The HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule is Effective Today

“On April 26, 2024, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a Final Rule, entitled the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the…

Nearly Three-Quarters of Organizations Were the Target of Attempted Business Email Compromise Attacks

In an article from KnowBe4, new data highlights just how dangerous business email attacks really are. The following is the complete article with helpful links. “Business Email Compromise (BEC) attacks often don’t get the press they require; these attacks utilize a heavy dose of social engineering to spoof company email accounts and impersonate individuals…

What is Social Engineering

Social engineering is a method used by cyber attackers to manipulate people into divulging confidential information or performing actions that compromise security. Unlike traditional hacking methods that rely on exploiting technical vulnerabilities, social engineering exploits human psychology and behavior to achieve its goals. Social engineering techniques can take various forms, such as: Social engineering attacks…

What is Phishing

Phishing is a form of criminally fraudulent social engineering. Phishing is a type of cyber attack where attackers attempt to trick you into divulging sensitive information such as your usernames, passwords, credit card details, or other personal information by posing as a trustworthy entity in an electronic communication. Phishing often mimics legitimate organizations such as banks,…

Watchdog Group Asks 5 Attorneys General to Investigate Crisis Pregnancy Center Privacy Practices

By now I’m sure you’ve heard or read the story about the watchdog group, Campaign for Accountability, asking 5 Attorneys General to investigate pregnancy centers. I find it very suspicious that this news broke the same day the HHS published a final rule amending the HIPAA Privacy Rule in an effort to protect abortionists. Just in…

The Biden-Harris Administration Issues New Rule to Support Reproductive Health Care Privacy Under HIPAA

The Final Rule strengthens privacy protections for medical records and health information for women, their family members, and doctors who are seeking, obtaining, providing, or facilitating lawful reproductive health care. Today, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a Final Rule,…

3 Ways Your Center Can Prepare for Upcoming HIPAA Security Rule changes

There have been rumors swirling about upcoming changes to the HIPAA Security Rule for some time now. Those changes were outlined in a previous article titled “HHS Unveils Healthcare Cybersecurity Strategy.” In preparation for the changes, the following by HealthITSecurity outlines some ways you can prepare your center. “In the decades since the HIPAA Security Rule was…

HHS’ Office for Civil Rights Releases Final Version of Special Publication (SP) 800-66 Revision 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

The HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) are pleased to announce the publication of the final version of Special Publication (SP) 800-66 Revision 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. This revised publication, a collaborative effort between NIST and…

HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Montefiore Medical Center, a non-profit hospital system based in New York City, for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The “OCR is responsible for administering and enforcing health…

HHS Unveils Healthcare Cybersecurity Performance Goals

Related to the previous post, “HHS Unveils Healthcare Cybersecurity Strategy,” the Department of Health and Human Services recently released the voluntary healthcare cybersecurity goals that healthcare organizations should strongly consider implementing. The following article by HealthITSecurity includes links to the paper as well as links to valuable information that may help your center with cybersecurity. The…

HHS Unveils Healthcare Cybersecurity Strategy

The Department of Health and Human Services’ plan to strengthen healthcare cybersecurity is outlined in a new concept paper. The paper includes future updates to HIPAA and the establishment of voluntary performance goals. The following article by HealthITSecurity includes links to the paper as well as links to valuable information that may help your…

HHS RESOLVES PHISHING ATTACK INVESTIGATION

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. Phishing…

Healthcare Cybersecurity Vulnerability Mitigation Guide

The Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity vulnerability mitigation guide for healthcare, stressing the importance of addressing known vulnerabilities and reducing risk across the sector. HealthITSecurity provides an excellent overview. Their article, along with links to the guide and other important resources, is below. The Cybersecurity and Infrastructure Security Agency (CISA) issued a…

OCR Releases Cybersecurity Video: How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks

October is Cybersecurity Awareness Month. The Office for Civil Rights (OCR), the enforcer of the HIPAA Rules, has released a cybersecurity video: How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks. This supports their previously identified goal to prioritize healthcare cybersecurity over the next two years. In recognition of National Cybersecurity Awareness Month, OCR…

Is Your Organization Eligible for Cyber Insurance?

