The Office for Civil Rights (OCR) announced on Monday, November 28, 2016, that is was a victim of a sneaky phishing episode. And OCR published a clarification on Wednesday, November 30, 2016. The phishing email disguises itself as an official communication from OCR. It directs recipients to a non-governmental website marking a firm’s cyber security […]

The Internet has now been around for 40 years, with email as a core application. The Internet is used in many enterprises to enable computer networking and facilitate electronic communications. In the early years, the security of email communication was not an issue, but it surely is now! The use of the Internet and email […]

In early October 2016, the Office for Civil Rights (OCR) published an extensive guidance document on Cloud Computing that takes the form mostly of FAQs at http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html. Basically, it states that that covered entities (CEs) and business associates (BAs) must protect and secure protected health information no matter where it is stored or maintained … […]

The Office for Civil Rights (OCR) guidance: “FACT SHEET: Ransomware and HIPAA”[1] defines ransomware as: “Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who […]

The Office of Civil Rights' (OCR) second round of audits began on Monday, July 11, 2016, when selected covered entities received email notification letters on that day. The letter asks for a response within 14 days from the date on the letter (July 25, 2016) confirming your organization’s email information with a Yes or No. […]

Cybersecurity insurance is an insurance policy that is designed to help with the losses from a variety of cyber incidents, such as data breaches, business interruption or network damage. Each cybersecurity insurance policy, while similar to another policy, is never exactly the same as other insurance policies. Cybersecurity insurance is only one arrow in your […]

OCR’s interest in Business Associates is not new but they are much more active in this area lately. For example, Business Associates: Are directly responsible for their own security incidents and all HIPAA breaches per the HITECH Act; Will be audited by OCR per the HITECH Act; Are the subject of the OCR's April 2016 […]

The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A) Risk Analysis requires a covered entity or business associate to “Conduct an accurate and through assessment of the potential risks an vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” In the new Audit Protocols published […]

Phase 2 of the proactive HIPAA Audits mandated by the HITECH Act of 2009 began in earnest in March 2016, when OCR sent out emails to survey a number of covered entities. The thumbnail sketch of the new audits includes the following information: 200 covered entities will be audited by December 31, 2016 All these […]

As you may know, there are more than a few federal agencies that impact HIPAA and its compliance. Two or the most important are the Office for Civil Rights, known by its acronym OCR, and The Office of the National Coordinator, its acronym is ONC. OCR writes and enforces the HIPAA Privacy, Security and Breach […]