HIPAA News

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules, and the Secretary of the Department of Health and Human Services may waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if the patient consents to the information being shared.

Jessie’s Law takes its name from Michigan resident Jessica Grubb, who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addiction for seven years, but prior to surgery had been clean for six months.

Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor had not received the information about her history of opioid use.

The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed about the medical histories of recovering addicts, while preserving the privacy of patients. The new bill states a “history of opioid use disorder should, only at the patient’s request, be prominently displayed in the medical records (including electronic health records).”

The Department of Health and Human Services will be required to publish guidelines on when healthcare providers are permitted to prominently display details of a patient’s history of opioid use on their medical record.

Jessie’s mother Kate Grubb said, “I am ever so grateful for the passage of Jessie’s Law; it eases a mother’s aching heart that this law will save other lives and give meaning to Jessie’s death.”

The bill will now proceed to the U.S. House of Representatives’ Committee on Energy and Commerce for consideration.

Legislation Proposed to Align Part 2 Regulations with HIPAA to Improve Patient Care

Congressmen Tim Murphy and Earl Blumenauer introduced a similar bill, the Overdose Prevention and Patient Safety (OPPS) Act (HR 3545), late last month. The bill is intended to align 42 Code of Federal Regulations Part 2 (Part 2) with HIPAA Rules and would ensure doctors have access to their patients’ complete medical histories, including details of addiction treatment. Under Part 2, records of addiction treatment cannot be shared with treating doctors without the patient’s specific written consent. Without access to full medical records, tragic incidents such as what happened to Grubb could occur time and again.

Rep. Murphy said, “The Overdose Prevention and Patient Safety Act will allow doctors to deliver optimal, lifesaving medical care, while maintaining the highest level of privacy for the patient.” Murphy also explained that while sharing sensitive information on substance use will help patients get the care they need, patient privacy must be protected. “We do not want patients with substance use disorders to be made vulnerable as a result of seeking treatment for addiction, this legislation strengthens protections of their records.”

The Overdose Prevention and Patient Safety Act reads, “Any record…that has been used or disclosed to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient in violation of paragraphs (1) or (2), shall be excluded from evidence in any proposed or actual proceedings relating to such criminal charges or investigation and absent good cause shown shall result in the automatic dismissal of any proceedings for which the content of the record was offered.”

A coalition of more than 30 healthcare stakeholders wrote to Reps Murphy and Blumenauer to express support for the bill. In the letter, the coalition points out that while the Substance Abuse and Mental Health Services Administration (SAMHSA) recently released a final rule that will modernize Part 2, the final rule does not go far enough.


How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training?

Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training

Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While many of these attacks are indiscriminate, healthcare employees are also being targeted with spear phishing emails.

In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%.

In recent weeks, several phishing attacks have been reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks resulted in email accounts being compromised. In July alone, 9 email-related security incidents were reported to OCR.

The recent WannaCry ransomware attacks spread by exploiting an unpatched Windows SMB vulnerability rather than by email, but email remains the number one vector for spreading ransomware and malware. Many of these email attacks could have been prevented if employees had been trained to detect threats and knew how to respond appropriately.

Regular Security Awareness Training is a Requirement of HIPAA

Security awareness training is more than just a checkbox item to tick off to demonstrate compliance with HIPAA Rules. In fact, a one-off training session does not meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

45 C.F.R. § 164.308(a)(5)(i) requires covered entities to “Implement a security awareness and training program for all members of its workforce (including management)”. As OCR recently pointed out in its July Cybersecurity Newsletter, all members of staff in an organization “can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.” It may not be possible to reduce risk to zero, but security awareness training can help to reduce risk to an acceptable level.

How Often Should Healthcare Employees Receive Security Awareness Training?

Cybercriminals are constantly changing tactics and new threats emerge almost daily. An effective security awareness program must therefore provide ongoing training, raising awareness of new threats as they emerge and when threat intelligence is shared by Information Sharing and Analysis Organizations (ISAOs).

After the provision of initial training, HIPAA requires healthcare employees to receive periodic security updates – 45 C.F.R. § 164.308(a)(5)(ii)(A). While HIPAA does not stipulate how often these “periodic security updates” should be issued, OCR points out that monthly security updates work well for many healthcare organizations, with additional training provided bi-annually.

Some healthcare organizations may require more or less frequent updates and training sessions; the appropriate frequency should be determined through the organization’s risk analysis.

The security updates should include details of the latest security threats, including phishing and social engineering scams that have been reported by other covered entities or shared by an ISAO. The security alerts can take many forms: email bulletins, posters, newsletters, team discussions, classroom-based training or computer-based training (CBT) sessions. It is up to the covered entity to determine which are the most appropriate. Annual or biannual training sessions should be more in-depth and should cover new risks faced by the organization and recap previous training.

OCR also points out in its recent newsletter that covered entities must document any training provided to employees. Without documentation on the training provided, newsletters sent, updates issued and evidence of workforce participation, it will not be possible to demonstrate to OCR auditors that training has taken place. HIPAA requirements for documenting training are covered in 45 C.F.R. §§ 164.316(b) and 164.530(j).