Insurance companies that provide cyber insurance have been educating themselves about today’s cyber environment and the relatively new market of cyber insurance. Now, insurance companies are more aware of the need for their insured organizations to have proper security measures that include a wide range of solutions. As insurers better understand what a “secure organization”…

HHS Plans to Prioritize Healthcare Cybersecurity

The Department of Health and Human Services indicates it will prioritize cybersecurity over the next two years. Below is the article in full from HealthITSecurity outlining the announcement, including links to the White House’s commitment to creating updated healthcare cybersecurity standards, as well as links to additional resources. “HHS and its many agencies and offices serve…

Updated Security Risk Assessment Tool 3.4 Now Available

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) at the U.S. Department of Health and Human Services (HHS) announced the release of version 3.4 of the Security Risk Assessment (SRA) Tool. This is the same tool discussed at several conferences this year. Please use the…

What is the Health Breach Notification Rule and Who Does It Apply To?

According to an article from HealthITSecurity, the Federal Trade Commission’s Health Breach Notification Rule applies to vendors of personal health records, including health apps and other non-HIPAA-covered entities. Below is their article in full, including links to current enforcement actions, proposed changes, examples of covered entities, as well as links to particular sections of the law…

Snooping Into Medical Records is Expensive

The following is a report from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR “announced a settlement with Yakima Valley Memorial Hospital, a not-for-profit community hospital located in Yakima, Washington, resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The OCR investigated…

Responding to Negative Online Comments. Is it worth it?

On June 5, 2023, HHS reached a settlement agreement with a New Jersey psychiatry practice that included, amongst other requirements, a fine of $30,000 to settle a complaint about an impermissible disclosure of protected health information, which occurred when the psychiatry practice disclosed the patient’s protected health information in a response to a negative online review. The…

Protecting Patient Data: The Importance of Cybersecurity in Healthcare

The following is taken from a recent article written by KnowBe4, which does an excellent job explaining the importance of cybersecurity as well as outlining some practices to implement to ensure your organization has a robust cybersecurity program. Give it a read and compare your organization’s practices to those mentioned in the article. Should…

New York Attorney General Fines Practicefirst $550K For Failure to Protect Health Records

It appears that New York Attorney General Letitia James is becoming more aggressive regarding the protection of health records. On May 25, 2023, AG Letitia James fined practice management vendor Practicefirst $550,000 to resolve data security failures stemming from a 2020 data breach that impacted 1.2 million individuals. As outlined by HealthSecurity.com, the “New York-based Practicefirst…

Healthcare Organizations Face Increased Scrutiny

Hacking incidents, new regulatory requirements and compliance initiatives due to Dobbs and Pixel use, and lawsuits against healthcare organizations over privacy violations are all soaring. HIPAA-regulated entities and other organizations that operate in the healthcare space are now facing increased scrutiny of their data security practices and compliance programs. An increase in enforcement actions and…

HHS Cybersecurity Task Force Provides New Resources to Help Address Rising Threat of Cyberattacks in Health and Public Health Sector

On April 17th, “The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of the following resources to help address cybersecurity concerns in the Healthcare and Public Health (HPH) Sector: These efforts are a key part of the Administration’s work to secure all of our Nation’s critical infrastructure from cyber threats….

RFI HIPAA Privacy Rule

On April 12th, the Office of Health and Human Services (HHS) published a Notice of Proposed Rule Making (NPRM) to seek comments regarding modifications to the HIPAA Privacy Rule ‘to support reproductive healthcare and privacy.’ Don’t let the misleading intentions lead you to believe this is a positive move for healthcare, much less for reproductive…

HHS Restructures OCR to Handle Increased HIPAA Complaints

It should not come as a surprise that on February 27, 2023, HHS announced three new divisions within the Office for Civil Rights (OCR): an Enforcement Division, a Policy Division, and a Strategic Planning Division. In HHS’s report to Congress, HHS noted a 25% increase in HIPAA and HITECH complaints received in 2020. The Director…

HHS Office for Civil Rights Delivers Annual Reports to Congress on HIPAA Compliance and Breaches of Unsecured Protected Health Information

The HHS Office for Civil Rights (OCR) provided Congress with two reports for 2021 regarding HIPAA Privacy, Security, and Breach Notification Rule compliance and breaches of unsecured protected health information. These reports can help organizations like pregnancy centers and business associates better comply with the requirements of HIPAA by giving insight into trends in the HIPAA environment…

New Bill to Strengthen HIPAA Protections for Patients Seeking Reproductive Healthcare

US Senators Michael Bennet (D-CO) and Mazie Hirono (D-HI) introduced the Secure Access for Essential Reproductive (SAFER) Health Act. The act aims to strengthen HIPAA protections; as a result, it would prohibit providers from disclosing patient information relating to abortion or pregnancy loss without patient consent. The February 9, 2023 press release states, “The SAFER…

