The HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule is Effective Today

“On April 26, 2024, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a Final Rule, entitled the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the…

Nearly Three-Quarters of Organizations Were the Target of Attempted Business Email Compromise Attacks

In an article from KnowBe4, there is new data that highlights just how dangerous business email attacks really are. The following is the complete article with helpful links. “Business Email Compromise (BEC) attacks often don’t get the press they require; these attacks utilize a heavy dose of social engineering to spoof company email accounts and impersonate individuals…

What is Social Engineering

Social engineering is a method used by cyber attackers to manipulate people into divulging confidential information or performing actions that compromise security. Unlike traditional hacking methods that rely on exploiting technical vulnerabilities, social engineering exploits human psychology and behavior to achieve its goals. Social engineering techniques can take various forms, such as: Social engineering attacks…

What is Phishing

Phishing is a form of criminally fraudulent social engineering. Phishing is a type of cyber attack where attackers attempt to trick you into divulging sensitive information such as your usernames, passwords, credit card details, or other personal information by posing as a trustworthy entity in an electronic communication. Phishing often mimics legitimate organizations such as banks,…

Watchdog Group Asks 5 Attorneys General to Investigate Crisis Pregnancy Center Privacy Practices

By now I’m sure you’ve heard or read the story about the watchdog group, Campaign for Accountability, asking 5 Attorneys General to investigate pregnancy centers. I find it very suspicious this news broke the same day the HHS published a final rule amending the HIPAA Privacy Rule in an effort to protect abortionist. Just in…

The Biden-Harris Administration Issues New Rule to Support Reproductive Health Care Privacy Under HIPAA

The Final Rule strengthens privacy protections for medical records and health information for women, their family members, and doctors who are seeking, obtaining, providing, or facilitating lawful reproductive health care. Today, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a Final Rule,…

3 Ways Your Center Can Prepare for Upcoming HIPAA Security Rule changes

There have been rumors swirling about upcoming changes to the HIPAA Security Rule for some time now. Those changes were outlined in a previous article titled “HHS Unveils Healthcare Cybersecurity Strategy.” In preparation for the changes, the following by HealthITSecurity outlines some ways you can prepare your center. “In the decades since the HIPAA Security Rule was…

Updated Security Risk Assessment Tool 3.4 Now Available

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) at the U.S. Department of Health and Human Services (HHS) announced the release of version 3.4 of the Security Risk Assessment (SRA) Tool. This is the same tool discussed at several conferences this year. Please use the…

Rhysida Ransomware Emerges as Latest RaaS Threat Group

According to an article from HealthITSecurity, Rhysida, a new ransomware-as-a-service group, leverages phishing and Cobalt Strike exploits to access victim networks and deploy ransomware. Below is their article in full, including a link to a very informative threat brief published by the HHS Office of Information Security. “Rhysida ransomware group is the latest threat group to target victims…

June 2023 HHS OCR Cybersecurity Newsletter

The Office of Health and Human Services Office of Civil Rights published their Quarterly Cybersecurity newsletter discussing HIPAA and Cybersecurity Authentication. Below is the newsletter in its entirety as well as resources. “Strong authentication processes are often analogized to a locked door in the cyber world. Weak or non-existent authentication processes leave your digital door open…

Snooping Into Medical Records is Expensive

The following is a report from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR “announced a settlement with Yakima Valley Memorial Hospital, a not-for-profit community hospital located in Yakima, Washington resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The OCR investigated…

Responding to Negative Online Comments. Is it worth it?

