End of Support for Windows 10

In 2021, Microsoft announced that support for Windows 10 will end on October 14th, 2025. This means that technical assistance, feature updates, and security updates will no longer be provided for Windows 10 operating systems. Devices running on Windows 10 after this date will become increasingly vulnerable as Microsoft will no longer release security updates to protect against new cybersecurity threats.

It is strongly recommended that all devices be updated to Windows 11, which is the current, supported version of Windows. If you are not sure which version of Windows your organization’s devices are using, work with a qualified IT vendor to determine which devices will need updating. If a device cannot be updated for any reason, you should work with your IT provider to segment that device from the rest of your network.

The HIPAA Security Rule requires covered entities to take reasonable steps to ensure the technical security of EPHI. This includes ensuring that all devices are running on up-to-date, supported operating systems. Eagle Associates is hosting an upcoming webinar to assist clients in completing a Security Risk Analysis, which will cover requirements related to technical security.

Please register for the Security Risk Analysis 2025 webinar on Sep 25, 2025 1:00 PM EDT at:

https://attendee.gotowebinar.com/register/2919148845628053848

After registering, you will receive a confirmation email containing information about joining the webinar.

Update on Vacated Reproductive Health Care Privacy Rule

In the July Advisor® issue, we included a note that the U.S. District Court for the Northern District of Texas issued a nationwide order vacating most of the HIPAA Rule to Support Reproductive Health Care Privacy. The Department of Health and Human Services (HHS) has not yet published next steps concerning the court decision. Although HHS is not expected to appeal the decision, it is hoped that specific guidance will be provided regarding the Notice of Privacy Practices (NPP) modifications that were unaffected by the court decision. Since the Rule required covered entities to comply with NPP modifications by February 16, 2026, we do not anticipate that earlier revision will be necessary. Therefore, if you have not yet updated your NPP with our revised version, please do not do so at this time.

It is important to note that several states have enacted privacy laws concerning reproductive health care. These “shield” laws limit the disclosures that covered entities may make to out-of-state law enforcement about abortion services lawfully provided in their own state. As in most other instances where state law provides for greater patient privacy, covered entities must heed the more stringent state law. It is expected that these laws will be more actively enforced in the absence of the federal reproductive health care privacy protections.

For more information, please visit the following website to determine whether your state has any shield laws in place: https://law.ucla.edu/academics/centers/center-reproductive-health-law-and-policy/shield-laws-reproductive-and-gender-affirming-health-care-state-law-guide

HIPAA Compliance System Subscribers

An update will be made available in the Member Services area of our website on September 3, 2025, that includes revised Notice of Privacy Practices templates.  As noted in the article, a Notice of Privacy Practices must include a description of prohibited disclosures, now only in regard to Part 2 records. Any statements regarding Federal reproductive healthcare privacy protections should be removed according to the court ruling. 

We are providing this update well ahead of the February 16, 2026, deadline to allow you time to get the new copy posted in your workplace and on your website, if applicable. You will not be required to distribute copies of the revised Notice to patients but should provide a copy to new patients at the time of their first service, and to existing patients upon request. 

The November 2025 Compliance Training module on HIPAA’s Privacy Rule will ensure that workforce members are made aware of the regulatory changes. Policy revisions that reflect the regulatory changes will follow as part of the regular 2026 updates.

Patient Right of Access

Note for Eagle Associates HIPAA Compliance System subscribers:

Upcoming Webinar:

HIPAA and the Right of Access

August 7, 2025 12:00 PM EDT

This 45-minute webinar will cover the patient’s right of access to their designated record set, forms to use for records requests, form and format of access, fees for providing copies of records, unreasonable measures that are prohibited, records from other providers, methods of transmission, the difference between authorizations and records requests, and the right to inspect.

Click here to register

Can’t attend the live event? Go ahead and register and we will send you the recording after the webinar. 


Form and Format

Some organizations receive a large volume of records requests. Processing these requests involves a considerable amount of labor.  Questions often arise regarding the form and format of providing access to a patient. HHS guidance states:

“The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual.  See 45 CFR 164.524(c)(2)(i). If the individual requests electronic access to PHI that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format, or if not, in an agreed upon alternative, readable electronic format. See 45 CFR 164.524(c)(2)(ii). The terms “form and format” refer to how the PHI is conveyed to the individual (e.g., on paper or electronically, type of file, etc.) Thus:

Requests for Paper Copies – Where an individual requests a paper copy of PHI maintained by the covered entity either electronically or on paper, it is expected that the covered entity will be able to provide the individual with the paper copy requested.

Requests for Electronic Copies – Where an individual requests an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically (e.g., the covered entity can readily scan the paper record into an electronic format) and in the electronic format requested if readily producible in that format, or if not, in a readable alternative electronic format or hard copy format as agreed to by the covered entity and the individual.

Where an individual requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format. When the PHI is not readily producible in the electronic form and format requested, then the covered entity must provide access to an agreed upon alternative readable electronic format. See 45 CFR 164.524(c)(2)(ii). This means that, while a covered entity is not required to purchase new software or equipment in order to accommodate every possible individual request, the covered entity must have the capability to provide some form of electronic copy of PHI maintained electronically. It is only if the individual declines to accept any of the electronic formats readily producible by the covered entity that the covered entity may satisfy the request for access by providing the individual with a readable hard copy of the PHI.”

Some organizations have wondered whether they can discontinue provision of records in certain formats, such as on CD.  Because the HHS guidance states that you should provide access in the requested form and format if you are able to do so, it is not advisable to deny a patient’s requested format.  However, you may charge a cost-based, reasonable fee for providing records.

The fee charged can include labor costs for transferring data to the requested media and for executing a mailing if applicable, media costs, actual postage costs, and supplies such as envelopes.  You may not charge any compliance fees, infrastructure fees, etc.  Essentially you will just be recouping actual costs involved in preparing and providing the record.

You may not tell patients that the only way to obtain a copy of their record is to use the patient portal. You can encourage it and explain that it is convenient and secure, but it is considered an unreasonable measure to tell patients that the portal is the only option to obtain a copy of their record.

Technical Network Assessments

Both HIPAA’s Security Rule and the Merit-based Incentive Payment System (MIPS) program require documentation of periodic Security Risk Analyses.  A Security Risk Analysis assesses compliance with standards within the Rule.  Many times, information within a Security Risk Analysis is anecdotal, meaning the person completing it is simply typing in information to the best of their knowledge.

Background

HIPAA’s Security Rule requires covered entities to implement written policies and procedures to prevent, detect, contain, and correct security risks to the electronic protected health information (EPHI) that they have created, collected, and maintain.  In simple terms, the Rule provides a list of instructions that require written policies and procedures which, when implemented, should limit the risk to your EPHI. 

Technical Review

A Technical Network Assessment (TNA) is a documented snapshot of your practice’s IT infrastructure with regard to specific Security Rule requirements. The TNA will verify technical aspects of your Security Risk Analysis (SRA) and provide documentation to support information collected as part of the SRA.

The purpose of a TNA is to evaluate the risks and vulnerabilities of EPHI that is created or stored on your practice’s computer network, and to provide objective documentation concerning the security protections that have been implemented.  A key aspect is that a TNA produces factual reports from your network demonstrating that protections are in place rather than a strictly anecdotal response.

Reports from a TNA will enable your organization to determine whether any corrective actions need to be implemented to mitigate or reduce risks to EPHI on the network.  A repeat or periodic TNA should be performed to address environmental, technical or operational changes affecting the security of EPHI. 

A TNA should be conducted by qualified IT staff.  You could have your existing IT vendor/staff perform a TNA, or contract with an outside entity.  Using an outside entity will provide your practice with an independent confirmation that key technical security requirements have been met.

Completing an SRA can be likened to having a physical exam by your primary care provider.  The provider asks questions and you provide anecdotal information about your health. A TNA can be likened to blood tests, EKGs or other diagnostics that produce factual reports to document your good health or, in some cases, identify conditions that may require corrective actions such as medication and further treatments. 

Elements of a TNA

A TNA should evaluate technological risks and vulnerabilities including, but not limited to:

  • Open port security
  • Identify internal and external user IDs
  • Identify user IDs that have been inactive for a period of time (e.g., 30 days or more)
  • Identify network devices and the implementation of current security updates or patches
  • Identify the current network protocol for password complexity and the frequency of password changes by users
  • Verify installation of antivirus/malware protection and a firewall
  • Verify automatic logoff and the period of inactivity that triggers logoff
  • Verify activation of lockout protections (a predetermined number of allowable unsuccessful login attempts)
  • A vulnerability scan
  • Penetration testing

Documentation of TNA results should be available in network-generated reports as outlined below (note that the names and types of reports will vary depending on the tools used to generate the TNA):

Computer Identification Report: A list of the active and inactive computers found in the Active Directory. It should show the machine name, its enabled status, operating system, last login date, and should include columns to indicate whether the machine contains any EPHI.

User Identification Report: A list of the active and inactive user accounts found in the Active Directory. It should show the username, display name, last login date, last password reset date, password expiration date, and last login time.  It would be helpful if the report included columns to manage the users and note their access to EPHI.

Endpoint Security Status: A listing of all computers and servers found on the network, with the status of the antivirus, antispyware, firewall, and backup software installed on each.

External Vulnerability Scan Detail Report: Detailed information on all the external vulnerabilities found during the external IP address scan performed on the IP addresses used by the network.

Security Policy Assessment: The results of a security scan performed internally on the network. This document would highlight your company’s password policies, account lockout policies, audit policies, event log policies, and group policies.

Patch Status: This report will contain a list of each computer and its corresponding patch status.
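As an added illustration, not tooling from the newsletter or from Eagle Associates, the following PowerShell script builds the User Identification Report described above from Active Directory and flags enabled accounts with no login in 30 days or more (the threshold from the checklist). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the column names and file name are constructed here.

```powershell
# Added example: produce a "User Identification Report" from Active Directory.
# Assumes the RSAT ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

$InactiveDays = 30                                   # threshold named in the TNA checklist
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$OutFile      = "UserIdentificationReport_$(Get-Date -Format yyyyMMdd).csv"   # constructed name

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to ~14 days of lag,
# so read it as "last login no later than". PasswordLastSet is the last password reset.
$Users = Get-ADUser -Filter * -Properties DisplayName, Enabled, LastLogonDate, PasswordLastSet,
            PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

$Report = foreach ($u in $Users) {
    $expiryRaw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # null, 0 or Int64.MaxValue mean "no computed expiry"; FromFileTime throws on MaxValue,
    # so guard before converting.
    $expiry = if ($u.PasswordNeverExpires -or -not $expiryRaw -or $expiryRaw -eq [Int64]::MaxValue) {
                  'Never'
              } else {
                  [DateTime]::FromFileTime($expiryRaw).ToString('yyyy-MM-dd')
              }

    [PSCustomObject]@{
        Username           = $u.SamAccountName
        DisplayName        = $u.DisplayName
        Enabled            = $u.Enabled
        LastLoginDate      = if ($u.LastLogonDate) { $u.LastLogonDate.ToString('yyyy-MM-dd') } else { 'Never' }
        LastLoginTime      = if ($u.LastLogonDate) { $u.LastLogonDate.ToString('HH:mm') } else { '' }
        LastPasswordReset  = if ($u.PasswordLastSet) { $u.PasswordLastSet.ToString('yyyy-MM-dd') } else { 'Never' }
        PasswordExpiration = $expiry
        # Enabled account with no login in the last $InactiveDays days (or no recorded login at all)
        InactiveFlag       = ($u.Enabled -and (-not $u.LastLogonDate -or $u.LastLogonDate -lt $Cutoff))
        # Columns left blank for the practice to complete, as the article suggests
        AccessToEPHI       = ''
        ReviewAction       = ''
    }
}

# Inactive accounts first, so the review list starts with the entries needing a decision
$Report |
    Sort-Object -Property @{ Expression = 'InactiveFlag'; Descending = $true }, Username |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

"{0} accounts exported to {1}; {2} enabled accounts inactive for {3}+ days" -f `
    $Report.Count, $OutFile, ($Report | Where-Object InactiveFlag).Count, $InactiveDays
```

The Computer Identification Report is the same pattern with Get-ADComputer and its OperatingSystem and LastLogonDate properties.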

After the data has been gathered and reports generated, your practice should evaluate the results for possible corrective actions, if any, to mitigate risks and vulnerabilities.  The combined documentation of the SRA, TNA, and implemented corrective actions will enhance your practice’s ability to demonstrate a reasonable effort for protecting EPHI.

If you contract with an IT vendor, that vendor should be able to produce the reports described above.  Some vendors will provide them at no charge as part of your existing maintenance contract (especially if you pay a monthly/regular management fee).  Other IT companies charge exorbitant fees for completing a TNA and providing reports. 

The government agency known as CISA (Cybersecurity and Infrastructure Security Agency) now offers assistance in what they call Cyber Hygiene Vulnerability Scanning.  You can reach out to vulnerability@cisa.dhs.gov to get started.  These assessments are available to both public and private organizations at no cost, but availability is limited.  The service offered includes the following:

  • Target Discovery, which identifies all active internet-accessible assets to be scanned, including networks, systems and hosts.
  • Vulnerability Scanning, which initiates non-intrusive checks to identify potential vulnerabilities and weaknesses.

Employee Records

In addition to maintaining patient records, your organization is also required to maintain certain records related to your employees. Read on for an overview of each category of employee records, along with documentation and retention requirements for each.

Training Records

Different agencies require different lengths of retention for training records. OSHA requires that safety-related training records be maintained for a minimum of 3 years. HIPAA training records must be maintained for at least 6 years. The OIG requires fraud, waste and abuse training records and billing and coding training records to be kept on file for 10 years.

Training documentation should include:

  • The dates of training
  • The contents, or a summary of the training information provided
  • The name of the person(s) conducting the training
  • The name and job titles of all persons participating in the training
  • Fraud, Waste and Abuse (FWA) training records should include the start date of each participant’s employment

Training documentation can be accomplished by simply retaining a Compliance Training Test (included with each of Eagle Associates’ training modules) for each participating staff member. These records may be maintained digitally or on paper. You are not required to file training documentation in each individual staff member’s personnel record, though some accrediting organizations may have specific training documentation requirements. If you utilize Eagle Associates’ e-Compliance Training program, your electronic reports can serve as official training documentation.

Employee Medical Records

OSHA requires that employers maintain a medical record for each employee for the duration of their employment plus thirty years. If an employee has been employed less than one year, OSHA permits an employer to provide the employee with their medical record upon termination without having to meet the thirty-year retention requirement. For compliance documentation purposes, it is still advised to keep a copy of employee records, even if the employee was employed for less than a year.

Employee medical records should include:

  • The employee’s name and secondary identifier such as an employee ID number or date of birth. It is no longer recommended to maintain employees’ full social security numbers.
  • If the employee will experience occupational exposure to bloodborne pathogens, a copy of the employee’s hepatitis B vaccination status, including dates of all hepatitis B vaccinations, or a signed hepatitis B vaccine declination statement
  • A copy of any incident, accident or illness records that are applicable to the employee
  • A copy of all results of examinations, medical testing, and procedures required following an exposure incident (if applicable)
  • Baseline tuberculosis test results, and, if your facility’s risk level requires it, results of subsequent skin tests. Documentation of any positive results should be followed by annual symptom screening questionnaires, and any records of examination or treatment for active TB infection.
  • Influenza and COVID-19 vaccination records (if vaccines are offered to employees)
  • Employee medical complaints and any other medical information relevant to their employment

Because they contain protected health information (PHI), employee medical records must be maintained confidentially. Only authorized staff members should be permitted to access employee medical records. Employees have the right to access their medical record, even after their employment ends.

Exposure Records

Employers also must maintain an exposure record for employees who may be exposed to hazardous chemicals, bloodborne pathogens, and other occupational hazards.

Exposure records may be combined with employee medical records, and would include:

  • Workplace monitoring or measuring of a toxic substance or harmful physical agent (i.e., formaldehyde exposure monitoring, ionizing radiation monitoring), including any forms of sampling, as well as related analytical methodologies, calculations, and other data relevant to the interpretation of results obtained;
  • Biological monitoring results which directly assess the absorption of a toxic substance or harmful agent by body systems, for example, results of testing for levels of an agent in an employee’s blood, urine, breath, etc.;
  • Safety data sheets (SDSs), which indicate that a material may pose a hazard to human health; and/or a chemical inventory or other record that reveals where and when a product was used, and the identity of the harmful ingredient. SDSs and/or chemical inventories may be kept apart from employee medical/exposure records but must be maintained for thirty years beyond last use of the product, so that exposure information is available if needed.

If exposure records are maintained separately from medical records, they must also be maintained for the duration of employment plus thirty years. Exposure records will contain PHI and must be maintained in a confidential manner.

Employment Records

Employment records (also known as personnel records) include any other documentation regarding an individual’s employment that does not pertain to their medical record or training records. These records may be kept with other personnel or human resource files.

Documentation in an employment record may include:

  • A signed medical records acknowledgement form. You are required to inform employees annually of the existence and availability of their employee medical record;
  • Any records regarding workplace violence or harassment complaints (if applicable);
  • A signed employee confidentiality statement pertaining to HIPAA Rules;
  • A signed Employee Code of Conduct form (for fraud, waste and abuse prevention in Medicare/Medicaid programs, if applicable); and
  • A signed Employee Notice of Privacy Practices form (if the organization meets the definition of a health plan under HIPAA).

You may not combine medical and/or exposure records with employment/personnel records.

Access to confidential medical/exposure records should only be provided to staff members that have a legitimate need, such as to verify required testing has been completed.

Disclosures to Law Enforcement

HIPAA’s Privacy Rule allows for disclosure of PHI to law enforcement under specific circumstances. Any time a law enforcement official contacts your organization or shows up in person, the Privacy Officer should be alerted so that they may perform identity verification and determine whether any requested disclosures are permitted.

The Privacy Rule was written so that its standards balance the need to protect an individual’s privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual’s written authorization, under specific circumstances summarized below.

To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. The Rule recognizes that the legal process in obtaining a court order and the secrecy of the grand jury process provides protections for the individual’s private information.

To respond to an administrative request, such as an administrative subpoena or investigative demand or other written request from a law enforcement official. Because an administrative request may be made without judicial involvement, the Rule requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and that de-identified information cannot be used.

To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person; but the covered entity must limit disclosures of PHI to name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request.

Many questions arise with regard to potential visits from immigration enforcement agents (Immigration and Customs Enforcement, ICE). ICE agents may not enter private areas of your facility without a judicial warrant signed by a judge or magistrate. However, under the current administration, ICE agents may enter public areas of your facility and ask questions about patients.

Be sure that everyone knows to direct agents to your Privacy Officer, who will be prepared to respond with identity verification and other measures. ICE agents are permitted to question people in your waiting room or other public area or look at any information “in plain view,” but patients have the right to remain silent. You are only required to disclose PHI if there is a judicial warrant signed by a judge or magistrate. General questioning or requests do not require your response if you do not wish to do so. Maintain a calm and courteous manner with agents, and inform them that you must comply with HIPAA privacy laws. Explain the requirement to verify whether disclosures are permitted/necessary.

This same limited information outlined above may be reported to law enforcement:

About a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce;

To identify or apprehend an individual who has admitted participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act.

To respond to a request for PHI about a victim of a crime, and the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested.

Where child abuse victims or adult victims of abuse, neglect or domestic violence are concerned, other provisions of the Rule apply:

Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such reports, and the agreement of the individual is not required.

Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by law to receive such reports:

  • If the individual agrees;
  • If the report is required by law; or
  • If expressly authorized by law, and based on the exercise of professional judgment, the report is necessary to prevent serious harm to the individual or others, or in certain other emergency situations.

Notice to the individual of the report may be required.

To report PHI to law enforcement when required by law to do so. For example, state laws commonly require health care providers to report incidents of gunshot or stab wounds, or other violent injuries; and the Rule permits disclosures of PHI as necessary to comply with these laws.

To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct.

Information about a decedent may also be shared with medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties.

To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises.

When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity, specifically, the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime. This provision does not apply if the covered health care provider believes that the individual in need of the emergency medical care is the victim of abuse, neglect or domestic violence; see above Adult abuse, neglect, or domestic violence for when reports to law enforcement are allowed.

When consistent with applicable law and ethical standards:

To a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public; or

To identify or apprehend an individual who appears to have escaped from lawful custody.

For certain other specialized governmental law enforcement purposes, such as:

To federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act or to provide protective services to the President and others and conduct related investigations;

To respond to a request for PHI by a correctional institution or a law enforcement official having lawful custody of an inmate or others if they represent such PHI is needed to provide health care to the individual; for the health and safety of the individual, other inmates, officers or employees of or others at a correctional institution or responsible for the transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including law enforcement on the premises of the facility.

Minimum Necessary Standard

Except when required by law, the disclosures to law enforcement summarized above are subject to a minimum necessary determination by the covered entity. When reasonable to do so, the covered entity may rely upon the representations of the law enforcement official (as a public officer) as to what information is the minimum necessary for a disclosure you’ve determined is permitted. It is advisable to obtain regulatory references and review them if a law enforcement official is stating that the disclosure is permitted without a warrant or subpoena.