Breaking Compliance News Blog

Download MPA's HIPAA, COVID-19 & Social Media Roadmap

Posted by Margaret Scavotto & Scott Gima on 7/8/20 8:38 AM

The rise of social media has revolutionized the way people connect. In the health care workplace, social media also brings countless opportunities for employees to violate HIPAA. Balancing this new landscape of increased sharing through technology and unchanged patient privacy rights is a minefield for healthcare providers.

Without education and policies from their employers, health care employees can easily get into trouble, quickly putting their employers at risk for HIPAA penalties, lawsuits, and devastating PR consequences. The pandemic has only exacerbated the privacy challenges associated with social media. MPA’s HIPAA, Social Media & COVID-19 Roadmap tells you what you need to know about this challenge, and what you can do about it.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly, and to know when they aren't, than to do nothing and wait to hear about it from the patients (or the media).

Click here to download.


Topics: HIPAA, COVID-19

HIPAA News: Who Leaked Ezekiel Elliott’s COVID-19 Results?

Posted by Margaret Scavotto, JD, CHC on 7/2/20 9:30 AM

It’s not often that I cite a Sports Illustrated article in a HIPAA blog – but last week, the compliance and sports worlds collided when Dallas Cowboys running back Ezekiel Elliott’s COVID-19 results went viral.

Elliott issued his official, one-word response to the news on Twitter: “HIPAA ??” Elliott went on to deny reports that his own agent leaked the news about his COVID-19 status, tweeting that his agent confirmed the information AFTER it was leaked to the media.

We do not know how this happened, but healthcare providers should think through the possibilities and look inward.

  • Did an employee of a healthcare provider treating (or testing) Elliott leak the information? Could this happen within your organization?
  • Are your employees trained about the consequences of breaching patient information in this way? What would your employees find more compelling – your HIPAA policies, or a bribe from a reporter? (To be clear, we have no knowledge that this is what happened here – but it is a possibility).
  • Are your employees trained to understand that COVID-19 status is sensitive PHI – with higher stakes for the patient?
  • Does your organization segregate patient records access to minimize the likelihood of a breach?
  • When your organization treats high-profile patients, are extra precautions taken to protect their PHI (for example, admitting/treating them under an alias)?
  • Do you conduct regular information system activity review audits, to both prevent and detect unauthorized records access?

We don’t know how Zeke Elliott’s records were leaked – but we know it’s wrong, and healthcare providers should take all steps to avoid a similar problem. Keep in mind that breaches of high-profile individuals will continue to be a challenge after COVID-19. As the 4th of July approaches, you might remember Jason Pierre-Paul, the NY Giants player who sued ESPN after a reporter tweeted a picture of his medical record when he was treated for a fireworks injury to his hand.

MPA can help with HIPAA training. We offer interactive, customized Zoom training sessions with current real-world examples and pre- and post-testing.


Topics: HIPAA, COVID-19

Sign up for MPA's Upcoming Free Compliance Webinars

Posted by Margaret Scavotto, JD, CHC on 6/30/20 5:45 AM

Sign up for the next two webinars in MPA's Free Compliance Webinar Series:


July 21 at 10 a.m. CST: Compliance Lessons from NBC's The Office

While this webinar is based on a TV comedy, I assure you we will cover lots of serious compliance lessons! There is much to learn about compliance culture, good and bad, from Michael Scott.

Sign up here.

August 11 at 11 a.m. CST: HIPAA & PR Pitfalls

OCR has entered multiple HIPAA settlements with healthcare providers who violated HIPAA with public relations campaigns and media communications. Learn what happened and how to stay on the good side of the news.

Sign up here.


Topics: HIPAA, Culture of Compliance, compliance

HIPAA News: Contacting COVID-19 Patients about Blood & Plasma Donation

Posted by Margaret Scavotto, JD, CHC on 6/18/20 10:41 AM

On June 12, the OCR published the following guidance: OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities.

This guidance explains when PHI can be used to identify and contact patients who had COVID-19 about donating blood and plasma to help treat other COVID-19 patients:

  • Covered entities (or their business associates) CAN, under HIPAA, use PHI to identify and contact patients who have recovered from COVID-19 to provide information about donating blood and plasma that could help other COVID-19 patients. The COVID-19 antibodies found in blood and plasma of recovered patients could help treat other COVID-19 patients.
  • This use of PHI is considered health care operations, because it involves “population-based activities related to improving health, and case management and care coordination activities that do not meet the definition of treatment….”
  • Covered entities should limit the use or disclosure of PHI to the minimum necessary.
  • Providers must be careful here – the way they reach out to patients must not constitute marketing. (With some exceptions, uses or disclosures of PHI for marketing require a signed HIPAA authorization).
    • Covered entities should NOT receive any direct or indirect payment from or on behalf of a blood and plasma donation center.
    • Covered entities should refrain from encouraging patients to use a particular blood and plasma center.
    • Covered entities cannot disclose PHI about recovered COVID-19 patients to a blood and plasma donation center for the purpose of soliciting blood and plasma donations – without a signed patient authorization.

MPA has updated its HIPAA & COVID-19 Tool Kit to address this guidance. The following documents have been updated:

  • HIPAA & COVID-19 Update
  • Permitted Uses and Disclosures Policy

Providers who previously purchased the HIPAA & COVID-19 Tool Kit have received these updated downloads by email. To purchase the HIPAA & COVID-19 Tool Kit, click here.


Topics: HIPAA, COVID-19

MPA, Blue M&Ms, and Toy Story: Great Things Turning 25 in 2020

Posted by Margaret Scavotto, JD, CHC on 6/16/20 12:08 PM

MPA turns 25 in June 2020, and we're in good company.

MPA is officially as old as Craigslist, and MPA started helping healthcare providers in 1995 – the same year Kramer began sculpting with pasta on Seinfeld.

We are proud that we have been helping healthcare providers for a quarter century, and we appreciate that we have earned your trust. We wish we could invite each and every one of you to a party to celebrate, but the pandemic has other ideas. Instead, we are saying thank you for 25 years of business with a giveaway.

This June, we are giving away a 12-month license to a Compliance Toolkit, ($1,750). We are also giving away our HIPAA Tools ($995).

Click here to enter. We’ll announce the winner by email at the end of June.


Topics: Compliance Basics, HIPAA

Enter MPA’s 25th Birthday Compliance Giveaway!

Posted by Margaret Scavotto, JD, CHC on 6/2/20 10:00 AM


MPA turns 25 in June 2020!

That’s right, we are as old as eBay and Kendall Jenner. In 1995, the first Honda CR-V was made, and so was MPA. Braveheart began its legacy in 1995, and so did we.

We are proud that we have been helping healthcare providers for a quarter century, and we appreciate that we have earned your trust. We wish we could invite each and every one of you to a party to celebrate, but the pandemic has other ideas. Instead, we are saying thank you for 25 years of business with a giveaway.

This June, we are giving away a 12-month license to a Compliance Toolkit, ($1,750). We are also giving away our HIPAA Tools ($995).

Click here to enter. We’ll announce the winner by email at the end of June.


Topics: Compliance Basics, HIPAA

HIPAA reminder: Is your workforce changing?

Posted by Margaret Scavotto, JD, CHC on 5/19/20 10:44 AM

Many providers are seeing changes to their workforce during the pandemic. Hospitals are recruiting additional healthcare professionals; nursing homes are relying more heavily on agency staff as employees become ill or do not show up for work. CMS has changed its rules, allowing expanded types of providers to order tests and perform other tasks. More students and volunteers are also being used.

With these workforce changes, HIPAA training must continue. The HIPAA Privacy and Security Rules remain in place during the pandemic. OCR enforcement remains active. HIPAA requires providers to train their workforce on HIPAA requirements. Workforce means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.” 45 CFR 160.103

HIPAA training reminders:

  • Covered entities should routinely evaluate who is working on their behalf and determine who is included in their workforce (and needs training).
  • The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI, as necessary and appropriate for the workforce members to carry out their functions. 45 CFR 164.530(b)
  • The Security Rule requires covered entities to: “implement a security awareness and training program for all members of its workforce (including management)” 45 CFR 164.308(a)(5)
  • Workforce members should also be trained to recognize breaches, to know how to report them internally, and to know whom to report them to.
  • All workforce members should be trained on appropriate social media use (this is especially important during a national emergency).


Topics: HIPAA, Social Media, security, breach notification, COVID-19, privacy

OCR issues guidance on media access to patients

Posted by Margaret Scavotto, JD, CHC on 5/6/20 2:35 PM

On May 5, the OCR issued guidance addressing media access to PHI during the pandemic: OCR Issues Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities. The OCR’s purpose in issuing this guidance is: “reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information (PHI) will be accessible without the patients’ prior authorization.” 

During COVID-19, providers are still required to obtain HIPAA authorizations from patients BEFORE the media is given access to patient PHI. This includes film crew access, and access to parts of the facility where patient PHI is accessible to the media in written, electronic, oral, or other visual/audio form. The OCR makes clear that every patient who will be in an area accessed by the media must sign a HIPAA authorization BEFORE the media has access.

Providers CANNOT require a patient to sign a HIPAA authorization as a condition of receiving treatment.

Masking or blurring patient faces or voices (which occurs AFTER the media has access to patients) is NOT enough to comply with HIPAA, unless a HIPAA authorization is obtained BEFORE the media has patient access.

If HIPAA authorizations are obtained in advance, and the media is given access to your facility, the OCR recommends safeguards to protect PHI:

  • Use computer monitor privacy screens
  • Install opaque barriers to block film crew access to PHI of patients who did not sign an authorization

This new guidance elaborates on prior OCR guidance about communicating with the media, including film crews.

Prior to the pandemic, the OCR entered two settlements with providers who allowed film crews access to patients without a proper HIPAA authorization:

  • In 2016, New York Presbyterian Hospital entered a $2.2 million settlement for what the OCR called an “egregious disclosure.” The hospital allowed the ABC TV show NY Med to film two of its patients in the emergency room without obtaining their authorization. One of the filmed patients was dying; the other was in distress. Filming continued after a medical professional objected. One of the patients filmed was Mark Chanko, a gentleman who was taken to the hospital after he was hit by a garbage truck. When NY Med aired, Mr. Chanko’s voice was muffled and his face was blurred – but he was still recognized by his widow.
  • In 2018, the OCR entered a $999,000 settlement with three Boston hospitals that allowed film crews from ABC to film on the premises without obtaining HIPAA authorizations.

HIPAA media breaches are not limited to film crews:

  • In 2017, a Texas health system entered a $2.4 million settlement with the OCR. A patient presented a fake ID at the system’s OB/GYN clinic. The clinic called the police, a step that complied with the Privacy Rule’s provisions for reporting a crime on the premises. But then the health system issued a press release about the arrest – and the press release title included the patient’s name.
  • In 2013, a medical center entered a $275,000 settlement with the OCR after senior leaders of the medical center “met with media to discuss medical services provided to a patient” and “impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.”

MPA’s HIPAA & COVID-19 Tool Kit has been updated to include a HIPAA & the Media Policy in response to this guidance.

Read more HIPAA & COVID-19 updates on the blog.


Topics: HIPAA, compliance, COVID-19, privacy

Protect your organization from skyrocketing COVID cyber scams

Posted by Scott Gima on 4/30/20 11:00 AM

Google’s Threat Analysis Group (TAG) is responsible for identifying online vulnerabilities and threats. The group released a report on April 22, 2020 describing its latest findings on COVID-19 related threats. The report is a timely reminder that cybersecurity concerns continue and that everyone must remain cautious and vigilant with their email accounts.

