Report on Patient Privacy

  1. OCR Weighing Options After MD Anderson Loss, Writing Rules for ‘Safe Harbor’ Law

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021 | Author: Theresa Defino

    A loss in a court case, two new federal laws and their own thoughts on how to revise the privacy rule will be keeping officials from the HHS Office for Civil Rights (OCR) busy in the coming months writing rules and regulations. The range of topics OCR will address includes its enforcement approach, harmonization of 42 C.F.R. Part 2 regulations governing substance use records, security practices that would mitigate sanctions, and changes to medical records access requirements, among others...

  2. As Pandemic Enters 2nd Year, CISOs Face Ongoing Telework, Telemedicine Challenges

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021 | Author: Jane Anderson

    As the COVID-19 pandemic progressed from its urgent beginning to almost a “new normal,” chief information security officers (CISOs) at health systems have been fighting to combat emerging cyberthreats while supporting the sudden shift to telemedicine and working from home. In doing so, the officers said, the experience offers lessons for the path forward...

  3. Does 18th Right of Access Settlement Provide Needed ‘Gentle Nudging’?

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021 | Author: Theresa Defino

    The steady stream of resolution agreements between providers and the HHS Office for Civil Rights (OCR) for failures to provide patients their medical records might strike some as overkill. As of the end of March, there were 18 such settlements, which collectively brought OCR $918,500. But because OCR is 10 years late drafting a regulation for sharing penalties, none of that money went to the individuals who struggled to get their protected health information (PHI)...

  4. AHA: Privacy NPRM May Worsen Regulatory ‘Patchwork’

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021 | Author: Theresa Defino

    The notice of proposed rulemaking (NPRM) revising the privacy rule has some provisions worth supporting, but shortening by half the time frame providers would have to respond to an access request isn’t one of them. And if the HHS Office for Civil Rights (OCR) isn’t careful, it may add to the already confusing and burdensome “patchwork of health information privacy requirements” in effect today...

  5. Patient Privacy Court Case: April 2021

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021 | Author: Wogai Mohmand

    On March 11, 2021, Attorney General William Tong of Connecticut announced a settlement with American Medical Collection Agency (AMCA) related to a multistate investigation into a 2019 data breach.[1] AMCA specialized in small-balance medical debt collection primarily related to laboratories and medical testing facilities. From Aug. 1, 2018, to March 30, 2019, an unauthorized user gained access to AMCA’s system. AMCA did not detect the intrusion, and personal information, including Social Security numbers, payment card information, names of medical tests, and diagnostic codes were compromised...

  6. Privacy Briefs: April 2021

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021 | Author: Jane Anderson

    ◆ A Texas Medicaid subcontractor has been terminated after a data breach caused by a ransomware attack originating from Russia exposed the personal information of tens of thousands of low-income residents. A spokesperson for the Texas Health and Human Services Commission also said that the agency did not learn about the extent of the attack, which occurred last April, until it received questions about the incident from The Dallas Morning News.[1] According to news reports, the initial communications to the state agency from the contractor, Accenture, described a multistate incident involving health care providers and insurance billing and collections for...

  7. Fallout From Accellion, Humana Breaches Puts Focus on Subcontractors, Notifications

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021 | Author: Theresa Defino

    In early March, Southern Illinois University (SIU) School of Medicine posted a notice on its website pledging to offer free identity theft protection services for an unspecified number of individuals whose information was on a file transfer appliance (FTA) subject to a cyberattack in December.[1]...

  8. After a Breach Is Too Late: Ensure BA, Subcontractor Compliance Now

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021 | Author: Theresa Defino

    Sometime during the fall, a worker for a subcontractor of Humana Inc. decided to share actual member information from medical records via a Google document with people he was training to be medical coders, part of his attempt to run a “personal coding business endeavor.”[1]...

  9. Select Provisions of Subcontractor Agreement (Sample)

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021

    Below are the sample clauses that might be different or should be specifically considered when a HIPAA business associate (BA) is imposing obligations on subcontractors who may also access a covered entity’s (CE’s) protected health information when performing services for the BA.[1]...

  10. In Wake of 16th OCR Settlement, Time For CEs, BAs to Take Right of Access Seriously

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021 | Author: Jane Anderson

    As the HHS Office for Civil Rights (OCR) continues its crackdown on providers that fail to comply with the HIPAA right of access, privacy experts warn that it’s past time for covered entities (CEs) and business associates (BAs) to upgrade their access policies and procedures, and to take the right of access very seriously...

  11. Points to Consider When Beefing Up Procedures for Access Requests

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021 | Author: Jane Anderson

    HIPAA privacy experts recommend a series of steps for health care entities to take to beef up their medical records access programs—and potentially steer clear of HHS Office for Civil Rights (OCR) penalties in the process...

  12. Patient Privacy Court Case: March 2021

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021 | Author: Wogai Mohmand

    On Jan. 27, 2020, Brandywine Urology Consultants discovered that it was the victim of a ransomware attack.[1] The ransomware attack targeted encrypted records that included patient names, addresses, Social Security numbers, medical file numbers, claims data, and other financial and personal data. There was no attempt to extract a ransom. A group of individuals brought an action against Brandywine on behalf of themselves and on a class basis for claims of negligence, invasion of privacy, breach of contract, breach of fiduciary data, and Delaware security and consumer fraud violations...

