HHS OCR Requests Feedback on HIPAA Privacy Rule

On January 28, 2019, the Office for Civil Rights of the Department of Health and Human Services (HHS OCR) issued a Request for Information (RFI) seeking input from covered entities regarding several aspects of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, HHS OCR is seeking input regarding several elements of the Privacy Rule, including the following:

- Encouraging information-sharing for treatment and care coordination
- Facilitating parental involvement in care
- Addressing the opioid crisis and serious mental illness
- Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
- Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

I am aware of several AAA member services that have struggled with many of the HIPAA restrictions regarding the sharing of PHI with other healthcare entities, in particular with regard to individuals who suffer opioid overdoses and efforts to ensure the individual has access to drug treatment programs. Additionally, HHS OCR is seeking input from covered healthcare providers regarding the "good faith" efforts to obtain acknowledgement of the receipt of the Notice of Privacy Practices. This has been a considerable challenge for...


HIPAA Breach Results in Highest Settlement in OCR History

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced earlier this month that it has entered into the largest settlement agreement in the history of the Department with Anthem, Inc., the largest Blue Cross and Blue Shield health benefit company in the country. Anthem, Inc. agreed to pay $16 million to HHS and take substantial corrective action to settle numerous potential violations of both the HIPAA Privacy and Security Rules after it exposed the protected health information (PHI) of nearly 79 million people.

In March 2015, Anthem filed a breach report with OCR after discovering that its Information Technology (IT) systems had been infiltrated by cyber-attackers, who gained access after an Anthem employee opened a phishing email. This email launched a continuous, undetected persistent-threat attack that allowed the attackers to access Anthem's systems from December 2014 through the end of January 2015. The access gained in this attack ultimately resulted in the theft of the PHI of nearly 79 million people.

OCR's investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis. Additionally, OCR determined that Anthem "failed to have sufficient policies and procedures to regularly review IT system activity, identify...


HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to. This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device.

Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital's EHR data. While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name...


HHS Office of Civil Rights Announces Phase 2 HIPAA Audit Review Program

On March 21, 2016, the Office for Civil Rights of the Department of Health and Human Services announced Phase 2 of its HIPAA Audit Program. The Health Information Technology for Economic and Clinical Health Act (HITECH) required HHS to perform periodic audits of covered entities and business associates to assess their compliance with the HIPAA Privacy, Security and Breach Notification Rules. These rules are enforced by the HHS Office for Civil Rights (OCR).

Background on Phase 1

In 2011, OCR implemented a pilot audit program to assess the controls and processes covered entities have adopted to meet their HIPAA obligations. The pilot audit program was conducted in three phases. OCR first developed a set of audit protocols that it would use to evaluate covered entities' compliance. This protocol was then tested using a limited number of audits. The final step involved using the revised audit protocols on a larger number of covered entities. Ultimately, 115 covered entities were selected for review, and all audits were concluded by December 31, 2012.

Phase 2

Phase 2 of the HIPAA Audit Program will focus on the policies and procedures adopted and employed by entities to meet the requirements of the Privacy, Security, and...
