
OCR may still be assessing the findings of the HIPAA compliance desk audits of healthcare groups and their business associates, but a swathe of new HIPAA guidance is set to be published in 2017. At HIMSS17, OCR’s Deven McGraw revealed some details of the HIPAA guidance OCR expects to publish during 2017.

In 2016, the Joint Commission removed the ban on the use of text messages for orders, although within weeks of the announcement the ban was reestablished. In late 2016, the Joint Commission partially removed the ban once again, saying the use of a secure text messaging platform was allowable for doctors when communicating with each other, although the use of text messages for orders – regardless of whether a protected, HIPAA-compliant platform was implemented – remained prohibited. OCR receives many queries from physicians and covered groups on the use of text messaging and HIPAA Rules.

McGraw has confirmed that in answering many of those questions, OCR will be issuing HIPAA guidance on text messaging later in 2017. In an interview with Information Security Media Group, McGraw outlined: “There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department.” In the published guidance, OCR will cover the use of text messages between physicians and healthcare groups, and the sending of messages to patients, along with the circumstances under which the use of text messages is forbidden under HIPAA Rules.

Last year, there were a number of cases where healthcare professionals accidentally shared the protected health information of patients on social media sites or deliberately posted images and videos containing personally identifiable data. While it is obvious to most healthcare workers what is, and what is not, allowable under HIPAA Rules, guidance on the use of social media platforms will be issued with explanations of when prior authorization from a patient is needed. McGraw also stated that OCR is attempting to update the FAQ section of its website, as many posted answers are ‘horribly out of date.’

To enhance transparency, OCR has been working on guidance on what covered groups can expect when OCR investigators come knocking. OCR looks into all data breaches that have impacted more than 500 people, yet how those investigations take place remains something of a mystery. OCR will be publishing an “Anatomy of a Case,” in which the processes that take place when OCR investigates a healthcare data breach or complaint are explained. The guidance will detail how civil monetary penalties (CMPs) are calculated and settlements are reached, including the criteria used by OCR when determining appropriate financial fines.

Much of the guidance has already been completed, although it must now be reviewed by OCR’s legal team. Once that process has been finished, and OCR has made the document readable again, the new guidance will be published.


Be Aware: Current Phishing Email is Disguised as Official OCR Audit Communication

As many HIPAA covered entities and their business associates are aware, the Office for Civil Rights (“OCR”) division of the United States Department of Health and Human Services (“HHS”) has begun a second round of audits to examine compliance with the HIPAA Privacy, Security and Breach Notification Rules. Specifically, the audits are intended to review the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. In an alert issued today, HHS announced that it has come to its attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels.
