Theresa Defino writes: Issue a final rule revising the privacy regulation and write guidance on the information blocking rule. Formalize the fledgling audit program required by Congress more than 10 years ago. Engage with providers and other HIPAA-regulated entities. And by all means, get cracking. In a series of interviews with RPP, two former Office for…
Category: HIPAA
California Breach Regulations Applicable to Health Care Facilities Align “Breach” Definition with HIPAA, Expand Reporting Obligations, and Clarify Penalty Structure
Jennifer Hennessy, Chloe Talbert, and Jennifer Urban of Foley Lardner write: California clinics, health facilities, home health agencies, and licensed hospices required to report breaches to the California Department of Public Health (CDPH) under California’s Health and Safety Code Section 1280.15 (Section 1280.15) are now subject to a new set of regulations. Section 1280.15, which has been in…
Bits ‘n Pieces
Aultman Health Foundation Notifying Patients of Insider-Wrongdoing The Ohio foundation is notifying approximately 7,000 patients that a former employee accessed their records without business need. HOYA Optical Labs of America Notifying Patients of Ransomware Incident As first reported by HealthITSecurity, the Japanese-headquartered firm notified 3,259 U.S. patients of a ransomware incident. The incident occurred in…
Implementing the HIPAA Security Rule: Call for Comments on NIST SP 800-66, Revision 1
Implementing the HIPAA Security Rule: Call for Comments on NIST SP 800-66, Revision 1 The National Institute for Standards and Technology (NIST) is planning to update the NIST Special Publication (SP) 800—66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (“Resource Guide”). NIST is seeking stakeholder input…
21 months after a ransomware attack, a business associate breach first shows up on HHS’s breach tool. Here’s why.
HIPAA Journal reports on an incident that is illustrative of the challenges entities may face in the wake of a ransomware attack — determining whether a breach is a reportable incident or not. It also illustrates what may happen if an entity decides something is not a reportable breach but further investigation by the U.S….
Former Roswell Park nurse pleads guilty to tampering with a consumer product
Articles on breaches involving protected health information (PHI) often raise the specter of what could happen if a patient’s records were misused and the patient’s healthcare suffered as a result. Here’s a case where it reportedly happened. This case also raises some questions about access controls and the value of audits and follow-up on audits….