HIPAA Updates

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill.

Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud.

Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – a decade after HIPAA was first introduced.

There have been several important dates in the past two decades since HIPAA was originally passed – notably the introduction of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.

The HIPAA Privacy Rule introduced many provisions to better protect the privacy of patients. The Security Rule was primarily concerned with the security of electronic protected health information. The Breach Notification Rule ensures that all breaches of protected health information are reported, while the Omnibus Rule introduced a broad range of changes, including new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Four key updates to HIPAA legislation are detailed below.

The Privacy Rule of HIPAA Passed into Legislature

The Privacy Rule of HIPAA was passed into legislature on December 28, 2000. The official name of the update to HIPAA is the “Standards for Privacy of Individually Identifiable Health Information.” The HIPAA Privacy Rule compliance date was April 14, 2003.

The HIPAA Privacy Rule details the allowable uses and disclosures of protected health information without first obtaining consent from patients. The HIPAA Privacy Rule also gives patients the right to obtain copies of their health data from HIPAA-covered entities.

The Security Rule of HIPAA Passed into Legislature

The Security Rule of HIPAA was passed into legislature on April 21, 2003, although the effective date was not until April 21, 2005. While the HIPAA Privacy Rule was concerned with all forms of protected health information, the HIPAA Security Rule is primarily concerned with the creation, use, storage and transmission of electronic PHI. The HIPAA Security Rule requires administrative, physical, and technical safeguards to be introduced to keep PHI secure. The Security Rule also introduced requirements for when PHI is no longer required.

The Breach Notification Rule of HIPAA Passed into Legislature

The HIPAA Breach Notification Rule came from the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed on February 17, 2009. The HIPAA Breach Notification Rule took effect from August 24, 2009.

The Breach Notification Rule requires HIPAA-covered entities to submit notifications of breaches of protected health information to the Secretary of the Department of Health and Human Services within 60 days of the discovery of a breach if the breach involved 500 or more records. Smaller breaches must still be reported, no later than 60 days after the end of the year in which the breach was discovered. The Breach Notification Rule also requires notifications of a breach to be sent to affected patients within 60 days of the discovery of the breach.

The Omnibus Rule of HIPAA Passed into Legislature

The HIPAA Omnibus Final Rule was issued on January 17, 2013. The HIPAA Omnibus Rule introduced several changes to the HIPAA Privacy, Security, and Breach Notification Rules.

One of the most important changes affected HIPAA business associates – individuals or entities that are contracted to HIPAA-covered entities to provide services that require access to PHI.

Since the passing of the HIPAA Omnibus Rule, business associates of HIPAA-covered entities, and their subcontractors, must implement safeguards to protect ePHI as required by the HIPAA Security Rule. Since the introduction of the Omnibus Rule, business associates of HIPAA-covered entities can be fined directly for HIPAA violations.

Another important update was clarification of “significant harm.” Prior to the introduction of the Omnibus Rule, many covered entities failed to report breaches because they had determined that no significant harm had been caused to patients as a result of the breach. After the Omnibus Rule, covered entities must be able to prove there was no significant harm if they decide not to report a breach.

Infographic Summary of Milestones in the History of HIPAA

In addition to the above major changes to HIPAA legislation, there have been numerous milestones in the history of HIPAA, which have been summarized in the infographic below. The infographic details legislation changes, clarifications of HIPAA Rules, major enforcement actions, and HIPAA audits.

The post In What Year Was HIPAA Passed into Legislature? appeared first on HIPAA Journal.

HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California

The Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires.

As was the case with the waivers issued after Hurricanes Irma and Maria, the limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol, and then only for a period of up to 72 hours following the implementation of that protocol. In the event of the public health emergency declaration ending, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care, even if the 72-hour period has not yet ended.

Whenever the HHS issues a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule, and the Privacy Rule is not suspended. The HHS simply exercises its authority under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act, and will not impose sanctions or penalties against healthcare organizations for the following provisions of the HIPAA Privacy Rule:

  • 45 CFR 164.510(b) – The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • 45 CFR 164.510(a) – The requirement to honor a request to opt out of the facility directory.
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

Even in emergency situations, the HIPAA Privacy Rule permits HIPAA-covered entities to share patients’ PHI to assist in disaster relief efforts and to help ensure patients receive the care they need.

