Medical Assistant Training

The Medical Assistant certificate program prepares students for a career as a medical assistant. Skills sets gained are medical assisting, clinical skills, clerical and administrative procedures including reception and scheduling, medical terminology, electronic charting, clinical testing, basic pharmacology, HIPAA training, first aid, and CPR certification.

  • Basic medical terminology
  • Basic Anatomy and Physiology
  • Basic Pharmacology
  • Clinical procedures and skills
  • Healthcare Law and Ethics; HIPAA
  • Medical office skills
  • Customer service
  • Communication skills
  • Medical math
  • Computer skills: Microsoft Office, Electronic Health Records
  • Professional Development: resumes, cover letters, job searching and practice interviews
  • Individual learning plans
  • Individual employment counseling with a case manager

An internship in a healthcare setting is included. Job search, coaching, and support services are provided to employee and employer.

Classes offered twice annually

Program Schedule:

Monday-Friday, 9am - 3pm
Includes 720 training hours (30hrs/week for 24 weeks) and 120 hour minimum internship

Who is eligible?
  • Applicants 18 years or older, who have a high school diploma or equivalent
  • Unemployed, underemployed, and dislocated workers
  • Students who are motivated to learn new skills and secure employment

All course materials included with tuition.

Medical Assistant Training Plus

This program is available for students needing English as a Second Language and/or remediation classes.

This program prepares students for entry level clerical and bookkeeping positions with job titles such as accounting clerk, posting clerk, accounts receivable clerk, payroll clerk, or bookkeeper.

This program is designed for advanced level ESOL speakers who seek training in the bookkeeping & accounting field. The PLUS program includes an additional contextualized instructional material that is designed to enhance comprehension and retention for ESOL students. Additional supports are provided based on the individual learning plan.

The course will provide students who have minimal or no previous knowledge of accounting a basic understanding of accounting / bookkeeping principles and procedures used to record, classify, and summarize financial data. Students will become familiar with accounting terminology, financial records, forms, and statements currently used by industry. In addition, the program includes in-office training and computer skills, business math, and job development skills.

Program Overview

The Bookkeeping and Accounting certificate program teaches skills in manual and computerized accounting and bookkeeping functions, including preparation and maintenance of ledgers, journals, and adjusting closing entries, basic financial statements, cash and banking procedures, payroll, and accounts payable and receivable.

Comprehensive training includes:

  • Manual and computerized accounting procedures, including extensive training in QuickBooks and Excel accounting programs
  • Business writing and communication skills
  • Northstar computer literacy certification
  • Microsoft Office and typing skills
  • Work readiness skills: business etiquette, cover letters, resumes, job search techniques, mock interviews, job placement and reference assistance
  • A 120-hour minimum internship in an accounting office that provides real work experience and prepares you to enter the workforce
  • Financial literacy seminar
  • Food and Nutrition Education seminar
  • Independent learning plans
  • Individual counseling and job coaching
  • Case management and tutoring
Sat, 26 Feb 2022 18:33:00 -0600

HHS Issues Guidance on Post-Dobbs Protections Under HIPAA Privacy Rule

Wednesday, July 13, 2022

Many states have enacted or revived statutes limiting or barring access to abortion in the wake of the Supreme Court of the United States’ ruling in Dobbs v. Jackson Women’s Health Organization, and further legislative or regulatory initiatives on this subject are likely. However, enforcement of these limitations will generally require state officials to obtain information on abortion-related health services from the parties that are most directly involved, and the protections provided by the privacy requirements adopted under the Health Insurance Portability and Accountability Act (HIPAA) may significantly complicate that task.

In response to concerns about the impact of the Dobbs decision on healthcare privacy, on June 29, 2022, the U.S. Department of Health and Human Services (HHS) issued guidance addressing how the HIPAA privacy requirements (the Privacy Rule) will limit access to private medical information relating to abortion and other sexual and reproductive healthcare held by HIPAA-covered entities like hospitals and clinics and the vendors that assist them in providing healthcare services.

The Privacy Rule states that covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and entities that perform certain services on their behalf may use or disclose an individual’s protected health information (PHI) without the “individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.” The HHS guidance outlines the types of non-healthcare disclosures of PHI that are permitted without an individual’s authorization. The guidance also describes how the Privacy Rule applies to such disclosures in the context of PHI that contains abortion and other sexual and reproductive healthcare information. For each such disclosure, HHS emphasizes that covered entities are permitted, but not required, to disclose the PHI.

Types of Permitted Disclosures

Disclosures Required by Law

The Privacy Rule permits the disclosure of PHI, including information related to abortion and other reproductive healthcare, when the disclosure is required by another law that is enforceable in a court of law, and if such disclosure complies with the requirements of the other law. The guidance provides that where abortion prohibitions do not impose an express reporting requirement, the Privacy Rule would not permit disclosure under this exception.

Disclosures for Law Enforcement Purposes

Disclosure of PHI is permitted for law enforcement purposes “pursuant to process and as otherwise required by law” such as via a court order, subpoena, or warrant. For example, the Privacy Rule would not permit disclosure of abortion records requested by a law enforcement official without a valid warrant or other legally enforceable mandate.

Disclosures to Avert a Serious Threat to Health or Safety

Disclosure of PHI is permitted “if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.” Such disclosure must be made in accordance with applicable law and standards of ethical conduct. For many healthcare professionals, it is inconsistent with ethical and professional standards of conduct to disclose reproductive healthcare information for law enforcement or other non-healthcare purposes without an authorization from the individual involved or valid court order.

Mobile Devices

HHS also issued guidance addressing the extent to which PHI is protected on mobile devices such as cell phones and tablets. Although the HIPAA Privacy Rule and Security Rule (protecting PHI when maintained or transmitted electronically) provide protections for the use and disclosure of PHI held or maintained by covered entities and their business associates, they do not address PHI accessed through or stored on personal devices owned by individual patients. For example, although PHI maintained on electronic devices owned by a covered entity would be protected from disclosure by HIPAA, once a patient downloads that information to a personal device, HIPAA would no longer protect it. The guidance does provide tips to help individuals protect their own PHI, such as:

  • avoiding downloads of unnecessary or random apps to personal devices; and

  • avoiding (or turning off) permissions for apps to access an individual’s location data. (This reduces information about a person’s activities that can be used by the app or sold to third parties, such as the name and address of healthcare providers a person visits.)

Key Takeaways

The HHS guidance does not change the requirements under the Privacy Rule but does provide clarity on how those requirements will be applied with respect to the use and disclosure of abortion information and other sexual and reproductive healthcare information. In light of these developments, covered entities may wish to review their existing HIPAA policies, procedures, and training materials to assess whether updates are desirable, especially for permissive disclosures for public policy and law enforcement purposes.

The HHS guidance is also an important reminder for covered entities that if PHI is used or disclosed in violation of the Privacy Rule, breach notification and remediation requirements are likely to be triggered. That can mean adverse publicity as well as fines and penalties under HIPAA’s tiered civil penalty structure, which starts at $120 per violation where the entity lacked knowledge of the violation and rises to $60,226 per violation for violations due to willful neglect that are not corrected within thirty days.

Additional developments in this area are possible following the July 8, 2022, executive order issued by President Biden outlining a number of federal initiatives supporting reproductive health rights. Among other things, the executive order directs HHS to consider additional guidance under HIPAA to protect the privacy of information relating to reproductive healthcare and to bolster protections for patient-provider confidentiality.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved. National Law Review, Volume XII, Number 194

Wed, 13 Jul 2022 05:29:00 -0500

They're Real and They're Here: The New Federally Regulated Privacy Rules Under HIPAA

Q. I am a public health nurse and we frequently have to fax questions to the private physicians taking care of our patients. What can be done?

