The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”
As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters. OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.
OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack), this settlement is a good reminder that HIPAA obligations also cover disclosures that have nothing to do with technology.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured protected health information (PHI) on October 22, 2013, but did not report it to OCR until January 31, 2014, more than three months later. OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and in no case later than 60 days after discovering the breach, as HIPAA requires of Covered Entities. The violation resulted in a $475,000 settlement between OCR and Presence Health.
Although National Cybersecurity Awareness Month isn’t until October, September has brought plenty of privacy and security updates that health care companies need to be aware of. In this post, we review guidance from the Office for Civil Rights (OCR) on cyberattacks, describe new state breach notification laws, and highlight the upcoming NIST/OCR security conference.
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has been busy lately, issuing three news releases on the HIPAA Privacy and Security Rules.
On February 24th, OCR published a crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The document outlines the safeguards required by the Security Rule and maps each one to the applicable subcategory in the Cybersecurity Framework and to other commonly used frameworks. The Security Rule does not require health care organizations to follow the Cybersecurity Framework, but OCR points out that many organizations already do, and that the crosswalk can help organizations discover gaps in their security policies. OCR released the crosswalk less than a week after Hollywood Presbyterian reported that it paid hackers to end a ransomware attack on the hospital’s computer systems.
Last Friday, the U.S. Department of Health and Human Services Office of the National Coordinator for Health IT (“ONC”) and the Office for Civil Rights (“OCR”) released two fact sheets regarding permitted uses and disclosures of protected health information (“PHI”) among health care providers and other entities covered by HIPAA. ONC and OCR developed these fact sheets after health care providers expressed confusion over whether and when PHI can be shared without the patient’s prior written consent under the HIPAA Privacy Rule (the “Privacy Rule”). Additionally, as ONC has been actively pushing health care providers toward interoperability of electronic health recordkeeping systems, many view the lack of clarity and understanding around the Privacy Rule as a hindrance to achieving this goal.
Written By: Kimberly Gold
With the September 23, 2013 compliance date for the HIPAA Omnibus Rule only one week away, the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have developed model Notices of Privacy Practices (“NPP”) to help health care providers and health plans ensure compliance with the HIPAA Privacy Rule and recent changes implemented under the Omnibus Rule.
It is crucial that covered entities update their NPPs no later than September 23, 2013. Health care providers must make the updated NPP available upon request and must have the revised NPP available at the practice location and posted in a clear and prominent location. Health plans must post the updated NPP on their website no later than September 23, 2013, and must distribute a summary of changes or copies of updated NPP in the next annual mailing.
The model NPP implements several new requirements, among them the required statement of the uses and disclosures of protected health information (“PHI”) that need an authorization, specifically that most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and the sale of PHI all require an authorization.
OCR and ONC created the model NPP in response to covered entities’ requests for additional guidance on how to create a clear, accessible notice that their patients or plan members can understand. The following models were created for use by health plans and health care providers:
- A notice in the form of a booklet;
- A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
- A notice with the design elements found in the booklet, but formatted for full page presentation; and
- A text only version of the notice.
The agencies indicated that the models can serve as the baseline for covered entities working to come into compliance with the new requirements. While they may be a helpful baseline, it is important to remember that the NPPs must be tailored for each covered entity’s particular practices.
Understanding the complexities of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules is often a challenge for health care providers and consumers. Recognizing the widespread confusion surrounding the interpretation of the rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released new tools to educate providers and consumers about HIPAA.