HIPAA News & Updates 

As the leading provider of release of information services, HealthPort® is committed to remaining proactive when implementing HIPAA standards in all products that we offer. The purpose of this blog is to provide an informational resource to the healthcare community that includes news, tips and updates on HIPAA related information.

Jan P. McDavid, Esq. - Chief Compliance Officer and General Counsel
Jan is a seasoned attorney with more than 20 years of experience in corporate law. Jan has served as the Chief Compliance Officer and General Counsel for HealthPort since 1998, handling corporate litigation obligations and managing the regulatory compliance of HealthPort’s business. Jan has also served as legislative Chair for the industry’s trade association, Association of Health Information Outsourcing Services (AHIOS), from 1998 to 2011. She is a frequent speaker on release of information, HIPAA, HITECH, and the state law environment, including appearances for many state branches of American Health Information Management Association (AHIMA) and at AHIMA annual meetings. Jan has memberships with the State Bar of Georgia, Association of Corporate Counsel, AHIMA, Health Care Compliance Association (HCCA), and American Health Lawyers Association. She has a Bachelor of Science degree from Georgia State University and a Juris Doctor degree from Georgia State University’s College of Law.

HIPAA News and Updates Blog

  • 2015 was a banner year for healthcare – healthcare breaches, that is!

    Dec 31, 2015

    According to data from HHS, the records of more than 102 million Americans were accessed inappropriately or misused in 2015. Eight of the 10 largest provider “hacks” occurred this year - the largest from an insurer whose hack covered 78.8 million people.

    HealthPort monitors such information and works in collaboration with our clients to avoid breaches and misuse of PHI. Although it’s impossible to stop every hack and every breach, there are a few ways to protect your patients’ information.

    With your organization’s HIT systems likely designed to allow external communication, data transmission, and remote connectivity, here are some precautions to keep in mind:

    • Keep/make information security a priority - largely through encryption, guarding employee physical and cyber access, and maintaining cyber insurance
    • Make sure your staff or IT staff gets alerts, through constant monitoring and escalation, of unusual system activity
    • Phishing emails sent to employees, and pen testing
    • Physical theft/loss of hard drives, flash drives, laptops
    • Training, and putting training into practice (complete with drills)
    • Have plans for (i) pre-breach, (ii) once breach is discovered, and (iii) post-breach

    Fall-out when information is not protected:

    • Notices (costs + bad publicity)
    • Credit monitoring (costs)
    • Lawsuits (class actions) by patients, sometimes even before the breach is announced - most courts say actual damages are required in order for a class to recover money, but some do not.
    • Shareholder value; employee recruiting affected
    • Government (feds and states) fines – in state breach reporting laws, Attorneys General, FTC, DOJ, HHS

    One source estimates $305 billion in costs from medical record breaches coming in 2016. Immediate reporting to HHS is required along with mandatory reporting to individuals in the case of a breach incident involving 500 or more people and potential fines. HIPAA and related laws have real “teeth” now. Be prepared.

  • Measuring the true costs of data breach

    Sep 22, 2015

    Data breach. Those two words alone can evoke nightmarish visions. But actually quantifying a data breach — measuring its true cost — is a complex science, inexact at best, especially in the healthcare industry.

    Underscoring the subjective nature of this issue are two recent studies by prominent researchers Ponemon and Verizon. The Ponemon Institute estimated a data breach impact of $217 per record in its 2015 Data Breach Study, while Verizon estimated just 58 cents per record in its 2015 Data Breach Investigation Report (DBIR).

    Why the huge difference? It turns out it’s all about how the data is collected.

    Methods differ

    Some experts say this night-and-day disparity is due to conflicting data-collection methods. In this case, one method took into account the “soft costs” of the breach, while the other did not. These subordinate costs may include damage to reputation, loss of trust and funding sources, decreased customer loyalty, and increased staff turnover. When all of these ancillary costs are included, their sum can have a huge economic impact.