A. Faxing health-related questions to private physicians is allowable under the Privacy Rules if it is for treatment of the patient. Treatment is defined as the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another. However, the nurse should first confirm that the fax number is correct and make sure the fax is in a secured location to prevent unauthorized access.

Q. I work in a nursing home, and we have to fax patient records to doctors' offices all the time or have them fax orders to us. What are the limitations on this practice?

A. This is considered treatment and use and disclosure by fax is allowable, but proper administrative, technical, and physical safeguards must be provided to protect the individual's privacy.

Q. Can I fax information to pharmacies/MD offices from our hospital or physician offices such as patient lab values, and notes from other health care providers such as physical therapy, or consultants called into the case?

A. As long as the disclosures are being made for treatment purposes for the patient, the necessary disclosures are allowed to be faxed to other treating entities, including pharmacies. The Privacy Rules permit a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rules, such as treatment of the patient. However, the minimum necessary rule is always in play. The minimum necessary rule is based on the practice that protected health care information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.

Q. We work in the doctor's office and are always asked to fax information to the local hospital or other physician offices. What can we fax without worry?

A. As long as the requested information is for "treatment," "payment," or "health care operations" of the patient, the requested information should be appropriate to fax. However, the minimum necessary rule is always in play. It is also necessary to ensure the appropriate administrative, technical, and physical safeguards.

Sun, 05 Jun 2022 12:00:00 -0500

4 Tips For Effective Multilingual Compliance Training

By Salvador Ordorica, CEO of The Spanish Group LLC, a first-class international translation service that translates over 90 languages.

Even as the day-to-day workflow of business is changing to meet evolutions in technology, the backbone of a successful company remains an appropriately trained and engaged workforce. At the same time, we are seeing our employees become more diverse, often located in entirely different countries. While these diverse individuals bring numerous intangible and tangible benefits that companies have come to cherish, they also come with a new set of compliance challenges.

Today’s companies struggle to keep their training current with constantly changing laws and emergent social concerns. With the added complexity of linguistic barriers, many businesses are hesitant to bring on board the best employees for the job, concerned that they will be unable to provide adequate training and meet compliance regulations.

Practical multilingual compliance training helps employees from diverse backgrounds stand on equal footing in both the hiring and onboarding processes.

When you have effective multilingual training solutions for workplace health and safety, OSHA, HIPAA, etc., you can more comfortably bring on more skilled employees with more unique backgrounds. The following are some tips I have picked up helping companies diversify their workforce and training systems.

Typically speaking, you should aim to have all relevant training and compliance materials available in the major languages that your employees speak. But even this basic rule is not as simple as it may seem. The following steps can provide you a basic outline for creating a more effective multilingual training strategy.

1. Correctly identify the languages being spoken.

The very first thing, of course, is to figure out which languages you need your materials translated into. You want to ensure you have your materials translated into the official languages of the countries in question, but you also want to take the time to make sure you have training and essential lessons available in the languages your employees speak at home and are most comfortable with.

Don’t make assumptions based on region or ethnic background. In many cases, your employees may be speaking a particular dialect that differs from the one you expect. For example, suppose you have several native Thai employees. In that case, there is a chance that they will only speak one of the regional Thai dialects like Isan and may have difficulty understanding your materials even though you have translated them into a more standard form of Thai.

The closer you can get to the languages your employees are most comfortable speaking, the more you can encourage interaction while learning, and the more your employees will be able to understand and retain quickly.

2. Have a system for conducting and following up on training.

Figure out if you can have instructors to help facilitate your training in various languages or if you need to opt for some form of interpreting service to help you. What the training looks like can heavily dictate what needs to be translated and how it should be translated. Simply put, have some form of plan in place before you commit to creating your materials. It is not rare for companies to translate materials into three different mediums before deciding on their final approach.

3. Translate materials with the audience in mind.

A word-for-word translation of something often fails to properly convey the intended meaning and nuances involved. The term "transcreation" refers to the process translators often have to go through to recreate the intention of statements. We will often use metaphors or cultural phrases that simply do not make sense or do not convey the same meaning in another language or culture. Transcreation takes the intended meaning and reconveys it into the new language with the proper cultural and linguistic considerations. Often translators will need to create a whole new sentence to get the intended meaning across. This is a complex skill set and one that needs to be employed in full when it comes to training materials.

You need to understand your employees' education, culture and linguistic backgrounds and have your translator create messaging that speaks directly to them. Aim for clarity and simplicity, but localize the materials as closely as possible to the real-world experiences of your workforce.

You may also want to take the time to go through your parent documents and do your best to remove any Western cultural phrases or idioms and ensure all phrasing is culturally sensitive. This can help speed up the process for future translations and will require you to rely less on the abilities of various translators (as it makes for a more straightforward and standardized process).

4. Edit, review, test and track.

While most companies think about editing and reviewing training materials, they rarely think to put them to the test before finalizing them. This ties in with the first tip of having a proper plan in place. A good strategy is one that you have tested and that you know works. Pay careful attention to any software you may be using to underpin your training efforts and how people in other cultures can adapt to it.

It is a challenge, but you should also have a system for staying abreast of relevant laws and ensuring that you keep materials like employee guidebooks and standard operating procedures constantly updated in all necessary languages. Companies can often reduce fines for things like FCPA violations by showing that they provided all the proper training in the correct languages.

Lastly, track your effectiveness. We have a million data points at our fingertips these days. Figure out how to measure the quality of your training through these initiatives and over time. This can be especially helpful if you are testing different approaches.

If you follow these tips, you will likely find that you can more easily bring on, train and work with employees from a wide range of cultural and linguistic backgrounds.

Tue, 28 Jun 2022 23:47:00 -0500 (YEC)

Get Ahead of New Healthcare Cybersecurity Standards

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required hospital networks, clinics, and research institutes to meet strict healthcare cybersecurity standards. But complying with the new Strengthening American Cybersecurity Act may be a whole new level of challenge.

The bill, enacted on March 15, takes a carrot-and-stick approach to security. It comprises three distinct acts. The Federal Information Security Modernization Act of 2022 and the Federal Secure Cloud Improvement and Jobs Act of 2022 could be described as carrots: they encourage covered entities to be proactive in improving their resilience to attacks. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is more of a stick: it imposes stricter breach notification requirements.

The rulemaking process, conducted by the Cybersecurity and Infrastructure Security Agency (CISA), is yet to begin in earnest. Accordingly, the extent of the law’s coverage is unclear. Currently only federal agencies and operators of critical infrastructure are definitely covered. However, the “Healthcare and Public Health Sector” is one of CISA’s 16 previously earmarked critical sectors, so the Strengthening American Cybersecurity Act will likely usher in new healthcare cybersecurity standards. The sooner they come, the better, given how the threat landscape is evolving.

Stricter Reporting Is Likely

Among the most stringent compliance requirements in the new Act is the focus on making cyberattack reporting faster and more detailed. The law requires covered entities to notify CISA within 72 hours of a breach occurring. When ransom payments are made, organizations must tell CISA within 24 hours. (Read The Life-Threatening Rise of Ransomware in Healthcare.) Reports to CISA must be detailed and provide information about how the incident happened and which security controls were in place.

