In response to changes in the medical industry due to COVID-19, the Department of Health and Human Services (HHS) and Substance Abuse and Mental Health Services Administration (SAMHSA) have put forth a Notice of Proposed Rulemaking to streamline how doctors can access mental health information. 

This article will discuss this rule change and why it seeks to address the gaps between HIPAA disclosure and mental health information protections.

Read More

In October of 2015, the Excellus Health Plan suffered what was the largest HIPAA data breach of the year, with some 9.5 million patient records compromised. An investigation concluded in January 2021, stating that Excellus had five critical violations of HIPAA, including a failure to conduct risk analysis, implement sufficient network security measures and enact data security policies around data and access controls. 

The Office of Civil Rights (OCR) settled with Excellus for $5.1 million from the five violations found and after years of audits and investigations. 

Don’t let this become your story if you are working in the healthcare sector. Understand compliance and penalty structures. 

Read More

Imagine this scenario: you’ve received some test results from some procedure. Those results are to be moved between institutions because you have doctors in different departments of a healthcare system. 

Normally, we’d think that these institutions would electronically transmit these results through some secure channel… but then you see that your doctor has your results, in hand, in a USB key that they plug into their computer. 

This, of course, is a considerable risk. HIPAA regulations require that institutions protect PHI in specific ways with straightforward controls, and many threats can undermine physical media. 

So, what’s the issue with using USB thumb drives? 

Read More