HIPAA Compliance is Not A Choice

The HHS Office for Civil Rights (OCR) just sent another clear message: HIPAA compliance isn’t optional, no matter your practice size.

OCR has reached a resolution with Vision Upright MRI, a small California imaging provider, after a breach of unsecured protected health information (PHI) affected 21,778 patients. The breach originated from an unsecured server housing radiology images, and the provider lacked a proper risk analysis, audit controls, and breach notification procedures.

What happened:

  • No HIPAA risk analysis ever conducted
  • Breach notification wasn’t sent within the required 60-day timeframe
  • ePHI was stored on an unprotected PACS server

As a result, the settlement consisted of a $5,000 fine plus 2 years of monitoring, in addition to mandatory corrective actions including:

  • Risk analysis
  • Mandatory training
  • Updated policies and procedures
  • Encryption and audit protocols

Why this matters to you:

Whether you’re a solo provider or part of a large system, OCR expects every HIPAA-covered entity to:

  • Identify where ePHI resides
  • Conduct and update risk analyses regularly
  • Encrypt ePHI in transit and at rest
  • Provide HIPAA training tailored to roles
  • Maintain up-to-date breach response protocols
  • Monitor audit logs and respond to anomalies


What is the Security Rule Anyway?

The Security Rule specifically sets out to ensure the “confidentiality, integrity, and security” of electronic protected health information (ePHI). What does that mean?

  • Confidentiality: ePHI is not available or disclosed to unauthorized persons.
  • Integrity: ePHI is not altered or destroyed in an unauthorized manner.
  • Availability: ePHI is accessible and usable on demand by an authorized person.

Don’t Be Caught Unaware

Key HIPAA Security Rule components:

  • Appoint a security officer: Assign someone responsible for overseeing HIPAA security compliance, which
    includes managing risk assessments, audits and staff training.
  • Implement access controls: Limit access to ePHI to authorized personnel only, and use strong password
    policies, multi-factor authentication (MFA) and role-based access.
  • Conduct regular risk assessments: These are explicitly required for HIPAA compliance.
    Covered entities and business associates are required to “conduct an accurate and thorough
    assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and
    availability of electronic protected health information (ePHI).” This is often referred to as a “risk
    assessment” or “risk analysis.”
    ♦ A one-time risk assessment is not enough. Risk assessments need to be ongoing and
    periodic to ensure that new threats, vulnerabilities and changes to systems are consistently
    evaluated. This should be done annually or as dictated by your organization’s risk profile.
    Document all risk assessment processes and results to meet HIPAA audit
    requirements.
  • Schedule regular security audits: While a risk assessment identifies threats and
    vulnerabilities, security audits go deeper into validating whether your safeguards and
    controls are both in place and effective.
    ♦ Administrative safeguards: Audits check for proper security policies, workforce
    training, and contingency planning.
    ♦ Physical safeguards: Audits assess physical controls around facility access and device security.
    ♦ Technical safeguards: Audits evaluate technical controls such as encryption, access controls and
    network monitoring.
    By conducting these audits on a scheduled basis (e.g., annually or quarterly, depending on the
    organization’s size and risk profile), you can detect and address any areas of non-compliance before they
    become liabilities.
  • Establish data backup systems: Regularly back up ePHI and store backups securely offsite.
  • Enable audit logs: Activate and monitor audit logs for all systems handling ePHI.

What are the Security Requirements for HIPAA Compliant Emails?

Security Rule (§164.306)

(a) Encryption: Secure email containing PHI from end to end. You may consult the National Institute of Standards and Technology (NIST) for advice on the latest and most suitable standards for email services.

(b) Email Phishing Protection: Technology can include email filters and spam protection systems that help detect and block phishing emails before they reach the user’s inbox. Anti-phishing software solutions can detect and block phishing attempts by analyzing web traffic and identifying malicious websites designed to steal user credentials.

(c) Spam Protection: Email spam protection is a system designed to detect and block unwanted or potentially harmful email messages from reaching a user’s inbox.

(d) Virus Protection: Installed on email servers and user devices, virus protection solutions scan emails, including attachments and links in emails for viruses. The software is automatically updated with the latest virus definitions to protect against new threats and provide continuous monitoring and real-time protection of email traffic. 

(e) Ransomware Protection: Ransomware protection involves a range of measures and tools designed to prevent, detect, and respond to ransomware attacks. In addition to the antivirus software, phishing detection, spam filters, and email filtering discussed above, ransomware protection includes endpoint protection, which monitors and secures individual devices, and the network of devices as a whole, against ransomware attacks.

Security Training Tips for Frontline Employees

The shift towards digital solutions has brought profound benefits. However, it has also introduced new challenges, particularly concerning security, which is why your frontline employees need to be properly trained to ensure your business and customers are protected.