Healthcare providers are familiar with the need to report certain types of HIPAA breaches. Indeed, many have been busy instituting procedures to report exposure of Protected Health Information (PHI) within 60 days to comply with the most recent version of the law. However, few organizations are likely ready for the swift reporting stipulated by the Strengthening American Cybersecurity Act.

HIPAA is designed to secure PHI only. The reporting requirements in the Strengthening American Cybersecurity Act are much broader, and the new law’s definition of a cybersecurity incident is still unclear. What is clear is that covered organizations must respond to cyberattacks much faster than they do now.

Unfortunately, when responding to security incidents healthcare organizations perform exceptionally poorly. A cross-sectoral study by Immersive Labs found health care organizations received an average cyber incident performance score of only 18 percent. This was the worst of any sector in the study. (Read The Top Three Weaknesses in Healthcare Cybersecurity.)

Stopping Attacks Is the Best Way to Beat Reporting Requirements

The best way to reduce the stress of reporting requirements is to stop breaches in the first place. Regrettably, preventing attacks is also something healthcare organizations are poor at. Last year almost 1 in 2 residents in many US states had their personal healthcare information exposed by a cyberattack.

Tighter healthcare cybersecurity standards may bring increased risk of legal action. And the average healthcare data breach already costs over $9 million and takes 75 days to contain.

Healthcare’s poor record at stopping and reporting attacks is partly a product of culture. Cybersecurity has traditionally been under-prioritized. Even in 2021, with ransomware attacks on healthcare soaring, a ComputerWeekly report showed barely 1 in 10 hospital executives prioritized cybersecurity.

Another part of the recently passed law, the Federal Information Security Modernization Act of 2022, sets out a framework for changing this status quo. This act requires covered organizations to implement a range of preventive cybersecurity measures. Implementing zero-trust architecture may soon become mandatory.

The Case for Zero-Trust in Healthcare

Taking a zero-trust approach to security essentially means no network entity is automatically assumed to be safe, even after initial verification. This approach is urgently required within healthcare.

Providing care to patients means healthcare organizations offer threat actors an immense range of attack vectors. These are both technological and human. With endpoint numbers soaring, it’s chilling to note more than half of healthcare IoT devices host a known unpatched vulnerability. No less unsettling is that almost a quarter of healthcare staff have not received any security awareness training.

Healthcare organizations can’t overcome these inherent and long-standing vulnerabilities by plastering over cracks. Instead of trusting endpoints and devices once they have been verified, organizations need a security strategy that never implicitly trusts anything or anyone connected to their network. Making this happen is part technological and part cultural.

The obvious challenge of implementing zero-trust in healthcare is how to balance healthcare professionals’ operational requirements with tighter security controls. Healthcare professionals and hospital staff need to access patient data effortlessly. In many cases, security controls that get in the way can be dangerous to patient health.

Security teams must work with practitioners and administrators to develop authentication procedures and policies that fit real-world scenarios to overcome these obstacles.

In healthcare, an effective zero-trust strategy is one that strikes a balance between accessibility and security. Zero-trust technology protects hospital networks from malicious code execution and provides deterministic protection without impacting performance or straining networks.

With Regulation Looming, Don’t Delay Security Improvements

We don’t yet know precisely what the Strengthening American Cybersecurity Act requires of healthcare organizations. By the time the rulemaking process finishes, CISA may choose to apply a different version of the law’s current statutes.

However, it’s clear regulators will ask more of healthcare organizations’ cybersecurity. Zero-trust architecture is a central part of the security improvements federal regulators will require for healthcare organizations.

Learn more about how zero-trust architecture and Moving Target Defense protects against the advanced cyberthreats healthcare needs to defend against. Read the white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy.

Tue, 12 Jul 2022 01:21:00 -0500

Sinch secures HIPAA compliance validation on security for voice, fax and UCaaS

PR Newswire

CHICAGO, June 29, 2022

BDO USA confirms HIPAA compliance for Sinch security over voice, fax and UCaaS services

CHICAGO, June 29, 2022 /PRNewswire/ -- Sinch, a leading provider of cloud communications platform solutions for voice, messaging, and emergency services, today announced it has successfully achieved third-party validation of its compliance with the Health Insurance Portability and Accountability Act (HIPAA) for its security over voice, fax and UCaaS services. HIPAA accreditation was gained through an in-depth security assessment completed by BDO USA.


Achieving this compliance milestone demonstrates that Sinch's administrative, physical, and technical safeguards meet the required standards of control and security for their cloud and remote solution infrastructure, network protection, and operational practices.

HIPAA has established regulatory standards governing the security, privacy and integrity of data requiring vendors encountering this sensitive data to be HIPAA-compliant. The goal of an assessment is to evaluate how compliant an entity is with HIPAA rules and regulations protecting customers by keeping their data safe, protecting providers from data breaches to uphold their reputations, and helping providers invest their time and resources most effectively to assure maximum security.

"We have a solid track record of protecting client data and security to safeguard against potential data breaches," said Maher Rahman, vice president of information security, Voice Business Unit, Sinch. "Completing the security assessment with BDO allows us to continue to maintain the highest standards of cybersecurity and data integrity."

Rahman added, "Achieving this compliance certification allows us to further enhance the security provided to partners and clients who utilize our extensive voice solutions including SIP trunking, voice termination, UCaaS, and fax services. It also expands our current compliance suite related to ISO 27001, ISO 9001, PCI-DSS and SOC 2 Type II reporting across these product offerings."

BDO's rigorous process to evaluate firms for HIPAA certification required Sinch experts to host over a dozen workshops and provide extensive documentation of policies and procedures that decisively attest to HIPAA maturity. The BDO auditors and principals were highly impressed with Sinch's processes, procedures and documentation related to handling electronic protected health information (ePHI), and awarded an overall rating and individual domain scores among the highest they have issued in past years.

BDO is the fifth largest global public accounting, tax and audit firm internationally, employing over 8,500 consultants in the U.S. across 70+ locations. BDO has been performing HIPAA security and privacy assessments for several years with qualified engagement resources that have experience managing HIPAA compliance requirements.

About Sinch

Sinch's leading cloud communications platform lets businesses reach everyone on the planet, in seconds or less, through mobile messaging, email, voice and video. More than 150,000 businesses, including many of the world's largest companies and mobile operators, use Sinch's advanced technology platform to engage with their customers. Sinch has been profitable and fast-growing since its foundation in 2008. It is headquartered in Stockholm, Sweden, and has local presence in more than 60 countries. Shares are traded at NASDAQ Stockholm: XSTO:SINCH. Visit us at




Tue, 28 Jun 2022 23:12:00 -0500

When HIPAA is Outpaced by Technology and the Cyber-Elephant We Need to Confront: Exclusive with CEO of VigiTrust

Mathieu Gorge is the author of The Cyber-Elephant in the Boardroom, as well as CEO and founder of VigiTrust, which provides Integrated Risk Management SaaS solutions to clients in 120 countries across various industries. He helps CEOs, CxOs, and boards of directors handle cyber accountability challenges through good cyber hygiene and proactive cybersecurity compliance programs. He is a multi-award-winning CEO and an established authority on IT security, information governance, and risk management, with more than 20 years of international experience.

Mr. Gorge is also a prominent member of the international cybersecurity community and served as President of the French Irish Chamber of Commerce. He is the current Vice President of the Irish section of the French Trade Foreign Advisor, appointed by the French Government. He previously served as the Chairman of Infosecurity Ireland and was an Official Reviewer for ANSI.

We had the pleasure of talking to Mr. Gorge about what happens when regulations and habits cannot keep pace with the times and evolution of technology, especially as cybersecurity applies to COVID vaccine passports and other sensitive data being handled currently.