How to Dispose of Electronic Protected Health Information Under HIPAA

Improper disposal of either paper or electronic protected health information is a HIPAA violation. HIPAA requires organizations to implement and follow administrative, technical, and physical safeguards. These types of violations lead to investigation by the Office for Civil Rights (OCR) and substantial civil money penalties. On July 6, 2021, HealthReach Community Health Centers experienced a breach…

How to Dispose of Paper Protected Health Information Under HIPAA

Disposing of paper protected health information (PHI), such as medical records, needs to be done in a HIPAA-compliant way. It is important to implement and follow administrative, technical, and physical safeguards all the time, but especially when it comes to disposing of paper PHI. Improper disposal of PHI violates HIPAA, which can lead to…

HHS OCR Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies

The bulletin highlights the obligations of covered entities and business associates when using online tracking technologies like Google Analytics or Meta Pixel. These technologies are designed to collect and analyze information about how users interact with a regulated entity’s website or mobile application. Does your organization share electronic protected health information (ePHI) with online tracking…

Former Methodist Hospital Employees Charged with HIPAA Violations

The US Attorney’s Office for the Western District of Tennessee announced the indictment of five former employees of a Tennessee-based Methodist Hospital for committing HIPAA violations. The five have been indicted by a federal grand jury for conspiring to unlawfully disclose patient information. “A federal grand jury has indicted five former Methodist Hospital Employees for…

The OCR Releases Video on Recognized Security Practices Under HITECH

In recognition of National Cybersecurity Awareness Month, the OCR produced a video for organizations covered under the HIPAA Rules on ‘Recognized Security Practices.’ Recognized security practices can help your organization improve its ability to safeguard patient and client information from cyberattacks and better safeguard the health care services we all rely upon. In January 2021…

American Data Privacy and Protection Act (ADPPA) Requirements

For organizations not required to comply with HIPAA: you will soon have very similar requirements imposed if the American Data Privacy and Protection Act (ADPPA) becomes law. The ADPPA is comprehensive and will impact organizations from marketing companies that use geolocation to pregnancy resource centers, and a whole lot more! ADPPA Requirements for Covered…

How the American Data Privacy and Protection Act Could Impact Your Organization

The following article written by HealthITSecurity highlights the American Data Privacy and Protection Act (ADPPA). This legislation should not be a surprise to anyone. The comprehensive nature of the Act reveals the turbulent landscape of data privacy. For example, this law, if passed, would impact organizations from marketing companies that use geolocation to pregnancy…

California State Legislature Passes AB1242 to Protect Abortion Data Privacy

Meta’s role in a Nebraska investigation into a mother-daughter pair who performed an abortion more than 20 weeks after fertilization, which is illegal in Nebraska, is making both federal and state lawmakers take notice and make legal moves to protect individuals who seek abortions within their borders. Assembly member Bauer-Kahan’s bill, AB 1242,…

Defeating the ‘Fake Clinic’ Argument by Creating a Culture of Compliance

Many from the pro-choice perspective argue against the legitimacy of pregnancy centers by stating they are ‘fake clinics that don’t even have to abide by HIPAA’. For example, the AMA Journal of Ethics wrote an extensive article that states, “Despite looking like legitimate clinics, most CPCs are not licensed, and their staff are not licensed…

What About This Transaction

45 CFR 162.1101: A health care claims or equivalent encounter information transaction is either of the following: a) A request to obtain payment, and necessary accompanying information, from a health care provider to a health plan, for health care. b) If there is no direct claim, because the reimbursement contract is based on a mechanism other than…

Common HIPAA Violations Part 2

Impermissible Uses and Disclosures. While the failure to conduct or complete a security risk assessment is the most common violation for organizational behavior, the most common violation for individuals is impermissible uses and disclosures of protected health information (PHI) and electronic protected health information (ePHI). Impermissible uses and disclosures occur when PHI is disposed of…

Common HIPAA Violations Part 1

Security Risk Assessment. The HIPAA Security Rule requires organizations to conduct a Security Risk Assessment, also called a security risk analysis. When it comes to HIPAA violations, the failure to conduct or complete a security risk assessment seems to be the most common violation. However, this does not have to be the case! There are…

The Amendment to the HITECH Act

Congress amended the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes. The HITECH Act did not require covered entities and business associates (organizations required…