PHI may also be disclosed for the purpose of providing treatment to patients, to coordinate patient care, or when referring patients to other healthcare providers. PHI can be shared for public health activities to allow organizations to carry out their public health missions. Disclosures can be made to family members, friends, and other individuals involved in a patient’s care, as necessary, to identify, locate, or notify family members of the patient’s location, condition, or loss of life. Disclosures can be made to anyone, as necessary, to prevent or lessen a serious injury. Disclosures can also be made to the media about a patient’s general health status, and limited facility directory information can be disclosed for a named patient, provided the patient has not objected to such disclosures.

In all cases, the ‘minimum necessary’ standard applies. Information should be restricted to the minimum necessary information to achieve the specific purpose for which it is disclosed.

Further information on the waiver can be found in the HHS bulletin on this link.

Amida Care Mailing Potentially Revealed HIV Status of its Members

The New York not-for-profit community health plan Amida Care has reported a HIPAA breach that has potentially impacted 6,231 of its members.

Amida Care specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions such as HIV.

On July 25, 2017, Amida Care sent a flyer to some of its members who had contracted HIV, advising them of an opportunity to take part in a HIV research project. The double-sided flyers contained details of the HIV research project on one side, and information on an Amida Care Summer Life Celebration event on the other.

The decision had originally been made to send out the flyer in windowless envelopes, and those instructions were provided to the mailroom. However, due to a fault with the envelope printer, and in order to make sure individuals received the flyer in time, the decision was made to send out the flyer in windowed envelopes.

Care was taken to prevent any sensitive information being visible through the clear plastic windows of the envelopes. A blank sheet of paper was included with the patient’s name and address, which was visible through the window.

However, while that should have prevented any information from being viewed, Amida Care discovered that the words “Your HIV detecta” – which were on the printed flyer – may have been visible through the paper.

Amida has informed all patients who received the mailing of the potential disclosure of sensitive information, which was limited to the above words. No other information was visible through the paper. Amida Care has apologised for the error and has told patients steps have been taken to prevent similar incidents from occurring in the future.

This is the second breach of this nature to have been discovered this summer. In July, Aetna sent a mailing to 12,000 of its members via a third party firm. While the letters were sent inside sealed envelopes, details about prescribed HIV medications were visible through the plastic windows of the envelopes for some of those patients.

Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS

In January 2014, the HHS proposed a new rule for certification of compliance for health plans. The rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with electronic transaction standards set by the HHS under HIPAA Rules. The main aim of the proposed rule – Administrative Simplification: Certification of Compliance for Health Plans – was to promote more consistent testing processes for CHPs. The HHS has now announced that the proposed rule has been withdrawn.

Had the proposed rule made it to the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administrative simplification standards for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The failure to comply with the new rule would have resulted in financial penalties for CHPs.

Most employers’ health plans were handled by their insurance carriers, so the proposed rule would not have affected them directly, although a significant burden would have been placed on self-funded employers by the rule change. Following publication of the proposed rule in the federal register in January 2014, HHS received more than 72 public comments. After examining those comments, the HHS made the decision to withdraw the proposed rule.

HHS will be re-examining the issues raised in the comments and will be exploring options and alternatives to comply with statutory requirements.

The Secretary of the HHS explained that regulations have already been established for compliance with HIPAA administrative simplification standards, and enforcement of compliance with those standards. While the proposed rule has been withdrawn, the HHS has confirmed that covered entities are still required to comply with 45 CFR parts 160 and 162.

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands.

As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

As soon as the 72-hour period has elapsed, or as soon as the Presidential or Secretarial declaration terminates, the waiver ceases to apply and covered entities must comply with the above provisions of the Privacy Rule for all patients still under their care.

Further information on the HIPAA waiver in relation to Hurricane Maria can be viewed here.

In an emergency situation, a waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule is not strictly necessary, although such a waiver does offer some reassurance to covered entities that are operating in a disaster area.

The HHS has pointed out in its recent communication that in emergency situations, covered entities are permitted to share limited protected health information of patients even if a waiver has not been issued, when it is in the best interests of patients to do so, to help identify patients, to help locate family members, and for public health activities. In the case of the latter, it is permissible to share PHI with public health authorities such as a state or local health department or the CDC for the purpose of preventing or controlling disease, injury or disability.

PHI can also be shared for the purposes of treatment, either the treatment of the patient or another person who may be affected by the same situation, as well as to help with the coordination or management of healthcare, such as sharing PHI with other healthcare providers or when referring patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c).