  13. To Win Cybersecurity Support, Foster Engagement, Offer Risk-Based Reports

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021 | Author: Jane Anderson

    Health care organizations’ boards of directors and C-suite level officers—particularly chief financial officers (CFOs)—must buy into organizations’ overall HIPAA security and cybersecurity strategies in order for those strategies to be properly funded and supported...

  14. Cybersecurity Board Communication Checklist

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021 | Author: Jane Anderson

    When communicating with high-level company executives and board members about cybersecurity issues, experts advise brevity and clarity—and emphasizing the bottom line.[1]...

  15. Privacy Briefs: March 2021

    Report on Patient Privacy Volume 21, Number 3. March 11, 2021 | Author: Jane Anderson

    ...

  16. Excellus Agrees to Pay $5.1M, Implement CAP To Settle OCR Investigation From 2015 Breach

    Report on Patient Privacy Volume 21, Number 2. February 04, 2021 | Author: Jane Anderson

    Excellus Health Plan Inc., based in Rochester, New York, agreed to pay $5.1 million and implement a two-year corrective action plan (CAP) to settle alleged violations related to a breach that was discovered in 2015 but dated back to 2013. The massive breach exposed protected health information (PHI), including Social Security numbers and claims data, for more than 9.3 million members over the course of nearly 17 months.[1]...

  17. Awaiting New Leader, OCR Collects NPRM Feedback, Closes Breach, 14th Access Case

    Report on Patient Privacy Volume 21, Number 2. February 04, 2021 | Author: Theresa Defino

    Unless an extension is granted or the notice of proposed rulemaking (NPRM) is withdrawn, covered entities (CEs) and business associates (BAs) have until late March to submit comments on possible revisions to the privacy rule. The day after President Biden was sworn in and six weeks after it was first announced,[1] the HHS Office for Civil Rights (OCR) published the NPRM officials posted in December.[2]...

  18. Long-Awaited HIPAA Privacy Revision NPRM on Care Coordination Released

    Report on Patient Privacy Volume 21, Number 2. February 04, 2021 | Author: Jane Anderson

    The HHS Office for Civil Rights (OCR) is moving forward with its plans to modify the HIPAA privacy rule in ways it says will make it easier for health care organizations to share information that will enable them to better coordinate care, perform outcomes research and improve quality over time...

  19. Once Pandemic Under Control, Eyes May Turn to New Federal Legislation

    Report on Patient Privacy Volume 21, Number 2. February 04, 2021 | Author: Jane Anderson

    The prospects for new federal privacy and cybersecurity legislation are improving as the Biden administration takes office, although few observers expect action on the issue before the COVID-19 pandemic is brought under control...

  20. MD Anderson Sees Vindication After Long Battle, Says Others Will Benefit

    Report on Patient Privacy Volume 21, Number 2. February 04, 2021 | Author: Theresa Defino

    True or false: It is possible to be compliant with the encryption standard under the security rule even if not every device has this safeguard installed...

  21. Privacy Briefs: February 2021

    Report on Patient Privacy Volume 21, Number 2. February 04, 2021 | Author: Jane Anderson

    ◆ The Florida Healthy Kids Corporation (FHKC), a Medicaid managed care plan, said one of its vendors, Jelly Bean Communications Design, experienced a security incident spanning seven years that involved “several thousand” Medicaid applicants. Jelly Bean Communications was responsible for hosting the Florida Healthy Kids website during the hacking incident, the managed care company said. “FHKC was notified on December 9, 2020, that several thousand applicant addresses had been inappropriately accessed and tampered with,” said a statement from the managed care company. “These addresses are collected as part of the online Florida KidCare application.” There is no evidence that any...

  22. Security Threats Soar From Nation-State Bad Actors as the New Year Gets Underway

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Jane Anderson

    Security threats to health care entities will continue to escalate in 2021, as bad actors with significant capabilities target pandemic-weary organizations still struggling with a stay-at-home workforce, cybersecurity experts report...

  23. Health Care Cybersecurity Checklist for 2021

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Jane Anderson

    Experts interviewed by RPP recommended a variety of strategies to stay ahead of evolving security threats this year, particularly as the COVID-19 pandemic winds down and threats from highly capable bad actors ramp up...

  24. On the Eve of a New Administration, OCR Offers 'Comprehensive Reforms' to HIPAA

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Theresa Defino

    With barely a month left before the Biden administration is set to take over, the HHS Office for Civil Rights (OCR) announced a proposed regulation that would dispense with the requirement for providers to obtain acknowledgement from patients that they have received a notice of privacy practices (NPP).[1]...

  25. OCR Decries Records Retrieval as 'Cost Center,' Would Require Faster Access

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Theresa Defino

    Citing “substantial confusion” on the issue of “whether or not a provider can charge a reasonable cost based-fee” for records access, the HHS Office for Civil Rights (OCR) is proposing to revise several requirements related to patient’s access to medical records...