February was a busy month for Health and Human Services (HHS) and the Office for Civil Rights (OCR). Here’s a recap.
2-3-2016: HHS Administrative Law Judge (ALJ) ruled that Lincare, Inc. (Lincare) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring Lincare to pay $239,800 in civil money penalties (CMPs) imposed by OCR.
2-16-2016: Complete P.T., Pool & Land Physical Thnd required payment of $25,000, adoption and implementation of a corrective action plan, and reporting of compliance efforts for a one-year period.
2-24-2016: The OCR released a crosswalk that was developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC). The crosswalk identifies “mappings” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule. The press release from the OCR stated “in addressing security, many entities both within and outside of the healthcare sector have voluntarily relied on detailed security guidance and specific standards issued by NIST.”
2-25-2016: The Director of the OCR, Jocelyn Samuels, released the second set of FAQs addressing fees for copies of health information and the right to have health information sent directly to a third party. The press release states, “At the Office for Civil Rights (OCR), we believe strongly that every individual should be able to easily exercise their right to access their health information, allowing them to be fully engaged in their care and empowered to make the health care decisions that are right for them. The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans. But this right has not always been well-understood, and far too often individuals face obstacles accessing their health information, even from entities required to comply with HIPAA.”
The OCR appears to have started increasing its education efforts, as recommended in September’s study by the Office of Inspector General (OIG). One of the OIG’s five recommendations was to “continue to expand outreach and education efforts to covered entities.” Education, it seems, can come in many forms and sizes.
Judith is the CEO of JAL Consult and holds the accreditation of Certified HIPAA Professional (CHP). As a consultant, Judith provides guidance for organizations within the HIPAA framework. Judith develops and implements reasonable and appropriate compliance programs, develops employee training programs, and participates in compliance presentations and speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult