Dedicated to providing the latest
HIPAA compliance news

Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System
Feb17

Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System

The Department of Health and Human Services’ Office for Civil Rights (OCR) has matched last year’s record HIPAA settlement with Advocate Health. Yesterday, OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the...

Read More
Covered Entities Flirting with Fines for Late Data Breach Reports
Feb14

Covered Entities Flirting with Fines for Late Data Breach Reports

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presense Health. The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presense Health had delayed the issuing of breach notification...

Read More
Will HHS Secretary Tom Price Ease HIPAA Regulations?
Feb13

Will HHS Secretary Tom Price Ease HIPAA Regulations?

Tom Price was appointed as secretary of the Department of Health and Human Services on February 10, 2017, replacing Sylvia Matthews Burwell. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights. The appointment of a new director for the Office for Civil Rights may not be first on Price’s to do list, although the new HHS secretary is...

Read More
High Costs are Preventing Many Patients from Accessing their Medical Records
Feb02

High Costs are Preventing Many Patients from Accessing their Medical Records

The HIPAA Privacy Rule permits patients to obtain a copy of their medical records from their healthcare providers on request. By obtaining copies of medical records, patients are able to take a more active role in their healthcare and treatment. Obtaining copies of medical records also makes it much easier for patients to share their medical records with other healthcare providers and make smarter choices about their healthcare. The...

Read More
$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb02

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for OCR a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority...

Read More
$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

$2.2 Million Settlement for Impermissible Disclosure of ePHI

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209...

Read More
No HIPAA Violation Fine for Virginia State Senator
Jan19

No HIPAA Violation Fine for Virginia State Senator

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign. Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information...

Read More
OCR Reminds CEs of HIPAA Audit Control Requirements
Jan17

OCR Reminds CEs of HIPAA Audit Control Requirements

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information...

Read More
OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

Read More
$475,000 Settlement for Delayed HIPAA Breach Notification
Jan10

$475,000 Settlement for Delayed HIPAA Breach Notification

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA...

Read More
UMass to Pay OCR $650K to Resolve HIPAA Violations
Nov23

UMass to Pay OCR $650K to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. In early 2013, malware was installed on a workstation in the Center for Language, Speech, and Hearing. The infection resulted in the impermissible disclosure...

Read More
Recent Cases of Device Theft Highlight Importance of Data Encryption
Nov04

Recent Cases of Device Theft Highlight Importance of Data Encryption

Since January 1, 2015, HIPAA-covered entities have reported 102 cases of loss or theft of unencrypted devices to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have exposed the ePHI of more than 1.5 million individuals and could have been prevented had data encryption been employed. The Health Insurance Portability and Accountability Act (HIPAA) does not require covered entities to use data...

Read More
Do Your HIPAA Authorizations Violate the FTC Act?
Oct25

Do Your HIPAA Authorizations Violate the FTC Act?

The Department of Health and Human Services’ Office for Civil Rights (OCR) has been vigorously providing guidance for covered entities on HIPAA Rules. Now, the Federal Trade Commission (FTC) has issued a reminder to covered entities of the need to comply not only with HIPAA Rules, but also the FTC Act. Under HIPAA, covered entities are permitted to share PHI with other covered entities or their business associates for treatment...

Read More
EHNAC and HITRUST Streamline Accreditation Processes
Oct20

EHNAC and HITRUST Streamline Accreditation Processes

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) have announced a new collaboration. The aim is to reduce – and hopefully eliminate – redundant assessments and their associated costs. It is hoped by streamlining the organizations’ accreditation and certification programs the benefits for industry stakeholders will be preserved, while much of the complexity of...

Read More
St. Joseph Health to Pay OCR $2.14 Million to Settle HIPAA Case
Oct19

St. Joseph Health to Pay OCR $2.14 Million to Settle HIPAA Case

The Department of Health and Human Services’ Office for Civil Rights has announced it has agreed to settle potential violations of the HIPAA Privacy and Security Rules with St. Joseph Health (SJH). SJH is required to pay $2.140,500 to OCR and adopt a corrective action plan (CAP) to bring policies and procedures up to the standard demanded by HIPAA. SJH is a not-for-profit integrated Catholic health care delivery system sponsored by...

Read More
OCR Laser-Focused on Data Breaches Says Samuels
Oct18

OCR Laser-Focused on Data Breaches Says Samuels

Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) explained OCR’s role in enforcing HIPAA Rules in a recent blog post and confirmed where enforcement activities will be focused over the coming 12 months. Samuels said OCR is “laser-focused on breaches occurring at health care entities, and any issues that lead to them” and that will not change. In the post, Samuels spoke of the...

Read More
Guidance on HIPAA and Cloud Computing Issued by HHS
Oct10

Guidance on HIPAA and Cloud Computing Issued by HHS

The Department of Health and Human Services has released updated guidance on HIPAA and cloud computing to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs). Cloud service providers that are legally separate entities from a HIPAA-covered entity are classed as business associates under HIPAA regulations if the CSP is required...

Read More
EHR Vendors Violate HIPAA Rules by Blocking Access to ePHI
Sep29

EHR Vendors Violate HIPAA Rules by Blocking Access to ePHI

Yesterday, Office for Civil Rights (OCR) issued guidance for EHR vendors and other business associates of HIPAA covered entities explaining the need to ensure electronic protected health information (ePHI) is always available to covered entities. The guidance, which takes the form of a FAQ, also clarifies how the HIPAA Rules apply to the blocking or termination of access to ePHI maintained by a business associate. OCR has confirmed...

