Posts Tagged "HIPAA"

According to a recent article from Health IT Security, the 2016 shooting at an Orlando nightclub prompted the Office for Civil Rights (OCR) to release a clarification on how the HIPAA Privacy Rule's provisions on disclosing protected health information (PHI) apply to a patient's loved ones. The office cited Supreme Court rulings on same-sex marriage and stated that the provisions are not limited by the sex or gender identity of a person when determining who is, by law, considered a family member.

The PHI disclosure provisions in the HIPAA Privacy Rule allow a covered entity to share a patient's health status with a family member, other relative, or close personal friend, to the extent the information is relevant to that person's involvement in the patient's care or in payment for that care, including acting on the patient's behalf in healthcare decisions. The clarification states that it is left to the covered entity's professional judgment to decide whether a disclosure is proper, and recommends that, whenever possible, the covered entity obtain verbal direction from the patient regarding PHI disclosure.

As you well know, HIPAA compliance is about more than whom you may disclose patient information to. It is also about safeguarding the information about your patients or clients that you store within your systems and data centers. Our Senior Solutions Consultants are ready to work with you on developing a solution that includes firewalls, encryption tools, and processes to help you reduce security risk. For more information, contact us.

HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to protect sensitive patient data. Its standards protect medical records and other personal health information so that people can keep their health insurance coverage as well as their privacy. Still, HIPAA standards are not limited to the health industry. So, who should be HIPAA-compliant?

Generally, if a business handles protected health information, it needs to be HIPAA-compliant. Protected health information can include anything from billing information to discussions between a patient and a doctor to any medical data on file. HIPAA describes these businesses as covered entities or business associates.

Covered entities include U.S. health plans, health care clearinghouses (generally billing and data collection), and health care providers, but the obligations extend further. For instance, if your employer submits any personal health information to its health plan on your behalf, the employer needs to be compliant as well.

Business associates cover vendors of any of the above organizations who have access to the personal health information of patients. Examples of business associates affected by the Health Insurance Portability and Accountability Act include medical transcription companies, independent accountants, and data storage companies like , which has been verified as HIPAA compliant by an independent auditor. Its cloud-based infrastructure is built to handle patient information with the utmost security and privacy.

Contact today to see how they can help your firm customize and configure your own private cloud environment.

There’s only one thing worse than a serious HIPAA breach: having one and not providing the required notifications.

Entities covered by HIPAA, as well as their business associates, may need to report breaches. An acquisition, access, use, or disclosure of protected health information that is not permitted under the Privacy Rule and that compromises the privacy or security of the PHI a covered entity holds constitutes a breach. The presumption is that any impermissible use or disclosure of PHI is a breach, unless a risk assessment demonstrates a low probability that the information has been compromised. For instance, if printed records sent out for secure disposal fall off the truck, that counts as a breach unless all the records are recovered before anyone else can get to them.

If a breach does occur, a covered entity has to provide notifications without unreasonable delay, and no later than 60 calendar days after discovering the breach, to:

  • The Secretary of Health and Human Services. A reporting form for this purpose is available online. Breaches affecting 500 or more individuals must be reported within the same 60-day window as individual notices; breaches affecting fewer than 500 individuals may be logged and reported to the Secretary annually, within 60 days of the end of the calendar year in which they were discovered.
  • Individuals affected by the breach. The notice can go out by first-class mail, or by email if the people affected have agreed to receive notices that way. If contact information is missing or out of date for 10 or more affected people, a substitute public notice (such as a conspicuous posting on the entity's website or in major media, with a toll-free number) is required.
  • The news media, if the breach affects more than 500 residents of a state or jurisdiction.

It is a legal requirement to document all notifications sent out. If an event falls short of being a breach, the risk assessment supporting that conclusion has to be documented and retained.

It is embarrassing to tell people that their confidential medical data may have gotten into the wrong hands, but it gives them a chance to protect themselves from identity theft, and embarrassment is better than the penalties the Office for Civil Rights can assess.

Best of all, of course, is not to have a breach in the first place. The secure cloud service from provides strong security and supports compliance with HIPAA and HITECH requirements. Contact us to learn more about our service.

© 2018 All rights reserved.