The conference will explore the history and recent changes of 42 CFR Part 2, review common definitions, and how the changes may affect integrated medication-assisted treatment (MAT) and Screening, Brief Intervention, and Referral to Treatment (SBIRT) programs, and discussion on LifeLong Medical Care’s experience.

The timely exchange of health information between behavioral health providers and physical health providers to support care coordination is a critical element of the National Quality Strategy and health reform efforts. However, privacy and confidentiality concerns are currently limiting the inclusion of behavioral health data in electronic health information exchange efforts.

Is it acceptable/recommended for health centers to adopt the new password policy guidelines under NIST Special Publication 800-63B and will that still uphold the HIPAA security rule? This question had been posed to the HITEQ Center asking whether we had any guidance or recommendations on implementing the new NIST Guidelines regarding password security.  New Digital Identity Guidelines under NIST Special Publication 800-63-B presents new guidelines regarding password security that are much more user-friendly and consequently more likely to be observed by health center staff since constantly changing, complex password on multiple systems can be a source of frustration for the end user. 

From the OCR: The Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur. These pages address the release of protected health information for planning or response activities in emergency situations.  In addition, please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.

The HHS Office for Civil Rights has started its next phase of audits of covered entities and their business associates. The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. 

It is of critical importance to motivate and educate healthcare professionals on current critical privacy and security concepts and methods for defense of health data. Aspects of security awareness training, breach protection, incident response, and related topics all play a role toward organization-wide information protection. Healthcare cybersecurity is the ultimate team sport. The responsibility goes beyond the IT staff and includes front and back office staff, doctors and nurses, patients, executives, and the board of directors. The attached presentation is directed to all levels of the healthcare organization so that they may be proactive and aware.

In March 2019, the Office of the National Coordinator for Health Information Technology (ONC) issued a Proposed Rule, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program. ONC released a final rule in March 2020, published in the Federal Register on May 1, 2020. The Final Rule on Information Blocking prohibits actors from blocking the exchange of electronic health information and seeks to increase the ease and choices available for patients to access their data. 

The HIPAA Security Rule establishes the requirements for protection of electronic patient health information. The safeguards identified are made up of three domains that include administrative, physical, and technical safeguards that need to be addressed. The technical safeguards as defined within 45 CFR §164.312 of the HIPAA Security Rule can be some of the most difficult to comprehend and implement for smaller Health Centers with lower levels of IT and security staffing. Resources and tools that help Health Centers better process and implement these security requirements are much needed and require well-documented methods for planning and maintaining critical security controls.

Fact Sheet outlining a three-step process to make sure you’re in compliance with HIPAA and if not, the steps that can be taken to make sure you are. This fact sheet also includes questions to ask potential business associates and things to keep in mind in case there is a breach.

This decision tree, developed through funding from the  Substance Abuse and Mental Health Services Administration (SAMHSA) helps organizations determine if Part 2 of CFR 42 applies to them. It should be noted that FQHCs will always be designated as “federally assisted” due to certified status as Medicaid providers and/or federal funding.