Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA

OCR’s HIPAA Compliance and Data Breaches Annual Report

The Department of Health and Human Services (HHS) Office for Civil Rights has sent its annual reports to Congress regarding compliance with the HIPAA Privacy, Security, and Breach Notification Rules and exposure of unsecured protected health information (PHI) for 2022. HIPAA Compliance in 2022: OCR details in the yearly report that large data breaches increased 107% from 2018 to 2022. Concerns about possible HIPAA violations...


Cyberattack Leader Faces 40 Years Imprisonment and LockBit RaaS Infrastructure Operations Disrupted

Leader of Gang Responsible for the Attack on University of Vermont Medical Center Looking at 40 Years Imprisonment: A Ukrainian male charged with being the leader of groups who attacked thousands of enterprise computers using malware has admitted in federal court in Nebraska to one count of conspiracy to commit wire fraud and one count of conspiracy to violate U.S. anti-racketeering rules. One victim, the University of Vermont Medical...

Is Stripe HIPAA compliant?
Dec11

Stripe does not have to be HIPAA compliant to provide payment processing services to HIPAA covered entities and business associates because payment processing services are exempted from HIPAA with regards to uses and disclosures of PHI. However, if any of Stripe’s other services are intended to be used by a covered entity or business associate to create, collect, maintain, or transmit PHI, it is important to know is Stripe HIPAA...

What does the HIPAA Omnibus Rule Mandate?
Dec08

The HIPAA Omnibus Rule mandates changes to the Privacy, Security, Enforcement, and Breach Notification Rules to implement some – but not all – of the privacy provisions required by Subtitle D of the HITECH Act. The HIPAA Omnibus Rule also mandates changes to the Privacy Rule to prohibit health plans from using genetic information for underwriting purposes. What is the HIPAA Omnibus Rule? The HIPAA Omnibus Rule is a Rule...

HIPAA Changes 2024
Dec02

HIPAA changes – and changes to other Rules that impact HIPAA compliance – happen more frequently than many people appreciate; but, because they have a limited impact on covered entities and business associates, they are often overlooked. This article looks at some of the recent changes to HIPAA and HIPAA compliance, and looks ahead to potentially more substantial HIPAA changes in 2024. Since the publication of the HIPAA Omnibus Final...

What is Considered PHI?
Nov17

PHI is considered to be health, treatment, or payment information – or any associated identifying information – that is created, received, maintained, or transmitted by a HIPAA regulated entity. PHI is an acronym for Protected Health Information – a term used in the healthcare and health insurance industries to describe individually identifiable health information subject to the privacy and security regulations of the Health Insurance...

Why Was HIPAA Created?
Nov14

HIPAA was created to help individuals with health problems obtain health insurance and to make it easier for employees who change jobs or lose their jobs to maintain adequate coverage. The Act also enabled group purchasing by small businesses to increase their purchasing power in the health insurance market. The Background to HIPAA: When Bill Clinton won the presidential election in 1992, one of the reasons for his success was a...

HIPAA Compliance for Home Health Care
Nov11

HIPAA compliance for home health care workers can be especially challenging due to working in multiple – and sometimes unfamiliar – environments and often encountering scenarios that do not occur in purpose-built healthcare facilities. Home health care workers provide a valuable service to patients in the community. As well as visiting patients unable to go to a healthcare facility and providing feedback to physicians, home health...


3 HIPAA Violation Consequences That Are Often Overlooked

The three HIPAA violation consequences most often overlooked affect individuals, healthcare organizations, and the timeliness of care in ways not often considered. HIPAA violations occur more often than many people are aware of because the only public source of information about HIPAA violations is HHS’ Office for Civil Rights (OCR). Complaints made directly to healthcare organizations and sanctions imposed on members of the workforce...

Who Created HIPAA?
Nov04

The people who created HIPAA in the context of the Rules healthcare organizations have to comply with were Donna Shalala and her team at the Department of Health and Human Services. If Donna Shalala is a new name to you, this article explains who she was and her role in the creation of HIPAA. Donna Shalala is the longest-serving Secretary for Health and Human Services (HHS), having been appointed to the role in 1993 by President Bill...

HHS Settles its First-Ever Ransomware Investigation for $100,000
Nov03

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first-ever ransomware settlement. The investigation of the ransomware attack on Doctors’ Management Services uncovered multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) and a $100,000 settlement was agreed upon. The healthcare industry has been extensively targeted by ransomware gangs over the past 5...

How Long Does It Take to Get HIPAA Certified?
Oct20

The length of time it takes to get HIPAA certified depends on who is getting certified, the reason for getting certified, the criteria for certification, and how much of the criteria already exists. Consequently, there is no definitive answer to how long it takes to get HIPAA certified. Taking these variables one by one, if an individual takes a HIPAA training course to improve their job prospects, and a certificate of achievement...

How to Conduct an Effective HIPAA Security Risk Assessment
Oct10

An effective HIPAA security risk assessment enables covered entities and business associates to identify threats to the confidentiality, integrity, and availability of electronic PHI, and to implement policies and procedures that prevent, detect, contain, and correct security violations. The requirement to conduct a HIPAA security risk assessment appears in the Administrative Safeguards of the Security Rule (45 CFR §164.308). When...

HIPAA and Social Media Policies
Oct06

There are no specific HIPAA and social media standards because the HIPAA Administrative Simplification Regulations were published years before most people had access to social media. Consequently, healthcare organizations must develop and enforce social media policies that comply with HIPAA based on a risk assessment to identify potential threats to PHI. Under §164.306(a) of the Security Rule, covered entities and business associates...


Why is HIPAA Training Important?

HIPAA training is important because it equips healthcare professionals with the knowledge and skills needed to protect patient privacy, prevent data breaches, ensure legal compliance, foster ethical healthcare practices, and maintain trust in the healthcare system, thereby upholding the integrity and security of sensitive health information. HIPAA training serves as a guardian of patient privacy, ensuring that healthcare professionals...


HIPAA Compliance Training for Employees

HIPAA compliance training for all employees, including medical staff, healthcare administrators, and IT staff, is important because it equips these diverse professionals with the knowledge, skills, and ethical principles necessary to collectively protect patient privacy, uphold the confidentiality of sensitive health information, ensure legal compliance with the HIPAA, and foster a culture of trust and integrity within healthcare...


Pros and Cons of HIPAA

HIPAA compliance offers benefits such as safeguarding sensitive data, empowering patients with rights, ensuring data security and confidentiality, fostering standardized healthcare transactions, and maintaining insurance coverage portability, but its implementation involves administrative burdens, costs, potential hindrance to innovation and research, complexities in patient communication, legal consequences for violations,...


Benefits of HIPAA Compliance

HIPAA compliance yields benefits including enhanced patient data security, privacy protection, improved trust through transparent handling of personal health information, standardized and efficient healthcare transactions, patient empowerment through control over their data, and the preservation of health insurance coverage portability during job transitions or life events. HIPAA compliance has brought about a series of significant...

Is Microsoft OneDrive HIPAA Compliant?
Jun13

Many organizations in the healthcare industry take advantage of cloud storage services because of their convenience and cost-effectiveness. Microsoft OneDrive is one of the most popular cloud storage services as it is included in all Microsoft business subscriptions; but is OneDrive HIPAA compliant and suitable for storing Protected Health Information in the cloud? The answer to the question is OneDrive HIPAA compliant is that no...

Is WhatsApp HIPAA Compliant?
May29

WhatsApp is widely used in healthcare organizations to accelerate workflows and improve patient outcomes, but is WhatsApp HIPAA compliant and can the messaging platform be used to send and receive Protected Health Information? In 2016, WhatsApp announced the implementation of end-to-end encryption across all web and mobile apps. Not only are chat messages encrypted, but also images, attachments, and voice calls. In theory, this would...

What Does it Take to Make Microsoft Teams HIPAA Compliant?
May05

To make Microsoft Teams HIPAA compliant, it is necessary to select a plan with the capabilities to support compliance, configure the platform to meet the requirements of the Security Rule, and train members of the workforce how to use Microsoft Teams in compliance with HIPAA. It is also necessary to accept the terms of Microsoft’s Business Associate Agreement. Many businesses in the healthcare industry take advantage of Microsoft...

How to Make Google Forms HIPAA Compliant
May02

HIPAA Covered Entities and Business Associates need to know how to make Google Forms HIPAA compliant before using the Workspace service to collect, store, or share Protected Health Information (PHI). Google Forms is a web-based service that is part of the Google Workspace suite of productivity and collaboration tools. The service can be used by healthcare organizations to create surveys and obtain feedback from employees and patients...

HB 300 Training Requirements
Apr21

Information on the HB 300 training requirements for companies, organizations, and individuals that do business with Texas residents that involves access to protected health information and/or sensitive personal information. What is Texas HB 300? HB 300 – Texas House Bill 300 – was passed and signed into law by Texas Governor Rick Perry in June 2011 and took effect on September 1, 2012. The bill amended existing state laws such...

Healthcare Providers, Google Meet and HIPAA Compliance
Apr12

For the past few years, the good faith use of Google Meet and HIPAA compliance has not been an issue for healthcare providers due to OCR’s Notice of Enforcement Discretion for telehealth during the COVID-19 pandemic. However, with the COVID-19 public health emergency about to expire, healthcare providers will have to start using Google Meet in compliance with HIPAA. During the COVID-19 pandemic, the use of chat, phone, and video...

What Makes an Electronic Signature HIPAA Compliant?
Mar10

The Department of Health and Human Services has not issued specific guidance about what makes an electronic signature HIPAA compliant other than stipulating “any electronic signature used will result in a legally binding contract under applicable State or other law”. However, this may soon be about to change. In the original text of the Health Insurance Portability and Accountability Act (HIPAA), the Secretary for Health and Human...

HIPAA Security Rule Failures Land Banner Health with $1.25M Financial Penalty
Feb07

Banner Health has agreed to settle alleged violations of the HIPAA Security Rule with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and will pay a $1.25 million financial penalty. Banner Health will also adopt a corrective action plan to ensure full compliance with the HIPAA Security Rule and will be monitored by OCR for two years. The OCR investigation into HIPAA Security Rule compliance was...

Does HIPAA Apply to Employers?
Jan26

The answer to the question does HIPAA apply to employers is complicated because, although the Health Insurance Portability and Accountability Act impacts around half of employers, only a small percentage of employers are required to comply with the Privacy, Security, and Breach Notification standards of the Administrative Simplification provisions. According to a September 2022 report compiled by the Bureau of Labor Statistics, 70% of...

Does HIPAA Apply to Schools?
Jan20

In most cases, HIPAA compliance is not applicable to education institutions as they are not deemed HIPAA covered entities, but in some instances a school can be classified as a covered entity if healthcare services are given to students. At such times, HIPAA may still not apply because any student health information obtained would be included in the students’ education records and education records are not governed by the HIPAA...

What is HIPAA Email Archiving Compliance?
Jan15

HIPAA email archiving compliance is an alternative way to describe HIPAA compliant email archiving. However, there is more than one way to archive emails; and different compliance requirements apply depending on whether emails are archived on-premises, in the cloud via an email service provider, or in the cloud via a third-party service provider. It is also important to be aware the requirements for HIPAA email archiving compliance...

HIPAA Waiver Form
Jan11

A valid HIPAA waiver form is required whenever a Covered Entity wants to use or disclose Protected Health Information for a purpose not otherwise required by the General Provisions of the Administrative Requirements or permitted by the HIPAA Privacy Rule. Generally, Covered Entities are required to disclose Protected Health Information (PHI) when requested to do so by the Department of Health and Human Services (HHS) or by an...

How Often is HIPAA Training Required?
Dec28

The text of the HIPAA Privacy Rule and Security Rule related to training doesn't help answer the question how often is HIPAA training required. However, by reviewing other areas of HIPAA, it is possible to establish that the frequency of HIPAA training should be as often as it is required. Considering the importance of HIPAA and the severity of the penalties for noncompliance – fines of more than $1.9 million can be imposed per...

