$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan 19

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – a subsidiary of MAPFRE S.A. of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of...

No HIPAA Violation Fine for Virginia State Senator
Jan 19

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign. Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information...

OCR Reminds CEs of HIPAA Audit Control Requirements
Jan 17

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information...

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan 12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

$475,000 Settlement for Delayed HIPAA Breach Notification
Jan 10

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA...

UMass to Pay OCR $650K to Resolve HIPAA Violations
Nov 23

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. In early 2013, malware was installed on a workstation in the Center for Language, Speech, and Hearing. The infection resulted in the impermissible disclosure...

Recent Cases of Device Theft Highlight Importance of Data Encryption
Nov 4

Since January 1, 2015, HIPAA-covered entities have reported 102 cases of loss or theft of unencrypted devices to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have exposed the ePHI of more than 1.5 million individuals and could have been prevented had data encryption been employed. The Health Insurance Portability and Accountability Act (HIPAA) does not require covered entities to use data...

Do Your HIPAA Authorizations Violate the FTC Act?
Oct 25

The Department of Health and Human Services’ Office for Civil Rights (OCR) has been vigorously providing guidance for covered entities on HIPAA Rules. Now, the Federal Trade Commission (FTC) has issued a reminder to covered entities of the need to comply not only with HIPAA Rules, but also the FTC Act. Under HIPAA, covered entities are permitted to share PHI with other covered entities or their business associates for treatment...

EHNAC and HITRUST Streamline Accreditation Processes
Oct 20

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) have announced a new collaboration. The aim is to reduce – and hopefully eliminate – redundant assessments and their associated costs. It is hoped by streamlining the organizations’ accreditation and certification programs the benefits for industry stakeholders will be preserved, while much of the complexity of...

St. Joseph Health to Pay OCR $2.14 Million to Settle HIPAA Case
Oct 19

The Department of Health and Human Services’ Office for Civil Rights has announced it has agreed to settle potential violations of the HIPAA Privacy and Security Rules with St. Joseph Health (SJH). SJH is required to pay $2,140,500 to OCR and adopt a corrective action plan (CAP) to bring policies and procedures up to the standard demanded by HIPAA. SJH is a not-for-profit integrated Catholic health care delivery system sponsored by...

OCR Laser-Focused on Data Breaches Says Samuels
Oct 18

Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) explained OCR’s role in enforcing HIPAA Rules in a recent blog post and confirmed where enforcement activities will be focused over the coming 12 months. Samuels said OCR is “laser-focused on breaches occurring at health care entities, and any issues that lead to them” and that will not change. In the post, Samuels spoke of the...

Guidance on HIPAA and Cloud Computing Issued by HHS
Oct 10

The Department of Health and Human Services has released updated guidance on HIPAA and cloud computing to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs). Cloud service providers that are legally separate entities from a HIPAA-covered entity are classed as business associates under HIPAA regulations if the CSP is required...

EHR Vendors Violate HIPAA Rules by Blocking Access to ePHI
Sep 29

Yesterday, the Office for Civil Rights (OCR) issued guidance for EHR vendors and other business associates of HIPAA-covered entities explaining the need to ensure electronic protected health information (ePHI) is always available to covered entities. The guidance, which takes the form of an FAQ, also clarifies how the HIPAA Rules apply to the blocking or termination of access to ePHI maintained by a business associate. OCR has confirmed...

$400,000 HIPAA Settlement for BAA Failures
Sep 26

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Care New...

WakeMed Health and Hospitals Fined for Patient Privacy Violations
Sep 19

Raleigh, N.C.-based WakeMed Health and Hospitals has been ordered to pay a fine of $70,000 by a North Carolina Bankruptcy Court for violating the privacy of patients. The privacy violations occurred when submitting proofs of claim to the bankruptcy court. Documents were submitted electronically; however, they contained the protected health information of debtors, including names, Social Security numbers, bank account numbers, and dates...

The Importance of Auditing Business Associates Highlighted by OIG Investigation
Sep 14

The Department of Veteran Affairs’ Office of Inspector General (OIG) has published a report on the investigation of a VA contractor that was alleged to be allowing employees to access, share, and store the protected health information of veterans on personally owned devices. Anchorage-based ProCare Home Medical Inc., a supplier of home oxygen services on behalf of the VA, was reported to OIG for breaching federal information security...

Updated Security Risk Assessment Tool Released by ONC
Sep 7

OCR prefers to settle HIPAA compliance issues through voluntary compliance and non-punitive means, although financial penalties are now becoming more commonplace. If OCR investigators uncover HIPAA violations, financial penalties may be issued. Fines of up to $1.5 million can be issued for each violation category discovered. One of the most common reasons for a financial penalty is the failure to conduct a comprehensive,...