This is the situation we are seeing right now in the healthcare industry, where HIPAA covers most consumer personal health information, but has some significant gaps. For example, it does not cover data from Fitbits and other wearable technology, or DNA used in ancestry kits for sites like 23andMe.

Alice Ferng, Medgadget: Please tell us more about yourself, your background, and VigiTrust.

Mathieu Gorge, CEO & Founder of VigiTrust: I’m Mathieu, CEO and Founder of VigiTrust. We are a provider of software as a service (SaaS) integrated risk management (IRM) software that enables our clients to prepare for validation and to manage continuous compliance with legal and industry frameworks and regulations like PCI, GDPR, HIPAA, NIST, ISO, and many others. In fact, we are told that it covers about 150. The tool is called VigiOne; it’s in use in about 120 countries primarily in retail, healthcare, hospitality, government, semi-state, higher education, and to a lesser extent, the transportation industry—primarily airports and airlines. We run an advisory board which is a not-for-profit think tank that has 150-plus science members who are C-level Board of Directors, law enforcement regulators, researchers, security bloggers in office. The not-for-profit think tank – when you sign the charter, you get access to a portal – you can put that on your LinkedIn. In fact, we’re doing a lot of updates on that at the moment as part of our own governance. And we also have a community of about 700 security professionals that are invited guests to some of the events.

I also created a methodology called the “Five Pillars of Security” about 12 years ago, and it’s based on the idea of whenever you look at any information governance, security regulation framework anywhere in the world, any industry, you always dial back to five common denominators: 1) people’s security, 2) physical security, 3) data security, 4) infrastructure security – which is your wider infrastructure – your third parties, first parties, your franchisees, your subsidiaries, your cloud, your applications, your remote workers, and so on, and then finally, 5) crisis management – what do you do when something goes wrong.

We use the five pillars of security specifically for education of board-level and C-level folks. And in fact, it was suggested to me by members of the advisory board that I should write a book about the topic. And that’s how “The Cyber Elephant in the Boardroom” came about. So that’s my background in a nutshell. And obviously, as you can hear from my accent, I’m French, but I’ve been living in Ireland for 25 years.

Medgadget: How or why did you get into cybersecurity? Was it something you were always interested in?

Mr. Gorge: I started working in project management, and then as part of the work that I was doing selling project management training, I started selling training to IT organizations. And then I started working in sales in network security back in the day, back in the late 90s. And I kind of, you know, “got the bug.” I thought it was an interesting, interesting industry. After working in that industry, for other people, for about four years, I felt around 2002 and 2003 – in fact, I started VigiTrust in 2003 – that there was a requirement for security, education, and education in data protection. Now, today, it’s common ground, and everybody understands the concept of data protection. But back then it was a new thing. And so even though I started VigiTrust to do data protection training, the first few years, when I went back to my old clients they always said, “Well, look, you’re nice, but your business is young, and you’re trying to sell something new. But we’d like to help – can you sell us a firewall,” or something like that. Within three years, we were in Ireland a reasonably big value-added reseller when we started doing assessments, and eventually, we went back to clients and started doing training on data protection, up until about 2012, when we productized the training. And then in around 2016, we stopped doing consulting, and pivoted into what is now VigiTrust: a provider of SaaS-based integrated risk management tools. So that’s the background.

I’ve always been really passionate about it, because I believe in protecting your data. Data is the new currency and is the new oil. But it’s also something that at some stage, some of the data becomes you. And in fact, the whole idea of having to tell your employer that you’ve been vaccinated, and suddenly you provide your employer a copy of your COVID details and health information. It’s crazy, because the amount of information that we share with parties has gotten to a stage where there’s very little personal information that you don’t share. And I’ve always been fascinated by that.

Medgadget: This is a very important and fascinating topic, as that touches on my main professional worlds of tech and healthcare. We’re often talking about HIPAA or GDPR, and the amount of personal data that is willingly or tacitly given away without much further thought from patients or consumers of products. When doing clinical research, one of the first things we’re so careful about is de-identifying everything and making it pretty much impossible to link the data with a specific individual, yet we see many holes in data handling procedures and protocols these days. Please elaborate more on data handling related to the COVID vaccine passport propositions and the main issues that you see with that as a professional in cybersecurity. I think a lot of folks don’t understand what data is actually getting handed over and who handles the data and how that’s stored, or what the consequences long-term may be.

Mr. Gorge: Yes, this goes back to education around the value of your personal data, right? So everybody tends to understand the value of your credit card data. But equally, they don’t really pay too much attention to it because if something goes wrong, they contact the credit card provider and 90% of the time, they get their money back within the same day, and 99% of the time, they can get the money back. So, they’re not thinking too much about it.

But your health information is very unique, and you can’t go to another hospital and get a different set of health data – your health data is what it is. If you’ve got whatever medical condition you’ve got, even if it’s something small, such as asthma, or if you get tired when you do XYZ, you can’t change that it’s part of who you are.

You cannot get a second health identity, and your health identity is unique to you. It’s very important that we convey as security professionals – or medical professionals in your case – the value of that data to people that go to a hospital or to a physician or wherever. Unfortunately, most people are not really aware. And when they become aware of that, it’s when they’re in the hospital and they’re sick, and their primary concern is to get better.

I think that the hospitals have a duty to inform people as to what data they’re going to collect, and typically do so in the fine print, but nobody really understands that so it is a challenge. And in regard to HIPAA, if I’m not mistaken, HIPAA was enacted in August 1996, and so it’s an old framework, which has advantages and disadvantages. The main advantage is that there’s a lot of data as to what works and what doesn’t work, and how you apply the five rules. There’s a lot of best practice. And there’s enough jurisprudence out there that says, “Well, you know, there’s a hospital that owns the most expensive laptop in the world, and because the practitioner had a laptop with information covered under HIPAA and that laptop was stolen, they had to pay $3.5 million in fines.” People get that, and the university is the one that gets the attention. But HIPAA is a lot more unannounced and nuanced, and I do think that it’s one of the things that HIPAA doesn’t cover well, and is why it needs to be modernized – the whole idea of software security.

HIPAA is very good at disaster recovery and making sure that entities keep the most up to date information, such that if there’s a problem, we can bring that up. And it will be accurate, and it will be as recent as possible. And that’s great. HIPAA is good at covering for parties, business, associates, and so on, and it’s good at requiring policies and procedures. Where I think HIPAA is falling down is where it’s an old regulation around software security. The part that I feel is missing, or, at least in my experience of dealing with health systems, is the whole idea of: if a hospital is using custom made software or if they’re integrating with custom made software – that we’re not necessarily putting in place the right checks in the right controls around – such as, has that software been checked for security architecture, or has there been secure coding reviews, and that kind of stuff. Right now, you see a lot of attacks going deep into code, and I think that that’s an area HIPAA needs to be modernized in.

Medgadget: So let’s say I’m one of these hospitals, and I’ve just created my own new program. And, actually, there are so many spinning off right now related to even the COVID data, and they’re trying to track personal health data or contact tracing in all sorts of ways. Many of these are not necessarily well built, because they were built in haste and often with limited resources where the actual coder isn’t a professional coder, or at least, a coder that is more familiar with security protocols. What would be your recommendations here?

Mr. Gorge: COVID is a great example of people rushing to market with applications that allow you to collect data and use the data for surveillance purposes that add value from a traceability or contact tracing perspective, from access to data to help cure people or look after them. But unfortunately, it’s a case of rushing to market versus risk assessment versus actually making sure that the solution is not increasing your risk surface.

