A knowledge of HIPAA Law is not only essential for any business operating in the healthcare and health insurance industries (known as HIPAA-Covered Entities), it is also essential for any business providing a service for a Covered Entity that has access to Protected Health Information.
It is no understatement to say HIPAA Law is complicated. Due to the large number of scenarios it may cover, the language of the Health Insurance Portability and Accountability Act is “non-specific” and “technology neutral”, and thus open to different interpretations depending on the nature of the Covered Entity´s or service provider´s business.
Key to compliance with HIPAA Law is documentation. Everything from risk assessments to training schedules must be documented and kept for a minimum of six years. It is also necessary to document the reasons why a specific action has not been taken – for example when an “addressable” security safeguard has not been implemented.
All businesses and organizations subject to HIPAA Law are at risk of significant penalties if a violation of HIPAA occurs due to “wilful neglect” (i.e. knowing that a regulation existed, but failing to do anything about it). Therefore, not only is a knowledge of HIPAA Law essential, but also that the requirements of the law are acted upon.
Under Federal Regulations, specifically 45 CFR 164.308 – the HIPAA Security Rule’s Administrative Safeguards – HIPAA covered entities must appoint a HIPAA Security Officer. The Security Officer must develop and introduce internal policies and processes to safeguard the integrity of electronic protected health information (ePHI). IT managers are commonly put in this role as ePHI … Read more
All staff members should have been trained on their obligations under HIPAA Rules, but how and when should awareness and knowledge of HIPAA be promoted and increased? How regularly should refresher courses or further training be given? The various organizations subject to HIPAA Rules – covered entities, their business associates, and others – are required … Read more
Despite the best efforts of healthcare organizations and their business associates to protect data and follow HIPAA’s Security, Privacy, and Breach Notification Rules, information breaches can and do still happen. While cybercriminals are the breach bogeymen for most business sectors, healthcare often finds itself let down by its own staff. Even with the best procedures … Read more
Even some of the more basic aspects of the Health Insurance Portability and Accountability Act (HIPAA) can be difficult to understand, but when it comes to self-insured or self-administered health group plans, the level of complexity goes up a notch. Under HIPAA, healthcare clearing houses, providers, and health plans (referred to as covered entities), are … Read more
The HIPAA Privacy Rule puts a number of restrictions in place to keep protected health information (PHI) secure. This also hampers healthcare organizations’ ability to share information. A way to share data while remaining HIPAA compliant could be the de-identification of information. PHI that has been de-identified has had its identifying elements removed. HIPAA’s Privacy … Read more
Last year, Deven McGraw of the Department of Health and Human Services’ Office for Civil Rights (OCR) spoke about 2017’s HIPAA guidance. In 2016, the Joint Commission revised their position by allowing the use of text messages for orders, but this was quickly banned again. Later that year the Joint Commission again changed the ruling … Read more
Personal phones are increasingly finding themselves being used by healthcare professional to share patient data with care teams. This is an obvious breach of HIPAA Rules. Even if the data is sent to authorized individuals, the use of insecure and unencrypted networks to share sensitive information such as test results and patient data is a … Read more
Texting and HIPAA Compliance for Call Centers Any company that provides an answering or call-forwarding service for the healthcare sector needs to be aware of their obligations under the Health Insurance Portability and Accountability Act (HIPAA). Following the introduction of the Final Omnibus Rule in 2013, companies that provide services relating to the processing, sharing, … Read more
The Majority of SMS Messages Violate HIPAA There is no specific rule under HIPAA that outlaws protected health information (PHI) being sent via SMS – “Short Message Service”. However, there are a number of criteria that must be met for the use of SMS to send PHI to be HIPAA compliant. Many SMS messages violate … Read more
Google Docs and Google Drive are tools that facilitate document sharing, but can they be used to share documents containing protected health information (PHI)? Is using Google Docs HIPAA compliant? Is using Google Docs HIPAA compliant? The answer to whether using Google Docs is HIPAA compliant or not is both yes and no. Whether a … Read more
The ability to sign documents electronically has led to gains in efficiency in many industries, including the healthcare sector. However, there is still doubt over whether e-signatures are acceptable under HIPAA rules. The simple answer is “yes, they are acceptable and can be used”, but steps must be taken to validate the security and legal … Read more
