Latest HIPAA News

HIPAA Pays Off: Why Invest in Compliance – Free Webinar Aug 17

Are you aware that investing in HIPAA compliance can actually result in increased revenue? Conversely, putting HIPAA compliance on the back burner can be detrimental to the organization.

The HIPAA compliance specialists, Compliancy Group, will be hosting a webinar to explain how investing in compliance can result in increased revenue.

Attendees will learn how and why investing time and money into HIPAA compliance can result in a positive year and will be provided with real-life examples of HIPAA-regulated entities that have invested time and money into their HIPAA compliance programs and have reaped the benefits.

Free Webinar Details

Thursday, August 17, 2023

11:00 a.m. PT ¦ 12:00 p.m. MT ¦ 1:00 pm CT ¦ 2:00 pm ET

Host: Compliancy Group

Speaker: Liam Degnan, Compliancy Group, Director of Strategic Initiatives

Please Use The Form On This Page To Sign Up

The post HIPAA Pays Off: Why Invest in Compliance – Free Webinar Aug 17 appeared first on HIPAA Journal.

HIPAA Compliance Guidelines

We have compiled these HIPAA Compliance Guidelines because HIPAA rules and regulations can be very confusing for healthcare professionals tasked with ensuring HIPAA compliance at their organization.

HIPAA Compliance Guidelines

Please use the form on this page to arrange to receive a free copy of the HIPAA Guidelines Checklist.

HIPAA Guidelines: Seven Elements For Effective Compliance

In 2011, HHS published “The Seven Fundamental Elements Of An Effective Compliance Program”. We have slightly amended it to be more relevant to HIPAA compliance in 2023. Here is a summary of the elements, which we outline in more detail below:

  1. Develop policies and procedures so that day-to-day activities comply with the Privacy Rule.
  2. Designate a Privacy Officer and a Security Officer.
  3. Implement effective training programs.
  4. Ensure channels of communication exist to report violations, and breaches.
  5. Monitor compliance at floor level so poor compliance practices can be nipped in the bud.
  6. Enforce sanctions policies fairly and equally.
  7. Respond promptly to identified or reported violations, and breaches.

You can also read more about the background and history of the Seven Elements here, although this is not necessary.

Next we go over each element in more detail

Element 1: Why Privacy Rule Policies and Procedures?

Although HIPAA compliance consists of complying with all relevant Administrative Simplification Regulations, implementing Security Rule and Breach Notification standards is generally an organizational process not connected with cultivating a culture of compliance. Additionally, the most common HIPAA violations are attributable to failures to comply with the Privacy Rule.

However, it is no longer sufficient to develop policies and procedures that only address permissible uses and disclosures, the minimum necessary standard, and patients’ rights. Covered Entities should ensure Privacy Rule policies and procedures include how to explain to patients what PHI is (and what it isn’t), how to verify an individual’s identity, and how to record requests for privacy protections.

Element 2: The Roles of HIPAA Compliance Officers

It is interesting that the HHS’ Office of Inspector General placed this “tip” in second place after the development of policies and procedures. This would imply the roles of HIPAA compliance officers are to train members of the workforce, monitor compliance, and enforce the organization’s sanctions policy. However, there is quite a lot more involved in being a compliance officer.

In most cases, the HIPAA Privacy Officer will be the point of contact for members of the public and members of the workforce that want to report privacy concerns. Security Officers are generally more responsible for conducting risk assessments, ensuring security solutions are configured properly, and training members of the workforce on how to use the solutions compliantly.

Element 3: What Makes an Effective Training Program?

The effectiveness of the training provided to members of the workforce can make the difference between ticking the box of compliance or cultivating a culture of compliance. To make Privacy Rule training effective, members of the workforce must understand what PHI is, why it has to be protected, and the consequences to patients, employers, and themselves of HIPAA violations.

Security Rule training must be even more focused on the consequences of taking shortcuts, circumnavigating safeguards, and failing to alert managers of a data breach for fear of “getting into trouble”. One way of achieving this is to ask members of the workforce to run personal online credentials through the HIBP database to illustrate the importance of unique, complex passwords.

