Deadline for Reporting 2015 Data Breaches
The deadline for reporting 2015 data breaches is fast approaching. Covered entities must submit all 2015 data breach reports to OCR before the end of the month. The final date for submitting reports of security incidents that affected fewer than 500 individuals is February 29, 2016.
Deadline for Reporting 2015 Data Breaches – Monday February 29, 2016
The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows covered entities up to 60 days after the discovery of a large-scale data breach to report the incident to the Department of Health and Human Services’ Office for Civil Rights. A large data breach is defined as one which affects more than 500 individuals. HIPAA also requires all covered organizations to report smaller data breaches, although they are considered lower priority. Small data breaches can be reported at any time during the calendar year in which they are discovered, although the maximum time limit for submission is 60 days from the end of the calendar year in which they were first identified. Since 2016 is a leap year, the deadline...
Lincare Inc to Pay $239,800 CMP for HIPAA Violation
For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge; the motion for summary judgement was granted and the decision to issue civil monetary penalties was sustained.
HIPAA Privacy Rule Violation Uncovered by OCR
Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities, and via medical services delivered in-home. A complaint was filed with OCR about a Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...
OCR Launches New Cyber-Awareness Initiative
The New Year has already seen the Department of Health and Human Services’ Office for Civil Rights issue new guidance for HIPAA-covered entities. That has now been followed up with the launch of a new initiative to improve cyber-awareness of the latest security threats. By increasing awareness of the threats to healthcare data security, it is hoped that many healthcare data breaches can be avoided. As was highlighted by the recent Online Trust Alliance security report, the majority of healthcare data breaches can be easily avoided by implementing basic security principles, such as educating staff members on the latest data security threats. OCR has kicked off the initiative with advice on two growing security threats: ransomware and tech support scams, both of which have increased in prevalence over the past 12 months.
OCR Offers Advice to Assist HIPAA-Covered Entities Avoid Ransomware
Criminal gangs have been using ransomware with increasing regularity. Ransomware is a form of malware that locks computer files with encryption, preventing the user from gaining access to their data....
Prime Healthcare Services Hit with Privacy Breach Lawsuit
Prime Healthcare Services has been hit with a lawsuit for repeatedly violating the privacy of a former patient of the Shasta Regional Medical Center. The lawsuit was filed in the Shasta County Superior Court last month by Medicare patient Darlene Courtois, 64. The plaintiff claims that her confidential medical files were shared with 785 employees of the Shasta Regional Medical Center in 2011 without her authorization. The medical information was allegedly emailed to medical center employees by the CEO of the medical center in what is believed by Courtois to be an attempt to discredit a news story published by California Watch. The story covered the healthcare chain’s “unusual and lucrative billing practices.” Reporters from California Watch investigated the unusually high number of Kwashiorkor cases dealt with by the hospital in 2009 and 2010. Kwashiorkor is a relatively rare form of protein malnutrition. Each year, fewer than 20,000 individuals are diagnosed with the condition in the United States. Kwashiorkor is more commonly associated with areas hit by famine, and is associated...
Hawai‘i Medical Service Association Privacy Breach Affects 10,800
Independent Blue Cross Blue Shield licensee Hawai‘i Medical Service Association (HMSA) has started sending breach notification letters to 10,800 members alerting them to a HIPAA Privacy Rule breach that resulted in one member’s medical condition being disclosed to another HMSA member. The privacy breach was caused by an error made with the mailing of care management letters to members, which resulted in letters being sent to incorrect individuals. The incorrectly routed care management letters contained the name of an HMSA member along with information to help that individual manage a specific health condition, such as asthma, diabetes, or heart and lung disease. According to a substitute breach notice placed on the HMSA website, no financial information, membership ID numbers, Social Security numbers, or other sensitive personal information were included in the letters. Individuals affected by the privacy breach do not therefore face a risk of identity theft as a result of the accidental disclosure of PHI. As well as notifying affected individuals by mail, HMSA is contacting all...



