Q: Is it considered a HIPAA violation for facilities to keep patient charts outside of exam rooms or at a patient's bedside? Most providers prefer to have the charts handy to review just before seeing the patient. However, anyone could walk by the room and potentially get a glance at the information. Would this be considered an incidental disclosure?
Cybercrime is up in the healthcare industry, and it’s a good idea to make sure you’re ready to respond to cyber incidents. The key to speedy mitigation is to have a security incident response plan, test the plan, and make sure it works as you exercise it. Having a plan is also a HIPAA Security Rule requirement.
As ransomware attacks and phishing attempts persist in the age of the coronavirus (COVID-19), healthcare organizations have correctly poured many resources into combatting these attacks. However, as always, cybercriminals are finding new ways to access protected health information (PHI).
One year into the coronavirus (COVID-19) pandemic, phishing attacks against healthcare organizations remain a chief concern. Threat actors are constantly finding new vulnerabilities to exploit. It’s like a game of whack-a-mole: When healthcare organizations swat away one problem, another pops up.
Q: If an individual provides authorization for a disclosure, can the individual later revoke the authorization? Is the covered entity (CE) then required to “take back” or demand the erasure of any documentation by third parties that may have been made following the original authorization?
Q: Do companies such as Fitbit (and others that sell wearable devices that track and store health information) need to abide by HIPAA regulations? Should I be concerned with how these companies are viewing and sharing my health information?
Q: If we work with a business associate (BA) that enters into agreements with BA subcontractors, are we required to obtain copies of these agreements and review them?
Q: Are we allowed to use case studies involving real incidents that occurred at our facility as part of our HIPAA training? We’ve always been told that real-life examples will resonate with staff, but wouldn’t this be a HIPAA violation?