Netgain Technology Agrees to $1.9 Million Settlement to Resolve Data Breach Litigation – The HIPAA Journal

Posted by Steve Alder on May 13, 2025
Netgain Technology has agreed to settle consumer data breach litigation filed in response to a 2020 ransomware attack and data breach. Netgain will establish a $1.9 million settlement fund to cover claims from class members.
Netgain is a Minnesota-based cloud hosting and managed IT service provider with many clients in the healthcare industry. A ransomware group gained access to Netgain’s environment between September and December 2020 and deployed ransomware on November 24, 2020. The attack affected thousands of Netgain’s servers and forced it to take some of its data servers offline. The ransomware group was able to exfiltrate data in the attack, including the data of patients of its healthcare provider clients. Data stolen in the attack included names, contact information, dates of birth, Social Security numbers, medical information, and financial information.
On May 13, 2021, plaintiffs Misty Meier and Jane Doe filed a class action complaint against Netgain, alleging their personally identifiable information (PII) and protected health information (PHI) were stolen in the attack. Further lawsuits were filed by plaintiffs Susan Reichert, Mark Kalling, Sherman Moore, Robert Smithburg, Thomas Lindsay, and Robert Guertin. On August 24, 2021, a federal judge consolidated the lawsuits into a single class action complaint – In Re: Netgain Technology, LLC, Consumer Data Breach Litigation – in the United States District Court for the District of Minnesota.
The lawsuit asserted several causes of action, some of which were dismissed; however, the causes of action for negligence and declaratory judgment were allowed to proceed, and a settlement has been negotiated that has received preliminary approval from the court. Under the terms of the settlement, class members may submit claims for documented losses and lost time up to a maximum of $5,000 per class member, and after all payments have been made, any remaining funds in the settlement fund will be distributed pro rata among the class members.
Netgain has also agreed to injunctive relief for three years from the effective date of the settlement. Netgain has agreed to adopt, continue, or implement firewall upgrades, geo-blocking, routing through secured gateways, virus prevention technology across its data environment, multi-factor authentication in its hosting environments, and backup data protection, and to configure its network in a secure and scalable manner.
Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
The HIPAA Journal is a registered trademark. Copyright © 2014-2025 The HIPAA Journal. All rights reserved.
The provision of refresher training when there is a material change to policies and procedures is necessary to ensure all members of the workforce affected by the change are made aware of it. Refresher training only has to be provided to those the change affects; but, if the training relates to a change in HIPAA policies and procedures, the training must be documented and – where required by state law – attested to by those who attend. In addition, it is a best practice to provide annual refresher training to all members of the workforce so that those not directly affected by material changes to policies and procedures are made aware of them.
It is important that all members of the workforce receive ongoing security awareness training for two reasons. The first reason – that training is provided to all members of the workforce – is because an attacker can infiltrate a network via a device that does not have access to electronic PHI, and then move laterally through the network until they find a healthcare database to attack. The second reason – that training must be ongoing – is due to the evolving nature of cyberthreats. Members of the workforce must be informed about the latest threats, how to recognize them, and how to report them.
HIPAA Authorization Forms have to comply with §164.508 in order to be valid. If a HIPAA Authorization Form lacks the core elements or required statements, if it is difficult for the individual to understand, or if it is completed incorrectly, the authorization will be invalid and any subsequent use or disclosure of PHI made on the reliance of the authorization will be impermissible. For this reason, members of the workforce responsible for obtaining valid authorizations must be trained on the implementation specifications of this standard. HIPAA Authorization Forms must be stored for a minimum of 6 years.
The requirement to have a security management process is the first standard in the HIPAA Security Rule’s Administrative Safeguards. The process must consist of at least a risk analysis, an actioned remediation plan, a sanctions policy, and procedures to regularly review information system activity. All analyses, remediation plans, sanctions, and reviews must be documented. Documentation must be stored for at least 6 years, either physically on paper or via HIPAA compliance software.
