Permitted Uses and Disclosures of PHI Clarified by OCR
The Office for Civil Rights welcomes feedback from HIPAA-covered entities about aspects of HIPAA that are unclear or need further clarification. Some of the questions asked via the OCR website indicate some covered entities are struggling to understand the Health Insurance Portability and Accountability Act Rules covering the sharing of Protected Health Information (PHI). HIPAA permits the disclosure of PHI for healthcare operations and the provision of treatment. Health information can be used to help patients receive medical care, as well as for the evaluation of care provided to patients. It is necessary to use PHI to coordinate care between different healthcare providers, and PHI is needed for billing purposes. Patients must also be allowed access to their health information so they can take a more active role in their own healthcare. HIPAA allows patient health information to be shared for all of these reasons provided PHI is secured at all times. However, a number of restrictions apply. Even though the HIPAA Privacy and Security Rules have been in effect for many years, and...
Valley Hope Association Notifies Patients of Unencrypted Laptop Theft
Valley Hope Association, a Kansas-based provider of drug and alcohol treatment services, has started notifying patients about the theft of an unencrypted laptop computer which resulted in the exposure of patients’ protected health information. The laptop computer was stolen from an employee’s vehicle on December 30, 2015. The highly sensitive data stored on the laptop include full names of patients along with some of the following data elements: Home addresses, phone numbers, Social Security numbers, driver’s license numbers, health insurance information, financial information, state identification numbers, medical record numbers, patient record numbers, disability codes, details of medication, clinical data, medical diagnoses, treatment location, types of treatment received, referring physician names, and usernames and passwords. The device was being used to store the protected health information of patients, but those data were not encrypted. The laptop was protected with a password, so there is a possibility that the data have not been viewed. However, since passwords can be...
OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule
The risk of cyberattacks faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure. However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist and cybercriminals have taken advantage. Targeted attacks on covered entities have led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry. More than one in three Americans had their confidential medical data exposed or stolen in 2015. Over 113 million healthcare records were obtained by unauthorized individuals. Over the past 3 years, more than 40% of data breaches have affected the healthcare industry. USAToday reports that 91% of healthcare organizations have experienced a breach of electronic protected health information. Addressing Security Gaps and Improving Cybersecurity Posture In 2014, the Framework for Improving...
New Research Reveals the Hidden Costs of Pagers for Healthcare Organizations
New research has revealed that the “soft costs” of pagers in healthcare organizations could mean that hospitals are overpaying to maintain legacy paging services. The study – sponsored by TigerText – was conducted by HIMSS Analytics and concerned pager use in more than 200 hospitals throughout the U.S. The majority of the survey’s participants had a direct role in the selection, purchase or management of pagers, and the study was supported by interview-based research with senior executives at the largest participating hospitals. The report resulting from the study, “The Hidden Cost of Pagers in Healthcare”, revealed that 90% of the surveyed organizations still use pagers and on average spend around $180,000 per year, with the average paging service costing $9.19 per month per device, compared to TigerText’s own research showing the cost of their secure messaging alternative to be less than $5 per month per user. Commenting on the conclusion of the survey, Bryan Fiekers – Director of the Advisory Services Group for HIMSS Analytics – said: “This...
York Hospital Announces Employee Data Theft Incident
The recent spate of attacks on healthcare providers continues with yet another healthcare provider announcing a cyberattack that has resulted in healthcare employee data being stolen. Few details of the attack on York Hospital in Maine have been released, although the latest incident has all the hallmarks of two other data breaches that were reported by healthcare providers in the past two weeks. York Hospital’s Director of Marketing, Jody Merrill, issued a statement saying, “York Hospital was victimized by cyber criminals who fraudulently stole personal identifying information of York Hospital employees.” The exact details of the incident have not been provided to the press. CEO Jud Knox took the decision not to comment on the attack at this stage until further information is known. The theft occurred on Monday this week, Merrill’s statement was issued on Wednesday, and the matter has been reported to the FBI. What is known is that the stolen data include the type of information commonly found on W2 forms. The theft involved the same data types as were emailed to scammers by an...