    Steps to take

    It’s important to recognize the differences between soft and hard costs, while simultaneously understanding the potential impact of both. This process is aided by three critical steps:

    • identify emerging threats
    • develop and implement strategies to reduce risk
    • assess technology, people and processes

    Furthermore, any worthwhile discussion of recovery costs should include the costs of credit monitoring, call center, mail house, advertisement in certain media (as required by HIPAA), legal advice, compliance with laws, public relations impact, and defense costs.

    Internal assessments are imperative

    In order to make informed decisions that will help determine the level of protection required to protect patient data, healthcare organizations must conduct their own risk assessments to estimate potential costs. Outside studies can augment this data and offer helpful information for measuring the costs of breach and calculating risk exposure. Any list of best practices for conducting solid risk assessments should include technology requirements, monitoring policies, mediation steps, and effective security procedures.

    Vigilance is key

    When it comes to information security, healthcare organizations should take a proactive stance, ideally in order to understand, assess and avoid the costs of a breach before it occurs. Furthermore, remaining vigilant means that an organization will be more likely to have the proper tools in place to deal with a data breach if one should occur.

    This means being able to follow these steps:

    1. Recognize and justify the cost of protection — including technology, multidisciplinary training, security policies and procedures.
    2. Apply best practices to help ensure cost-effective, efficient response in case of breach — proper notification to government agencies, individuals, and legal counsel, along with remediation planning.
    3. Assess recent incidents, emerging issues, relevant research and unique risks associated with breaches in healthcare.
    4. Discover resources for predicting costs of cyber-attack and develop tactics for prevention.
    5. Identify and describe the hard and soft costs of breach — differences between direct and indirect costs, and examples of the impact on your specific type of organization and populations served.
    6. Define a strategy for conducting internal risk assessments to identify security gaps, address leaks, project potential costs and support investment in prevention.

    At the end of the day, healthcare organizations must be able to construct both hard- and soft-cost summary tables and conduct internal risk assessments. This data will help to build a best practices handbook and a critical checklist for managing a breach.

  • Healthcare data breaches surge—along with higher risks, remediation costs

    Jun 29, 2015

    With new threats emerging every day, all healthcare organizations, regardless of size, are at risk for data breach. The industry has seen 16 breaches—with more than 500 individuals in each incident—in the last 16 months. Of those 16, some were from hacking, some were from theft of equipment (portable items such as external hard drives, flash drives, and laptops), two were “unauthorized access” incidents, and at least one was a compromise of paper.

    As the number of data breaches in healthcare surges, so does the cost of remediation, according to the latest Ponemon Institute study, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data sponsored by ID Experts®. In fact, the report shows 91 percent of healthcare organizations had at least one data breach. Healthcare data breaches are costing the industry $6 billion annually—startling statistics to say the least.

    This year, the study was expanded beyond healthcare provider organizations to include business associates (BAs) to show the impact that third parties have on the privacy and security of healthcare data. Over the past two years, 65% of healthcare organizations and 87% of BAs experienced electronic information-based security incidents. Here’s a summary of other key takeaways:

    • Criminal attacks are the new leading cause of data breach in healthcare, up 125% compared to five years ago, replacing “lost laptops” as the leading threat. As the root cause shifts from accidental to intentional, more breaches are attributed to a “trusted insider.”
    • Most organizations are unprepared to address new threats and lack adequate resources to protect patient data. One third of respondents have no incident response process in place, and most have not performed a risk assessment, despite the federal mandate to do so.
    • The threat of medical identity theft to breached individuals is growing—up by 22% from last year—yet certain harms are not being addressed. According to the Ponemon/Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft has nearly doubled in five years, from 1.4 million adult victims to more than 2.3 million in 2014.

    Personal health information will continue to be a lucrative business for cyber criminals until healthcare providers invest in processes and technologies to protect healthcare data and prevent attacks. Media coverage of mass breaches and the focus on information governance in healthcare are pushing toward this goal. Otherwise, organizations are at high risk of being the next day’s headline news.

    Other News and Updates

    Phase 2 HIPAA audit questionnaires have been sent out to selected healthcare providers, signaling that the Office for Civil Rights (OCR) is finally preparing for the long-delayed audits. However, it’s still anyone’s guess when the next round will actually begin. According to one OCR official, a variety of new HIPAA-related guidance is in the works. Once again, stay tuned.

