HIPAA Compliance is Not A Choice

The HHS Office for Civil Rights (OCR) just sent another clear message: HIPAA compliance isn’t optional, no matter your practice size.

The OCR has reached a resolution with Vision Upright MRI, a small California imaging provider, after a breach of unsecured protected health information (PHI) impacted 21,778 patients. The breach originated from an unsecured server that housed radiology images; OCR also found that the provider lacked a proper risk analysis, audit controls, and breach notification procedures.

What happened:

  • No HIPAA risk analysis ever conducted
  • Breach notification wasn’t sent within the required 60-day timeframe
  • ePHI was stored on an unprotected PACS server

As a result, the total settlement cost was a $5,000 fine plus 2 years of monitoring, in addition to mandatory corrective actions including:

  • Risk analysis
  • Mandatory training
  • Updated policies and procedures
  • Encryption and audit protocols

Why this matters to you:

Whether you’re a solo provider or part of a large system, OCR expects every HIPAA-covered entity to:

  • Identify where ePHI resides
  • Conduct and update risk analyses regularly
  • Encrypt ePHI in transit and at rest
  • Provide HIPAA training tailored to roles
  • Maintain up-to-date breach response protocols
  • Monitor audit logs and respond to anomalies
Don’t Tell My Insurance Company

“you can also ask your health care provider or pharmacy not to tell your health insurance company about care you receive or drugs you take, if you pay for the care or drugs in full and the provider or pharmacy does not need to get paid by your insurance company.”

This is a direct quote from the Office for Civil Rights flyer, "Your Health Information Privacy Rights".

If you would like to read this flyer or print it for your patients:

Physicians Can Delegate Breach Notifications to Change Healthcare

However, this delegation is only allowable if Change Healthcare or UHC is a business associate of the covered entity. OCR made clear that the ultimate responsibility for ensuring such notifications occur remains with the covered entity, meaning physicians may still need to provide breach notifications themselves under those circumstances.

UHC Responsible for Breach Notifications

The Health and Human Services (HHS) Department announced Friday (May 31, 2024) that United HealthCare must take responsibility for informing people about privacy breaches resulting from the Change Healthcare cyberattack.

UnitedHealth Group previously disclosed that the ransomware attack exposed personal information of a “substantial portion” of Americans.

That “substantial portion” turns out to be 1 in 3 Americans.

“OCR must affirm its position that the breach was perpetrated upon Change Healthcare, whose status as a healthcare clearinghouse makes them a covered entity under HIPAA and thus responsible for the breach of any [protected health information] which it processes or facilitates the processing of,”

Under HIPAA, UnitedHealth Group must provide affected individuals with a description of the incident, what data were compromised, how the company responded to the attack, how the company can be reached, and what individuals can do to protect themselves.

Feds Clarify HIPAA Enforcement When PHE Ends

New federal guidance clarifies that relaxed HIPAA enforcement will end at the conclusion of the COVID-19 public health emergency (PHE), while offering instruction on how physicians and others covered by HIPAA can continue to use remote communication technologies to provide audio-only telehealth services.

Back at the start of the pandemic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) said it would not “impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

In the new guidance, OCR reiterated that this discretion remains in effect only until the HHS secretary determines the PHE no longer exists or until it expires, whichever occurs first. Congress previously granted a five-month extension for other COVID-related waivers following the conclusion of the PHE.

OCR issued the guidance in direct response to a December 2021 presidential executive order intended to help ensure patients can continue to benefit from audio-only telemedicine and telehealth services with protection of their personal health information.

The new guidance elaborates on types of technologies, business associate agreements with vendors, and ensuring HIPAA compliance when using audio-only technologies.

The Texas Medical Association has numerous resources designed to help physicians adopt and effectively use telemedicine. Visit TMA’s telemedicine page for more information.

Click on the blue highlighted text within the article for more information.

OR

Head to the Business End File and view articles on Telemedicine, and Telemedicine Policy, Procedure, and Form Templates.