As the Rules Apply

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

This week in HIPAA news we are shining a light on two rules that show the range of ‘bending’ by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The first shows flexibility: OCR announced that it will not impose HIPAA penalties in connection with online or web-based scheduling applications used for COVID-19 vaccination appointments, provided covered health care providers and their business associates use them in good faith for appointment scheduling. This is retroactive to activity starting December 11, 2020.

The second bit of news shows how enforcement will be upheld when deadlines and rules are not adhered to. One area where no leniency is offered is the deadline to report small HIPAA breaches from 2020. Even if only ONE person was affected, you must report the breach to HHS using the designated breach reporting portal. Covered entities are required to report any breach of protected health information (PHI) to this office by March 1, 2021. A small breach is one that affects fewer than 500 individuals, and it has to be reported within 60 days of year-end. While the portal permits a business associate to report its own breach on behalf of a covered entity, the responsibility falls on the covered entity, which may therefore prefer to handle the reporting itself so that it is done accurately and on time. A breach that is not reported, or is reported after the deadline, can lead to additional fines.

Both of these likely affect you in one way or another. They show that the OCR has some flexibility in accommodating the unexpected and ensuring that healthcare providers can quickly and effectively provide care, and they are also an example of how the patient and their privacy or security will always come first. OCR will bend to ensure that people can be treated quickly when needed, and remain rigid when it comes to ensuring that the healthcare industry does so in the safest way possible.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance.
