After the 2013 HIPAA Omnibus rules went into effect, there was a delay as the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) brought its auditing program in line with the new requirements. Based on last month’s announcement in the Federal Register, it seems they are about ready to start auditing organizations again. I suppose most healthcare covered entities and business associates don’t read the Federal Register regularly, so here are the pertinent details. OCR is planning an information collection (survey) effort, targeting 1,200 covered entities (typically health plans, health care clearinghouses, and health care providers) as well as business associates. The announced goal of the survey is: to determine suitability for the Office for[…]

Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit cards. As a result, it may surprise you to know your health care information is under attack. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, health care organizations are leaving the door wide open for criminals. How Bad Is It? A recent study by the Ponemon institute revealed that 94% of medical institutions have[…]

HIPAA has specific requirements for reporting breaches of Protected Health Information. How do you identify a breach, and how do you know whether you need to report a breach? Protected Health Information Asset Management You should have a list of all places that protected health information resides within your office, your network, and your systems – and any business associates you work with. Ideally, you should also know which records are located where, so that when it does come time for notification, you’re ready. If there is a loss, theft, or attack, you know if that system had PHI on it or not, and can act appropriately. Being able to identify a breach becomes easier when you have all of[…]

Should Reasonably Have Known The HIPAA Breach Notification Rule has an interesting turn of phrase: “should reasonably have known”. A company is liable if it reasonably should have known about a breach. So what is reasonable? The latest 2013 rulemaking gives some guidance on that: §164.404(a)(2) expands that to reasonably should have known by exercising reasonable diligence. It then goes on to define that as “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances”, further adding that as soon as a workforce member or other agent has knowledge or should have had knowledge of the breach, the clock on notification starts. So, you’ve got some relatively vague definitions of what’s reasonable, and as soon as someone[…]

This article describes the HIPAA contingency planning and security incident response requirements. The relevant subsections of the HIPAA law are §164.308(a)(6) and §164.308(a)(7). HIPAA contingency planning is a term used broadly to cover security incident response procedures and contingency planning for emergency situations that may compromise protected health information. HIPAA contingency planning is one of the administrative safeguards that a covered entity must employ. The audit requirements for HIPAA contingency planning are covered in a separate post. HIPAA Security Incident Procedures “Implement policies and procedures to address security incidents.” [§164.308(a)(6)] A covered entity is required to be able to identify, mitigate and respond to security incidents in a timely and reasonable fashion. The procedure for responding to security incidents should be[…]

This article describes the HIPAA information access management requirements for accessing electronic protected health information. The relevant subsection of the HIPAA law is §164.308(a)(4). Section §164.308 of the Health Insurance Portability and Accountability Act describes the administrative safeguards that a covered entity must employ. This article will explore section §164.308(a)(4), which deals with ensuring that appropriate authorization mechanisms are in place when electronic protected health information (ePHI) is accessed. HIPAA Information Access Management “Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.” [§164.308(a)(4)] A covered entity is responsible for isolating and guarding ePHI from unauthorized access. This section outlines the implementation requirements of a covered[…]