Hurricane Harvey HIPAA Reminder

Disasters, which can ultimately lead to a data breach, come in various forms – natural, man-made and technical. HIPAA, the HITECH Act, the Federal Trade Commission and the Securities and Exchange Commission are just a handful of entities requiring that the confidentiality, integrity and availability of the sensitive information (e.g., protected health information (PHI) and personally identifiable information (PII)) remain intact. Although federal HIPAA has distinct categories (e.g., covered entity, business associate, and subcontractor), other state or federal government entities use “covered entity” to mean any person that creates, receives, maintains or transmits PHI or PII.

HIPAA sets forth three main categories of safeguards: administrative, physical, and technical safeguards. Often times, these categories overlap. For example, the administrative requirement of a sanction policy compliments the physical requirement of two-factor identification for building access.

Below are a couple of select sections from the Code of Federal Regulations (CFR), which organizations should be particularly vigilant about in relation to disasters.

•45 CFR §164.310 (Physical) – requires that policies and procedures for facility access in order to restore lost data under the disaster recovery and emergency access plan.

•45 CFR §164.308 (Administrative Safeguards) – multiple requirements are set forth under this particular section of the CFR. For example:

•Security management process

•Annual risk analysis

•Information activity review

•Workforce clearance procedure

•Security awareness training

•Contingency plan

 

Read More: http://snip.ly/duepz#http://www.diagnosticimaging.com/blog/hurricane-harvey-hipaa-reminder

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.

The Value and Importance of Health Information Privacy

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care. Protecting patients involved in research from harm and preserving their rights is essential to ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level, because it permits complex activities, including research and public health activities to be carried out in ways that protect individuals’ dignity. At the same time, health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The intent of this chapter1 is to define privacy and to delineate its importance to individuals and society as a whole. The value and importance of health research will be addressed in Chapter 3.

CONCEPTS AND VALUE OF PRIVACY

Definitions

Privacy has deep historical roots (reviewed by Pritts, 2008Westin, 1967), but because of its complexity, privacy has proven difficult to define and has been the subject of extensive, and often heated, debate by philosophers, sociologists, and legal scholars. The term “privacy” is used frequently, yet there is no universally accepted definition of the term, and confusion persists over the meaning, value, and scope of the concept of privacy. At its core, privacy is experienced on a personal level and often means different things to different people (reviewed by Lowrance, 1997Pritts, 2008). In modern society, the term is used to denote different, but overlapping, concepts such as the right to bodily integrity or to be free from intrusive searches or surveillance. The concept of privacy is also context specific, and acquires a different meaning depending on the stated reasons for the information being gathered, the intentions of the parties involved, as well as the politics, convention and cultural expectations (Nissenbaum, 2004NRC, 2007b).

Our report, and the Privacy Rule itself, are concerned with health informational privacy. In the context of personal information, concepts of privacy are closely intertwined with those of confidentiality and security. However, although privacy is often used interchangeably with the terms “confidentiality” and “security,” they have distinct meanings.Privacy addresses the question of who has access to personal information and under what conditions. Privacy is concerned with the collection, storage, and use of personal information, and examines whether data can be collected in the first place, as well as the justifications, if any, under which data collected for one purpose can be used for another (secondary)2 purpose. An important issue in privacy analysis is whether the individual has authorized particular uses of his or her personal information (Westin, 1967).

Confidentiality safeguards information that is gathered in the context of an intimate relationship. It addresses the issue of how to keep information exchanged in that relationship from being disclosed to third parties (Westin, 1976). Confidentiality, for example, prevents physicians from disclosing information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are breaches of confidentiality (Gostin and Hodge, 2002NBAC, 2001).

 

Read More: http://snip.ly/tlhw0#https://www.ncbi.nlm.nih.gov/books/NBK9579/

 

Knowing what to expect in a HIPAA audit is the key to passing it

Knowing what to expect in a HIPAA audit is the key to passing itHealthcare professionals have to mandatorily carry out HIPAA audits in a way that satisfies the regulatory authorities. This needs a thorough understanding of the exact meaning and import of words contained in HIPAA. They also need to get a grasp of the purpose and intent conveyed in HIPAA’s language. This is absolutely essential for both the Covered Entity and the Business Associate to ensure HIPAA survival.

Other challenges

wordpress-2017-SEO

A new challenge has come up. For 2017, the federal government is set to increase the Office of Civil Rights (OCR)’s budget by 10 percent with the intention of increasing the OCR’s resources for carrying out HIPAA audits and to also reinforce the OCR’s efforts towards HIPAA audits.

Also, the OCR now requires Business Associates and Covered Entities to show compliance with around 180 areas as part of Phase 2 of HIPAA with a response window of just 10 days. The OCR has also clearly stated that its audit protocol is no longer going to be satisfied with general and vague references to policy documents from Covered Entities and Business Associates when they are required to furnish documents to corroborate their work. They have to furnish the specific and exact documents that the OCR asks for during a HIPAA audit.

So, to ensure HIPAA survival, Covered Entities and Business Associates need to put a process in place and make sure they control and implement it with the maximum assiduousness and thoroughness. This is to be ensured all the time, every time.

Learning on what it takes for HIPAA survival

Learning on what it takes for HIPAA survival

A proper grasp of the art of HIPAA survival will be the expert guidance a two-day seminar from GlobalCompliancePanel, a highly popular provider of professional trainings for the areas of regulatory compliance, will be offering. Want to benefit from it? Then, please enroll for it by visiting Knowing what to expect in a HIPAA audit is the key to passing it

The Director of this two-day seminar is Brian L Tuttle, a senior Compliance Consultant & IT Manager at InGauge Healthcare Solutions. The aim of this seminar is to arm regulatory compliance professionals with total guidance on how practice managers need to prepare for HIPAA audits. Since many changes have been suggested for 2017 for HIPAA; Brian will throw light on what changes can be expected under the Omnibus Rule and any other applicable updates for 2017.

The Director will bust the various misconceptions and myths about HIPAA, which are a major obstacle to ensuring HIPAA survival. He will explain real life audits conducted by the Federal government to explain HIPAA survival from his experience of having been in over a thousand risk assessments during his career.  He will also illustrate which the highest risk factors for being sued for wrongful disclosures of PHI are, and the manner in which patients are now using state laws to sue for wrongful disclosures.

During the course of this seminar, Brian will cover the following areas:

History of HIPAA

HITECH

HIPAA Omnibus Rule

How to perform a HIPAA Security Risk Assessment

What is involved in a Federal audit and how is it conducted

Risk factors for a federal audit

EHR and HIPAA

Business Continuity/Disaster Recovery Planning

Business Associates and HIPAA

In depth discussions on IT down to the nuts and bolts

BYOD

Risk factors that can cause an audit (low hanging fruit)

New rules which grant states ability to sue citing HIPAA on behalf of a patient

New funding measures