Read More
$400,000 HIPAA Settlement for BAA Failures
Sep26

$400,000 HIPAA Settlement for BAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Care New...

Read More
WakeMed Health and Hospitals Fined for Patient Privacy Violations
Sep19

WakeMed Health and Hospitals Fined for Patient Privacy Violations

Raleigh-N.C-based WakeMed Health and Hospitals has been ordered to pay a fine of $70,000 by a North Carolina Bankruptcy Court for violating the privacy of patients. The privacy violations occurred when submitting proofs of claim to the bankruptcy court. Documents were submitted electronically; however, they contained the protected health information of debtors, including names, Social Security numbers, bank account numbers, and dates...

Read More
The Importance of Auditing Business Associates Highlighted by OIG Investigation
Sep14

The Importance of Auditing Business Associates Highlighted by OIG Investigation

The Department of Veteran Affairs’ Office of Inspector General (OIG) has published a report on the investigation of a VA contractor that was alleged to be allowing employees to access, share, and store the protected health information of veterans on personally owned devices. Anchorage-based ProCare Home Medical Inc., a supplier of home oxygen services on behalf of the VA, was reported to OIG for breaching federal information security...

Read More
Updated Security Risk Assessment Tool Released by ONC
Sep07

Updated Security Risk Assessment Tool Released by ONC

OCR prefers to settle HIPAA compliance issues through voluntary compliance and non-punitive means, although financial penalties are now becoming more commonplace. If OCR investigators uncover HIPAA violations, financial penalties may be issued. Fines of up to $1.5 million can be issued for each violation category discovered. One of the most common reasons for a financial penalty is the failure to conduct a comprehensive,...

Read More
OCR Investigation into Bizmatics Data Breach is Closed
Aug29

OCR Investigation into Bizmatics Data Breach is Closed

The Department of Health and Human Services’ Office for Civil Rights has closed the investigation into the 2015 Bizmatics data breach. The breach, which was discovered in late 2015, affected many of the company’s clients. The malware was discovered to have been installed on a server in early 2015. The server was used to house the company’s PrognoCIS EMR database. At least 300,000 patients were impacted and potentially had their PHI...

Read More
OCR to Increase Investigations of Small PHI Breaches
Aug18

OCR to Increase Investigations of Small PHI Breaches

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it will be stepping up investigations of small PHI breaches with immediate effect. Breaches impacting fewer than 500 individuals will now be subjected to closer scrutiny, with the responsibility for investigating those breaches falling to the OCR’s Regional Offices. OCR currently investigates all PHI breaches that impact more than 500 individuals,...

Read More
CMS Cracks Down on Social Media Abuse of Nursing Home Residents
Aug15

CMS Cracks Down on Social Media Abuse of Nursing Home Residents

A significant number of cases of abuse of nursing home and assisted living center residents have come to light in recent months. The cases involved the taking of degrading and demeaning photographs and videos of residents by employees of nursing facilities, and sharing the images and videos on social media websites. Photographs of residents in various states of undress, covered in feces, or made to pose in degrading positions have...

Read More
Walgreens Improper PHI Dumping Case Closed by OCR After 9 Years
Aug15

Walgreens Improper PHI Dumping Case Closed by OCR After 9 Years

Ten years ago, WTHR 13 conducted an investigation into the improper disposal of sensitive information by pharmacies. The investigation was conducted following a robbery that took place at the home of an Indiana resident. A drug addict targeted the individual knowing that she had pain medication. That information was obtained from a pharmacy dumpster. The investigation involved reporters checking the dumpsters behind a number of...

Read More
Former Tampa Hospital Employee Convicted of PHI Theft and Tax Fraud
Aug09

Former Tampa Hospital Employee Convicted of PHI Theft and Tax Fraud

A former employee of Tampa General Hospital was recently convicted of wrongful disclosure of individually identifiable health information and wire fraud. Shanakia Benton was accused of stealing the protected health information of patients during the time she was employed at Tampa General Hospital. According to court documents, between June 2011 and December 2012, Benton improperly accessed the computer system of Tampa General...

Read More
Med Students Violating HIPAA by Tracking Patients on EHRs
Aug02

Med Students Violating HIPAA by Tracking Patients on EHRs

Medical students are using hospital electronic health records to track former patients, even though by doing so they are potentially violating the Health Insurance Portability and Accountability Act (HIPAA). While it is known that the practice occurs, little research has been performed to determine the extent to which EHRs are accessed and the exact reasons why patients are tracked. In August 2013, Gregory E. Brisson, MD of...

Read More
Third of Hospitals Lack HIPAA-Compliant EHR Contingency Plans
Jul26

Third of Hospitals Lack HIPAA-Compliant EHR Contingency Plans

According to a recent report issued by the Department of Health and Human Services’ Office of Inspector General, a third of hospitals do not have HIPAA-compliant EHR contingency plans in place, although most are “largely addressing” HIPAA requirements for EHRs. In September 2014, OIG sent a survey to 400 hospitals that had applied for Medicare EHR incentive payments and asked questions to determine whether HIPAA-compliant EHR...

Read More
2.75 Million Dollar HIPAA Settlement Reached with UMMC
Jul22

2.75 Million Dollar HIPAA Settlement Reached with UMMC

Hot on the heels of the 2.7 million HIPAA breach settlement with Oregon Health & Science University comes news of another multi-million-dollar settlement with another university. The Department of Health and Human Services’ Office for Civil Rights announced yesterday that University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also...

Read More