And so rushing to markets, for data that’s going to be COVID related, is inherently going to be linked to my – to me – to my personal information, which means that if it’s not done the right way and if there’s no security checks, I am majorly increasing my risk exposure as a health system. So the recommendation would be to, of course, implement tools that allow you to do those things, but to make sure that the applications are pen tested, that the code is being reviewed, and that the applications are scanned on a regular basis, and that they’ve been risk assessed. And if there’s an issue, that they’re potentially suspended for a couple of days to fix the issues, because otherwise, it’s just creating a nightmare.

And I will say that using basic stuff, like the checks from OWASP or SANS, it should be second nature to those people that actually create those applications. But unfortunately, it’s not. And I think it’s not because HIPAA is not really focused on that, but HIPAA is focused on other important areas where things are already consistent.

When I look at the way that a health system is run: if you want to simplify “health system” to maybe a group of hospitals – there will be physicians, there might be clinics, there might be even potentially a nursing home that links to the hospital, and so on. So you’ve got all of these interconnected, little business units that exchange information, but are they exchanging information in a secure way of exchanging information in a way that I can say, this is not you?

The patient was admitted that day, we took that information, we checked his insurance, we asked him a few questions, we did a COVID test, and the tests came back positive. We did another test the next day, and it came back negative. So we had a false positive and so on. And so I mean, do I really want all of that data going from one business unit to another? Maybe I do, maybe I don’t, and maybe it has to go to another business unit within the health system so that I can be treated the right way. But I now have copies of all of my data in various business units. And traditionally, HIPAA requires some good controls around there. But with COVID, we’re essentially dealing with something that is just so topical and so sensitive, that we need to pay attention to it.

Now going back to the idea of the COVID passport: Let’s say I go into the health system and I come out, and I’m COVID free, and I go to get my vaccine somewhere in the hospital, and am given a CDC card, and then I’m told to go fill out an application. I go on to the application and I upload all of my information – now that application has my date of birth, my name, where I live, my COVID status, the type of vaccine that I got. So if you look at Johnson & Johnson, which was halted recently in some places – imagine that I have a vaccine passport that says, “has been vaccinated by Johnson & Johnson” – and now somehow somebody gets ahold of that, and starts saying, “Well, no, actually, you can’t hang out with Mathieu anymore, because he got that vaccine. That doesn’t work.” Well, from what I understand it’s one in a million, apparently, but you can see the ramifications of all that.

I think that right now, it seems since beginning of COVID, we’ve been reacting, and we’ve been taking a short-term approach towards cybersecurity, versus a long-term security goal to make sure that all of the additional information that we collect, is actually collected the right way. That it is stored the right way and disposed of the right way. But we’re just not really doing that, you know, and I fear that we’ve seen a rise in phishing, we’ve seen a rise in ransomware, and we’ve seen a number of groups using the information immediately. We’ve also seen a number of well-known criminal groups that are actually probably playing the long game, by infiltrating critical infrastructure, like hospitals, because hospitals are overwhelmed. Cybersecurity right now is extremely important, but they’re literally overwhelmed, and criminals have no hearts and I dread they’re going after those targets.

Medgadget: Yeah, it’s awful, and there’s definitely an upward trend of schemes to steal data from folks. I also agree with you and think that hospitals and healthcare data are most vulnerable right now. What would be your recommendations for healthcare systems and healthcare professionals? Clinical researchers or other hospital staff? How do they even start to learn about this? And what should they immediately implement?

Mr. Gorge: There’s a high chance that there’s some related COVID-19 cyber-storm that’s brewing because we’ve expanded our risk surface tremendously. Whether it’s a health system or any other organization, you will find that there’s a majority of the staff that is now working from home, probably using their own devices. And suddenly, you’ve increased your risk surface by double or triple since and sometimes even multiplied it by 10.

I think you need to go back to mapping your ecosystem. How many business units do you have? What kind of data is each business unit collecting, storing, and manipulating for whatever reason? What is it tracking? And then what’s the data flow between all of the different business units? And how is that data flow protected? Once you have done all of that, you can go back to the five pillars of security that I mentioned to you, whereby you can essentially say, “Okay, I want to know, within this health system environment, how am I doing for physical security? Can somebody just walk in and steal a computer, maybe steal the hard drive of a multifunctional printer, and then get access to all of that data that you provide when you check in at the hospital? How’s the people security? Who has access to what and who’s coming in? Who’s coming out? Where are they going? Can I trace everything? How’s the data security? What kind of data am I dealing with?”

So obviously, any type of normal PHI (protected health information), but in addition to that, any type of COVID vaccine information with any type of PII (personally identifiable information), or even payment data, because where things are going with modern hospitals, it’s like a five star hotel where you can pay to get access to the internet, you can pay to have additional services, and everything is done by credit card or tokens or so on, so everything is interconnected. So where is that data? From the infrastructure perspective: is my infrastructure bulletproof? How much of it is run by third parties or first parties? And then finally, crisis management. What are we going to do if the list of patients in the COVID worlds makes it to the dark web? Many have identified as a potential scenario. My guess is that not all health systems have done that as much as they can, and this is potentially an opportunity for health systems to get their house in order, right? Because if you listen to Bill Gates and other visionaries, there will be more pandemics, and there will be more crisis.

We need to learn from the mistakes that we weren’t completely ready for – for that type of game changing event, right? We need to look at architecture. If you look at the IT architecture of any business, whether it’s a hospital, bank, or hotel, it’s completely been turned upside down. So what you believe to be the right architecture, and the right model before, may have been the right model at the time, but today, you can’t anymore, because 90% of people are working from home. And even if we go back to working in the office, we’re going to have to reorganize and re-engineer the physical space. And therefore, that means reorganizing the logical access to systems and traceability, and so we’re opening up a lot of new doors. We need to be on our A-game.

Medgadget: Taking the conversation back to any individual out there – what should folks be thinking about? Most folks don’t think about things the way a cybersecurity professional does, and many don’t realize that they’re being directly or indirectly pressured to provide different sorts of data for all sorts of reasons as they go about their day.

Mr. Gorge: So I mean, I can provide you the risk professional answer, which will be a long, drawn-out answer: be careful with your data, don’t share data with people you don’t know, make sure that, if it’s an application that looks odd, you Google it, make sure that you look at the reviews, and, you know, don’t use 15 different applications to do the same thing, because you’re multiplying copies of the data.

But I think that the easiest answer to that is: if an application related to COVID at the moment is asking you to share data that you wouldn’t share with your stylist or with your best friend – be extra vigilant, do you really need to share it? Do you really need that application? Is it really adding value to you and to protecting your health? Because if the answer is “Eh, not sure,” then you shouldn’t do it. If on the other hand, the answer is, “Yeah, I really need it,” then at that stage, you need to dig a bit deeper, and, you know, nobody’s going to read the privacy policy unless we need to, but maybe now would be a good time to do that and potentially check that you’re happy to share that data. This is not crying wolf, but you have to ask yourself: if that company is hacked, and my data ends up in the public domain, what is going to be the impact? Okay, so my date of birth, well, I can probably get your date of birth anywhere on Google. My address – it’s annoying – but I can probably get it too. My health status – that’s really annoying – and I don’t want anyone to know, because it’s very, very personal. And as I said, there’s no health status “B,” and you only have one, and you need to protect it. So I’m not trying to scare people, I’m just trying to say that the real value of health data is tremendous. And yes, there’s HIPAA, and yes, it’s putting in a lot of good controls and it’s dealing with most of the attacks. But, COVID has generated loads of new attacks, and criminals have absolutely no mercy whatsoever. So now is the time to be cautious, I would say.