There are many examples of when it may be necessary to retrieve documentation within a specific timeframe to comply with HIPAA. The most common is when an individual requests access to their PHI maintained in a designated record set. Less common examples include when an individual wishes to revoke an authorization or when HHS’ Office for Civil Rights requests documentation to resolve a HIPAA complaint. In most cases, the documentation has to be provided within 30 days.
It is necessary to monitor business associate compliance because a covered entity can be held liable for a violation of HIPAA by a business associate if the covered entity “knew, or by exercising reasonable diligence, should have known” of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligations under the HIPAA Business Associate Agreement.
It is important to identify partners and vendors that qualify as business associates because when a service is provided for or on behalf of a covered entity that involves the creation, receipt, maintenance, or transmission of PHI, a HIPAA Business Associate Agreement has to be entered into which stipulates the permitted uses and disclosures of PHI by the business associate, both parties’ compliance obligations, and other terms that may apply.
The application of sanctions is important to ensure members of the workforce do not take compliance shortcuts “to get the job done”, and the shortcuts deteriorate into a culture of non-compliance. The sanctions applied should be relevant to the nature of the violation. For example, a verbal warning and/or refresher training may be appropriate for a minor violation, while repeated or more serious violations should attract harsher sanctions. The application of sanctions must be documented and records stored for at least 6 years, either physically in paper records or with HIPAA compliance software.
A HIPAA Notice of Privacy Practices advises patients and plan members of their privacy rights, how the organization can use or disclose PHI, and how an individual can complain if they believe their privacy rights have been violated or their PHI has been used or disclosed impermissibly. Notices must be reviewed and amended as necessary whenever a material change affects either an individual’s rights or how PHI can be used or disclosed. They must then be re-distributed and/or re-displayed in accordance with §164.520.
Members of the workforce must know how to respond to patient access and accounting requests – even if it is to direct the request to the HIPAA Privacy Officer – because the primary reason for complaints to HHS’ Office for Civil Rights in recent years has been the failure to respond in the time allowed with the information requested. At present, the majority of HIPAA enforcement activities focus on non-compliance with the patients’ rights standards of the HIPAA Privacy Rule.
The documentation and record keeping of every HIPAA training session is important for two reasons – so that covered entities can keep up to date with which members of the workforce have received what training in the event of transfers or promotions, and so that covered entities can demonstrate the training has been provided in the event of an OCR compliance investigation. Workforce attestation is also required by some state laws with more stringent privacy protections than HIPAA.
The healthcare sector, and healthcare records in particular, is often targeted by hackers because of the billing details contained in medical records and the ransom value of the personal information in Protected Health Information. Email is one of the most common attack vectors. It is important healthcare staff know how to identify malicious software and phishing emails because the detection capabilities of security software are often limited by how the software is configured and how frequently it is updated. Even the best security software can allow threats to evade detection and, when this happens, users need to be able to identify the threat and report it so other users do not (for example) open a malicious attachment or interact with a phishing email.
The Administrative Requirements of the Privacy Rule (§164.530) require covered entities to train all members of their workforces on the policies and procedures developed to comply with the Privacy and Breach Notification Rules. Naturally, the sooner training is provided, the less chance there is of an inadvertent impermissible disclosure due to a lack of knowledge. It is important to note that training must be provided even if a new member of the workforce has held a similar role in a previous position and that some states have mandatory time frames within which training must be provided (for example, in Texas, training must be provided within 90 days).
It is necessary to prove the breach notification requirements are complied with to ensure covered entities and business associates do not overlook notifying individuals in the required timeframe when submitting an annual breach report to HHS’ Office for Civil Rights for breaches affecting fewer than 500 individuals. Some organizations have delayed notifying individuals about data breaches, increasing the risk of individuals’ data being used to commit identity theft or fraud before individuals have the opportunity to protect themselves from such events. The burden of proof standard mitigates the likelihood of individuals being overlooked.