Element 4: The Importance of Two-Way Communication

While policy making and training has to come from the top down, it is important that any channels of communication relating to HIPAA compliance are also bottom up – not only to raise compliance concerns or report HIPAA violations, but also to provide feedback on what works and what doesn’t on the ground floor, and what new challenges are facing frontline members of the workforce.

This is why it can be important – when resources allow – to have a compliance team consisting of team members that have worked in or have knowledge of how different departments operate. For example, a compliance team consisting solely of lawyers and IT managers may not appreciate the difficulty of protecting the privacy of PHI in front of a grieving family mourning a recent loss.

Element 5: How Most Poor Compliance Practices Develop

Most poor compliance practices result from well-meaning intentions – for example, to “get the job done” or provide a good service to a patient’s family. When minor violations are allowed to continue, poor compliance practices can develop into a culture of non-compliance. This is why it is important identify and address poor compliance practices at the earliest opportunity.

While it is important to have eyes on compliance at floor level, it is also important not to take eyes off compliance at higher levels. Busy managers and senior managers can also be guilty of taking shortcuts with compliance or ignoring non-compliant activities because they do not have the time to “sort it out” – when, in truth, the failure to take action is a failure of management.

Element 6: The Best Sanctions are Not Always Disciplinary

Sanctions policies can often be overwhelming documents threatening all manner of disciplinary actions for non-compliance from warnings to suspensions, to termination of contract and loss of license. Some even include the maximum federal penalties for violations of §1177 of the Social Security Act (up to ten years in prison and up to $250,000 in fines).

Although these sanctions may have to legally be included in a sanctions policy, making them the focus of attention is not necessarily the best way to cultivate a culture of compliance. The threat of additional training is often sufficient to create and maintain a compliant workforce – especially if whole teams have to attend refresher training due to the non-compliance of an individual!

Element 7: Responding Quickly is the Key to Compliance

One of the keys to cultivating a culture of compliance is to respond to queries, issues, complaints, reports of violations, and data breaches as quickly as possible. Responding quickly to any type of communication demonstrates a commitment to compliance and an eagerness to ensure – once a compliant workforce is achieved – the compliant state is maintained.

Responding to queries, issues, complaints, etc. would ordinarily be the responsibility of compliance officers (or teams), but this can lead to the compliance officers being overwhelmed. Consequently, it may be necessary for managers and senior managers to take some responsibility for monitoring compliance and responding to workforce or patient communications.

The post HIPAA Compliance Guidelines appeared first on HIPAA Journal.

HHS Secretary Will Not Renew COVID-19 PHE: HIPAA Enforcement Discretion to End on May 11, 2023

The Secretary of the Department of Health and Human Services (HHS) has announced that he does not plan to renew the COVID-19 Public Health Emergency, which is due to expire on May 11, 2023. The HHS’ Office for Civil Rights (OCR) has confirmed that the Notifications of Enforcement Discretion that were issued in response to the COVID-19 Public Health Emergency will expire one month from today, at 11:59 pm on May 11, 2023.

Four Notifications of Enforcement Discretion were announced by OCR in response to the COVID-19 Public Health Emergency in 2020 and 2021 to support the healthcare sector during the COVID-19 pandemic. Under the Notices of Enforcement Discretion, OCR would refrain from imposing financial penalties for violations of certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The flexibilities introduced by OCR concerned Community-based COVID-19 testing sites, uses and disclosures of protected health information by business associates for public health oversight activities, the use of online or web-based scheduling applications for scheduling individual appointments for COVID-19 vaccinations, and the use of telehealth remote communications that would not, under normal circumstances, be HIPAA-compliant.

OCR had previously stated that it would provide healthcare organizations with sufficient time to come into compliance with the HIPAA Rules regarding telehealth, so while the notice of enforcement discretion ends on May 11, 2023, HIPAA-covered entities will be provided with a three-month – 90-day – transition period, during which time financial penalties will not be imposed for non-compliance with the HIPAA Rules in connection with the good faith provision of telehealth services. The transition period starts on May 12, 2023, and expires at 11:59 pm on August 9, 2023.

