All Posts in Category: HIPAA Blogs


HIPAA Audits Underway! OCR’s Phase 2 Has Begun

On Monday, the HHS Office for Civil Rights (OCR) announced it has rolled out Phase 2 of its HIPAA audits, and entities have already begun receiving initial emails from OCR seeking audit contact information. The Phase 2 Audit Program is aimed at reviewing the policies and procedures of selected covered entities and their business associates to evaluate compliance with the HIPAA Privacy, Security and Breach Notification Rules. OCR’s announcement comes after data breaches in the health care industry compromised over 112 million records in 2015, according to OCR.

Phase 1 Audits

The HITECH Act required OCR to conduct periodic audits of covered entities and their business associates. Beginning in late 2011, OCR implemented a pilot audit program to assess the privacy and security controls and processes implemented by 115 covered entities across the country. Auditors then made site visits to each covered entity to evaluate compliance efforts. Following the site visits, auditors drafted a report describing how the audit was conducted, the compliance findings, and what actions the covered entity had taken in response to those findings. The covered entity then had an opportunity to develop corrective actions to address any identified concerns. The final report submitted to OCR incorporated the steps the covered entity took to resolve any compliance issues.

OCR reviewed the final reports to better understand compliance efforts with respect to the HIPAA Privacy, Security and Breach Notification Rules. In particular, OCR studied the final reports to ascertain what types of technical assistance should be developed and what forms of corrective action are the most effective. In reviewing the final reports, OCR determined several common shortcomings among covered entities, including inadequate risk analysis, outdated policies and procedures, and non-existent contingency plans.

OCR then announced its intentions to initiate a permanent audit program that was originally slated to begin in 2014. However, due to a lack of funding, OCR delayed the program. In May 2015, OCR began sending pre-audit screening surveys to covered entities classified as potential candidates for a Phase 2 Audit Program. In late 2015, OCR confirmed Phase 2 audits would begin in early 2016.

Phase 2 Audits

The Phase 2 Audit Program differs from the Phase 1 audits in two significant ways. First, business associates are included in this round of audits. Second, most of the audits will be desk audits; only a few may ultimately lead to more extensive on-site audits.

Phase 2 has already begun, with OCR sending out emails to covered entities to verify contact information. Every covered entity and business associate is eligible for an audit. Once OCR confirms an entity’s contact information, it will transmit a pre-audit questionnaire to gather data that will be used to create potential audit subject pools. OCR will then identify pools of covered entities and business associates who represent a wide range of organizations subject to the HIPAA Rules.

The Phase 2 Audit Program will be a three-step process. The first set of audits will be desk audits of covered entities, followed by a second round of desk audits of business associates. The desk audits will examine specific compliance requirements of the Privacy, Security and Breach Notification Rules. According to OCR, all desk audits will be completed by the end of December 2016. Finally, while OCR states there will be fewer in-person audits than in the Phase 1 Audit Program, a third set of audits may be conducted onsite; these will be more comprehensive than desk audits and cover a broader range of HIPAA requirements.

In an effort to promote transparency, OCR will post audit protocols on its website closer to the 2016 audits. OCR has also announced the procedures used and results found in the Phase 2 audits will be evaluated so as to develop a permanent HIPAA audit program.

Implications for Health Care Entities

The launch of the Phase 2 Audit Program confirms OCR’s commitment to the evaluation of compliance with and enforcement of the HIPAA Privacy, Security and Breach Notification Rules.

If you are an entity subject to the HIPAA Rules, be on the lookout for emails from OCR and review your HIPAA policies and procedures, risk analysis, and other compliance documents.

OCR’s announcement regarding the launch of Phase 2 of the HIPAA Audit Program can be found here.

If you need Risk Assessments, Managed Services, or just IT Support, give us a call at (818) 356-7188.


Northwell Health HIPAA Settlement: Feinstein Agrees To Pay $3.9M

The Feinstein Institute for Medical Research has agreed to settle potential HIPAA violations with a $3.9 million payment and a substantial corrective action plan.

Feinstein is a biomedical research institute based in Manhasset, N.Y., that falls under the Great Neck, N.Y.-based Northwell Health enterprise. In 2012, Feinstein reported a data breach after a laptop computer containing the electronic protected health information of nearly 13,000 patients and research participants was stolen from an employee’s car. Information stored on the laptop included names, birth dates, addresses, Social Security numbers, diagnoses, laboratory results, medications and other medical information.

Northwell Health HIPAA Settlement

HHS’ Office for Civil Rights launched an investigation into the breach and determined that Feinstein’s security management processes were incomplete and insufficient to address potential risks and vulnerabilities to electronic PHI, including a failure to restrict access to ePHI to authorized users and a lack of policies and procedures governing the removal of laptops from its facilities.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”


$25,000 OCR Settlement For Physical Therapy

On February 16, 2016, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it had entered into an agreement with Complete P.T., Pool & Land Physical Therapy, Inc. (CPT), a physical therapy practice located in California, to resolve HIPAA violations arising from CPT’s impermissible disclosure of protected health information (PHI) on its website in the form of patient testimonials.

OCR initiated an investigation in 2012 and determined that CPT had impermissibly disclosed PHI on its website without obtaining HIPAA-compliant authorizations. Specifically, CPT posted patient testimonials, including full names and full-face photographs, without obtaining valid authorizations from the individuals identified in the testimonials. OCR concluded that CPT violated the HIPAA Privacy Rule by failing to reasonably safeguard PHI, impermissibly disclosing PHI, and failing to implement policies and procedures designed to ensure compliance with the Privacy Rule’s authorization requirements.

