OCR stands for Office for Civil Rights, and it’s the governmental agency in charge of HIPAA compliance and enforcement. It’s part of the department of Health & Human Services. I like to jokingly call OCR the “HIPAA Police,” but of course that’s silly business about something that is very real and serious. OCR is the agency where people file their HIPAA complaints, where HIPAA investigators come from, and where penalties are handed down. You do need to care, and here’s why:
Short video, produced by the OCR that gives basic information about how new HIPAA regulations affect providers.
Short video, produced by the OCR that gives basic information about how new HIPAA regulations affect consumers.
Spend a little time teaching yourself about HIPAA security, and you’ll discover that it’s pretty easy to get caught up in confusing, overwhelming technology advice.
It’s smart to have a way (several ways, really) for visitors to your website to contact you. To hide one’s email address from spammers, many therapists choose to have a contact form built into the site. However, some contact forms can be non-compliant with HIPAA regulations, if they are served by a third party with whom you do not have a Business Associate’s Agreement. Those third parties have access to PHI as sent through the form, or worse—occasionally the forms have a default setting that cc’s an administrator for the website every time the form is used.
If you've taken my workshop, you know that not only do you have to have a compliance file with specific items in it, but you also have to maintain that file regularly.
Minnesota is unique in that providers in that state will be required to use an interoperable EHR by January 2015.
I have been contacted by a number of security professionals wanting to partner with me or sell me their product, and they always invariably spout a slew of technical jargon that makes me want to run the other way.
In the HIPAA for Therapists workshop, one of items specifically mentioned for the Risk Assessment is your office printer.