HIPAA News

OCR Seeks Permanent Deputy Director for Health Information Privacy

Posted by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019.

The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018.

The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices.

The Deputy Director for Health Information Privacy is a key player in the development of departmental policies, legislative, and regulatory proposals, and special OCR initiatives to ensure health information is protected and remains private.

The role involves advising OCR Director Roger Severino and senior OCR officials on HIPAA policies and application of those policies. The successful applicant will be required to work closely with the OCR Director and assist with the planning, organization, and formulation of policies and procedures for OCR and health privacy and security policies across the HHS.

According to the posting, the Deputy Director represents the Director and OCR on health information privacy and security matters and coordinates work where problems and issues involve more than one component of the HHS. The Deputy Director is also required to maintain relationships concerning health information privacy and security issues at a number of senior management levels.

Applications are being accepted until February 5, 2019.

The post OCR Seeks Permanent Deputy Director for Health Information Privacy appeared first on HIPAA Journal.

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Posted by HIPAA Journal

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients.

McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center.

The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an alternative, equivalent measure to safeguard PHI.

“Hospitals must take measures to protect the private information of their patients,” said AG Maura Healey. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”

Backups of sensitive data should be made regularly to ensure that, in the event of disaster, patients’ PHI can be recovered. If physical copies of PHI are backed up and taken offsite by employees, appropriate security controls should be put in place to prevent those individuals from accessing the data and to ensure that in the event of loss or theft of devices, PHI will not be exposed. While HIPAA falls short of demanding the use of encryption for PHI, if the decision is taken not to encrypt PHI, an alternative safeguard must be implemented that offers an equivalent level of protection.

In addition to the financial penalty, McLean Hospital has agreed to enhance its privacy and security practices. A written information security program will be implemented and maintained, training will be provided to new and existing employees on privacy and security of personal health information, an inventory will be created and maintained of all portable devices containing ePHI, and all electronic PHI will be encrypted within 60 days.

McLean has also agreed to a third-party audit of the Harvard Brain Tissue Resource Center to assess how it handles portable devices containing personal and health information.

“McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation. The agreement with the Attorney General represents a continuation of those efforts,” explained McLean Hospital in statement issued to the media.

This is the second HIPAA violation penalty to be issued by Massachusetts in 2018. UMass Memorial Medical Group / UMass Memorial Medical Center settled a HIPAA violation case with Massachusetts for $230,000 in September. The fine related to the failure to secure the ePHI of 15,000 state residents.

The post Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital appeared first on HIPAA Journal.

OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a request for information (RFI) seeking comments from the public on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) Rules to promote coordinated, value-based healthcare.

OCR is seeking suggestions about changes to aspects of the HIPAA Privacy and Security Rules that are impeding the transformation to value-based healthcare and provisions of HIPAA Rules that are discouraging coordinated care between individuals and their healthcare providers.

HIPAA was first enacted 22 years ago at a time when few healthcare providers were using digital health records. While there have been updates to HIPAA over the years, many industry stakeholders believe further updates are necessary now that the majority of healthcare organizations have transitioned to digital health records.

Recently, the American Medical Informatics Association (AMIA) and American Health Information Management Association (AHIMA) explained to Congress that changes to HIPAA are required to improve patients’ access to their health data and to make it easier for that information to be shared with other healthcare providers and research organizations. Currently, aspects of the HIPAA Privacy Rule are discouraging providers from sharing data and patients are still have difficulty accessing their health information in a format that allows them to easily use and reuse their data.

OCR is encouraging the public to submit their comments to help OCR identify problem areas and remove regulatory obstacles that are hampering the transformation to value-based healthcare as well as aspects of HIPAA Rules that place an unnecessary burden on covered entities and their business associates which impede their ability to conduct care coordination and case management. However, changes can only be made to HIPAA Rules if they do not jeopardize the privacy and security of protected health information.

Specifically, OCR is seeking feedback on the following aspects of HIPAA Rules:

  • Changes to the HIPAA Privacy Rule to promote information sharing for treatment, care coordination, and/or case management which encourages, incentivizes, or requires HIPAA-covered entities to disclose PHI to other covered entities.
  • Changes to the HIPAA Privacy Rule to encourage healthcare providers and other covered entities to share treatment information with patients, their loved ones, and caregivers of adults in health emergencies, especially related to opioid misuse.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record (EHR) in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Changes to the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices.

Comments are also being sought from healthcare providers, business associates, and other covered entities along with answers to 54 questions detailed in the RFI.

The RFI will be published on December 14, 2018 and comments will be accepted for 60 days after the publication date. The RFI can be downloaded on this link.

The post OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing appeared first on HIPAA Journal.

Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

Posted by HIPAA Journal

OCR has fined a Colorado hospital $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI.