As part of the resolution agreement, CPT admitted civil liability for violating the Privacy Rule, agreed to pay $25,000, and entered into a three-year corrective action plan (CAP) with OCR. The CAP requires CPT to develop and implement written policies and procedures to ensure Privacy Rule compliance that include, but are not limited to, measures that address (i) permissible uses and disclosures of PHI, and (ii) individual authorization requirements. The CAP also requires CPT to provide workforce training on its HIPAA policies and procedures; subjects CPT to heightened reporting requirements related to HIPAA violations; and obligates CPT to submit annual CAP-compliance reports. In addition to those conditions—which are standard in OCR corrective action plans—the CAP also requires CPT to remove all PHI from its website for which it does not have a valid HIPAA-compliant authorization by February 12, 2016.

For health care providers and suppliers subject to HIPAA, OCR’s resolution agreement with CPT is particularly noteworthy for two reasons:

  • CPT’s failure to obtain valid authorizations from patients before posting their names and faces on its website represents a straightforward violation of a basic HIPAA requirement that HIPAA-covered entities must be aware of, and comply with, especially in connection with marketing activities that use PHI; and
  • CPT was required to admit civil liability for violating the Privacy Rule, a departure from previous OCR resolution agreements, which customarily contain “No Admission” provisions explicitly rejecting any admission of liability. This appears to be the first time a covered entity has been required to admit civil liability as part of a resolution agreement, and it may portend a new approach by OCR to investigating and resolving HIPAA complaints.

Original content by JDSupra Business Advisor


When It’s Okay To Share – HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets rules about who can look at and receive an individual’s health information. “Covered entities” that must follow the HIPAA regulations include health plans, most healthcare providers, and healthcare clearinghouses. Business associates of covered entities also must follow parts of the HIPAA regulations.

“Business associates” are generally contractors, subcontractors, and other outside persons and companies that need to be able to access individual health records held by a covered entity to provide a service. Examples of business associates include:

  • Billing companies
  • Companies that help administer health plans
  • Lawyers, accountants, and IT specialists
  • Data management companies

These covered entities and business associates must follow HIPAA regulations or face heavy fines and other penalties. Generally, a covered entity cannot use or share an individual’s health information without written permission, unless the law allows for it.

Examples of when it’s okay to share patient information without written consent include:

  • When the information is necessary to provide treatment.
  • When not disclosing it would interfere with a disaster relief organization’s ability to respond to an emergency.
  • As necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
  • To relay information about a patient’s location in the facility and general condition.

Providers also may share patient information to the extent necessary to seek payment for services rendered.

Original content by HHS


Almost 13,000 Affected by Recent Pharmacy Data Breaches

Three data breaches have been reported by pharmacy stores in the past two months, resulting in the PHI of almost 13,000 pharmacy customers being exposed or disclosed to unauthorized individuals.

Walmart Reports Breach of 4,800 Patients’ Data

Walmart recently announced that some of its online pharmacy customers may have had their names, addresses, dates of birth, and prescription histories exposed as a result of a coding error made while the company was migrating data between servers.

Between February 15 and February 18, 2015, online customers who logged into the company’s online pharmacy may have been able to view the data of other customers who logged in at the exact same time. No Social Security numbers or financial data were exposed as a result of the coding error.

Dan Toporek, a spokesperson for Walmart, said a few thousand individuals had been affected, although this is a small percentage of the number of individuals who used the company’s online pharmacy during the four-day stretch.

The data breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), with the breach report indicating 4,800 patients were affected. Toporek said there is no reason to believe that any data have been used inappropriately, although all customers who had their data exposed as a result of the error would be individually notified and offered identity protection services.

Hard Drive Containing 3,000 Customers’ PHI Stolen in Roark’s Pharmacy Burglary

A burglary at Roark’s Pharmacy in Oneida, TN, in January has affected 3,000 of the store’s customers. A hard drive containing customer prescription information and personal data was stolen by thieves who broke into the pharmacy in the early hours of January 13. The break-in and theft were discovered four hours later, when pharmacy owner Terry Roark arrived to open the store at 6:30am.

The thieves took all of the pharmacy’s narcotics, $400 in cash, and a computer hard drive containing the data of 3,000 customers. They are understood to have broken in to steal narcotics and to have taken other items of value, including the hard drive, opportunistically. They gained access to the building by sawing through the door and removing it from its hinges. Law enforcement officers have investigated the burglary and obtained CCTV footage from the service station next door, but the DVR system linked to the pharmacy’s own CCTV cameras was also stolen in the break-in. No suspects have been arrested.

5,000 Customers Affected by Locust Fork Pharmacy Data Breach

Locust Fork Pharmacy in Alabama has reported a security incident to the Office for Civil Rights that has affected 5,000 of its customers. The incident is listed as an “unauthorized access/disclosure”, although no further information has been made available about the incident.


Until Death Do Us Part – Divorce And HIPAA Violations

The Office for Civil Rights (“OCR”), a division of the Department of Health and Human Services, recently took the rare step of imposing civil monetary penalties against a large home health provider for violating the Health Insurance Portability and Accountability Act (“HIPAA”), highlighting the importance of developing written policies that reflect the realities of how and where employees use documents containing patients’ protected health information (“PHI”).