Under the Healthcare Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities and business associates must appoint a person (or persons) to the role of HIPAA Compliance Officer. A current employee can be appointed or a new role can be created. The Compliance Officer position can even be filled by outsourcing the duties temporarily or … Read more
A North Audubon Hospital registered nurse had her employment contract terminated as a penalty following an allegation by a patient that she had violated HIPAA regulations. Dianna Hereford contested the termination on the grounds of a HIPAA violation by filing an action in Jefferson Circuit Court and stating she had “strictly complied with HIPAA regulations”. … Read more
Almost every HIPAA covered entity, as well as their business associates and the healthcare professionals they employ, does their utmost to guaranteed HIPAA rules are respected – but what happens when an unintentional HIPAA violation occurs? What should covered entities, healthcare employees, and business associates do? How Should Healthcare Employees Report an Unintended HIPAA Violation? … Read more
Can mobile devices be used to transmit health information under HIPAA? Mobile devices such as smartphones, tablets, and other portable devices have transformed the way people work and send information. Healthcare providers and HIPAA-covered entities are no exception and mobile devices can be found in almost every health facility. Sharing information via mobile data may … Read more
The Health Insurance Portability and Accountability Act, commonly know as HIPAA, has probably been the most significant set of regulations to impact the healthcare industry since it first came into law in 1996. Despite this, there are still a number of insurers and healthcare providers that do not fully understand their requirements under HIPAA, especially … Read more
Dropbox offers healthcare organizations a simple tool to store and share files, but is Dropbox HIPAA compliant? Can entities use Dropbox to save or transfer protected health information (PHI)? Is Dropbox HIPAA Complaint? Dropbox offers a service where files can be saved to cloud storage and shared with other users. Many individuals and companies share … Read more
Skype and similar messaging platforms are useful tools to rapidly share information, but is Skype compliant with HIPAA regulations? Would sending protected health information (PHI) via Skype as part of an electronic text message violate HIPAA rules? Currently, the topic of whether Skype is HIPAA compliant is up for debate. While messages are encrypted and … Read more
Is it possible for patients to sue or file lawsuits for a HIPAA violation? As there is no private cause of action in HIPAA, it is not possible for a patient to sue for a HIPAA violation under HIPAA rules. Patients are not entitled to seek damages for violation of HIPAA rules even in cases … Read more
HIPAA password requirements call for a number of processes to be established to create, modify, and protect passwords if no other equally effective security option is in use. We advise the use of two factor authentication as the optimal method to comply with HIPAA password requirements. The HIPAA Security Rule outlines the HIPAA password requirements … Read more
What is a HIPAA Texting Policy? A HIPAA Texting Policy is a guide or set of procedures that should be drawn up following a review of methods used by staff, medical professionals, and business associates to transmit protected health information (PHI). Any risks that have been identified during the review should be addressed by the … Read more
Cloud storage offers a number of benefits to companies in many industries, but can covered entities in the healthcare industry use Microsoft OneDrive? Is OneDrive HIPAA compliant? Microsoft Office 365 Business Essentials is a standard software package that is successfully used by healthcare providers. It also includes an online exchange for email. Another feature of … Read more
Every healthcare employee should know how to report a HIPAA violation, who they should report the violation to, and if the violation warrants a report to the Department of Health and Human Services’ Office for Civil Rights (OCR). HIPAA covered entities and their business associates are obliged to investigate any possible HIPAA violation that occurs … Read more
The Health Insurance Portability and Accountability Act, commonly known as HIPAA, is a law that people often talk about, but why is HIPAA so important? What did HIPAA change and how does it impact patients and the healthcare industry? HIPAA came into effect in 1996 with the goal of addressing the issue of health insurance … Read more
For the moment, Amazon’s Alexa is not HIPAA compliant. This reduces its utility to those in the healthcare field. This is surely only temporary and a HIPAA compliant version may be on its way. Amazon’s cloud platform, Amazon Web Services (AWS), can be used in compliance with HIPAA, and Amazon are said to be interested … Read more
Google Voice is a telephony service from Google used by people as a call forwarding and messaging service, among other functions. Many are asking the question of whether Google Voice is HIPAA compliant or not – can it be used by healthcare employees in compliance with HIPAA rules? Is Google Voice HIPAA compliant? Google Voice … Read more