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Since the telehealth Notice of Enforcement Discretion took effect, healthcare providers have been able to use any non-public-facing remote communication product for audio and video communication to provide telehealth services, even if those platforms are not HIPAA compliant.  For instance, if a communication platform was used and the provider of that communication platform was unwilling to enter into a business associate agreement with the healthcare provider, the platform could be used without risking a financial penalty.

Now that the Notice of Enforcement Discretion is due to expire, healthcare providers must now enter into a HIPAA-compliant business associate agreement with the provider of the communication platform to be able to continue to use it after August 9, 2023. Healthcare providers should make arrangements to obtain a business associate agreement or transition to a HIPAA-compliant communications platform as soon as possible to prevent any disruption to telehealth services and to avoid financial penalties for non-compliance.

You can view the OCR announcement on this link (PDF).

The post HHS Secretary Will Not Renew COVID-19 PHE: HIPAA Enforcement Discretion to End on May 11, 2023 appeared first on HIPAA Journal.

What Gets Overlooked For HIPAA Compliant Email Retention?

In this post, we cover the 5 Requirements for HIPAA Compliant Email Retention.

In a recent survey, we discovered that HIPAA compliant email retention is often overlooked and incorrectly implemented when organizations consider their overall HIPAA data retention requirements.

Email Retention Of PHI

Because Covered Entities email out Protected Health Information (PHI), all emails containing that information, either in the body text or as an attachment, must comply with the following HIPAA regulations:

  • Emails must be securely backed up and retained for a minimum of six years as per the HIPAA Security rule.
  • Specific access and audit controls must be implemented to safeguard the integrity of PHI in emails.
  • A system needs to be in place to prevent improper modification or deletion of emails.

Regular email solutions do not cover these HIPAA requirements. While some solutions such as Office 365 can include email backups, these are not sufficient for full HIPAA email compliance.

As an example of how HIPAA compliant email needs to be implemented we examined a leading HIPAA email retention solution (ArcTitan from TitanHQ) and rated its functionality based on HIPAA compliance requirements. Included below is the review summary and details of exactly how any HIPAA compliant email solution needs to work. You can read the full review here.

Review Summary

  • ArcTitan from TitanHQ is a seamless, easy-to-implement, and cost-effective email retention solution that has been designed for HIPAA compliant email retention requirements.
  • ArcTitan works robustly for any size of Covered Entity or Business Associate, protecting all emails with PHI, and covering all the necessary HIPAA retention requirements.

The 5 Requirements for HIPAA Compliant Email Archiving

Here are the 5 specific ways ArcTitan is HIPAA compliant for email retention, and which must be covered for full HIPAA email compliance.

1. Encrypted Storage

ArcTitan encrypts all emails in its secure data centers, ensuring that PHI is protected from unauthorized access. In addition, ArcTitan provides data loss prevention mechanisms, such as email audit functionality. This guarantees emails have not been altered or deleted and also prevents the destruction of emails by a dishonest or malcontent employee.

2. Retention Policies

ArcTitan enables Covered Entities to implement retention policies for email archiving. In this way, organizations can ensure that emails are retained for the correct period of time as required by HIPAA rules.

What is often overlooked is that most organizations’ email systems are centered around specific email usage on a per-employee basis, and when a person leaves their email address and emails are often deleted. This can invertedly break HIPAA rules unless the departed employee’s emails are backed up and retained for six years as part of the retention policy.

3. Search Capabilities

Emails are automatically placed in a cloud-based secure archive using sophisticated indexing. Unlike a simple data backup, ArcTitan uses the indexing to include a powerful search facility. to enable organizations to quickly and easily search through their email archives. It can be very time consuming to find and recover individual emails with regular backup systems often taking weeks and tying up IT resources.

4. Compliance Reporting & Audit Trails

Organizations can easily demonstrate their compliance with HIPAA rules for email with ArcTitan’s comprehensive reporting and audit trails of all email activity which use ID authentication. This can be very important if an organization is required involved in litigation, needs to confirm proof of delivery, or to comply with an audit request from the Department of Health and Human Services.

5. Access Controls

Access to archived emails on ArcTitan is limited to authorized personnel, known as Data Guardians, thanks to the platform’s strong access controls. Additionally, Data Guardians are responsible for managing legal hold and deletion requests.

You can read the full review here which contains more details of pricing, technical specifications and non HIPAA benefits to organizations.

The post What Gets Overlooked For HIPAA Compliant Email Retention? appeared first on HIPAA Journal.

Webinar: Lessons and Examples of 2022’s HIPAA Breaches and Fines

In 2022 the Office for Civil Rights (OCR) did not slow down its enforcement actions. Over 55% of HIPAA fines in 2022 were levied against small medical practices.

Watch this recorded webinar to learn about:

  • The breaches and fines of 2022 (what caused them and who was affected).
  • How to protect yourself from committing a breach in 2023 and avoid a large fine.
  • What we expect the main HIPAA issues to be in 2023 and what to look out for.

Please fill in the form to be immediately directed to the video.

HIPAA has by now become an essential part of an organization’s culture, affecting many aspects of how business is conducted. HIPAA regulations are continuously being modified, and it is therefore essential to keep up-to-speed with the latest changes.

The post Webinar: Lessons and Examples of 2022’s HIPAA Breaches and Fines appeared first on HIPAA Journal.

National HIPAA Summit – Reader Offer Discount Code

The National HIPAA Summit is the leading forum on healthcare EDI, privacy, breach notification, confidentiality, data security, and HIPAA compliance, and the deadline for registration for the Virtual 40th National HIPAA Summit is fast approaching. The event provides a tremendous opportunity for learning through HIPAA workforce training sessions and keynote speeches from top government officials and leading industry professionals.

Reader Offer: $100 Off Registration Fee

The HIPAA Journal has a $100 discount for readers. Enter “HIPAAJournal” (not case sensitive) on the Registration Page.  This is a reader offer for the benefit of The HIPAA Journal readers. (Not a sponsored post, or an affiliate link)

Register for the Virtual 40th National HIPAA Summit Here

Attendees will gain valuable insights into health information privacy, healthcare cybersecurity, HIPAA enforcement, and a wealth of information to help them maintain HIPAA compliance and take healthcare data privacy and security to the next level.

This year, the HIPAA Summit is being co-chaired by:

  • Adam Greene, JD, MPH – Partner and Co-chair, Health Information & HIPAA Practice, Davis Wright Tremaine LLP, HIPAA Summit Distinguished Service Award Winner, Former Senior Health Information Technology and Privacy Specialist, Office for Civil Rights, HHS, Washington, DC
  • Kirk J. Nahra, JD – Partner and Co-chair of the Privacy and Cybersecurity Practice, Wilmer Hale, Adjunct Professor, American University Washington College of Law, Washington, DC
  • Iliana Peters, JD, LLM – Shareholder, Polsinelli, Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services, Washington, DC
  • Robert M. Tennant, MA – Vice President, Federal Affairs, Workgroup for Electronic Data Interchange (WEDI); Former Director, HIT Policy, Medical Group Management Association; Washington, DC

Virtual 40th National HIPAA Summit – March 7-10, 2023

The Virtual 40th National HIPAA Summit runs March 7-10, 2023, and is split into several mini-summit groups. These groups cover privacy and HIPAA compliance best practices, HIPAA breach trends, and HIPAA enforcement initiatives and breach trends. This year summit groups covering post-Dobbs reproductive health information privacy, Privacy risks from website tracking technologies, current and emerging security risks, medical and wearable device cybersecurity, incident response and breach notification best practices, privacy and security in the metaverse, business associate compliance and risk management, lessons learned from healthcare ransomware attacks, and more.

Government Keynote Speakers

  • Nicholas Heesters, MEng, JD, CIPP – Senior Advisor for Cybersecurity, Office for Civil Rights, US Department of Health and Human Services, Philadelphia, PA
  • Melanie Fontes Rainer, MSME, JD – Director, Office for Civil Rights, HHS; Former Senior Advisor, Healthcare to Attorney General, CA DOJ; Former Chief of Staff, Medicare-Medicaid Coordination Office, Centers for Medicare & Medicaid Services, Washington, DC
  • Micky Tripathi, MPP, PhD – National Coordinator for Health Information Technology, US Department of Health and Human Services, Washington, DC
  • Elisa K. Jillson, JD – Counsel to the Director, Bureau of Consumer Protection, U.S. Federal Trade Commission, Washington, DC

Keynote Speakers

  • Patrice Ettinger, JD, CIPP/US – Chief Privacy Officer, Pfizer; Past Chair, International Association of Privacy Professionals; Former Chief Privacy Officer, Avon, New York, NY
  • Sally Greenberg – Executive Director, National Consumers League; Former Senior Product Safety Counsel, Consumers Union; Former Eastern States Civil Rights Counsel, Anti-Defamation League, Washington, DC
  • Trevor Hughes, JD, CIPP – President and Chief Executive Officer, International Association of Privacy Professionals; Former Executive Director, Network Advertising Initiative and Email Sender and Provider Coalition, Boston, MA
  • Walter E. Johnson, MS, CCEP, CCEP-I, CHC, CHPC – Assistant Privacy Officer, Inova Health System; President, Health Care Compliance Association, Washington, DC
  • Deven McGraw, JD, MPH, LLM – Cofounder and Lead, Data Stewardship & Data Sharing, Invitae; Former Deputy Director, Health Information Privacy, OCR, HHS, Redwood City, CA
  • Faith Myers, JD – Chief Privacy Officer & Vice President, Global Privacy, McKesson; Chief Privacy Officer & Senior Vice President, Compliance Officer, CoverMyMeds, Smyrna, GA
  • Jules Polonetsky, JD – Chief Executive Officer, Future of Privacy Forum; Former Chief Privacy Officer, AOL and DoubleClick; Former Consumer Affairs Commissioner, New York City; Former Member, New York State Assembly; Former Legislative Aide, Congressman Charles Schumer, Washington, DC
  • Daniel J. Solove, JD – John Marshall Harlan Research Professor of Law, George Washington University Law School; Founder, TeachPrivacy; Author, Understanding Privacy; Information Privacy Law The Future of Reputation: Gossip, Rumor, and Privacy on the Internet and The Digital Person: Technology and Privacy in the Information Age, Washington, DC
  • Gerry Zack, MBA, CPA, CFE, CIA, CRMA – Chief Executive Officer, Health Care Compliance Association (HCCA) and Society of Corporate Compliance and Ethics (SCCE); Former Chair, Association of Certified Fraud Examiners (ACFE), Minneapolis, MN

On Tuesday, February 28, 2023, there is an opportunity for professional certification preconference certified cyber security architect (CCSA) training (separate registration required). This will be followed by the preconference basic training day on March 2, 2023. The pre-conference basic training day is included in the basic HIPAA Summit registration and includes 8 training sessions, followed by a HIPAA Workforce Training Faculty Q&A.

2023 HIPAA Summit – HIPAA Workforce Training Sessions

  • HIPAA Privacy Basics – Adam Greene, JD, MPH
  • Breach Notification Rule and HIPAA Enforcement Rule Basics – Iliana Peters, JD, LLM
  • HIPAA Workforce Training 3: HIPAA Security Basics – David Holtzman, JD, CIPP/US/G
  • How to Achieve the Right Balance of Data Privacy and IT Security – Pamela Hrubey, DrPH, CIPM, CIPP/US, CCEP
  • Business Associate Basics – John Haskell, JD
  • Basics of State Privacy and Security Laws and Relationship to Federal Regulation – Sheila Sokolowski, JD
  • The Basics of Information Blocking – Jodi Daniel, JD, MPH
  • HIPAA Administrative Transactions Basics – Robert M. Tennant, MA

The full schedule for the event can be downloaded here – HIPAA Summit Schedule (PDF). The event will be live-streamed, and an archive of the webcast will be made available to registered individuals for several months after the event for workforce training purposes.


Reader Offer: $100 discount

The HIPAA Journal has a $100 discount for readers simply enter “HIPAAJournal” (not case sensitive) on the Registration Page.