Medgadget: Yes, this is just the reality these days, and it’s better to be aware now rather than once it’s too late. Our physiological status and biometrics are definitely unique to us, and this sort of information isn’t something to be trifled with because there can be all sorts of long-term consequences.

Mr. Gorge: Absolutely. And I go back to the analogy with a credit card. It’s a pain if my credit cardholder data is stolen and used, but there’s so much regulation in this, and so much jurisprudence that I am nearly guaranteed to land on my feet within 24 hours. If somebody steals my health data, it’s a whole different ballgame.

Medgadget: What about the other side of this, in terms of risk management – let’s say it’s too late, and somebody has already given out their data and or they’ve enabled access to something or agreed to be tracked. What do you do to backtrack? Is that possible?

Mr. Gorge: Again, I go back to that idea of my five pillars, the fifth pillar being crisis management. So if you work with reputable health systems, and so on, you will definitely have identified a number of scenarios to address the risk, and to take corrective action when something goes wrong. That might be helping you to protect your identity, it might be making sure that it doesn’t happen again, that kind of stuff. But the reality is that you’re hoping that it won’t happen, especially for health data. And that’s why large health systems also have systems that allow them to stratify the type of data that we get, as you know, so they might have one level for generic personal data, and they might have another level for generic health questions, and another level for more in depth questions. And eventually, you end up with stuff that’s highly confidential, and goes back to the idea of data classification, with only people who are accessing the right data on a need to know basis. If you don’t need access to that data, you don’t get access to the data. Why would you have access to the data? You work as a triage officer at the reception at the hospital? You don’t need to see the results of my drug tests. Two days later, you don’t need to see, because your task is done. Somebody else is dealing with that, and they need access to that.

VigiTrust Annual Global Advisory Board – May 27, 2021

The Cyber Elephant in the Boardroom | Cybersecurity Podcast for CxOs

Thu, 26 May 2022 12:00:00 -0500 Alice Ferng
Killexams : 9 of the best online therapy options

We include products we think are useful for our readers. If you buy through links on this page, we may earn a small commission. Here’s our process.

As the world of online video, messaging, and chat continues to grow, a vast range of online therapy options are available for people to try.


Online therapy is a talk therapy service. A person may use online therapy in place of a face-to-face appointment with a therapist or counselor. Some reasons a person may choose online therapy include:

  • finding it difficult to leave their home
  • having a busy schedule
  • living in a remote area
  • feeling safer online

The American Psychological Association advises that online therapy may be a good alternative to in-person appointments.

A 2021 study states that online therapy during COVID-19 was effective in helping with anxiety and depression. A second 2020 study agrees that teletherapy can effectively treat mental health problems such as anxiety, depression, and post-traumatic stress disorders.

Online therapy may benefit those with mild-to-moderate mental health conditions, such as anxiety, depression, and panic disorders. It may also be suitable for those interested in relationship counseling.

People may find online therapy convenient as they can do this from the comfort of their own homes. However, a person must have a reliable internet connection and a private room where they will not be disturbed during therapy sessions.

People may wish to discuss online therapy with a doctor to determine its appropriateness for them.

If a person is in crisis or requires immediate or urgent care, they should call the emergency services on 911.

Is online therapy secure and confidential?

Most online therapy providers have a privacy policy and should offer transparent information on how they store and protect a person’s personal information.

Individuals can ask their intended therapy provider if it complies with rules set out in the Health Insurance Portability and Accountability Act (HIPAA), such as the HIPAA Privacy Rule and the HIPAA Security Rule.

Security and privacy are extremely important, and most companies should have robust protective systems in place. However, as with any online service, there is always a risk of data theft, computer viruses, and hacking.

Best overall: BetterHelp

  • Price: $60–90 per week, depending on the chosen service.
  • App: Yes.
  • Therapy platforms: Live chat, messages, phone calls, and video conferences.
  • Insurance: The company states that health insurance plans do not typically cover its services, but individuals can contact their plan provider to check their benefits.

This counseling program provides access to trained, licensed professionals in a variety of areas. Professionals include psychologists, licensed marriage and family therapists, licensed clinical social workers, and board licensed professional therapists.

The website matches a person to a suitable counselor, with whom they then interact via live chats, phone calls, and video conferences.

The billing period is monthly.

Read a full review of BetterHelp here.

Best for budgets: Talkspace

  • Price: $69–129 per week.
  • App: Yes.
  • Therapy platforms: Messaging and live video.
  • Insurance: Some insurance plans may cover Talkspace services. FSA and HSA cards are also accepted.

Talkspace allows licensed therapists and mental health counselors to meet with clients virtually to provide services for adults, teenagers, and couples.

To access individual therapy, a person takes an assessment and chooses the therapy plan that fits their budget. The site then matches them with a therapist.

The table below shows Talkspace plans and their approximate costs.

The company also has two programs. Its Talkspace Psychiatry program costs around $249 for an initial consultation, with follow-ups costing $125. Their 8-week Talkspace Insomnia Therapy program does not list a price.

Read a full review of Talkspace here.

Best for teenagers: Teen Counseling

  • Price: Around $60–90 per week.
  • App: Yes.
  • Therapy platforms: Messages, live chats, phone calls, and video conferences.
  • Insurance: No coverage.

Teen Counseling, a sister site to BetterHelp, is specifically geared toward people who are 13–19 years old. It offers online therapy for mental health challenges that may be unique to teenagers.

Teen Counseling assures teenagers of confidentiality, and parents or caregivers do not have access to their virtual counseling room. However, the teenager will likely need an adult to oversee their account and handle payment.

Best for couples: ReGain

  • Price: Around $60–90 per week.
  • App: Yes.
  • Therapy platforms: Messages, live chats, phone calls, and video sessions.
  • Insurance: No coverage.

With a focus on relationships and marital issues, ReGain offers both individual and couples counseling.

It says that its professional team comprises licensed psychologists, marriage and family therapists, clinical social workers, and professional counselors.

Two users can share a joint account to talk with a counselor together. Private live sessions are also available. People can choose how they would like to communicate with their therapist.

Payment is due monthly.

Most accommodating: Thriveworks

  • Price: Prices vary depending on location and session type. A membership fee of $39 per month applies in addition to session costs.
  • App: Yes.
  • Therapy platforms: Video or phone.
  • Insurance: Yes, many major insurance companies accepted.

With more than 310 physical locations in the United States, this organization also offers online counseling with licensed counselors.

Online options include individual and couples counseling via either video or phone.

Best for emotional support: 7 Cups

  • Price: Around $150 per month.
  • App: Yes.
  • Therapy platforms: Live chats, chat rooms, and forums.
  • Insurance: Not accepted.

In addition to offering online therapy with licensed therapists, this site provides the option to chat with volunteer listeners for free. 7 Cups is suitable for adults and teenagers.

There are also chat rooms and forums where people can discuss specific issues, such as anxiety and relationships.

The site offers self-help and growth paths that allow people to explore and identify ways to help themselves feel better.

Best for psychiatry services: AmWell

  • Price: Depending on the service, around $109–129 per session. Psychiatry services have an initial cost of $279.
  • App: Yes.
  • Therapy platforms: Video only.
  • Insurance: Yes, many major insurance companies accepted.

AmWell does not focus exclusively on online therapy. Instead, it offers a variety of telehealth services.