    These issues will be addressed along with other featured topics—information governance, audit management, compliance and legal issues, risk assessment and more—at the upcoming HealthPort HIM Educational Summit, July 26-29. Hope to see you there!

  • Healthcare Class Actions, Breaches and Fines on the Rise: Five Steps to Take Now

    Jan 02, 2015

    The current upsurge in healthcare class actions, breaches and fines is alarming for everyone in healthcare. Here are a few statistics to know.

    • 63 percent of healthcare organizations have had breaches within the past two years that required patient notification, according to the Ponemon Institute’s May 2013 report on “Economic and Productivity Impact of IT Security on Healthcare”. 
    • Over 260 million records of all types have been breached since 2005. Virginia, California, Florida and New York have the highest number of affected patients. 
    • 92,975 patient complaints have been filed with the OCR.

    With Phase II of HIPAA audits starting, and state attorneys general trained and ready to file suit, I predict that 2015 will be the year of state-level privacy and security enforcement in healthcare. Is your organization ready? 

    Here are five best practices to mitigate your organization’s privacy and security risks in the year ahead.

    1. Encrypt all electronic information using the NIST standard for data at rest and data in motion. This is the easiest and most effective step to take today. If an unencrypted device, drive or piece of data is stolen or misplaced, OCR automatically presumes a HIPAA breach. Encryption equals security and safe harbor—breach notification is not required because the information can’t be accessed without a key.
    2. Use technology to detect and prevent unauthorized use and transmission of electronic data. A plethora of applications is available to continually monitor your organization’s software applications and system hardware for outside threats and security risks. Enterprise-wide use of anti-virus and security breach detection software is no longer an option; it’s a necessity.
    3. Purchase cyber insurance for your organization. This is another step that helps mitigate financial risk when a breach occurs. Be careful to understand from the insurer what is covered and for what price. Here are five tips on purchasing cyber insurance from Healthcare Info Security.
    4. Conduct self-assessments and rolling audits. Identify gaps in privacy and security and use self-audit results to continually improve processes, procedures, technology, and the staff education curriculum, so that gaps in employee understanding are mitigated.
    5. Train and document your educational efforts for both new and existing staff members. All new employees must receive job-specific training to help them understand the intricacies of handling protected health information (PHI). Testing should be ongoing, and staff members should take regularly scheduled refresher courses. Upon completion of each training program, have employees take an assessment to assure that they understand the course content. Do your best to make sure the assessment reflects real-life situations.

    The year 2015 is OCR’s and the states’ year of increased privacy and security enforcement. It should be your year of better HIPAA compliance.

  • Staying Onboard with Omnibus in 2014

    Apr 21, 2014

    Preparations in 2013 for the HIPAA Omnibus Rule may not have effectively insulated organizations from the fault and financial penalty of audits for healthcare covered entities (CEs) and business associates (BAs). CEs and BAs must remain engaged and onboard with protecting patients’ health information. Staying abreast of Omnibus rule updates and key issues will help ensure protected health information stays protected.

  • Three Privacy Enforcement Trends to Watch and Steps to Take in 2014

    Mar 04, 2014

    The Department of Health and Human Services has been unusually active with data breaches. There were 70 health data breaches affecting more than 500 individuals alone during the month of January. This doesn’t include smaller breaches of patient information, those affecting fewer than 500 individuals. We expect the real number of breaches occurring in covered entities (CEs) and business associates (BAs) may be much higher.

    In fact, 2013 was a historic year for Health Insurance Portability and Accountability Act (HIPAA) violations, with more than 5.7 million patients affected, according to HHS’s online database. Five “mega-breaches” accounted for 90 percent of the 2013 incidents according to the HHS site. According to the Ponemon Institute December 2012 report, breaches cost health organizations close to $7 billion annually.

    While HHS is quick to state that “numbers fluctuate” on its popular breach reporting site, the trends are evident. Most breaches aren’t related to electronic information hacking—like those recently reported by Target and other consumer retailers. Instead, they involve three long-standing privacy compliance problems in health care:

    • lack of physical safeguards;
    • unauthorized employee access into records; and
    • accidental commingling of patient information.