What are the HIPAA Password Requirements?
Dec18

Before answering the question what are the HIPAA password requirements, it is important to note that passwords are not a requirement of HIPAA if Covered Entities use an alternative authentication method to “verify that a person or entity seeking access to ePHI is the one claimed” (Security Rule Standard §164.312(d)). According to the Department of Health and Human Services’ Guide to the Technical Security Standards there are three ways in which...

HIPAA and Pictures – The Challenge of Compliance
Dec11

The relationship between HIPAA and pictures is a challenging area of compliance – especially for healthcare providers who may often receive unsolicited images that do not qualify as Protected Health Information, or who have to contend with patients and visitors taking photos and videos in healthcare environments that can reveal the identities of other patients. Pictures play an important role in the provision of healthcare. They can...

Criminal Prosecutions for HIPAA Violations by Ohio Hospital Employee
Dec10

Criminal prosecutions for HIPAA violations committed by hospital employees are a relatively uncommon occurrence; but the spate of HIPAA prosecutions over the past few years suggests that has now changed. Another case of improper accessing of PHI has resulted in criminal charges for HIPAA violations being brought against an employee, this time a healthcare provider who worked at the ProMedica Bay Park Hospital in Oregon, Ohio....

What Does Pharmacy HIPAA Compliance Consist Of?
Dec03

Pharmacy HIPAA compliance consists of meeting the requirements of the HIPAA Administrative Requirements, the Privacy Rule, the Security Rule, and the Breach Notification Rule. However, some pharmacies may be subject to more stringent federal and state laws whose requirements pre-empt HIPAA, while some may not be HIPAA Covered Entities at all. Pharmacies qualify as healthcare providers under HIPAA when they “dispense drugs, devices,...

HIPAA Compliance for Dental Offices
Dec01

HIPAA compliance for dental offices is not as straightforward as complying with the standards of the Privacy, Security, and Breach Notification Rules because there are instances when federal or state laws can pre-empt HIPAA, when exemptions can apply, or when dental offices do not qualify as HIPAA Covered Entities. Judging by the volume of news stories covered by this website relating to data breaches and HIPAA violations, HIPAA...

What are the HIPAA Rules for Medical Devices?
Nov15

Following the introduction of the HITECH Act and the passing of the HIPAA Privacy and Security Rules, pharmaceutical companies and medical device manufacturers have had to navigate HIPAA Rules for medical devices, and this has caused some of those companies a number of problems. For any company required to record, store, or transmit electronic Protected Health Information (ePHI) there are a number of considerations, the most important...

Are Pagers HIPAA Compliant?
Oct16

Many healthcare providers are asking the question “are pagers HIPAA-compliant?” The simple answer to the question is no, pagers are not HIPAA-compliant, although they can be used without violating HIPAA Rules if electronic Protected Health Information (ePHI) is not transmitted via pagers, or if that data is encrypted. Unfortunately, just like unencrypted emails and SMS text messages, information sent via pager can be intercepted,...

Using a Business Password Manager to Share ePHI in Compliance with HIPAA
Sep23

Using a business password manager to share ePHI in compliance with HIPAA is a viable alternative to other secure forms of communication if your organization implements a business password manager and the vendor is willing to sign a Business Associate Agreement. One of the most challenging requirements of HIPAA compliance is communicating ePHI in compliance with the Security Rule safeguards. Familiar channels of communication such as...

Is the Use of Mandrill by Healthcare Organizations HIPAA Compliant?
Sep10

The leading automated email marketing platform Mandrill is a transactional email service that MailChimp provides. This software allows companies to automatically broadcast emails to customers and people that interact with their web apps and links to MailChimp via an API. Transactional emails are the same as marketing emails in that they are programmed to be initiated by events including password resets, confirmation of placement of...

Meta Facing Class Action Lawsuit over Use of Health Data for Serving Targeted Advertisements
Aug02

Another lawsuit has been filed against Meta by a patient who claims her private healthcare information was collected without consent and was used to serve targeted advertisements related to her medical condition. The plaintiff, Jane Doe, was a patient of UCSF Medical Center and the Dignity Health Medical Foundation, who have also been named in the lawsuit. The case stems from the inclusion of Meta Pixel on web pages behind a login on...