On June 5, 2023, HHS reached a settlement agreement with a New Jersey psychiatry practice that included, amongst other requirements, a fine of $30,000 to settle a complaint about an impermissible disclosure of protected health information when the psychiatry practice disclosed the patient’s protected health information in a response to a negative online review. The…

Protecting Patient Data: The Importance of Cybersecurity in Healthcare

The following article is taken from a recent article written by KnowBe4, which does an excellent job explaining the importance of cybersecurity as well as outlining some practices to implement to ensure your organization has a robust cybersecurity program. Give it a read and compare your organization’s practices to those mentioned in the article. Should…

New York Attorney General Fines Practicefirst $550K For Failure to Protect Health Records

It appears that the New York Attorney General Letitia James is becoming more aggressive regarding the protection of health records. On May 25, 2023 AG Letitia James fined practice management vendor Practicefirst $550,000 to resolve data security failures stemming from a 2020 data breach that impacted 1.2 million individuals. As outlined by HealthSecurity.com, the “New York-based Practicefirst…

Healthcare Organizations Face Increased Scrutiny

Hacking incidents are increasing, there are new regulatory requirements and compliance initiatives due to Dobbs and Pixel use, and lawsuits against healthcare organizations over privacy violations are soaring. HIPAA-regulated entities and other organizations that operate in the healthcare space are now facing increased scrutiny of their data security practices and compliance programs. An increase in enforcement actions and…

HHS Cybersecurity Task Force Provides New Resources to Help Address Rising Threat of Cyberattacks in Health and Public Health Sector

On April 17th, “The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of the following resources to help address cybersecurity concerns in the Healthcare and Public Health (HPH) Sector: These efforts are a key part of the Administration’s work to secure all of our Nation’s critical infrastructure from cyber threats….

RFI HIPAA Privacy Rule

On April 12th, the Office of Health and Human Services (HHS) published a Notice of Proposed Rule Making (NPRM) to seek comments regarding modifications to the HIPAA Privacy Rule ‘to support reproductive healthcare and privacy.’ Don’t let the misleading intentions lead you to believe this is a positive move for healthcare, much less for reproductive…

HHS Restructures OCR to Handle Increased HIPAA Complaints

It should not come as a surprise that on February 27, 2023 HHS announced three new divisions within the Office of Civil Rights (OCR): An Enforcement Division, a Policy Division, and a Strategic Planning Division. In HHS’s report to Congress, HHS noted a 25% increase in HIPAA and HITECH complaints received in 2020. The Director…

HHS Office for Civil Rights Delivers Annual Reports to Congress on HIPAA Compliance and Breaches of Unsecured Protected Health Information

The HHS Office of Civil Rights (OCR) provided Congress with two reports for 2021 regarding HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information. These reports can help organizations like pregnancy centers and business associates better comply with the requirements of HIPAA by giving insight to trends in the HIPAA environment….

New Bill to Strengthen HIPAA Protections for Patients Seeking Reproductive Healthcare

US Senators Michael Bennet (D-CO) and Mazie Hirono (D-HI) introduce the Secure Access for Essential Reproductive (SAFER) Health Act. The act aims to strengthen HIPAA protections; as a result, it would prohibit providers from disclosing patient information relating to abortion or pregnancy loss without patient consent. The February 9, 2023 press release states, “The SAFER…

How to Dispose of Electronic Protected Health Information Under HIPAA

Improper disposal of either paper or electronic protected health information is a HIPAA violation. HIPAA requires organizations to implement and follow administrative, technical, and physical safeguards. These types of violations lead to investigation by the Office of Civil Rights (OCR) and substantial civil money penalties. On July 6, 2021, HealthReach Community Health Centers experienced a breach…

How to Dispose of Paper Protected Health Information Under HIPAA

Disposing of paper protected health information (PHI), such as medical records, needs to be done in a HIPAA compliant way. It is important to implement and follow administrative, technical, and physical safeguards all the time, but especially when it comes to disposing of paper PHI. Improper disposal of PHI violates HIPAA, which can lead to…

HHS OCR Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies

The bulletin highlights the obligations of covered entities and business associates when using online tracking technologies like Google Analytics or Meta Pixel. These technologies are designed to collect and analyze information about how users interact with a regulated entity’s website or mobile application. Does your organization share electronic protected health information (ePHI) with online tracking…

FBI Reports Hive Ransomware Actors Have Extorted Over $100M From Victims

The Federal Bureau of Investigation (FBI) warns of ongoing malicious activity by the notorious Hive ransomware gang. The Hive ransomware gang has extorted more than $100 million from its victims, which include organizations from a wide range of industries such as government facilities, communications, and information technology, with a focus on healthcare and public health entities….