Following the introduction of end-to-end encryption, many Covered Entities are wondering is WhatsApp HIPAA compliant. Although end-to-end encryption protects PHI during transit, the popular messaging app does not include all the features required to comply with the Health Insurance Portability and Accountability Act. It is a common misconception that encryption alone make an app HIPAA … Read more
Although Microsoft has developed a number of products to meet the needs of businesses in regulated industries, not all are HIPAA compliant. Is Microsoft Outlook HIPAA compliant? That depends on the version of Outlook used, how it is configured, and the content of the Business Associate Agreement supporting the service. As HIPAA is technology neutral, … Read more
Although the Health Insurance Portability and Accountability Act stipulates employee training is mandatory, neither the Privacy Rule not the Security Rule provide guidelines regarding the HIPAA training requirements. This can be a significant obstacle to Covered Entities working towards HIPAA compliance. Businesses in the healthcare and health insurance industries (Covered Entities) and businesses providing services … Read more
To answer the question Is Slack HIPAA Compliant, one has to look at its functions and, more importantly, the mechanisms it has in place to protect the integrity of Protected Health Information at rest and in transit. Also, one has to look at the content of the company´s Business Associate Agreement. Slack – an acronym … Read more
Google Hangouts is one among many apps, social media tools, and messaging services that healthcare professionals want to use to share protected health information (PHI). Is Google Hangouts HIPAA compliant and can it be used to share PHI? Is Google Hangouts HIPAA Compliant? Healthcare organizations use a range of Google services every day. Google Hangouts, … Read more
Is Facebook Messenger HIPAA compliant and can it be used by healthcare professionals to share protected health information (PHI) in compliance with HIPAA Rules? Healthcare professionals are increasingly using non-traditional communication tools and platforms. Many are wondering if these platforms can be used to share PHI. Somewhat thanks to Facebook’s popularity, their chat application Facebook … Read more
HIPAA covered entities must know their obligations under the HIPAA Breach Notification Rule and have processes ready to be put in place should a protected health information (PHI) disclosure be discovered. Even if covered entities are familiar with the requirements in theory, those who have never suffered a breach may not understand their duties in … Read more
The Health Insurance Portability and Accountability Act, more commonly known as HIPAA, imposes a number of restrictions and requirements on the healthcare sector, but what is the purpose of HIPAA? Healthcare staff can be quite vocal on things prohibited by HIPAA, but are the gains worth the effort? What is the Purpose of HIPAA? Enacted … Read more
If you need to make a HIPAA complaint, do you know who complaints should be directed to within your covered entity? All healthcare staff who believe that have knowledge of a violation of HIPAA should report the violation internally. Generally, organizations have an appointed Privacy Officer, and this is normally the person you should report … Read more
If a Nurse violates HIPAA rules, what happens next? How would this HIPAA violation be dealt with and what penalties could an individual face for accidentally or deliberately violating HIPAA by accessing, disclosing, or sharing protected health information (PHI) without proper authorization? All covered entities and their business associates must follow the Health Insurance Portability … Read more
A Declaratory Ruling and Order to clarify HIPAA rules concerning patient telephone calls has been issued by the Federal Communication Commission (FCC) Understanding of and compliance between the Telephone Consumer Protection Act (TCPA) and patient telephone call rules under HIPAA have long caused trouble for a number of healthcare providers. Finally, 24 years after the … Read more
FaceTime is a video call service offered by Apple between certain iOS devices, but is it HIPAA compliant? Would it be against HIPAA Rules to use FaceTime to share protected heath information (PHI)? Below, we will review the security measures used by FaceTime; ask whether a business associate agreement (BAA) with Apple would be necessary; … Read more
Blockchain technology is widely spoken about when discussing the security of cyptocurrency transactions, but could blockchain be used for medical records? Could the use of blockchain technology benefit and improve the security of healthcare data? It is still early days when it comes to using blockchain to access medical records, but the potential improvements in … Read more
Is Google’s G Suite HIPAA compliant? Can healthcare organizations and covered entities use G Suite and not be in violation of HIPAA? Google have included a number of security and privacy features in G Suite to ensure it can be used in a manner compliant with the HIPAA Security Rule. Google have also shown their … Read more