NIST Releases Updated HIPAA Security Rule Guidance
Jul26

The National Institute of Standards and Technology (NIST) has refreshed its HIPAA Security Rule compliance guidance. The guidance was last updated in 2008 and a lot has changed in the past 14 years, including the release of the NIST Cybersecurity Framework. The new guidance serves as a practical guide for the healthcare industry to help with the implementation of the HIPAA Security Rule, to better protect healthcare data from...

HIPAA Compliance and Dropbox: What You Need to Know
Jul16

Dropbox is one of the most popular and successful file hosting services available online, but does it comply with HIPAA? Dropbox claims it is now fully behind and supportive of HIPAA and HITECH Act compliance, but that does not mean Dropbox itself is HIPAA compliant. No software or file sharing platform can be HIPAA compliant on its own, as it depends on how the software or platform is used and the individuals using it. However,...

Does Amazon Web Services Comply with HIPAA?
Jul16

Under the Healthcare Insurance Portability and Accountability Act, all providers of a product or service that ‘touches’ PHI are deemed to be business associates and are required to comply with HIPAA Rules. That means appropriate safeguards must be implemented to ensure the confidentiality, integrity, and availability of any PHI that is available through their products or services. Any healthcare entity or vendor obligated to comply...

Web Server Hacking Incident Results in $875,000 HIPAA Fine for Oklahoma State University
Jul15

On January 5, 2018, Oklahoma State University – Center for Health Sciences (OSU-CHS) reported a web server hacking incident to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The subsequent OCR investigation determined multiple areas of noncompliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA). Yesterday, OCR...

Is Calendly HIPAA Compliant?
Jun16

Is the scheduling service Calendly HIPAA compliant? The service streamlines how businesses can organize meetings – saving time and improving productivity by eliminating the confusion that results from lengthy email chains. This makes Calendly a popular service across a variety of sectors, but can it be used in the healthcare industry in a HIPAA-compliant manner? The Calendly platform integrates with a number of other...

Sharing Patient Information with Family Over the Phone
Jun09

When sharing patient information with family over the phone, healthcare providers need to ensure they verify who they are speaking to, that the patient has not objected to their health information being shared, and that any details disclosed to family members comply with the HIPAA Minimum Necessary Standard. When a patient enters hospital, it is understandable that family members want to enquire about their wellbeing. One of the most...

Is SharePoint HIPAA Compliant?
Jun09

It may be one of the most popular cloud services worldwide, but is SharePoint HIPAA compliant? Microsoft’s SharePoint Online service offers a collaborative cloud-based platform for the storage, management, and sharing of documents. It allows multiple users to view and edit a document simultaneously from various devices and can be integrated with other popular Microsoft applications in most Microsoft 365 and Office 365 enterprise...

Mid-Year HIPAA Enforcement Update
Aug25

The HHS’ Office for Civil Rights has imposed 8 financial penalties on HIPAA-covered entities and business associates in the first 6 months of 2021 to resolve investigations into noncompliance with the Health Insurance Portability and Accountability Act Rules. In the first 6 months of 2020, only 1 financial penalty was imposed; however, OCR ended the year with 19 financial penalties imposed. This year, OCR has continued with its drive...

2020 Healthcare Data Breach Report
Feb20

Protenus has released its 2020 healthcare data breach report which shows the past 12 months have been the worst ever in terms of the number of reported breaches. For its 2020 Breach Barometer report, Protenus, in conjunction with databreaches.net, identified more than 572 healthcare data breaches of 500 or more records in 2019, up 48.6% compared to 2018. The number of data breaches affecting the healthcare industry has increased...

Can Gmail be HIPAA Compliant?
Jan13

In order for Gmail to be deemed HIPAA compliant, Google would have to see to it that the email service is 100% safe and satisfies the basic standards for security as stated in the HIPAA Security Rule. A covered entity would also be obligated to obtain a signed business associate agreement from Google that incorporates Gmail, as Google would be deemed a business associate under the HIPAA Rules. While encryption for email is not an...