Former Methodist Hospital Employees Charged with HIPAA Violations

The US Attorney’s Office for the Western District of Tennessee announced the indictment of five former employees of a Tennessee-based Methodist Hospital for committing HIPAA violations. The five have been indicted by a federal grand jury for conspiring to unlawfully disclose patient information. “A federal grand jury has indicted five former Methodist Hospital Employees for…

The OCR Releases Video on Recognized Security Practices Under HITECH

In recognition of National Cybersecurity Awareness Month, the OCR produced a video for organizations covered under the HIPAA Rules on ‘Recognized Security Practices.’ Recommended security practices can help your organization improve your ability to safeguard patient and client information from cyberattacks and better safeguard the health care services we all rely upon. In January 2021…

American Data Privacy and Protection Act (ADPPA) Requirements

For organizations not required to comply with HIPAA – you will soon have very similar requirements imposed if the American Data Privacy and Protection Act (ADPPA) becomes law. The ADPPA is comprehensive and will impact organizations from marketing companies that use geolocation to pregnancy resource centers, and a whole lot more! ADPPA Requirements for Covered…

How the American Data Privacy and Protection Act Could Impact Your Organization

The following article written by HealthIT Security highlights the American Data Privacy and Protection Act (ADPPA). This legislation should not be a surprise to anyone. The comprehensive nature of the Act reveals the turbulent landscape of data privacy. For example, this law, if passed, would impact organizations from marketing companies that use geolocation to pregnancy…

Statement by HHS Secretary Xavier Becerra on President Biden’s Executive Order to Protect Access to Reproductive Health Care

This article is taken directly from an email received from the Department of Health and Human Services as a way to keep you up to date regarding the actions taken by HHS and the OCR in regards to the overturning of Roe v. Wade. The U.S. Department of Health and Human Services (HHS) Secretary Xavier…

HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe

This article is taken directly from an email received from the Department of Health and Human Services as a way to keep you up to date regarding the actions taken by HHS and the OCR in regards to the overturning of Roe v. Wade. HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme…

RFI HITECH

On April 7, 2022, the Office for Civil Rights (OCR) issued a request for information (RFI) seeking feedback on two requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH). Recall that the HITECH Act was signed into law in 2009 to promote the adoption of electronic health records (EHR). Parts of the HITECH Act addressed concerns…

OCR: Complying With the HIPAA Security Rule Substantially Prevents and Mitigates Most Cyberattacks

The OCR announced in its March 2022 Cybersecurity Newsletter that compliance with the HIPAA Security Rule can both prevent and mitigate cyberattacks. Healthcare hacking incidents have steadily increased throughout 2020 and 2021 with no decrease in sight. From 2019 to 2020 the industry experienced a 45% increase of hacking or IT incidents and between 2020…

5 Barriers to Secure Email Communication

1. Cumbersome email technology. HIPAA compliant email requires encryption. Email encryption services go about encryption differently. Some email encryption services require recipients to log in to a portal, which means creating a username and password that must be remembered. Other services require the sender to insert certain words to initiate encryption.
2. Training. For the selected…

HIPAA Business Associates

HIPAA requires covered entities to have a business associates agreement in place with business associates that interact with an organization’s protected health information. A business associate agreement ensures that the business associate will follow the same security and privacy measures as a HIPAA covered entity. Why is this important? Read on. Recently, two business associates (printing companies) that provide printing and mailing services…

Changes to the HIPAA Privacy Rule: HIPAA Update

The proposed changes from the RFI issued December 2018 include: strengthening individuals’ right to access their own health information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement; enhancing flexibilities for disclosures in emergency or threatening circumstances; and reducing administrative burdens on HIPAA covered entities. HHS has extended…

The Amendment to the HITECH Act

Congress amended the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes. The HITECH Act did not require covered entities and business associates (organizations required…