    As health-care executives, privacy officers and legal counselors head into the coming year, proactive breach prevention must go back to the basics. Here are three tips to get it done.


  • Omnibus Rules Update on Required Patient Pricing

    Oct 10, 2013

    The Omnibus Rule’s compliance date of September 23 has passed, and everyone should by now have implemented many new provisions, including the required patient pricing. The Rule states (in one reference) that only labor costs, plus supplies and postage, can be charged to patients who request that their records be delivered in electronic format. There are references in the Rule to other types of costs that potentially could be charged, but HealthPort opted to implement the more conservative interpretation of “labor.” We sought (more than three months ago) guidance from the HHS Office for Civil Rights (OCR), but so far have not received a response (note: OCR was shut down, along with most of the rest of the government, as this was being written).

    We are asking OCR for clarification on which other components of “labor,” as listed inconsistently throughout the Omnibus Rule, may be included in the patient price for the electronic release of information. Some of those discrepancies in the rule state or imply that both direct and indirect labor can be charged, along with the labor to prepare and transmit the records, various overhead expenses, and the cost of capital. Watch this space for more information if and when HealthPort receives a response from OCR.

  • Omnibus Compliance Comes Down to the Wire

    Sep 17, 2013

    In only one week, fines commence for failing to comply with new HIPAA Omnibus rules. Eight months ago, when we all took our first look at the new Final Rule, it appeared to be loaded with changes, and the path to compliance seemed daunting. However, the past months have been filled with a plethora of information and education for both Covered Entities (CEs) and the Business Associates (BAs) that serve them. 

    At this stage of the game, you should have a firm handle on the nuances of HIPAA Omnibus, which you must convey to your staff in advance of the impending compliance deadline. You’ve researched the changes, updated policies and procedures, and educated staff. BA agreements have been refreshed and new Notices of Privacy Practices distributed. (If you’re still a little fuzzy about certain intricacies of the new Final Rule, the American Medical Association provides a nice summary here.) 

    So with one week left, what is the final task to ensure compliance and mitigate risk of OIG fines? It is a thorough check of your I.T. systems. This final hurdle must be overcome within the next week and documentation describing your compliance efforts completed. 

    Patient Requests for Restriction—Check Your Systems

    Unique from other areas affected by HIPAA Omnibus, the management of patient requests for information restrictions to health insurers involves more than just policy change. When you accept a restriction, you have to manage it, and your electronic health record (EHR) is likely your primary means of doing so. Your IT systems need to accommodate restrictions. They must have programmable flags for identifying information that shouldn’t be released or forwarded. These flags need to be obvious and heeded by everyone who accesses the record. Ask yourself the following questions as you fine tune your software in the coming week:

    • How will the restricted record be prevented from flowing through other systems?
    • How will you intercept a restricted record that may be released within aggregate health plan data, or other sources for which the patient may ask for a restriction that you have accepted?
    • Will removing this data skew the results of critical information that is required for optimum quality of care?
    • How will restriction requests affect situations of managed care and other payer contracts for which you are obliged to provide data?
    • Does your organization allow for the restriction of separable and unbundled healthcare items or services?

    Finally, the processing of patient requests for restriction must be fully documented, workflow and policies must be updated, and staff must be informed. The plan should answer the following questions:

    • How will the request for restriction be received?
    • Who in particular will receive the notification and start processing the request?
    • Who will ultimately approve/deny the request?

    Crossing the Finish Line

    September 23 will be here in one week. Although compliance with HIPAA Omnibus seems an arduous task, many of the required adjustments are policy changes, which must be comprehended and conveyed to staff. But it’s your mastery of restriction management that will go furthest toward satisfying HIPAA compliance. Pay particularly close attention to your EHR—your primary tool for restriction management. Carefully programmed to monitor restrictions, your EHR can prevent the unwanted flow of data, limiting access to that data, and moving you ever closer to the private and secure data environment envisioned by HIPAA.

  • 2014 Update: ABCs of Working with BAs

    Jul 11, 2013

    The Dept. of Health and Human Services (HHS) released its long-awaited HIPAA omnibus rule in mid-January, which significantly amends the original HIPAA privacy, security and breach rules. Nowhere are the changes more impactful than in the relationship between covered entities (CEs) and business associates (BAs).

