February 28, 2024 For practices offering treatment for a substance use disorder (SUD), some major compliance changes have been rolled out. The Substance Abuse and Mental Health Services Administration, or the much easier-to-remember SAMHSA, and the Office of Civil Rights, or OCR, have announced changes to 42 CFR Part 2. 42 CFR Part 2 is a document that rules how substance use disorder patient records need to be handled. Some major changes include: One OK: A single consent is valid for all future uses, forgoing repeated permissions and simplifying the process for your practice. Sharing with Care: Information about a patient can be shared with public health authorities without specific consent. However, the documents need to be revised to make the patient anonymous. Enforcement Streamlined: Previously, 42 CFR Part 2 had separate penalties. Now, it adopts the same civil and criminal enforcement as HIPAA violations, ensuring consistency and clear expectations. Breach Notification and Patient Notice: Will follow the same Breach Notification Rule and Patient Notice of Privacy Practices as standard HIPAA requirements. Safe Harbor: The Safe Harbor rule in the 42 CFR Part 2 creates a limit on the liabilities investigative agencies that follow proper procedures can face. So, simply put, if an investigative agency has accessed protected health information about someone in substance abuse treatment by following the proper procedures, they will be protected. What this means for your Practice If you work for a practice that offers treatment for substance use disorder, knowing the changes to this legislation is imperative. With Abyde, we’re here for you to simplify compliance, with our revolutionary software keeping you up to date and accountable. Review your organization’s risks and vulnerabilities with our variety of resources, including our state-of-the-art Security Risk Analysis (SRA) which can be completed in minutes. To learn more about how your practice can be compliant, email us at info@abyde.com and schedule a consultation today.
Understanding the New HHS Resources on Telehealth Privacy and Security: A Guide for Healthcare Providers and Patients
October 20, 2023 The telehealth usage surge has revolutionized healthcare delivery, particularly amid the COVID-19 pandemic. While the technology offers numerous benefits, it also raises questions about the privacy and security of Protected Health Information (PHI). Addressing this, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently released two essential resources to educate healthcare providers and patients. In this article, we delve into the key takeaways from these resources and discuss their implications for HIPAA compliance. What Has Been Released? OCR has issued two resource documents: For Healthcare Providers Although HIPAA doesn’t mandate healthcare providers to educate patients about the risks involved in telehealth, the new resource provides valuable guidelines for those who choose to do so. Topics covered include: For Patients Patients are provided with recommendations to protect and secure their health information, such as: Why Is This Important? “Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” says OCR Director Melanie Fontes Rainer. By educating patients and providers about privacy and security risks, OCR aims to build confidence and encourage the responsible use of telehealth technologies. Practical Tips for Health Care Providers Recommendations for Patients Final Thoughts The newly released resources by OCR offer a comprehensive guideline for navigating telehealth’s privacy and security aspects. Healthcare providers should seize this opportunity to improve their practices and educate their patients, enhancing the telehealth experience. For more information on how to stay compliant with HIPAA and other regulations in the healthcare sector, feel free to contact Abyde, your trusted partner in HIPAA and OSHA Compliance.
What is the New HIPAA Safe Harbor Law?
January 14, 2021 There’s a lot of legislative changes coming in 2021 (including changes to the HIPAA Privacy Rule) that affect your practice’s HIPAA program, but there’s at least one change we think you should be pretty thrilled about. We’re usually pretty happy about HIPAA (we know, we’re weird, but we’ve accepted it) – but what should make your practice just as happy? Well, after an unprecedented year of cyber threats and HIPAA enforcement, recently ratified changes to the HITECH Act include some really good news – reduced HIPAA fines and penalties for data breaches if practices have proper security measures in place. What Changed HR 7898, or the HIPAA Safe Harbor Bill, was officially signed on January 5th, 2021, and amends the HITECH act to require the Department of Health and Human Services (HHS) to take into account if practices have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all the basic technical safeguard requirements. Translation: if you have the right HIPAA Security Rule basics down, and appropriate technical safeguards to mitigate your identified threats, you’ll be able to stress less when a breach occurs – and see a lot fewer $$$ from the HHS. See why it’s not just us that should be happy about this one? What Else to Know So smaller fines is a major plus – but what’s the fine print? Like any law, there are a few caveats to make sure your practice gets to enjoy these incentives: The next question – what does “recognized cybersecurity practices” mean? What to do NOW To put it frankly, if you don’t have the required security standards in place already – it’s time to get a move on. Implementing these recognized security practice’s could mean the difference between a hefty fine or enforcement effort in the case that your practice ever falls victim to a data breach or other HIPAA violation – which is often out of your control. What’s really important about this law change is that having some cyber security measures in place does not cut it – if you don’t have the specific measures required under the HIPAA Security Rule (that Security Risk Analysis, documentation, and more) you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand – and to get the benefits of reduced fines, you’ll need both.