Issue link: https://beckershealthcare.uberflip.com/i/1439541
34 CIO / HEALTH IT HIPAA guidelines updated: 7 things to know By Jackie Drees H HS' Office for Civil Rights issued guid- ance Dec. 20 to explain how HIPAA covers healthcare providers who disclose protect- ed health information to support instances of ex- treme risk protection orders. Seven things to know: 1. e U.S. Department of Justice in June published model extreme risk protection order (ERPO) leg- islation that lets states create their own framework for developing laws that let law enforcement, fam- ily members or providers obtain these orders and intervene when an individual is in crisis. 2. An ERPO is a court order that temporarily pre- vents a person in crisis, who poses a danger to themselves or others, from accessing firearms. 3. HHS' Dec. 20 guidance clarifies the requirements of the HIPAA Privacy Rule for healthcare provid- ers in relation to ERPO laws; the agency said the Privacy Rule allows covered providers to disclose protected health information about an individual without their authorization to support an ERPO. 4. HIPAA allows providers to disclose protected health information to support an ERPO in two cir- cumstances: one, when the disclosure is required by law; and two, when the disclosure is in response to an order of a court or administrative tribunal, sub- poena, discovery request or other lawful process. 5. HIPAA allows mental healthcare providers to disclose the minimum necessary protected health information to comply with a subpoena that is not accompanied by a court order or administra- tive tribunal if reasonable efforts have been made to ensure the individual subject of the protected health information request has been notified of the request or efforts have been made to secure a pro- tective order that prohibits use of disclosure of the protected health information for any reason other than support of the ERPO. 6. HIPAA also permits mental healthcare providers to disclose minimum necessary protected health information when the disclosure is vital to pre- vent or reduce a serious or imminent threat to the health or safety of a person or the public. 7. Providers that disclose protected health infor- mation in situations to prevent or lessen a serious or imminent threat are presumed to have acted in good faith. n Telehealth, virtual care or video visit? The nomenclature patients prefer By Katie Adams C are that is provided virtually goes by several different names, and patients respond differently to each of those terms, according to re- search released by branding agency Monigle. In partnership with the American Hospital Association and the Society for Health Care Strategy and Market Development, Monigle surveyed 30,138 respondents who were the healthcare decision-makers for their household. All respondents had received medical care in the past two years and had health insurance, with 70 percent of them having private insurance and 30 percent being enrolled in a government plan, excluding Medicaid. The sur- vey was conducted from November through December in 2020. Telemedicine and virtual care were the terms with which respondents asso- ciated the most value. Respondents associated telemedicine with the words fast, pioneering and convenient. They associated virtual care with the words safety and innovative. Patients associated telehealth with the words scientific and innovative, and they associated virtual visit with safety. Mobile health and video visit were the terms with which respondents as- sociated the least value. Respondents associated mobile health with the words ease and safety. They associated video visit with accessibility. n U of Maryland Medical System faces hourly cyberattack attempts, CIO says By Jackie Drees C yberattacks on hospitals and health systems are escalating, and at University of Maryland Medical System, phishing attempts are com- ing through multiple times a day, according to CIO Joel Klein, MD. Dr. Klein, senior vice president and CIO at the Baltimore-based health sys- tem, told The Democrat Star that he has seen an increase in cyberattacks since the COVID-19 pandemic started. "We are attacked on an hourly, not just daily, basis by phishing attempts and people trying to get into our network in a variety of ways," he said. Healthcare organizations across the U.S. have been grappling with the increase in attacks. Nearly half of chief information security officers at hospi- tals and health systems have said their organizations were hit by a phishing email attack or that business emails were compromised in the past year, ac- cording to an October 2021 survey from the College of Healthcare Informa- tion Management Executives and the Association for Executives in Healthcare Information Security. To mitigate these types of attempts, Markus Rauschecker, director of the University of Maryland's Center for Health and Homeland Security, told the Star that hospitals should implement "full-fledged" cyber incident plans, which establish a clear response in case of a ransomware attack, and strong cybersecurity training for staff. n