Register for the Virtual 40th National HIPAA Summit Here

This is a reader offer for the benefit of The HIPAA Journal readers. This is not a sponsored post, this is not an affiliate link, The HIPAA Journal has no financial arrangement with The HIPAA Summit.

The post National HIPAA Summit – Reader Offer Discount Code appeared first on HIPAA Journal.

Editorial: Benefits of HIPAA for Healthcare Organizations

One of the problems with developing legislation for the entire healthcare industry is rules must be written for organizations of different sizes, with vastly different business models, budgets, staffing levels, and capabilities. Rules need to be written that are sufficiently flexible to accommodate this variety and be appropriate for all organizations and their unique operating structures.

One of the challenges with developing HIPAA was to create rules that would correct inefficiencies and get the healthcare system working more harmoniously. They also needed to stand the test of time and be flexible enough to accommodate changes that could not be envisaged when the legislation was signed into law. When the Privacy and Security requirements were introduced, they needed to be specific enough to serve as a practical framework for healthcare organizations to follow yet be flexible enough to account for changes in technology and operating practices over time.

This was vital as the process of updating legislation is simply too slow to allow for regular changes to be made. The HHS needs to issue a request for information to find out what needs to change, process the feedback, then a notice of proposed rulemaking, review the comments on the proposed changes, pen the final rule, issue that rule, and provide sufficient time for healthcare organizations to comply with the changes. That process spans several years, yet working practices evolve and new technology is constantly being introduced.

The way that HIPAA needed to be written has naturally led to the legislation receiving a lot of criticism. HIPAA has been criticized for having too many requirements and also not enough in certain areas, and for being too inflexible and difficult to interpret, and challenging to comply with. Despite the challenges of compliance and the gaps in HIPAA, the legislation has provided many benefits for healthcare organizations, healthcare professionals, patients, and health plan members. The legislation is far from perfect and HIPAA is in desperate need of updating – new HIPAA regulations will soon be introduced – but in its current form, the benefits of this important legislative act far outweigh any disadvantages.

In this article – and the next two in the series – I will explain the benefits of HIPAA and how the proposed Privacy Rule changes will help to address some of the current pain points and should significantly improve HIPAA for healthcare organizations, their employees, patients and members. You can read about the benefits of HIPAA for healthcare professionals here.

How HIPAA has Benefited Healthcare Organizations

HIPAA was signed into law more than 25 years ago in 1996 before many current healthcare workers had even been born. For those in the industry old enough to remember, at that time there was a desperate need to improve efficiency in the healthcare industry, as a huge amount of time and effort was wasted on inefficient manual processes, the cost of which was driving up the cost of healthcare at an unsustainable level.

HIPAA improved efficiency by standardizing healthcare transactions across the industry, including requiring all healthcare organizations to use the same standard code sets and follow standard administrative practices. Not only did the standards introduced by the HIPAA Administrative Simplification Rules help to eliminate waste and reduce the administrative burden on healthcare organizations, they have also helped to improve patient safety by reducing the potential for medical errors by making it easier to match records with the right patients. Before the introduction of HIPAA, healthcare fraud was rife and was costing the healthcare industry around $7 billion a year. The standardization of healthcare transactions has helped to reduce significantly reduce fraud.

The introduction of the HIPAA Privacy, Security, and Breach Notification Rules brought many benefits to healthcare organizations, but also some of the biggest pain points for HIPAA-covered entities. These updates required considerable changes to working practices and came with a significant administrative burden. HIPAA set clear – and sometimes not so clear – rules on how health information can be used and disclosed, how health information must be handled, and the policies and procedures that need to be implemented to ensure the confidentiality, integrity, and availability of protected health information. The HIPAA Privacy Rule has empowered patients to take a much more active role in their healthcare, allowing them to check their medical records for errors and get any errors corrected, which has helped to reduce the risk of medical errors and improve patient outcomes, which naturally has many benefits for healthcare organizations. By having standard rules in place, patients have the same rights no matter where they obtain care, and the safeguards to ensure the confidentiality of health information have helped to build trust between patients and their healthcare providers.

