Health Insurance Portability and accountability act HIPAA and stethoscopeAs an update to our previous post, HHS announced that the deadline to submit comments on their proposed rule to revise HIPAA regulations was extended until May 6, 2021. Changes contemplated by the proposed rule involve relaxing certain privacy standards, strengthening individuals’ rights to access their protected health information (PHI) and other initiatives that

The U.S. Department of Health & Human Services Office of Civil Rights (OCR) announced that it will refrain from imposing penalties for violations of HIPAA for covered entities or business associates participating, in good faith, in the operation of COVID-19 Community-Based Testing Sites during the nationwide public health emergency. The notice related to the relaxation

Section 3221 of the CARES Act ratified fundamental changes to the Public Health Service Act requiring HHS to revise 42 C.F.R. Part 2,  regulations within 12 months. The changes are significant and follow the increasing movement to align the rules that govern the confidentiality requirements of substance use disorder records with HIPAA. Our health law

The Department of Health and Human Services, Office of Civil Rights (OCR) recently released guidance and helpful examples illustrating how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to Essential Providers. Read the full post on our Healthcare

It’s time for year-behind-us reminisces and year-before-us prognostications and, for those of us with nothing better to do during the last few days of 2017 and first few days of 2018, attention turns to HIPAA enforcement. So what happened and what can we look forward to? If past is prologue, expect the sound of silence as there was nominal Office for Civil Rights (OCR) activity in 2017 and, with the one noisy exception, no actions to cause your ears to burn.

Continue Reading HIPAA New Year!

Boxing glovesAnytime we conduct a training, we can’t help but turn blue in the face repeating over and over again the importance of conducting an accurate and thorough risk analysis of electronic PHI (ePHI). In the event of a breach or an audit, one of the first items the Office of Civil Rights (OCR) will ask for is the risk analysis. The OCR has obviously lost its patience for entities that choose or fail to perform an adequate risk analysis. Earlier this month, Advocate Health Care Center (Advocate Health) agreed to pay a massive $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This settlement is the largest to-date against a single entity.
Continue Reading HIPAA punches a serious blow: Advocate Health enters into $5.5-million settlement for violations

School children raising their hands ready to answer the question.

In this series on establishing security classifications for your company’s information, last week’s post looked at one aspect – the widely varying definitions of Protected Information under state PII breach notification statutes. But if your organization is a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), the definition of Protected Health information (PHI) is also a key puzzle piece for your classification scheme.

HIPAA establishes national standards for the use and disclosure of PHI, and also for the safeguarding of individuals’ electronic PHI, by covered entities and business associates. Merely having information commonly thought of as “protected health information” does not mean that HIPAA applies. And there are some surprises in which organizations are – and are not – covered by HIPAA. So, that’s the first question to answer – is your company a HIPAA covered entity or business associate?


Continue Reading Adding more class to Information Governance (Part 2)