OCR provides some training materials on privacy and security, with third-party training companies and anti-phishing solution providers offering specific training courses on the full range of cybersecurity threats.

Tailoring training to the needs of the individual will help to ensure that all employees become security assets and organizations develop a robust last line of defense against phishing attacks.


47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years.

The survey was conducted on 100 C-suite information security executives, including CIOs, CSOs, CISOs and CTOs, from healthcare providers and health plans generating more than $500 million in annual revenue.

47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years.

Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred.

Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach in the past two years that involved ransomware. 41% of those respondents said they paid the ransom to unlock their data.

70% of organizations that experienced at least one security breach in the past 2 years said a malicious actor hacked their system as a result of an unaddressed vulnerability, 54% of respondents said they had experienced a single-system based malware incident and 36% said employees had responded to phishing emails resulting in a system compromise. 26% said they had experienced a breach of a third-party device or service, while 20% said they had experienced a breach as a result of an insider.

The probability of organizations experiencing a security breach has increased considerably in the past two years, yet there was a decrease in organizations that believed cybersecurity was a board matter. In 2015, 87% of organizations believed cybersecurity was a board issue. This year, only 79% of respondents said they thought cybersecurity was a C-level issue.

KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Investment in cybersecurity protections has also decreased. In 2015, 88% of organizations said they had invested in information protection measures in the past 12 months. This year, only 66% said they had made such an investment.

When it comes to investment, organizations appear to be favoring technology rather than staff. Only 15% believe increases in staff numbers and higher quality staff are important for improving their security posture.

Only 41% of respondents said they were planning on investing in hiring or training staff, with 76% saying they were planning on investing more in technology. Budgets for training staff were low, with a quarter of respondents saying they were investing less than $1,000 per cybersecurity team member. 83% said improvements would be made to policies and data access controls and processes.

KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said, “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” explaining that “Software can only protect you so far and staff is important when it comes time to respond to a data breach.”

When asked what they thought the main targeted asset was, only 30% believed it was patient data. Financial information was seen as the data most likely to be targeted (69%), followed by patient/clinical research (63%), competitive market analysis (49%) and the PII of employees (45%).

The biggest threats were seen to be state-sponsored actors (53%), individual hackers (49%) and hacktivists (47%).


Only One Third of Patients Use Patient Portals to View Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gives patients the right to access the health information held by their providers, yet according to a recent U.S. Government Accountability Office (GAO) report, relatively few patients are exercising that right, at least through patient portals.

The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information.

GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource.

Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information online, yet only 15% of hospital patients and 30% of other providers’ patients accessed their data online.

When patient portals are used to access health data, it is usually shortly before a medical appointment or soon afterwards, to view medical test results. Information is also commonly accessed in order to share health data with a new healthcare provider. Mostly, however, patients were using the portals to schedule appointments, set reminders or order medication refills.

The problem does not appear to be a lack of interest in viewing or obtaining health information, rather it is one of frustration. The process of setting up access to patient portals and viewing health data is time consuming. Patients usually have multiple healthcare providers and must repeat the process for each provider. In order to view all their health information, they must use a different portal for each provider and manage separate login information for each. Further, patient portals are not standardized. Each requires patients to learn how to access their information and familiarize themselves with the portal.

When the patient portals have been set up, patients often discover incomplete or inaccurate information, with information inconsistent among different providers. It would make life easier if all information could be transferred electronically between each provider or aggregated in one place, yet patients were confused by the process and were unaware if this was possible, and if so, how it could be done. Many patients did not even know if their health information could be downloaded or transmitted.

GAO pointed out that while HHS has been encouraging healthcare providers to give patients access to health data via patient portals, there does not appear to have been any follow up. GAO says HHS appears to be unaware of how effective its program has been. GAO has recommended HHS set up performance measures to determine whether its efforts are actually working.


Survey Shows Only a Quarter of Hospitals Have Implemented a Secure Text Messaging Platform

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians.

The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database.

Secure text messaging platforms are designed to comply with HIPAA Rules. Messages are encrypted end to end, so they cannot be read if intercepted, and access controls ensure only the intended recipient can view them. Because messages can only be exchanged between users of the platform, the risk of PHI being accidentally sent to an outside party is reduced. Multimedia messages can also be sent, including test results and images.

Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems have been implemented, they were not widely used by clinicians. Only 7.3% of respondents said a secure messaging system was being used by most clinicians.

Pagers remain the most commonly used communication systems and are still used by 79.8% of hospitals to communicate with clinicians. 49% of respondents said they use pagers for patient care–related (PCR) communications.

The survey also revealed that standard text messages are extensively used, often to communicate PHI, even though sending PHI over the unencrypted SMS network is a violation of HIPAA Rules. Standard text messages are not encrypted and have no access controls, so they can easily result in the accidental disclosure of PHI to unauthorized individuals.

52.9% of clinicians said they received standard text messages for PCR communications at least once a day, and 21.5% of respondents said they received standard text messages including the individually identifiable information of patients. 41.3% said they received some identifiable information, such as patients’ initials, along with health care related information. 21% said text messages regarding urgent healthcare information were received at least once a day.

Text messages are a convenient method of communication for use in hospitals. The majority of physicians carry mobile phones at work, although without a secure messaging platform, there is considerable potential for a HIPAA violation.

The HHS’ Office of the National Coordinator for Health IT has made it clear that standard text messaging is not secure and should not be used to communicate PHI, since SMS provides neither encryption nor access controls.

ONC suggests, “Implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.”


Model HIPAA-Compliant PHI Access Request Form Released by AHIMA

The American Health Information Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data.

The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization.

AHIMA claims that until now, a model PHI access request form was not available to healthcare providers. HIPAA-covered entities have had to develop their own forms and there is considerable variation in the forms used by different healthcare organizations. Patients with multiple healthcare providers often find the process of obtaining their health data confusing.

AHIMA has listened to feedback from its members and industry stakeholders who explained that the process of accessing medical records was often confusing for patients. Even some healthcare organizations are confused about what is permitted and not permitted under HIPAA Rules when it comes to providing access to health data. The new model form should help clear up confusion.

It is hoped that the new form will be used as a standard across the industry which will make it easier for patients to exercise their rights under HIPAA, regardless of which healthcare providers they use.

AHIMA interim CEO Pamela Lane said, “Our hope is that it will help connect patients with their health information and make them more empowered healthcare consumers.”

Streamlining the Process of Providing Copies of Health Data to Patients

The ONC recently issued a report in which HIPAA-covered entities were given tips to help streamline the process of providing patients with access to their healthcare data.

The ONC report explained its research has shown that patients are often confused about the process of accessing their health data. Forms are confusing and patients are often unaware of their rights under HIPAA. For example, many are unaware that under HIPAA Rules they are entitled to receive PHI in the form and format they request, provided it is readily producible. Paper copies can be requested, or patients can have their health data in electronic form; electronic copies can be sent via email or provided on a portable storage device such as a CD or zip drive.

The new model PHI access request form ties in with the advice given by the ONC and patients can stipulate how they would like their PHI copies to be delivered. The form should also make processing requests straightforward for healthcare providers and help them to streamline the processing of PHI access requests.

The form is suitable for use by all types of healthcare providers, from large multi-hospital health systems to individual physicians, clarifying what patients have the right to access and what healthcare organizations must provide.

Lane said the model PHI access request form is “Written in easy-to-understand language for all patients,” explaining, “this model form and explanation of use provides healthcare providers with a customizable tool that both ensures their compliance and captures patient request information in a clear, simple format.”

The final version of the PHI access request form can be downloaded from AHIMA.

Recommendations for HIPAA Covered Entities Wishing to Use the Model PHI Access Request Form

The model PHI access request form is self-explanatory for patients, but AHIMA has given additional recommendations for healthcare providers who wish to start using the new form.

AHIMA suggests the form should be customized to match the capabilities of healthcare providers’ systems and can be updated as required when systems are upgraded. Healthcare providers can also add their address, logos and barcodes to the forms should they so wish.

While the form is HIPAA-compliant in its original form, healthcare providers that customize the form must ensure that any changes comply with HIPAA Rules. Healthcare providers are told they should read 45 CFR 164.524(c)(3) to ensure the form stays compliant.

Internal policies can be developed by HIPAA-covered entities, but AHIMA stresses those policies must be in line with HIPAA guidance and should not serve as a barrier to health data access. HIPAA Rules allow covered entities to charge patients fees for providing copies of their health data. AHIMA recommends providers consult OCR guidance on fees as well as state laws to ensure compliance.


Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018.

Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought.

One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could assist and take on additional tasks.

The HITECH Act required ONC to appoint a Chief Privacy Officer; however, an alternative is for ONC to request personnel from other HHS agencies. Faced with a $22 million cut in its operating budget, ONC will turn to the HHS’ Office for Civil Rights to assist with privacy functions with the ONC only maintaining ‘limited support’ for the position of Chief Privacy Officer.

The Chief Privacy Officer has been instrumental in improving understanding of HIPAA Rules with respect to privacy since the HITECH Act was passed. Many healthcare organizations have impeded the flow of health information due to a misunderstanding of the HIPAA Privacy Rule. The Chief Privacy Officer has helped to explain that HIPAA Rules do not prevent the exchange of health information; they only require that information is shared securely and the privacy of patients is preserved. These outreach efforts are likely to be impacted by the loss of the Office of the Chief Privacy Officer.

Rucker explained that discussions are now taking place between ONC and OCR to determine how these and other tasks will be performed, but explained that privacy and security are implicit in all aspects of the work performed by ONC and that will not change.

Cutbacks are inevitable with the trimming of the ONC’s budget but Rucker has explained that the HHS will continue to ensure privacy and security issues are dealt with and efforts to improve understanding of the HIPAA Privacy and Security Rules will also continue.