People can connect with board certified professionals for various health concerns, including mental health conditions. Psychiatry and therapy are two of the services that AmWell offers.

As many insurance companies cover telehealth, people may not have to cover the costs associated with this service. After enrolling, a person can enter their insurance information to check. They can then choose a healthcare professional and set up a telehealth appointment.

Best for behavioral therapy:

  • Price: Around $50–110 per week.
  • App: No.
  • Therapy platforms: Self-guided sessions. Some plans provide users access to video, phone, or text chat.
  • Insurance: Not accepted.

This site focuses on cognitive behavioral therapy (CBT) and uses an online therapy toolbox.

People have contact with a personal therapist and access to a self-help course to find tools and tips for dealing with their individual issues. The site also includes yoga and meditation videos.

Live chat sessions and therapist messaging options come with some subscriptions, but lower-cost plans lack this feature. The following table shows the plans and rough costs:

The company also offers a free option that allows individuals to access worksheets, yoga, and meditation at no cost.

Best self-guided: Bliss Online Therapy for Depression

  • Price: Free.
  • App: No.
  • Therapy platforms: Self-guided CBT sessions.
  • Insurance: Not applicable.

Bliss is a free online program based on CBT that does not include live interaction with a therapist. According to some studies, self-guided online CBT is effective for treating depression.

The program allows users to monitor and manage their moods and practice techniques to improve their mental health.

Individuals can complete the program at their own pace without strict time commitments.

A person should consider their main reasons for visiting a therapist. They should aim to find a person who specializes in the field in which they are seeking help. People may wish to view the therapist’s qualifications if this is available.

A person should ensure their therapist is licensed.

A few different types of therapists include:

  • Psychiatrist: Psychiatrists can provide prescription medication to a person if they feel this is necessary. They are medical doctors in addition to being psychologists.
  • Psychologist: Psychologists cannot prescribe medication. They have training in the mind and behavior and how these two intertwine. They usually specialize in the treatment of mental health disorders.
  • Licensed marriage and family therapist: These professionals specialize in relationship and family counseling.
  • Licensed professional counselor: These professionals hold a master’s degree and treat groups or individuals with mental health disorders or substance misuse issues.
  • Licensed clinical social workers: Social workers support people with interpersonal issues and support their well-being. They can refer people to community or government services for support or help them resolve problems by directing them to relevant resources.


A person should also consider how they would like to communicate with their therapist. Some services offer only one form of communication, whereas others offer several.

Some services allow a person to provide preferences for their therapist’s gender, age, or even religion.

Many online therapy services allow people to change therapists if they wish.

Various therapy services accept insurance. A person should look for these services and determine which insurance plans cover them. Some insurance policies may also partially cover the cost.

In addition, there are various resources online that are free to access.


A person can also discuss with their doctor to see what kind of financial help they may be entitled to.

Some insurance plans may cover some form of online therapy. A person should contact their plan provider to confirm their benefits.

As of 2019, Medicare plans cover some telehealth services, including mental health services.


Some of the advantages and disadvantages of online therapy are as follows:

Online therapy may be an effective option for people who would prefer not to meet in person with a mental healthcare professional or are unable to do so.

There are many ways for people to access online therapy. Before using any online therapy service, it is important to clarify the costs and required level of commitment.

Anyone concerned that they may pose a danger to themselves or others should not use online therapy. Instead, they should call 911 or go to the nearest emergency room.

Sat, 25 Jun 2022 12:00:00 -0500

HIPAA & Telehealth: FAQs from HHS Guidance on Audio-Only Telehealth

Thursday, June 16, 2022

Preparation for operations after the end of the Public Health Emergency (PHE) has commenced. HHS released guidance on using remote communication technologies for audio-only telehealth services in compliance with HIPAA. In March 2020, HHS stated it would exercise enforcement discretion for noncompliance with HIPAA in connection with the good faith provision of telehealth services using non-public facing audio or video remote communication technologies during the PHE. That enforcement discretion will end when the PHE ends.

In this latest guidance, HHS noted that due to various barriers, such as disability, financial, or language, not all patients are able to access audio-video telehealth technologies and that audio-only telehealth helps to address the needs of these patients. Here are four key FAQs based on the guidance that telehealth providers and platform-providers, covered by HIPAA, should consider when implementing an audio-only telehealth offering:

1.  Are audio-only telehealth services able to be provided in compliance with the HIPAA Privacy Rule when the PHE ends? Yes. To comply with the HIPAA Privacy Rule, telehealth providers need to implement reasonable safeguards to protect the privacy of protected health information (PHI), such as communicating in a private setting or, where a private setting is not feasible, using lowered voices and not using speakerphone. Telehealth providers must also verify the identity of any patient not known to the telehealth provider.

2.  Is it possible to comply with the HIPAA Security Rule when providing telehealth services over the phone or a mobile app? Yes. Technologies covered under the HIPAA Security Rule include smartphone applications, VoIP technologies, technologies that record or transcribe telehealth sessions, and messaging services that electronically store audio messages. One aspect of complying with the HIPAA Security Rule is that a security risk analysis on the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI must be conducted when using such technologies. The security risk analysis should then be used to assist in the development of a risk management plan to address the identified risks and vulnerabilities.

3.  Does a telehealth provider need a business associate agreement (BAA) with the telephone company and/or wireless carrier? Maybe. Telecommunications service providers (TSPs) are the companies that provide voice and/or data transmission services, such as the telephone company, the wireless carrier, and/or, in some cases, a mobile application provider. Telehealth providers must enter into a BAA with a TSP that creates, receives, maintains, or transmits PHI for or on behalf of the telehealth provider. However, telehealth providers do not need to enter into a BAA with a TSP where the TSP: (i) only has transient access to the PHI transmitted; (ii) does not create, receive, or maintain PHI on behalf of the telehealth provider; and (iii) does not require access on a routine basis to the PHI transmitted on the call. TSPs meeting all of these specifications are known as “conduits.” HHS provided the following examples of scenarios where a BAA is or is not required with a TSP:

  • Scenario: TSP only connects a call between the telehealth provider and the patient, and does not create, receive, or maintain any PHI from the session. BAA required? No; the TSP is acting as a conduit.
  • Scenario: Telehealth provider wants to conduct audio-only telehealth sessions with patients using a smartphone app that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the telehealth provider’s later use. BAA required? Yes, with the developer of the smartphone app.
  • Scenario: Telehealth provider uses a smartphone app to translate oral communications to another language to provide meaningful access to individuals with limited English proficiency. BAA required? Yes, with the developer of the smartphone app.

Also, since the HIPAA Security Rule only applies to electronic PHI, it does not apply to services using a standard telephone line (i.e., landline). In general, telehealth providers should be cautious about relying on TSPs that do not sign BAAs and must conduct due diligence to ensure the TSP does not access or maintain PHI transmitted during the call.

4.  Does a telehealth provider need to ensure that its patients are complying with HIPAA? HHS notes that patients may use any telephone system they choose, and telehealth providers are not responsible for the privacy or security of patients’ information once it has been received by the patient’s phone or other device. However, telehealth providers should note that if they provide a mobile app to the patient for use in either accessing telehealth services or storing medical information, the mobile app must comply with the HIPAA Privacy and Security Rules.

The planning and transition from PHE to post-PHE processes should start now for telehealth providers. Conducting risk assessments and diligence on existing vendors and their compliance with privacy and security laws must occur immediately. If a vendor that accesses, views, or maintains PHI refuses to sign a BAA, telehealth providers should immediately look to terminate the relationship with that vendor and consider alternative vendors that will sign a BAA. Developing a strategy for HIPAA compliance now, before the PHE sunsets, will pay dividends in the future.

