The U.S. Office for Civil Rights just announced a 16th case in which an organization was fined for failing to grant timely access to medical information. For agencies, this is fair warning: If clients ask for copies of any of their own records, it’s very important to grant them prompt access. The Feds announced about a year ago that they planned to focus on this. And indeed they have.
In a new memo, the U.S. Office for Civil Rights (OCR) says that healthcare providers may contact patients who have recovered from COVID-19 to inform them about how they can donate their blood and plasma containing antibodies to help other patients with COVID-19. OCR says this is a permissible disclosure under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The memo explains that HIPAA permits covered health care providers to identify and contact patients who have recovered from COVID-19 for population-based activities relating to improving health, case management, or care coordination. However, without patients’ authorization, the
Quietly, the Feds recently set the stage for a massive expansion of enforcement of privacy rules under the Health Insurance Portability and Accountability Act (HIPAA). The message: If business associates have potential access to any private health information, they should be prepared for the Feds to take enforcement action against them only for any breaches of privacy. In a new memo, the U.S. Office for Civil Rights (OCR) underlines the word “only”. Translation: The Feds’ authority to go after a business associate under HIPAA is nothing new, but, in practice, business associates typically came under scrutiny as an offshoot of
By Diane Evans, Publisher, MyHIPAA Guide A recent study of healthcare by the Clearwater CyberIntelligence Institute (CCI) points to laptops as a major threat to privacy and security breaches within health-related organizations. And yes, that includes I/DD providers. It’s no surprise. Because they are portable, laptops can easily be lost or stolen — often causing a breach of privacy. In some cases — including within the I/DD sector — the devices can be accessed remotely and used to access private health information. Residential providers, be extremely cautious in the use of laptops within your agencies. First, know where all these
An October 2018 story in the Pittsburgh Post-Gazette reports on a $1.8 million fine that an I/DD agency and its pharmacy subsidiaries in PA will pay for dispensing drugs for legitimate medical needs but without valid prescriptions. Read the full story here.
Dear providers, It’s important for you to know that HIPAA compliance covers the cybersecurity measures necessary for EVV. That information is straight from an email issued by ANCOR, which cites the EVV legislation as its source, along with Tim Hill, the Director of CMCS. Last year, as a service to our members, OPRA partnered with MyHIPAA Guide to spearhead the development of a HIPAA compliance program for the residential sector. This is the only program of its kind available for residential providers. The program includes all the materials you need for compliance, plus an option for unlimited phone and email
At the recent annual conference of the Association of Professional Developmental Disability Administrators (APDDA), we had the pleasure of hearing from administrators from facilities in Corpus Christi and San Antonio, Texas and Miami, Florida who spoke about their experiences preparing for and recovering from Hurricane Harvey and Hurricane Irma last fall. Part of building an emergency preparedness plan includes making provisions to meet the needs of residents with disabilities in the event of an evacuation. But! Even in an emergency preparedness plan, a resident’s health information is still protected by the HIPAA Privacy Rule. Check it out! The Department of
Key Point: If you don’t document it, you can’t prove you have followed privacy regulations — meaning you could face penalties. Security policies and procedures are mandated under the Health Insurance Portability and Accountability Act (HIPAA), and the regs are very specific about the policies and procedures you need to implement. Through your documentation of policies and procedures, specify the security measures you have in place and the procedures you have for ensuring daily vigilance. Keep in mind: Document everything, including all assessments, precautions, procedures, actions, findings, and processes covered under HIPAA requirements. Organize your compliance documentation in central locations,
By Justin Buren, OPRA Member While serving as Director of the FBI in 2012, Robert S. Mueller, III famously noted that “there are only two types of businesses: Those who have been hacked and those who will be.” Scarcely a year later, the Target credit card scandal rocked the nation, followed by a chain of data breaches that continues today – with healthcare a primary target. Recently, the Buren Insurance Group, Inc. commissioned the development of a cyber risk assessment survey, geared for small to medium size organizations. The 20-point survey (available on this website or by typing in hipaa.opra.org/quiz/cyber-risk-exposer)
At the start of each new year, it is always good to look back at federal settlements under the Health Insurance Portability and Accountability Act (HIPAA). That is how you know what matters most to the Feds in terms of privacy enforcement. From 2017, here is a short list of key messages to providers: It’s your job to understand HIPAA requirements. Execute Business Associate Agreements with vendors and independent contractors with potential access to private health information. Don’t rest easy because you have security policies; you also need to manage security processes for daily vigilance. If you do experience a privacy
Since federal privacy rules require lots of documentation, a frequently asked question is: How long do we have to keep all the documents that accumulate as a result of compliance with the Health Insurance Portability and Accountability Act (HIPAA)? The answer: Six years — and that means six years after the date of a document’s creation or its most recent effective date. Keep in mind, all HIPAA-related activities must be documented. This includes privacy policies and procedures, privacy notices, resolution of complaints, staff training, business associate agreements and all else pertaining to privacy protections. Source: The U. S. Department of
In one of the HIPAA cases most relevant to the I/DD-Residential sector, a county agency delivering health services to low-income people settled a potential breach by paying out $215,000 to the Feds. The agency serves a rural population of about 120,000 in Skagit County, Washington — where nearly 18 percent of the people live below the federal poverty line according to the most recent labor statistics. As commonly happens, the Feds opened an investigation after receiving a complaint that appeared to result from the unintentional exposure of Private Health Information (PHI) involving only seven individuals. Looking further, the Feds discovered the