PHI can be shared with anyone, as necessary, to prevent or lessen a serious or imminent threat to the health and safety of a person or the public, if that person is in a position to lessen or prevent the threatened harm. Such disclosures can be made without the patient’s permission. It is left to the discretion of the covered entity to make a determination about the nature and severity of the threat to health – 45 CFR 164.512(j).

Disclosures can be made to family, friends, and other individuals involved in a patient’s care, and information can be shared to help identify, locate, and notify family members, guardians, or others responsible for a patient’s care – 45 CFR 164.510(b).

When others not involved in the treatment of a patient, including the media, request information about a specific patient by name, a HIPAA-covered entity is permitted to disclose “limited facility directory information” and provide general information about the patient such as whether they are in critical or stable condition, are deceased, or have been treated and have left the facility, provided the patient has not requested the information be kept private.

In all cases, any disclosures must be limited to the minimum necessary information to achieve the purpose for which the information is disclosed. At all times, even in emergency situations, the HIPAA Security Rule requirements apply and covered entities must continue to ensure administrative, physical, and technical safeguards are in place to preserve the confidentiality, integrity, and availability of PHI.

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma.

As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma.

OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2004 and Section 1135(b) of the Social Security Act.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

  • 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
  • 45 CFR 164.520 – Distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster protocol. If either the President’s or HHS Secretary’s declaration terminates within that 72-hour time period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.

In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued. Further details of the allowable disclosures in emergency situations are provided in the HHS HIPAA bulletin.

In all cases, covered entities must limit disclosures to the minimum necessary information to achieve the purpose for which PHI is disclosed.

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure appropriate administrative, physical, and technical safeguards are maintained to ensure the confidentiality, integrity, and availability of electronic protected health information to prevent unauthorized access and disclosures.

AHA Urges Congress to Reduce Regulatory Burden on Hospitals

In a recent letter to the House Ways and Means Health Subcommittee, the American Hospital Association (AHA) suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems.

The AHA says the regulatory burden on hospitals and health systems is substantial and unsustainable and increased regulatory activity is making the situation worse.

One example provided refers to the Centers for Medicare & Medicaid Services, which in 2016 released 49 rules related to hospitals and health systems that spanned almost 2,400 pages. There has also been an increase in sub-regulatory guidance such as FAQs and blogs to help hospitals and health systems understand how to implement administrative policies.

In the letter, the AHA points out that “In addition to the sheer volume, the scope of changes required by the new regulations is beginning to outstrip the field’s ability to absorb them.”

The AHA has suggested a number of ways that Congress can take action to immediately reduce the regulatory burden on hospitals, health systems and their patients.

While the suggestions cover many areas, there are two suggestions relating to the Health Insurance Portability and Accountability Act (HIPAA), which the AHA points out negatively affects patient care.

Currently there are barriers that prevent beneficial sharing of patient health data. For example, HIPAA Regulations restrict the sharing of patient data for healthcare operations, including the use of data for quality assessment and improvement activities. The restrictions also apply to outcomes evaluation, activities related to evaluations of provider competence and performance, and to information about patients that has been disclosed to or received by providers that have or have previously had a patient relationship.

The challenge in an integrated health setting is, in many cases, patients do not have a relationship with all of the healthcare providers with whom information must be coordinated.

AHA says “A clinically integrated setting and each of its participating providers must focus on and be accountable for all patients. Moreover, achieving the meaningful quality and efficiency improvements that a clinically integrated setting promises requires that all participating providers be able to share and conduct population-based data analyses.”

AHA suggests that HIPAA should allow all patients’ medical information to be disclosed to and used by all participant providers in an integrated care setting, and that it should not be necessary for a patient to have a direct relationship with all of those organizations that technically use and have access to the data.

The AHA also suggests that all treating providers should be allowed access to patients’ substance use disorder treatment records. Currently, patients must provide consent before treating providers can access those records, which is an obstacle to integrated patient care. Further, in certain situations, not having access to that information can endanger patients’ health.

The AHA suggests Overdose Prevention and Patient Safety Act (H.R. 3545) reforms should be enacted and “fully align requirements for sharing patients’ substance use disorder treatment records with HIPAA regulations that allow the use and disclosure of patient information for treatment, payment and healthcare operations.”

This would ensure that all providers and organizations that have a direct treatment relationship with a patient have access to that individual’s complete medical record, including their history of treatment for substance use disorder.

The AHA also suggested Congress cancel Stage 3 Meaningful Use requirements, pointing out that the regulatory burden on hospitals and health systems is considerable, yet those requirements have no clear benefit to patient care.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human Services may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.
