Mitigate Adverse Findings

The most prudent approach is to be prepared ahead of time, much like an IRS or Joint Commission audit. Whatever aspect of HIPAA compliance an organization is addressing, a good vantage point from which to start is the patient information. Every action should take into account the confidentiality, integrity and availability of the information. The way to make employees and contractors aware is through training. The required way to hold business associates and subcontractors accountable is through the contractual obligations in a business associate agreement (BAA). Moreover, an annual risk assessment is a must. The HHS website is the ideal place to find explanations of what is set out in the laws and regulations.

Here are some tips to make sure that the practice is HIPAA compliant and avoid an adverse audit outcome:

  1. Begin compliance efforts from the vantage point of the government, who may “review pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation”;
  2. Read Section 164.316 for what is required in relation to policies and procedures from an administrative, technical and physical aspect;
  3. Tailor policies and procedures to your individual practice;
  4. Know where the external and internal sources of protected health information are located;
  5. Encrypt everything both at rest and in transit and make sure that the level of encryption utilized is adequate;
  6. Train employees (Trustwave is a reputable vendor that offers online training, and various organizations offer live courses); and
  7. Perform due diligence on various third party risk assessors for expertise, price and quality.

OCR audits and HIPAA compliance should not be taken lightly. RAC audits also started with a pilot program more than a decade ago and now generate a substantial amount of revenue for the government, as well as serving as a check on providers’ claims submissions. Those submissions, by the way, are also required to be HIPAA-compliant.

The overall goal of the phase 2 audits is to raise awareness and provide the opportunity for entities to correct their practices surrounding the creation, receipt, transmission and maintenance of protected health information.

The flip side, however, is that OCR may assess a penalty. Given that there are going to be more on-site and business associate audits, the findings may translate into increased scrutiny by OCR on other fronts. Therefore, organizations of all types should treat an OCR audit like an IRS audit: a practice should be prepared for it. Failure to do so could be costly.

Original content by Modern Medicine Network


Los Angeles Physical Therapist HIPAA Violation – Receives $25,000 Fine

Los Angeles-based Complete P.T. Pool & Land Physical Therapy will pay $25,000 to settle HIPAA violations for allegedly posting patient testimonials, including full names and photos, on its website without obtaining authorization.

The Department of Health and Human Services Office for Civil Rights announced the settlement terms on its website on Feb. 16. The settlement also requires Complete P.T. to adopt and implement a corrective action plan, and annual reporting of compliance efforts for one year.

The complaint filed with the OCR on Aug. 8, 2012 said Complete P.T. was required by HIPAA to seek authorization for the testimonials.

OCR’s investigation revealed that Complete P.T. failed to reasonably safeguard protected health information, disclosed PHI without authorization, and failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements.

“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes,” said OCR Director Jocelyn Samuels in a statement posted on the OCR website. “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

Original content by Healthcare IT News
