Here are some important Health Insurance Portability and Accountability (HIPAA) reminders and updates.
First, on the Security Rule side of things: this past Thursday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) posted its latest settlement with a covered entity related to alleged HIPAA violations. This $250,000 settlement, with a Washington-based healthcare provider, followed a ransomware attack and subsequent investigation by OCR.
The risky business at issue here is, in many ways, merely operating in the healthcare industry. According to OCR, ransomware and hacking are the primary threats in healthcare. But a ransomware attack, which will always be disruptive and damaging, and can be challenging to prevent and often results from human error, does not need to result in further payment to the government.
There have been countless ransomware attacks, but only a handful of them result in settlements, and that’s because it’s not the ransomware itself, but the state of your compliance, when OCR comes knocking. This latest settlement was, as many are, a complaint-driven investigation. And when OCR investigated, it found one of the most common HIPAA compliance failures – the lack of a comprehensive, accurate, organization-wide risk analysis. OCR also found insufficient monitoring of activity within the organization’s information systems that housed electronic personal health information (ePHI).
Preparing your organization for that worst-case but sometimes inevitable-feeling attack means you need to get your house in order to make sure that any investigation shows you were meeting your compliance requirements.
Now, compliance with the HIPAA Security Rule is staying more or less status quo, but there are some significant changes to the Privacy Rule that go into effect at the end of this year and will require some additional effort.
The new HIPAA Privacy Rule to Support Reproductive Health Care Privacy goes into effect Dec. 23. This new Rule implements a variety of new requirements, focused on providing further protection for “reproductive healthcare” – a new and very broadly defined term. The Rule, which was published in April, seeks to prohibit covered entities from using or disclosing PHI related to reproductive healthcare to identify a patient or healthcare provider in connection with an investigation or proceeding where the care was provided under lawful circumstances.
Here are some things to consider and make sure you’ve implemented by the end of the year:
- Regulated entities (covered entities and business associates) will be required to obtain an attestation in certain circumstances from the person requesting the use or disclosure, stating that the use or disclosure is not for a prohibited purpose. HHS has posted a model on its website.
- Similarly, regulated entities need to revise their processes for responding to requests for the use or disclosure of PHI for which an attestation is required.
- Regulated entities need to revise policies and train staff, with a particular emphasis on the staff that will be responsible for reviewing and determining the sufficiency of these attestations.
- Covered entities need to review and potentially revise business associate agreements and assess vendor relationships to make sure everyone is aware of their new compliance requirements.
The final requirement is to update Notice of Privacy Practices, but you have until 2026 to do that.
——————————————————
Originally Published On: RAC Monitor
Photo courtesy of: RAC Monitor
Follow Medical Coding Pro on Twitter: www.Twitter.com/CodingPro1
Like Us On Facebook: www.Facebook.com/MedicalCodingPro