OCR Investigation into Bizmatics Data Breach is Closed
Aug 29

The Department of Health and Human Services’ Office for Civil Rights has closed the investigation into the 2015 Bizmatics data breach. The breach, which was discovered in late 2015, affected many of the company’s clients. The malware was discovered to have been installed on a server in early 2015. The server was used to house the company’s PrognoCIS EMR database. At least 300,000 patients were impacted and potentially had their PHI...

OCR to Increase Investigations of Small PHI Breaches
Aug 18

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it will be stepping up investigations of small PHI breaches with immediate effect. Breaches impacting fewer than 500 individuals will now be subjected to closer scrutiny, with the responsibility for investigating those breaches falling to the OCR’s Regional Offices. OCR currently investigates all PHI breaches that impact more than 500 individuals,...

CMS Cracks Down on Social Media Abuse of Nursing Home Residents
Aug 15

A significant number of cases of abuse of nursing home and assisted living center residents have come to light in recent months. The cases involved the taking of degrading and demeaning photographs and videos of residents by employees of nursing facilities, and sharing the images and videos on social media websites. Photographs of residents in various states of undress, covered in feces, or made to pose in degrading positions have...

Walgreens Improper PHI Dumping Case Closed by OCR After 9 Years
Aug 15

Ten years ago, WTHR 13 conducted an investigation into the improper disposal of sensitive information by pharmacies. The investigation was conducted following a robbery that took place at the home of an Indiana resident. A drug addict targeted the individual knowing that she had pain medication. That information was obtained from a pharmacy dumpster. The investigation involved reporters checking the dumpsters behind a number of...

Former Tampa Hospital Employee Convicted of PHI Theft and Tax Fraud
Aug 9

A former employee of Tampa General Hospital was recently convicted of wrongful disclosure of individually identifiable health information and wire fraud. Shanakia Benton was accused of stealing the protected health information of patients during the time she was employed at Tampa General Hospital. According to court documents, between June 2011 and December 2012, Benton improperly accessed the computer system of Tampa General...

Med Students Violating HIPAA by Tracking Patients on EHRs
Aug 2

Medical students are using hospital electronic health records to track former patients, even though by doing so they are potentially violating the Health Insurance Portability and Accountability Act (HIPAA). While it is known that the practice occurs, little research has been performed to determine the extent to which EHRs are accessed and the exact reasons why patients are tracked. In August 2013, Gregory E. Brisson, MD of...

Third of Hospitals Lack HIPAA-Compliant EHR Contingency Plans
Jul 26

According to a recent report issued by the Department of Health and Human Services’ Office of Inspector General, a third of hospitals do not have HIPAA-compliant EHR contingency plans in place, although most are “largely addressing” HIPAA requirements for EHRs. In September 2014, OIG sent a survey to 400 hospitals that had applied for Medicare EHR incentive payments and asked questions to determine whether HIPAA-compliant EHR...

2.75 Million Dollar HIPAA Settlement Reached with UMMC
Jul 22

Hot on the heels of the $2.7 million HIPAA breach settlement with Oregon Health & Science University comes news of another multi-million-dollar settlement with another university. The Department of Health and Human Services’ Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also...

How Does OCR Deal with HIPAA Complaints?
Jul 21

The Department of Health and Human Services’ Office for Civil Rights (OCR) encourages individuals to file complaints about HIPAA-covered entities, or their business associates, if they feel that their privacy has been violated. Individuals are also able to file complaints if they believe the privacy of other individuals has been violated. Complaints about potential HIPAA violations are investigated by OCR, and while many prove to be...

Oregon Health & Science University to Pay OCR $2.7 Million for 2013 Data Breaches
Jul 14

Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. The privacy breaches occurred shortly after each other in 2013. Within the space of three months, the protected health...

OCR Phase 2 HIPAA Audits: Documentation Requests Issued
Jul 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has now selected covered entities from its pool of eligible organizations and has chosen 167 for a HIPAA compliance audit. Covered entities selected for a compliance audit have now been notified by email. Those organizations now have just 10 days to respond to the emails and submit the requested documentation to the OCR. The audits – which are desk based...

OCR Ransomware Guidance: Ransomware Attacks Are Reportable Breaches
Jul 12

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance on ransomware. A fact sheet on healthcare ransomware attacks has been published along with a 12-page document providing technical guidance for CIOs and CISOs on best practices to adopt to prevent ransomware infections, mitigation strategies to adopt when ransomware is installed on computers or healthcare networks, and detailed information on...

Philadelphia Business Associate Agrees to $650,000 OCR Settlement
Jun 30

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement that was reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS has agreed to settle alleged HIPAA violations with the OCR and has agreed to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS is the sole corporate...