As frontline sectors continue to embrace technology, the dependency on digital tools and platforms grows. Employees now rely on various devices and software to perform their duties, from processing transactions and managing customer interactions to accessing sensitive information. Point-of-sale systems, digital customer service platforms, electronic health records, and mobile apps are now standard tools in these environments. 

The Importance of Security Training for Frontline Workers

Frontline workers extend beyond emergency responders. It’s an encompassing term for individuals who are the first point of contact between a company and its customers. They may handle sensitive information, greet patrons as they enter facilities, or provide direct support when needed.

Why is frontline training so vital?

  1. Direct Customer Interaction
  2. Protecting Sensitive Information
  3. Identifying Threats
  4. Compliance with Regulations
  5. Building Customer Trust

For additional help and tips, visit Vector Security’s Security Blog.

UHC Responsible for Breach Notifications

The Department of Health and Human Services (HHS) announced Friday (May 31, 2024) that United HealthCare must take responsibility for informing people about privacy breaches resulting from the Change Healthcare cyberattack.

UnitedHealth Group previously disclosed that the ransomware attack exposed personal information of a “substantial portion” of Americans. 

That “substantial portion” turns out to be 1 in 3 Americans.

“OCR must affirm its position that the breach was perpetrated upon Change Healthcare, whose status as a healthcare clearinghouse makes them a covered entity under HIPAA and thus responsible for the breach of any [protected health information] which it processes or facilitates the processing of.”

Under HIPAA, UnitedHealth Group must provide affected individuals with descriptions of the incident, what data were compromised, how the company responded to the attack, how the company can be reached and what individuals can do to protect themselves.

Substance Use Disorder Patient Records

HHS Finalizes Rule Changing Regulations

The Department of Health and Human Services (HHS) finalized a rule making changes to the regulations governing the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR part 2 (Part 2). HHS aligned many Part 2 regulations with HIPAA in accordance with language from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

Changes included allowing a single consent for all future uses and disclosures of Part 2 records for treatment, payment, and operations; HIPAA covered entities and their business associates may redisclose records following HIPAA regulations under this consent. The rule aligned Part 2 penalties and breach notification requirements with HIPAA, and restricted the use of Part 2 records in certain civil or criminal proceedings against patients without their consent or a court order.

Do you need a safe place to get rid of old Technology?

Contact

Email: [email protected]

Phone: (936) 209-8917

 

5 State and Federal Training Mandates

There are five topics that physicians and their staff must receive training on regularly per state and federal requirements, and the TMA Education Center offers programs to meet those mandates.

All these programs are free to members and their staff as a benefit of membership, saving members $200 or more per program or more than $2,000 combined. Find them in the TMA Education Center under the Opioid and Mandated Trainings topics.  

State:  

  • Human trafficking: Meets all required Texas Health and Human Services Commission (HHSC) Human Trafficking Training Standards, is approved by HHSC in accordance with House Bill 2059 (2019), and addresses how to recognize, screen for, and report suspected human trafficking.
  • Pain management and the prescribing and monitoring of controlled substances, required by the Texas Medical Board: State requirement for a total of 2 hours of formal CME, which counts as ethics credit, addressing:
    • Best practices, alternative treatment options, and multimodal approaches to pain management that may include physical therapy, psychotherapy, and other treatments;
    • Safe and effective pain management related to the prescription of opioids and other controlled substances, including education regarding standards of care; identification of drug-seeking behavior in patients; and effectively communicating with patients about the prescription of an opioid or other controlled substances; and
    • Prescribing and monitoring of controlled substances.

Federal: 

  • OSHA: Federal requirement for annual training for all health care workers.
  • Treatment and management of patients with opioid or other substance use disorders, required for all U.S. DEA-registered practitioners: Federal requirement, one-time 8 hours of specified training.

Federal and state: 

  • HIPAA and Texas medical privacy laws: Federal and state requirements annually, regularly, and/or within 90 days of hiring.

TMA’s Education Center also has dozens of other courses you can find anytime, available at no cost to members thanks to TMA Insurance Trust. 

Disclaimer: Participation in this program in no way implies the participant has fully met the federally and state-mandated training requirements. Participants are solely responsible for ensuring any mandated training requirements are completed.

Notice of Data Breach Update

Texas physician practices and other health care facilities soon will be required to give more timely and public notice of any breaches of computerized data, including electronic health records (EHRs) and billing information.

During the 2023 regular legislative session, state lawmakers passed Senate Bill 768 by Sen. Tan Parker (R-Flower Mound), which takes effect Sept. 1. The law requires anyone doing business in Texas to notify the state attorney general of computer security breaches involving the sensitive, personal information of at least 250 individuals as soon as possible, and not later than 30 days after discovery, down from 60 days.