Pagosa Springs Medical Center (PSMC) is a critical access hospital, part of the Upper San Juan Health Service District, which provides more than 17,000 hospital and clinic visits a year. As a HIPAA-covered entity, PSMC is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

One of the provisions of the HIPAA Privacy Rule is to limit access to protected health information to authorized individuals. When an employee is terminated, leaves the organization, or changes job role and is no longer required to have access to PHI, access rights must be terminated. The failure to terminate remote access is a violation of HIPAA Rules and could potentially result in an impermissible disclosure of ePHI.

On June 7, 2013, OCR received a complaint about a former employee of PSMC who continued to have remote access to a web-based scheduling calendar after leaving PSMC. OCR investigated and confirmed remote access to the calendar had continued and that the former employee had accessed the calendar on two occasions on July 8 and September 10, 2013 as a direct result of the failure to de-activate the former employee’s username and password. The calendar contained the electronic protected health information of 557 patients.

Further, the web-based calendar used by PSMC had been provided by a company (Google) that had not signed a business associate agreement with PSMC. Consequently, the use of the calendar in connection with ePHI constituted an impermissible disclosure. Without a BAA in place, PSMC had not received satisfactory assurances that Google would safeguard the ePHI contained in the calendar.

It should be noted that Google Calendar is now a “HIPAA compliant” calendar service, as it is included in Google’s BAA. However, unless a signed BAA is obtained by a covered entity prior to using the service in connection with any ePHI, it constitutes a HIPAA violation.

In addition to the financial penalty, PSMC has agreed to adopt a substantial corrective action plan to address all HIPAA compliance failures, including updating its security management and business associate agreement policies and procedures. Staff must also be trained on those new policies and procedures. The corrective action plan last for two years, during which time PSMC will have to submit annual reports to the HHS on whether it has met its compliance obligations.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino.  “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

The settlement sends a message to all HIPAA covered entities of the importance of ensuring access to ePHI is promptly terminated when it is no longer required and serves as yet another reminder of the importance of making sure that a BAA is entered into with all vendors prior to any disclosure of ePHI.

This is the second OCR financial penalty for a HIPAA violation to be announced this month and the tenth OCR HIPAA penalty of 2018.

The post Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400 appeared first on HIPAA Journal.

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

Posted by HIPAA Journal

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: A violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data

Posted by HIPAA Journal

The American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA) have called for changes to HIPAA to be made to improve patients’ access to their health information, make health data more portable, and to better protect health data in the app ecosystem.

At a Wednesday, December 5, 2018, Capitol Hill briefing session, titled “Unlocking Patient Data – Pulling the Linchpin of Data Exchange and Patient Empowerment,” leaders from AMIA and AHIMA joined other industry experts in a discussion about the impact federal policies are having on the ability of patients to access and use their health information.

Currently, consumers have access to their personal information and integrate and use that information to book travel, find out about prices of products and services from different providers, and conduct reviews and comparisons. However, while many industries have improved access to consumer information, the healthcare industry is behind the times and has so far failed to implement a comparable, patient-centric system.

“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” said AMIA President and CEO Douglas B. Fridsma. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”

AHIMA CEO Wylecia Wiggs Harris said, “AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape… the language in HIPAA complicates these efforts in an electronic world.”

The P in HIPAA does stand for portability, yet patients are still struggling to obtain their health data in a usable form that allows them to share that information with other entities. Health data should be portable, as is the case with other types of consumer information. Changes to HIPAA legislation will help the healthcare sector catch up with other industries.

Changes to HIPAA Required to Support Access and Portability of Health Data

Both AMIA and AHIMA suggest HIPAA needs to be modernized to improve patient access to health data and two options were suggested. One option is the establishment of a new term – “Health Data Set” – that incorporates all data about a patient that is held by a HIPAA-covered entity or business associate, including clinical, biomedical, and claims information.

Alternatively, the definition of a Designated Record Set that is currently used in HIPAA legislation could be updated and for certified health IT to be required to provide that data set in electronic form and in a way that allows patients to use and reuse their data.

Both options would serve as a solution to the problem – The former would support a patient’s right to access their health data and also support the development of the ONC’s certification program in the future to allow patients to view, download, and electronically transmit their health data to third parties through an Application programming interface (API). The update to current record set definition would help to clarify rules for both providers and patients.

HIPAA Right of Access Should be Extended

AMIA and AHIMA also support the extension of the HIPAA individual right of access and amendment to entities that are not covered by HIPAA but manage individual health data: Entities such as companies that develop mHealth apps and health social media applications.

Similar data is created, stored, and transmitted by HIPAA-covered and non-HIPAA-covered entities, yet data access policies differ for both groups. There should be greater uniformity of data access, regardless of what type of entity collects and stores health data.

AMIA and AHIMA also suggest federal regulators should clarify current guidance related to third-party legal requests. “Health Information management (HIM) professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI,” explained AHIMA’s Wylecia Wiggs Harris. “AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications.”

The post AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data appeared first on HIPAA Journal.