While many types of impermissible uses and disclosures, data thefts, and unauthorized access events are clearly notifiable breaches, there are also many types that are not. If it can be determined that an impermissible use or disclosure does not qualify as a notifiable breach by using the exclusion criteria in §164.402, it will not be necessary to comply with the breach notification requirements – saving organizations time and money, and a potential compliance review by HHS’ Office for Civil Rights.
Although it is not a requirement of HIPAA to provide an anonymous reporting channel, members of the workforce should be encouraged to speak out when they believe a violation of HIPAA has occurred in order that the incident can be investigated and corrected if necessary. It is felt (although it cannot be proven) that anonymous reporting channels generate more reports because members of the workforce feel protected against retaliation. However, if an anonymous reporting channel is provided, it needs to be used in compliance with HIPAA, and any PHI contained within the anonymous report has to be safeguarded against unauthorized access, loss, and theft.
It is important to execute HIPAA-compliant Agreements with business associates because if an Agreement does not comply with the relevant standards it is invalid. If an Agreement is invalid, covered entities are not permitted to disclose PHI to the business associate, and any disclosure of this nature would represent a violation of HIPAA.
It is important for organizations to monitor changes to transaction code systems for two reasons. The first is that using out-of-date transaction codes can result in delays to (for example) authorizations and payments. The second reason is that organizations that persistently use out-of-date transaction codes can be reported to CMS – which has the authority to enforce Part 162 of HIPAA via corrective action plans and financial penalties.
The National Provider Identifier identifies your organization or subparts of your organization in Part 162 transactions. It is important that NPIs are used correctly in (for example) eligibility checks and authorization requests to prevent delays in responses to requests for treatment. It is also important that NPIs are used correctly in claims and billing transactions to make sure payments are received on time.
Automatic logoff capabilities are important to prevent unauthorized users from accessing ePHI when a device is unattended. Additionally, if a device is lost or stolen, the device cannot be used to access ePHI without the login credentials being known and used.
It is important that login credentials and passwords are not shared for systems that contain ePHI because, if multiple users are using the same access credentials, it will be impossible to determine when specific users access ePHI. As well as eliminating the usefulness of audit logs and access reports, if a system has been configured to reject multiple logins using the same credentials, it could result in users being blocked from accessing ePHI when necessary, or the system being corrupted.
The requirements to implement and test a data backup plan, an emergency mode operations plan, and a disaster recovery plan fall within the contingency plan standard of the Security Rule (§164.308). These requirements are designed to ensure the integrity and availability of ePHI in the event of a natural or manmade disaster.
Information access policies should make sure that the right people have access to the right level of ePHI at the right time. This means the policies have to be sufficiently flexible to support changing roles, promotions, and time off due to (for example) a suspension or maternity leave. The policies should also include procedures for terminating access to ePHI when a member of the workforce leaves so the departing individual cannot access the organization’s ePHI remotely.
The reason it is necessary to have procedures in place to respond to patients exercising their HIPAA rights is that some rights are susceptible to exploitation. For example, procedures should be in place to verify the identity of patients, review confidentiality requests, and determine if a request is being made to support an abusive, deceptive, or harmful activity.
The minimum necessary standard (§164.502(b) and §164.512(d)) requires that only the minimum necessary information is used or disclosed to achieve the purpose of the use or disclosure. This is to better protect the privacy of individually identifiable health information. However, the standard does not apply in every circumstance, and covered entities that apply the standard too rigidly could encounter communication challenges or, in some cases, be in violation of other HIPAA regulations.
Although covered entities and business associates have many similar HIPAA compliance obligations, some regulations apply differently to each type of organization depending on the nature of their activities. If you qualify as a covered entity, and you also provide services to other covered entities as a business associate, it will be necessary for you to complete the assessment twice.
Source: The HIPAA Journal
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff.