Dedicated to providing the latest
HIPAA compliance news

Roger Severino Named New Director of HHS’ Office for Civil Rights
Mar27

Roger Severino Named New Director of HHS’ Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights has a new leader. The Trump Administration has chosen former civil rights trial attorney Roger Severino to lead the HIPAA enforcement efforts of the Office for Civil Rights. Severino joins OCR from the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he served as Director since May 2015....

Read More
Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule
Mar20

Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient. The patient, Clara Aragon-Delk, underwent a series...

Read More
Updated HIPAA Compliance Audit Toolkit Issued by AHIMA
Mar07

Updated HIPAA Compliance Audit Toolkit Issued by AHIMA

Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits are now well underway. Late last year, covered entities were selected for desk audits and the first round of audits have now been completed. Now OCR has moved on to auditing business associates of covered entities. At HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially penciled in for Q1,...

Read More
AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA
Mar02

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data. Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow –...

Read More
Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management
Mar02

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks. While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations...

Read More
Small Healthcare Data Breach Notification Deadline: March 1, 2017
Feb23

Small Healthcare Data Breach Notification Deadline: March 1, 2017

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information to the Department of Health and Human Services’ Office for Civil Rights. While large data breaches – those impacting 500 or more individuals – must be reported to OCR within 60 days of the discovery of the breach, covered entities can delay the...

Read More
New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough
Feb22

New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough

At HIMSS17, OCR’s Deven McGraw shed some light on the HIPAA guidance OCR expects to release in 2017. OCR may be busy with assessing the findings of the HIPAA compliance desk audits of healthcare organizations and their business associates, but a swathe of new HIPAA guidance is set to be released this year. Last year, the Joint Commission lifted the ban on the use of text messages for orders, although within weeks of the announcement...

Read More
Onsite HIPAA Audits Could Be Delayed by a Year
Feb21

Onsite HIPAA Audits Could Be Delayed by a Year

In an interview at HIMSS17 with the Information Security Media Group, Deven McGraw, Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, explained that the Phase 2 HIPAA compliance audits are progressing, although the onsite audits of covered entities will be delayed. It is currently unclear how much of a delay there will be. The onsite audits were to immediately follow...

Read More
Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation
Feb21

Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation

The New Jersey Division of Consumer Affairs recently announced that Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement administrative, technical and physical safeguard to protect the ePHI...

Read More
Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System
Feb17

Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System

The Department of Health and Human Services’ Office for Civil Rights (OCR) has matched last year’s record HIPAA settlement with Advocate Health. Yesterday, OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the...

Read More
Covered Entities Flirting with Fines for Late Data Breach Reports
Feb14

Covered Entities Flirting with Fines for Late Data Breach Reports

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presense Health. The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presense Health had delayed the issuing of breach notification...

Read More
Will HHS Secretary Tom Price Ease HIPAA Regulations?
Feb13

Will HHS Secretary Tom Price Ease HIPAA Regulations?

Tom Price was appointed as secretary of the Department of Health and Human Services on February 10, 2017, replacing Sylvia Matthews Burwell. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights. The appointment of a new director for the Office for Civil Rights may not be first on Price’s to do list, although the new HHS secretary is...

Read More
High Costs are Preventing Many Patients from Accessing their Medical Records
Feb02

High Costs are Preventing Many Patients from Accessing their Medical Records

The HIPAA Privacy Rule permits patients to obtain a copy of their medical records from their healthcare providers on request. By obtaining copies of medical records, patients are able to take a more active role in their healthcare and treatment. Obtaining copies of medical records also makes it much easier for patients to share their medical records with other healthcare providers and make smarter choices about their healthcare. The...

Read More
$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb02

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for OCR a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority...

Read More
$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

$2.2 Million Settlement for Impermissible Disclosure of ePHI

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209...

Read More
No HIPAA Violation Fine for Virginia State Senator
Jan19

No HIPAA Violation Fine for Virginia State Senator

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign. Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information...

Read More
OCR Reminds CEs of HIPAA Audit Control Requirements
Jan17

OCR Reminds CEs of HIPAA Audit Control Requirements

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information...

Read More
OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

Read More
Healthcare Industry Prepares for the HIPAA 2017 Audits
Jan10

Healthcare Industry Prepares for the HIPAA 2017 Audits

Given the number of HIPAA 2017 audits that OCR has planned, the probability of any healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax when it comes to HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared. Even if covered entities and business associates have not been selected for a desk audit,...

Read More
$475,000 Settlement for Delayed HIPAA Breach Notification
Jan10

$475,000 Settlement for Delayed HIPAA Breach Notification

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA...

Read More
UMass to Pay OCR $650K to Resolve HIPAA Violations
Nov23

UMass to Pay OCR $650K to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. In early 2013, malware was installed on a workstation in the Center for Language, Speech, and Hearing. The infection resulted in the impermissible disclosure...

Read More
Recent Cases of Device Theft Highlight Importance of Data Encryption
Nov04

Recent Cases of Device Theft Highlight Importance of Data Encryption

Since January 1, 2015, HIPAA-covered entities have reported 102 cases of loss or theft of unencrypted devices to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have exposed the ePHI of more than 1.5 million individuals and could have been prevented had data encryption been employed. The Health Insurance Portability and Accountability Act (HIPAA) does not require covered entities to use data...

Read More
Do Your HIPAA Authorizations Violate the FTC Act?
Oct25

Do Your HIPAA Authorizations Violate the FTC Act?

The Department of Health and Human Services’ Office for Civil Rights (OCR) has been vigorously providing guidance for covered entities on HIPAA Rules. Now, the Federal Trade Commission (FTC) has issued a reminder to covered entities of the need to comply not only with HIPAA Rules, but also the FTC Act. Under HIPAA, covered entities are permitted to share PHI with other covered entities or their business associates for treatment...

Read More
EHNAC and HITRUST Streamline Accreditation Processes
Oct20

EHNAC and HITRUST Streamline Accreditation Processes

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) have announced a new collaboration. The aim is to reduce – and hopefully eliminate – redundant assessments and their associated costs. It is hoped by streamlining the organizations’ accreditation and certification programs the benefits for industry stakeholders will be preserved, while much of the complexity of...

Read More
St. Joseph Health to Pay OCR $2.14 Million to Settle HIPAA Case
Oct19

St. Joseph Health to Pay OCR $2.14 Million to Settle HIPAA Case

The Department of Health and Human Services’ Office for Civil Rights has announced it has agreed to settle potential violations of the HIPAA Privacy and Security Rules with St. Joseph Health (SJH). SJH is required to pay $2.140,500 to OCR and adopt a corrective action plan (CAP) to bring policies and procedures up to the standard demanded by HIPAA. SJH is a not-for-profit integrated Catholic health care delivery system sponsored by...

Read More
OCR Laser-Focused on Data Breaches Says Samuels
Oct18

OCR Laser-Focused on Data Breaches Says Samuels

Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) explained OCR’s role in enforcing HIPAA Rules in a recent blog post and confirmed where enforcement activities will be focused over the coming 12 months. Samuels said OCR is “laser-focused on breaches occurring at health care entities, and any issues that lead to them” and that will not change. In the post, Samuels spoke of the...

Read More
Guidance on HIPAA and Cloud Computing Issued by HHS
Oct10

Guidance on HIPAA and Cloud Computing Issued by HHS

The Department of Health and Human Services has released updated guidance on HIPAA and cloud computing to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs). Cloud service providers that are legally separate entities from a HIPAA-covered entity are classed as business associates under HIPAA regulations if the CSP is required...

Read More
EHR Vendors Violate HIPAA Rules by Blocking Access to ePHI
Sep29

EHR Vendors Violate HIPAA Rules by Blocking Access to ePHI

Yesterday, Office for Civil Rights (OCR) issued guidance for EHR vendors and other business associates of HIPAA covered entities explaining the need to ensure electronic protected health information (ePHI) is always available to covered entities. The guidance, which takes the form of a FAQ, also clarifies how the HIPAA Rules apply to the blocking or termination of access to ePHI maintained by a business associate. OCR has confirmed...

Read More
$400,000 HIPAA Settlement for BAA Failures
Sep26

$400,000 HIPAA Settlement for BAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Care New...

Read More
WakeMed Health and Hospitals Fined for Patient Privacy Violations
Sep19

WakeMed Health and Hospitals Fined for Patient Privacy Violations

Raleigh-N.C-based WakeMed Health and Hospitals has been ordered to pay a fine of $70,000 by a North Carolina Bankruptcy Court for violating the privacy of patients. The privacy violations occurred when submitting proofs of claim to the bankruptcy court. Documents were submitted electronically; however, they contained the protected health information of debtors, including names, Social Security numbers, bank account numbers, and dates...

Read More