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

Posted by HIPAA Journal

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers were able to gain access to its WebChart electronic health record system and highly sensitive patient information – The exact types of data sought by identity thieves – Names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without the need for any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue as the accounts were identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use the accounts. The accounts were set up to enable one of its healthcare provider clients to login without having to use unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware caused network performance to slow to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While investigating the malware attack the attackers were still able to exfiltrate further data through SQL queries demonstrating the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data and no security system had been implemented to alert Medical Informatics Engineering about possible hacking attempts. Had such a system been implemented, it would have been easy to identify unauthorized access as two of the IP addresses used by the attackers originated in Germany.

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.

The post 12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering appeared first on HIPAA Journal.

OCR Fines Florida Contractor Physicians’ Group $500,000 for Multiple HIPAA Compliance Failures

Posted by HIPAA Journal

An HHS’ Office for Civil Rights (OCR) investigation into an impermissible disclosure of PHI by a business associate of a HIPAA-covered entity revealed serious HIPAA compliance failures.

Advanced Care Hospitalists (ACH) is a Lakeland, FL-based contractor physicians’ group that provides internal medicine physicians to nursing homes and hospitals in West Florida. ACH falls under the definition of a HIPAA-covered entity and is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. ACH serves approximately 20,000 patients a year and employed between 39 and 46 staff members per year during the time frame under investigation.

Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice.

A local hospital notified ACH on February 11, 2014 that some patient information – including names, birth dates, Social Security numbers, and some clinical information – was viewable on the First Choice website. The website was shut down the following day.

In April 2014, ACH submitted a breach report to OCR about the impermissible disclosure of patients’ protected health information (PHI). Its breach report stated the PHI of 400 patients had been impermissibly disclosed, but later amended the breach report after it was discovered a further 8,855 patients’ PHI had also been impermissibly disclosed.

OCR investigated the breach and discovered that despite having been in operation since 2005, ACH did not implement any HIPAA Privacy, Security, and Breach Notification Rule policies and procedures before April 1, 2014, and had failed to implement appropriate security measures. ACH also failed to conduct a risk analysis until March 4, 2014.

Even though PHI had been disclosed to the individual providing medical billing services, ACH failed to enter into a business associate agreement with that individual. As a result of the lack of a BAA, ACH impermissibly disclosed the PHI of 9,255 patients to a third party for billing processing services – PHI that was subsequently exposed online.

In addition to paying the $500,000 fine, ACH has agreed to implement a robust corrective action plan to correct all HIPAA compliance failures.

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.

The latest settlement is the ninth OCR HIPAA compliance penalty of 2018. $25,572,000 has been paid to OCR in 2018 to resolve compliance failures.

The post OCR Fines Florida Contractor Physicians’ Group $500,000 for Multiple HIPAA Compliance Failures appeared first on HIPAA Journal.

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

Posted by HIPAA Journal

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and adoption of a more integrated approach to privacy that includes both the healthcare sector and consumer sector.

The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule).

Currently, there is a patchwork of federal and state regulations that complicates compliance and creates information sharing challenges which results in ‘perverse outcomes’ due to different interpretations of existing privacy policies.

AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an example. Pennsylvania and New Jersey are neighboring states, but they have different policies covering HIV/AIDS data. If an HIV/AIDS patient from Pennsylvania was to visit a hospital in New Jersey, information on their HIV/AIDS diagnosis would not be accessible by clinicians in New Jersey, even though the information has high importance in treatment decisions. The patient would also be unlikely to receive their data from the New Jersey hospital to take back to their healthcare provider in Pennsylvania.

“AMIA encourages the administration to ensure that federal rules lay a common foundation across jurisdictional and geographic boundaries while also providing a process for jurisdictions to address local needs and norms.”

In recent years there has been a significant increase in consumer devices and information systems that record similar information to medical devices and healthcare information systems. The line between the two has been blurred. Action is therefore required to develop concordant privacy policies across health and consumer data ecosystems.

HIPAA was introduced 22 years ago in 1996 at a time when healthcare organizations were predominantly using paper records. While HIPAA has been updated to account for the shift to electronic records, AMIA points out that the adoption of health-related technologies that were unavailable in 1996 has resulted in the formation of gaps that now endanger patient privacy.

The changes made to HIPAA through the introduction of the Privacy Rule have ensured that patients have access to their health data and greater control over what is done with that information. What is now required are similar rights and protections for consumers.

While AMA does not suggest that either HIPAA or the Common Rule should be applied to the consumer data ecosystem, both “should serve as important and informative inputs to [the] conversation on consumer data privacy.”

AMA has called for the Federal Trade Commission (FTC) to develop a consumer data strategy that “Supports trust, safety, efficacy, and transparency across the proliferation of commercial and non-proprietary information resources,” and suggests that the time is right to develop an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”

The post AMIA Calls for Greater Alignment of Federal Data Privacy Rules appeared first on HIPAA Journal.