COVID-19 Themed Attacks

In April, Google detected 18 million COVID-19 related malware and phishing Gmail messages per day, and more than 240 million COVID-related spam messages per day. If you use Gmail, 99.9% of these messages never reach your inbox. TAG also reports that government-backed attackers are among those behind these campaigns: it has identified over a dozen government-backed attacker groups using COVID-19 related lures.

Type of Attacks

The attack tools are no different from what has been used in the past: phishing emails that lure you into clicking malicious links or downloading files that contain malware. Google provided the following examples:

  • Free meals and coupons offered in response to COVID-19.
  • Links to malicious websites disguised as online ordering and delivery options, where the recipient is asked to provide their Google account credentials.
  • Emails that impersonate the World Health Organization.
  • Emails luring users who may be working from home.
  • Emails built around a stimulus package theme.

Best Practices Reminder

These types of attacks are not limited to Gmail, and everyone must be vigilant with all email accounts, work and personal. For all your accounts, users should:

  • Never download file attachments – or, at a minimum, verify an attachment with the sender by voice or text before downloading it. This is an old-fashioned version of two-factor authentication.
  • Don’t click on links in email. A safer alternative is to go directly to the web page, or to search for the site the link describes. For example, if an email that could be legitimate appears to come from your bank, open a new browser tab and type in the bank’s website address or search for it.
  • If possible, use or activate two-factor authentication.

MPA can help with your HIPAA Security Risk Analysis - contact me today to learn more.


Topics: HIPAA, security, COVID-19

HIPAA & COVID-19 Toolkit UPDATED for new OCR Business Associate Guidance

Posted by Margaret Scavotto, JD, CHC on 4/2/20 3:08 PM

To help providers with HIPAA compliance during the COVID-19 pandemic, all MPA HIPAA Tool Kits are now marked down to 50% off.

Business Associate Disclosures during COVID-19

On April 2, 2020, the OCR issued a Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19.

This Notification, effective immediately, announces that the OCR will NOT impose HIPAA penalties against a business associate or covered entity under the following Privacy Rule provisions, in some circumstances. Enforcement is waived for the following Privacy Rule sections:

  • 45 CFR 164.502(a)(3): Business Associates: Permitted Uses and Disclosures
  • 45 CFR 164.502(e)(2): Disclosures to Business Associates: Documentation
  • 45 CFR 164.504(e)(1): Business Associate Contracts
  • 45 CFR 164.504(e)(5): Business Associate Contracts with Subcontractors

Enforcement of these sections will not occur in the following circumstances:

  • A business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d); AND
  • The business associate informs the covered entity within 10 calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

If a business associate makes one of these disclosures, and the covered entity and business associate have not had time to update their business associate agreement to allow for such disclosures, OCR will not impose penalties.

An example of how this waiver might apply to you:

  • A business associate is contacted by the local public health department and asked questions during a health investigation related to a COVID-19 patient. This type of disclosure is not typically permitted if it is not specifically outlined in the BAA. However, under this waiver, the business associate may disclose the requested information to the public health department. Within 10 days of the disclosure to the public health department, the business associate must inform the covered entity that the disclosure was made.

Business associates are STILL expected to comply with the Security Rule. For example, ePHI must be securely transmitted to the public health authority or health oversight agency.

MPA's HIPAA & COVID-19 Toolkit was updated April 2 for the new OCR guidance on business associates.

HIPAAtrek and MPA are here to help navigate and guide HIPAA compliance. Our priority is you – our clients, our healthcare providers, and healthcare administrators. We understand that this is a confusing and scary time. Now more than ever, please reach out with your compliance questions. We are here to help alleviate your compliance burden both now and in the future. Stay healthy.


Margaret and Sarah

Check out our other HIPAA & COVID-19 blogs.


Topics: HIPAA, data breach, security, COVID-19, privacy
