Appreciating how to avoid an enforcement action under the Right of Access Initiative, as well as mitigating cyberattacks with HHS’s cybersecurity resource website.
Just in time for the Holiday Season, HHS Office for Civil Rights (“OCR”) announces five separate resolutions as part of its HIPAA Right of Access Initiative. This initiative focuses on providers and health plans who fail to provide individuals with the ability to view and receive copies of their protected health information (“PHI”) within 30 days unless an extension is provided. Importantly, the 30-day timeframe applies under federal HIPAA; states may have shorter timeframes for providing patients with their medical records. Here’s a recap of the five resolutions:
To stay on OCR’s “nice list,” providers should have adequate policies and procedures that staff are trained on, log the initial request date, and comply with both state and federal timeframes. If an extension is needed, notify the patient or representative.
The 405(d) program was established under the Cybersecurity Act of 2015. On December 1st, HHS delivered a holiday gift: a new website for the 405(d) Aligning Health Care Industry Security Approaches Program, which offers healthcare providers and public health officials cybersecurity and patient safety resources, as well as best practices. “Absence of Cybersecurity is a(n) Enterprise Risk, Patient Risk, Organization Risk, [and] Provider Risk.” Said another way, the 405(d) program’s motto is “Cyber Safety is Patient Safety.” The program provides a variety of different resources, including cybersecurity posters, infographics, and a bi-monthly newsletter.
In sum, to avoid the ransomware Grinch, remain vigilant because ransomware criminals are ramping up.