OCR Issues New Guidance on Patient Data Access
Healthcare providers should be aware that patients are permitted access to their medical records under HIPAA rules; however, not all patients are aware of their legal rights. Not only are patient data access rights under HIPAA poorly understood; many patients who have attempted to access their medical records have also faced problems. There is a misconception that HIPAA – specifically the HIPAA Privacy Rule – prevents healthcare providers from disclosing medical records. While it is true that the Privacy Rule restricts the disclosure of Protected Health Information (PHI) to individuals who are not authorized to view it, HIPAA requires covered entities to give patients access to their own records. In fact, any healthcare provider who fails to allow patients to access their medical records could be fined.
OCR Issues Guidance on Patient Data Access Rights Under HIPAA
The Department of Health and Human Services’ Office for Civil Rights has started the year with the launch of a brand new website interface, and has now followed up on previous promises by issuing new guidance on HIPAA. This is the first in...
Healthcare Worker Asks for ‘Massive Break’ after Stealing Half a Million Dollars
Markitta Washington, a resident of Farmington Hills, MI., is just like many Americans. She has been working two jobs in order to make ends meet. However, unlike most Americans, she also drives an expensive Cadillac, made possible by stealing the Social Security numbers and personal information of hospital patients and filing fraudulent tax returns in their names. Washington added close to $500,000 to her salary with this “third job”. She recently admitted the theft and fraud, and has asked the judge to give her a “massive break” and suspend her jail sentence for 5 years. Washington worked two hospital jobs, taking a position at both Henry Ford Hospital in West Bloomfield and Harper Hospital in Detroit. In addition to taking home a pay check from each, she also took home patients’ Social Security numbers and personal information. At her trial, Washington admitted to stealing the data of 14 patients and using that information to file false tax returns in their names. Washington and her husband, who was also part of the scam, sent in fraudulent tax returns...
New Oregon Breach Notification Law Comes Into Effect
Organizations doing business in the state of Oregon must now comply with a new data breach law that came into effect on January 1, 2016. If a data breach is suffered that exposes the personal information of more than 250 state residents, a breach notice must be submitted to the Oregon Attorney General. On June 10 last year, Oregon Governor Kate Brown signed the new law (Oregon Revised Statutes 646A.604) updating the Oregon Consumer Identity Theft Protection Act of 2007. The amendment expanded the definition of “personal information” to include biometric data such as retinal or iris images and fingerprints, as well as medical and health insurance information. Other data classed as personal information include Social Security numbers, government ID numbers, driver’s license numbers and financial information, including a credit or debit card number in combination with any required security code, access code or password. The exposure of any of those data elements along with a person’s full name, or last name and first initial, requires a breach notice to be issued. Oregon is one of a few states...
NSF Grant Funds Development of Mobile Cloud Dietary Assessment Tool
Many mHealth apps lack sufficient controls to keep patient data secure. In late 2014, a Trustworthy Health and Wellness (THaW) project funded by the National Science Foundation (NSF) determined that 63% of a test sample of 22 popular mHealth apps were not encrypting data, potentially placing that data at risk of theft. Furthermore, 81% of the mHealth apps were using third-party storage or hosting services. The benefits of mHealth apps for patients and healthcare providers are considerable. Unfortunately, healthcare providers wishing to use mHealth apps are constrained by HIPAA, which requires that electronic PHI be safeguarded wherever it is stored or transmitted. Unless developers of mHealth apps encrypt stored and transmitted data to a nationally accepted standard, or implement other controls to keep data secure, use of the apps by the healthcare industry will be limited.
Secure Mobile Cloud Dietary Assessment Tool Under Development
University of Massachusetts Medical School and UMass Lowell have recently embarked on a new National Science Foundation grant-funded project to test a new mHealth infrastructure that will allow patient data to be collected...
Henry Schein Gets 20-Year Consent Order and $250K FTC Fine for False Advertising of Data Encryption
The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304). Covered entities must ensure that the strength of the encryption software is appropriate. Not all encryption software protects data to the same degree. In fact, some products marketed as encryption are better described as data camouflage: the stored data looks scrambled, but meaning can be recovered without any secret key. The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that conforms to a nationally recognized standard such as the Advanced Encryption Standard (AES), recommended by the National Institute of Standards and Technology (NIST). Henry Schein Practice Solutions, Inc., a vendor of software solutions for dental practices, chose a different scheme for its Dentrix G5 software. The software allows dentists to enter and store patient data, process claims and payments, and send appointment reminders. Dentists are covered under HIPAA and must...
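The distinction the Security Rule draws, between scrambling that hides nothing from someone who knows the layout of the data and encryption that depends on a confidential key, is easier to see with a worked example. The following Python is an added illustration and is not code from the page, from Henry Schein, or from the Dentrix product; the "camouflage" scheme and its key are hypothetical, and the patient records are constructed fake data. It shows a known-plaintext attack (every record starts with the same header) recovering the fixed key of a repeating-XOR "camouflage" and decrypting every record, while the same trick against a keyed per-record stream yields only noise. HMAC-SHA256 in counter mode stands in for AES here only because Python's standard library has no AES; in production use AES-GCM from a vetted library.

```python
import hashlib
import hmac
import os

# Constructed sample records (fictional data, for this example only).
# Every record starts with the same 9-byte header, which is what a
# known-plaintext attacker relies on.
RECORDS = [
    b"PATIENT: Jane Doe   SSN: 000-00-0001 DOB: 1970-01-01",
    b"PATIENT: John Roe   SSN: 000-00-0002 DOB: 1982-06-15",
    b"PATIENT: Pat Smith  SSN: 000-00-0003 DOB: 1995-11-30",
]
KNOWN_HEADER = b"PATIENT: "


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))


# --- Hypothetical "data camouflage": XOR against one short, fixed key. ---
# The output looks scrambled, but the same key stream is reused for every
# record, so meaning can be assigned without ever being given the key.
CAMO_KEY = b"dentalXY"  # hypothetical 8-byte product key, not any real vendor's


def camouflage(record: bytes, key: bytes = CAMO_KEY) -> bytes:
    stream = (key * (len(record) // len(key) + 1))[: len(record)]
    return xor_bytes(record, stream)


def break_camouflage(blobs, key_len: int = len(CAMO_KEY)):
    """Known-plaintext attack: XOR the first key_len bytes of one blob with
    the header every record is known to carry. That recovers the entire fixed
    key, which then decrypts every other record in the store."""
    recovered_key = xor_bytes(blobs[0][:key_len], KNOWN_HEADER[:key_len])
    return [camouflage(b, recovered_key) for b in blobs]


# --- Keyed encryption: a random per-record nonce and a keyed PRF stream. ---
# HMAC-SHA256 in counter mode stands in for AES only because the standard
# library has no AES; in production use AES-GCM from a vetted library.
NONCE_LEN = 16


def prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(record: bytes, key: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_bytes(record, prf_stream(key, nonce, len(record)))


def decrypt(blob: bytes, key: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(body, prf_stream(key, nonce, len(body)))


def attack_encrypted(blobs):
    """The same known-plaintext trick against the keyed scheme: the bytes
    recovered from record 0 are that record's key stream only. Applied to
    record 1 they produce noise, because record 1 has a different nonce and
    therefore a different stream."""
    stream0 = xor_bytes(blobs[0][NONCE_LEN:NONCE_LEN + len(KNOWN_HEADER)], KNOWN_HEADER)
    return xor_bytes(blobs[1][NONCE_LEN:NONCE_LEN + len(KNOWN_HEADER)], stream0)


if __name__ == "__main__":
    camo_blobs = [camouflage(r) for r in RECORDS]
    print(break_camouflage(camo_blobs))  # all three records, no key needed

    key = os.urandom(32)
    enc_blobs = [encrypt(r, key) for r in RECORDS]
    print(decrypt(enc_blobs[2], key) == RECORDS[2])  # True
    print(attack_encrypted(enc_blobs))  # 9 bytes of noise, not b"PATIENT: "
```

The keyed scheme above provides confidentiality only; it has no integrity tag, so a practitioner assessing a product would also ask for authenticated encryption and for where the key lives (a key stored next to the data in a fixed location is, in practice, the camouflage case again).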