HIPAA

When we discuss HIPAA most of the articles have been on security and breaches, but HIPAA goes well beyond privacy and Security.  One aspect of the HIPAA rule is the “Right of Access”.   OCR (The Office for Civil Rights – the branch of HHS the enforces HIPAA) is enforcing this law even more strongly since the 21 Century Cures Act was published.  OCR has begun to levy fines against organizations that are in violation of the “Right of Access” rule.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has released an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Financial institutions, cyber insurance firms, and companies that facilitate payments on behalf of victims may be violating OFAC regulations.

Universal Health Systems was hit with a ransomware attach this week. Their servers began to fail over the weekend and Hospitals across the country completely lost access to their EHR systems. As a result of this attack many facilities were forced to go to pen and paper for medical record keeping. In many locations the nursing staff did not have access to medication lists and had no way ok knowing which medications patients needed, how much to dose, or even who needed medications.

in order to be HIPAA Compliant, you must maintain a "Culture of Compliance" at your office. This can include keeping your software up-to-date, regular required training and addressing risks that pose to your office. This month we address HIPAA training, encrypting your drives and Business Associate Agreements

Very often we have companies that provide us with computer hardware and software support can access our computer systems. The question is how secure are our trusted partners? In this case an Orthopedic Clinic did not properly manage access to their network and it cost them $1.5 million.

Have you encrypted your laptops? No? You should probably start thinking about getting those devices encrypted.

Under the new law known as the 21st Century Cures Act, information blocking is now ILLEGAL. That means if you get a request from another provider for patient information, you are required to provide that information. The Office of Inspector General at OIG can investigate all claims of information blocking by providers and can levy fines and / or enforce Corrective Action Plans (CAP).