Tag Archives: Health Information Security

HHS/OCR Announces Launch of HIPAA Audit Program Phase 2

Today, the U.S. Department of Health & Human Services’s (HHS) Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA Compliance Audit Program. (OCR’s announcement can be accessed at Audit Phase 2 Announcement and further information about Phase 2 can be accessed at Audit Phase 2 Information.) In this phase, OCR will review the policies and procedures that covered entities and business associates have adopted and implemented to meet certain standards and implementation specifications of the HIPAA Privacy, Security, and/or Breach Notification Rules. Phase 2 will consist [...]

HHS Issues HIPAA Security Rule Crosswalk with NIST Cybersecurity Framework

Last week, the HHS Office for Civil Rights (OCR) released a crosswalk between the requirements of the HIPAA Security Rule and the NIST Cybersecurity Framework. The crosswalk – which was developed in conjunction with the National Institute of Standards and Technology (NIST) and the HHS Office of the National Coordinator for Health IT – maps each administrative, physical and technical safeguard standard and implementation specification of the HIPAA Security Rule to the relevant subcategory in the Cybersecurity Framework. HHS notes that, because of the granularity of the NIST Cybersecurity [...]

European Data Protection Supervisor Releases Opinion on Mobile Health

The European Data Protection Supervisor (“EDPS”), Giovanni Buttarelli, has published an opinion on Mobile Health (“mHealth”), a rapidly evolving sector that stems from the convergence of healthcare and information communication technology. mHealth includes mobile applications designed to provide health-related services through smart devices by processing personal information about an individual’s health, well-being, and lifestyle. The opinion discusses the growing ubiquity of mHealth, which in large part is due to the proliferation of smartphones and wearable computing devices. [...]

Paula Stannard Authors Bloomberg BNA Article on Business Associates HIPAA Compliance

Paula Stannard, one of the practice leaders of the firm’s HIPAA Privacy & Security Team, authored “Business Associates’ HIPAA Compliance: Should Covered Entities Be Concerned?” in Bloomberg BNA’s Health IT Law & Industry Report. The article discusses why HIPAA covered entities (or business associates) should be concerned about the ability of their business associates (or subcontractor business associates) to comply with the applicable HIPAA requirements, outlines a series of questions to help covered entities determine for which (if any) business associates they may want to [...]

Alston & Bird Health Care Advisory: HIPAA Audit Program Phase 2 Update

We have previously blogged about the U.S. Department of Health & Human Services HIPAA Audit Program, including the Audit Program pilot (November 30, 2011 and March 7, 2012), the release of the Office for Civil Rights (OCR) audit protocols (June 26, 2012), and the status of phase 2 of the Audit Program (February 26, 2014 and September 16, 2014). Today, Alston & Bird issued a Health Care ADVISORY on the status of Phase 2 of the HIPAA Audit Program, in which we discuss recent guidance from OCR on the HIPAA Audit Program and its status and provide some basic compliance reminders that may [...]

HIPAA Audit Program Phase 2: Delayed

A representative of the U.S. Department of Health and Human Services’s Office for Civil Rights (OCR) has recently revealed that OCR has delayed the start of phase 2 of its HIPAA Audit Program – and has revised its plans for phase 2.

Previous Plans for Phase 2

Earlier this year, OCR had announced that phase 2 of the Audit Program would begin this year and would target specific high risk issues. It had indicated that, beginning this past summer, it would conduct a pre-audit survey of 800 covered entities and 400 business associates, to determine suitability for the OCR HIPAA Audit Program. [...]

HHS OIG Releases Report Regarding ONC’s Oversight of Testing and Certification of Electronic Health Records

The HHS Office of Inspector General (OIG) recently issued a report regarding the Office of the National Coordinator for Health Information Technology’s (ONC) oversight of electronic health record (EHR) testing and certification, “The Office of the National Coordinator for Health Information Technology’s Oversight of the Testing and Certification of Electronic Health Records.” ONC was statutorily established by the Health Information Technology for Economic and Clinical Health (HITECH) Act and is the principal Federal entity responsible for coordinating the effort to implement a nationwide [...]

Angela Burnette and Julia Dempewolf Publish Article On Student Privacy and Preventing Campus Violence

Angela Burnette, Counsel at Alston & Bird, and Julia Dempewolf, an associate at Alston & Bird, have compiled practical guidance for schools and universities to consider regarding student privacy and the prevention of school violence. Their recent article, published by LexisNexis in Health Care Law Monthly, is entitled “Clarity Instead of Confusion: Available Solutions Under the HIPAA Privacy Rule and FERPA To Prevent Student Violence.” Tragic school shootings, such as at Virginia Tech, Sandy Hook Elementary, and Arapahoe High in Colorado, have heightened public discussions regarding [...]

Transmitting PHI by Email

Email has become an important mode of communication for business operations, with approximately 100 billion business emails sent in 2013 alone. Included in these messages are patients’ personal and health information, such as test results, diagnoses, and social security numbers. The Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulate the transmission of this sensitive information, known as protected health information (“PHI”), by Covered Entities, and in some circumstances, Business Associates. Covered Entities [...]

OCR and ONC Release New Security Risk Assessment Tool

Late last week, the HHS Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) released a security risk assessment (SRA) tool designed to help health care providers conduct risk assessments as required by the HIPAA Security Rule. Under the Security Rule, health care providers must perform risk assessments to evaluate the security of their electronic protected health information (ePHI), and then implement reasonable and appropriate safeguards that may be necessary to reduce and manage the risk and to protect ePHI. While the Security [...]