The HIPAA Security Rule set standards for all covered entities to follow to ensure the confidentiality, integrity, and availability of electronic health information and helped healthcare providers successfully transition from paper records and charts to electronic health records and encouraged the adoption of new technologies for improving efficiency and the quality of care in a safe and secure way. The HIPAA Security Rule was not meant to be a comprehensive checklist of every security measure that should be considered or implemented, rather it is a set of minimum standards for security that must be achieved. By adopting those standards, healthcare organizations have prevented many data breaches and avoided the considerable costs of those breaches. Many of the data breaches now being reported are due to employee errors and non-compliance with the HIPAA Security Rule.

The HIPAA Breach Notification Rule provides important benefits to patients, but there are also benefits for healthcare organizations. Compliance with this aspect of HIPAA ensures transparency about unauthorized access and disclosures of protected health information and promptly notifying patients about data breaches – which are often out of the control of healthcare organizations –can improve trust in healthcare organizations and reduce the reputational damage caused by data breaches. Importantly, HIPAA lacks a private cause of action, which helps HIPAA-covered entities avoid the considerable legal costs of defending lawsuits from patients who believe their privacy has been violated.

How the Proposed Updates to the HIPAA Privacy Rule will Benefit Healthcare Organizations

While the HIPAA Rules lack specificity in certain areas and incorporate flexibilities to avoid the need for regular updates, updates to HIPAA are required to accommodate changes in working practices and advances in technology, and to correct the elements that are either not achieving the purpose they were intended to or are no longer important. There has also been considerable criticism over the years that HIPAA continues to place an unnecessary administrative burden on healthcare organizations. After issuing an RFI, OCR published a Notice of Proposed Rulemaking in 2021 to update the HIPAA Privacy Rule, mostly to strengthen individuals’ rights to access their own health information and to reduce the administrative burden on healthcare organizations.

These Privacy Rule changes should help to improve information sharing, which will make patient care coordination and case management easier, including the coordination and management of care through social and community services. The updates will also facilitate family and caregiver involvement in the care of individuals that are experiencing emergencies or health crises. The restrictions of HIPAA have been clear became clear throughout the opioid and COVID-19 public health emergencies. The update helps to address this by incorporating flexibilities to permit disclosures in emergencies and threatening circumstances. These updates will help healthcare providers deliver better care and improve patient outcomes.

The amount of paperwork involved in providing healthcare also needed to be addressed. Finally, some of the time-consuming tasks that healthcare organizations still need to perform manually are being eliminated, such as the requirement for a covered entity to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and retain copies of that documentation for 6 years.

Any update to HIPAA comes with a considerable workload initially but the benefits should be felt quickly. OCR believes the efficiencies introduced by the Privacy Rule changes will help to save $3.2 billion over five years, thus limiting the increase in the cost of healthcare. The Final Rule has yet to be published in the Federal Register, but that should finally happen in 2023.

Healthcare Organizations are Still Struggling with HIPAA Compliance After 26 Years

HIPAA has been in effect for 26 years, the Privacy and Security Rules for two decades, and the Omnibus Rule and Breach Notification Rules for 14 years, yet HIPAA compliance is still proving to be a challenge for many healthcare organizations.

One of the common complaints about HIPAA that makes compliance complicated is the frequent use of terms use as reasonable… exercise reasonable diligence, implement reasonable and appropriate policies and procedures, reduce risks and vulnerabilities to a reasonable and appropriate level. There are also ‘required’ and ‘addressable’ provisions, where addressable provisions are still required elements of compliance, in some form. These flexibilities are what make HIPAA workable for such a wide range of healthcare organizations and stay relevant, but they can present significant challenges for healthcare organizations, especially smaller practices that lack the staff and resources to devote to compliance.

One of the ways that many smaller healthcare organizations have simplified compliance and ensured all the i’s are dotted and t’s are crossed is by using HIPAA compliance software. These software solutions guide healthcare organizations through compliance with all aspects of the HIPAA Rules, eliminating the guesswork and making sure that no provisions are overlooked. The software can be used to achieve compliance and maintain the compliance program, prompting risk analyses, updates, and training, and ensuring compliance efforts are fully documented to ensure painless audits and investigations.

Security Rule compliance can be particularly challenging, as the Security Rule does not provide specifics about technologies that should be used to protect healthcare data. Many healthcare organizations have simplified compliance and gone above and beyond the requirements of HIPAA by adopting a cybersecurity framework. Frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and the HITRUST Cybersecurity Framework provide structure, transparency, and guidance for achieving compliance with HIPAA and other privacy and security regulations and provide clarity and consistency while reducing the burden of compliance.

In 2021, the HITECH Act received an update to encourage the adoption of recognized security practices such as those developed under section 405(d) of the Cybersecurity Act of 2015 and covered by these cybersecurity frameworks to improve cybersecurity across the healthcare industry. The update provides incentives in the form of reduced penalties and sanctions and shorter audits and investigations by OCR, which considers the adoption of recognized security practices as a mitigating factor when making determinations about HIPAA Security Rule violations and data breaches.

HIPAA is Only the First Step

The main benefits of HIPAA for healthcare organizations are improvements in efficiency through standardized working practices which eliminate waste, improve patient safety, and boost profits. HIPAA compliance fosters trust between providers and patients and health plans and their members and helps to improve patient outcomes, increase patient and client loyalty, and improve retention.

However, HIPAA is just a set of minimum standards for privacy and security, so HIPAA compliance can be viewed as only the first step. Adopting a cybersecurity framework and implementing recognized security practices will further strengthen an organization’s security posture, and thanks to the HITECH Act update, there is now an added incentive for doing this.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Healthcare Organizations appeared first on HIPAA Journal.

Captify Health Suffers 3-Year Breach of its Your Patient Advisor Website

Captify Health has recently started notifying users of its Your Patient Advisor online service that their sensitive information has been exposed and obtained by unauthorized individuals. In some cases, credit card information was stolen and misused. Captify Health prepares patients for their colonoscopy procedures by providing the colonoscopy preparation products recommended by doctors through its Your Patient Advisor service. As an online retailer, Captify Health collects customer information and processes debit/credit card payments through the website.

An external investigation into credit card fraud pointed to Captify Health as the source of a data breach. Captify Health was informed in March 2021 about the potential breach and conducted an internal investigation, with assistance provided by a third-party digital forensics firm. Malicious code was identified on the website which was transmitting the data of its customers to a third-party server. That information included full names, addresses, birth dates, payment card numbers, expiration dates, and security codes.

The forensic investigation revealed the initial breach of its website occurred on May 26, 2019, and lasted until April 20, 2021. During those 3 years, 244,296 individuals had used its service and potentially had their sensitive information stolen. According to the breach notification letters, sent via the Californian law firm Lewis Brisbois Bisgaard & Smith, there was an extensive investigation into a potential breach and it was determined on October 13, 2022, that malicious code had been added to its website. The affected individuals were then identified and contact information was verified, and breach notification letters were sent on December 16, 2022.

Captify Health said in its notification letters that “out of an abundance of caution, we have taken steps to ensure our platform is safe and secure for all purchases.” It is unclear how many individuals affected by the breach have experienced misuse of their credit card information. Captify Health has recommended customers carefully review their account statements for signs of fraudulent activity.

Retailers are often targeted to gain access to payment card information, as happened with the attack on the retailer Target, which resulted in the theft of the credit card details of 40 million customers via malware on its point-of-sale system. What stands out in the Captify Health breach is the length of time it took to identify the breach – almost three years; the time taken to investigate the potential breach and confirm a data breach had occurred – 19 months; and the time it took to issue notifications to affected individuals – more than two months (64 days) after confirming malicious code was confirmed as being present on its website, and 21 months after Captify Health was first notified about fraudulent credit card use.

The incident was reported to the Maine Attorney General on December 16, 2022, but it is not yet showing on the HHS’ Office for Civil Rights breach portal. Captify Health states in its website privacy policy that it is in full compliance with the HIPAA regulations and signs business associate agreements with doctors that use its service, which indicates the company is a business associate under HIPAA. A breach such as this has significant potential to cause serious reputational damage and puts Captify Health at risk of regulatory fines.

The post Captify Health Suffers 3-Year Breach of its Your Patient Advisor Website appeared first on HIPAA Journal.