    BAs are now, for the first time, directly liable for compliance with certain requirements of the HIPAA rules, including the cost of remediation of breaches for which they are responsible. The new rule went into effect March 26, 2013. Covered entities and BAs must comply by September 23 of this year, so there is much work to do. 

  • Final HIPAA Omnibus Rule Released

    Jan 23, 2013

    On Thursday, January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the final HIPAA omnibus rule. It’s a 563-page rule, covering several issues. And while the rule was published a year later than initially promised, covered entities and business associates have only eight months to comply.  

    HealthPort conducted an initial review of the rule. We’ve identified five key areas of change for healthcare providers. 

    • Business Associates (BAs) are now directly liable for the increased penalties for non-compliance based on their own actions, as well as the level of negligence and non-compliance by their subcontractors.
    • HITECH’s breach notification requirements are strengthened by clarifying when breaches of unsecured health information must be reported to HHS.
    • There will be stronger limitations on disclosures for providers’ fund-raising efforts.
    • Patients can request a copy of their EMR in electronic form.
    • When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan.

    It appears the changes in breach notification processing and the elements used to determine “cost” in processing requests from patients will have the greatest impact on HIM professionals.

    We invite you to visit this blog often for more details and practical advice as we dig deeper into HIPAA’s final omnibus rule.


    NOTE: The final rule may be viewed in the Federal Register at: https://www.federalregister.gov/public-inspection

  • Healthcare Reform Changes and What HIM Professionals Need To Know

    Sep 13, 2012

    As you know, healthcare reform was upheld by the Supreme Court earlier this year.  Now that it is upon us, it is important that health information management professionals understand which record management workflows will be impacted and what other changes are ahead.  As a guest columnist in this month’s Advance for Health Information Professionals online Privacy Points column, I outline some of the reform changes and discuss what HIM professionals need to know to enhance their knowledge and understanding.  

    Click here to read my column, “Healthcare Reform and HIM: What You Need to Know,” and feel free to comment in the area provided below.

  • Healthcare Reform and HIM: What You Need to Know

    Aug 28, 2012

    Recently, I served as the guest columnist in Advance for Health Information Professional’s enewsletter Privacy Points column. Titled, “Healthcare Reform and HIM: What You Need To Know,” my column focuses on the ways that Healthcare reform offers HIM another opportunity to shine. Now that healthcare reform is inevitable, it is important that health information management professionals understand which record management workflows will be impacted and what other changes lay ahead.

    Click here to read my column in its entirety, and I welcome your comments about the changes ahead and their effect on HIM.

  • EMR vs EHR-What is the Difference?

    Aug 03, 2012

    As I browsed the web recently, I came across an interesting article that I wanted to share with my blog readers.  The article titled, “EMR vs EHR-What is the Difference?” was posted on the U.S. Department of Health and Human Services Health IT Buzz online newsletter and authored by Peter Garrett / ONC Office of Communications, and Joshua Seidman, PhD / Director Meaningful Use, ONC. 

    Click here to read the article in its entirety and let me know what you think in the comments section below.

  • HIPAA/HITECH Act Final Rules Delayed

    Jun 27, 2012

    The White House’s Office of Management and Budget (OMB) has extended its review of the rules, although HHS recently indicated that it was targeting July 2012 for release and, at the same time, the Director of OCR stated that the rule was “extremely close” to publication.

    OMB has 90 days to review most proposed and final rules. However, OMB is permitted to extend the review period for an additional 30 calendar days on its own, and, with the agreement of the agency head, for longer periods of time. Of the 19 HHS submissions to OMB currently listed on the federal website that reports on regulations under review by OMB, 11 have extended review periods.

    The omnibus rule is expected to include modifications to:

    • The Breach Notification Rule,
    • The HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act,
    • The Privacy and Security Rules, implementing changes mandated by HITECH, as well as other changes to the Privacy Rule proposed in July 2010, and
    • The Privacy Rule, implementing changes required by the Genetic Information Nondiscrimination Act.