No, health data from most period-tracking apps is not protected under HIPAA

HIPAA applies to covered entities, like health care providers that conduct electronic transactions, but not most of the period-tracking apps found in an app store.

Update June 24, 2022: On June 24, the Supreme Court overturned Roe v. Wade, a decades-old decision that federally protected abortion access across the U.S. This story has been updated to reflect the court’s final decision.

Roe v. Wade was overturned by the Supreme Court on June 24, ending constitutional protections for abortion. States can now restrict, ban or protect the right to abortions with their own laws.

The ruling came more than a month after the leak of a draft opinion indicating the court was ready to overturn the landmark case.

After the draft decision was published, Elizabeth C. McLaughlin, an attorney, activist and author, and Eva Galperin, who serves as the director of cybersecurity at the Electronic Frontier Foundation (EFF), a nonprofit digital rights group, said on social media that people should delete period-tracking apps off their phones. 

Both McLaughlin and Galperin warned that the personal health data shared on these apps could potentially be used against people who are seeking an abortion once Roe v. Wade is overturned. 

Google searches and some news reports indicate that many people are wondering if health data from period-tracking apps is covered under the Health Insurance Portability and Accountability Act of 1996, widely known as HIPAA.

Is health data from period-tracking apps protected under HIPAA?

No, health data from virtually all period-tracking apps is not protected under HIPAA. 

If a person receives an app as a benefit from their health plan, health care provider or insurance company, such as some versions of the Ovia Health app, it may fall under HIPAA.

HIPAA is a federal law that created national standards to protect sensitive patient health information from being shared without the patient’s consent or knowledge, according to the Centers for Disease Control and Prevention (CDC).

A U.S. Department of Health and Human Services (HHS) spokesperson told VERIFY in an email that HIPAA rules “apply only to covered entities and, to some extent, their business associates.” Covered entities include health plans and health care providers that conduct standard electronic transactions, such as billing insurance electronically. 

Pam Dixon, the founder and executive director of the World Privacy Forum, a nonprofit that conducts in-depth research and analysis in the area of data privacy, says most period-tracking apps are not covered under HIPAA. She told VERIFY if a period-tracking app does not include a Notice of Privacy Practices for Protected Health Information in its privacy policy, then the health data shared on the app is not protected by HIPAA. 

“Any kind of healthcare provider that's covered under HIPAA has to have something called a Notice of Privacy Practices. It's a standardized privacy policy that is mandated by the HIPAA rule. It will say the seven rights that you have under HIPAA and it will tell you how you can apply those rights to yourself,” Dixon said.

Alan Butler, the executive director and president of the Electronic Privacy Information Center (EPIC), a nonprofit research center based in Washington, D.C., agrees with Dixon. 

“Typically, apps that individuals might use to track fertility or for other personal health uses that are not billed as part of a medical service, which most of them are not, are not covered under HIPAA, and therefore, the data, even though it's data about your body or data related to your health, it's not health data as the law defines it,” Butler told VERIFY. 

Some period-tracking apps, like Glow, claim they are “HIPAA compliant” on their websites. However, Dixon says a period-tracking app claiming to be HIPAA compliant is a “big red flag.” 

“HIPAA compliant does not mean that a period tracking app is covered under HIPAA. Actually, in terms of HIPAA, it doesn't mean anything — it's kind of a meaningless phrase,” Dixon said. “If you see that in a privacy policy, it's very likely that you're dealing with a period-tracking app that's not covered under HIPAA.” 

VERIFY reached out to Glow but did not hear back by the time of publication. Glow’s current privacy policy can be found here. It does not include a Notice of Privacy Practices for Protected Health Information, nor does it mention the HIPAA acronym or include the phrase: “HIPAA compliant.” 

“In the privacy policy, the main enforcement tool for a health app that is not covered under HIPAA is actually an obscure law, called ‘FTC Act, Section 5.’ What that means is that they can do and say almost anything, as long as they're telling you the truth about what they're doing,” Dixon said. 

“So, if a health app is sharing your data or selling your data, they can use all sorts of weasel words to explain that, and if you don't understand the nuances of those weasel words, it's going to be a real hard thing for you when you realize your data has been shared, or even in some cases, sold,” Dixon continued. 

VERIFY looked into the privacy policies of 20 of the top period-tracking apps found in the Apple App Store and could only find one, Ovia Health, that told VERIFY some of the health data shared in its app may be protected under HIPAA in some circumstances, but not all. In its privacy policy, the company says it may fall under HIPAA “if a person receives the app as a benefit from their health plan or health care provider.”

“When Ovia users gain access to Ovia’s premium enterprise versions of our apps through their health insurer or employer health plan, HIPAA will apply. In that case, Ovia acts as a business associate for the Ovia enterprise customer and is required to protect the data in accordance with its business associate agreement under HIPAA. However, when Ovia users use the free consumer versions of our apps, HIPAA does not apply,” an Ovia spokesperson said in an email. 

In January 2021, the Federal Trade Commission (FTC) issued a complaint against Flo Health Inc., the makers of Flo, a health app that tracks periods, ovulation and pregnancy, saying that Flo shared sensitive health data from millions of users of its app with marketing and analytics firms, including Facebook and Google, despite promising to keep users’ health data private. 

Six months later, in June 2021, the FTC finalized a settlement that required Flo to obtain the affirmative consent of its app’s users before sharing their personal health information with others. The settlement also required Flo to obtain an independent review of its privacy practices. 

In March 2022, Flo completed an external, independent privacy audit, and according to the company, there are “no gaps or weaknesses” in its updated privacy practices. Flo’s current privacy policy, which also doesn’t contain a notice of privacy practices or the HIPAA acronym, can be found here.

Flo told VERIFY in a statement that the company “firmly believes women’s health data should be held with the utmost privacy and care,” and says “Flo does not share personal health data with any third party.” 

“Flo will never require a user to log an abortion or offer details that they feel should be kept private. Should a user express concern about data submitted, Flo’s customer support team will delete all historical data which will completely remove all data from Flo’s servers,” Flo said. 

A spokesperson for Clue, another period and ovulation tracking app, told VERIFY it is a European company obligated under the General Data Protection Regulation (GDPR) to “apply special protections to our users’ reproductive health data.” 

In 2018, the GDPR was drafted and passed by the European Union (EU), and is considered one of the “toughest data privacy and security laws in the world” because it “imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.” 

“We completely understand the anxiety around how data could be used in U.S. courts if Roe v. Wade is overturned. We want to reassure our users that their sensitive health data, particularly any data tracked in Clue about pregnancies, pregnancy loss or abortion, is kept private and safe. We do not sell it, and we never share it with ad networks,” Clue’s spokesperson said in an email. Clue’s current privacy policy can be found here.

The FTC released a list of ways people can protect their privacy when using health apps, like period-trackers. These tips include comparing options on privacy, taking control of your information by checking the app’s settings to make sure it lets you control the health data you share with it, and knowing the risks that come with sharing your personal health information with an app. The World Privacy Forum also shares the Patient’s Guide to HIPAA on its website. The comprehensive guide includes tips on how to guard your health privacy information.

“We have a long way to go to ensure that people's data is protected and that there is not an inordinate unnecessary data trail left behind just from living our daily lives,” Butler said.  

If you think a period-tracking app shared your data without your permission, you can contact the FTC at


Thu, 19 May 2022 14:05:00 -0500