Cybersecurity Attacks: The Importance of Compliance With the Standards

Recent ransomware attacks illustrate the importance of compliance with the HIPAA required and addressable security standards. In its December 2, 2019 Fall 2019 Cybersecurity Newsletter, the Office of Civil Rights (OCR) discussed ransomware attacks and ways to recognize, prevent, mitigate and recover from an attack. Read More ›

Office of Civil Rights Fines Dental Practice for Disclosure of PHI on YELP

The Office of Civil Rights of the Department of Health and Human Services (“OCR”) settled a HIPAA violation with a Texas-based dental practice based on the practice’s inappropriate disclosures of PHI on YELP. Read More ›

DHHS Issues Proposed Rule Amending 42 CFR Part 2

On August 22, 2019, the Substance Abuse and Mental Health Services Administration of the United States Department of Health and Human Services (“SAMHSA”) issued a proposed rule amending the Confidentiality of Substance Use Disorder Patient Records regulations set forth at 24 CFR Part 2. These regulations were initially implemented to provide heightened protection of patient records covering the treatment of substance use disorder (“SUD”) provided by certain federally funded programs (“Part 2 programs”). Read More ›

OIG Okays Complimentary Care to Patients in Recent Advisory Opinion

The OIG, in Advisory Opinion 19-03 issued on March 1, 2019, found it acceptable for a medical center to provide follow-up care in patients’ homes at no charge for individuals with congestive heart failure and chronic obstructive pulmonary disease who are considered to be at high risk of readmission to the medical center (the “Program”). Specifically, the OIG determined it would not impose sanctions based on the Program under the civil monetary penalty provision prohibiting inducements to beneficiaries. Read More ›

Getting Ready to Text Patient Information? Think Twice!

Text messaging is the new email and is common in health care. Providers are texting both patients and other providers about patient care. While texting offers benefits in terms of ease, quickness and flexibility, text messages that include protected health information (PHI) raise concerns about the privacy and security of the information. Is the texted information secure and HIPAA compliant?

Both OCR and CMS have raised concerns about texts with patient information. HIPAA permits transmission of PHI by electronic means provided that the transmission is secure. OCR has acknowledged the benefits of texting by health care organizations, but has identified concerns and has indicated that it intends to issue guidance on texting in the near future. In late 2017, CMS issued a memorandum to State Survey Directors providing that texting patient information among health care team members is permissible if conducted on a secure platform, but that texting of orders by health care providers is not permissible. Specifically, the CMS memorandum states that health care providers must use systems or platforms for texting that are “secure, encrypted, and minimize the risks to patient privacy and confidentiality” per HIPAA regulations and conditions of participation or conditions for coverage. Read More ›