New Rules for Electronic HIPAA Transactions Approved by CAQH CORE
Last week, the CAQH® Committee on Operating Rules for Information Exchange (CORE®) approved a new set of national rules for electronic HIPAA transactions, as part of Phase IV of the CAQH® CORE® Operating Rules. The new rules for electronic HIPAA transactions cover four groups of healthcare business transactions – prior authorizations, employee premium payment, enrollment/disenrollment in health plans, and healthcare claims. The aim of the new rules is to facilitate the exchange of healthcare information, as mandated by the Affordable Care Act (ACA). The new rules will augment existing HIPAA administrative standards to ensure uniform transmission of electronic healthcare data. Phase IV of the CAQH® CORE® Operating Rules addresses infrastructure requirements such as connectivity, system availability, and response times. Rules covering the data content of transactions are due to be added to the Operating Rules at a later date. The approval process involves a vote on the new rules by the subgroups and work groups responsible for preparing the draft version of the Operating Rules. If...
Document Scanner Error Exposes PHI of Silverberg Surgical and Medical Group Patients
Silverberg Surgical and Medical Group is alerting patients to the potential exposure of highly sensitive Protected Health Information after an error made in the configuration of a document scanner resulted in patient information being accessible via the internet. The device had been used to scan documents containing personal information such as patient names, dates of birth, contact telephone numbers, home addresses, fax numbers, and e-mail addresses. Some patients’ Social Security numbers were exposed, as were medical record numbers, health plan ID numbers, beneficiary numbers, medical information, full face photographs and state license numbers: A Smorgasbord of data that could potentially be used by criminals to commit medical, insurance and identity fraud. Silverberg discovered the security breach on August 28, 2015, and immediately launched an investigation. That investigation revealed the device had posted data online since September 10, 2013. The company has now secured the device and data and has enlisted the help of a specialist data security firm to conduct a forensic...
Bogus Doctors Behind Horizon Blue Cross Blue Shield of New Jersey Data Breach
A Horizon Blue Cross Blue Shield of New Jersey data breach has been reported following the discovery that criminals posed as doctors in order to gain access to the Protected Health Information of patients. The bogus physicians obtained insurance ID numbers and other sensitive PHI, after being given access rights to Horizon BCBSNJ members’ data. The information was stolen in order for the criminals to file false insurance claims in the names of the victims. Fraudulent activity was first uncovered on July 30, 2015 and approximately 1,100 individuals are understood to have been affected by the security breach. In addition to member ID numbers, the bogus doctors were able to gain access to patient names, gender, and dates of birth. A notice on the Horizon BCBSNJ website confirms that Social Security numbers and financial information were not obtained by the criminals. It is understood that the information was stolen with the sole purpose of making false insurance claims. Patient PHI is not believed to have been used for any other purpose. All affected members of Horizon BCBSNJ...
Car Theft Results in Exposure of PHI of 2900 Individuals
Insurance Data Services (IDS), a Wyoming-based medical billing company, has started to send breach notification letters to patients of one of its HIPAA-covered clients, Claystone Clinical Associates, to advise them of the potential exposure of some of their Protected Health Information (PHI). IDS had contracted a West Michigan based Delivery Service to deliver client mailings; however the vehicle used by the courier company was stolen on September 15. The vehicle theft occurred at Zondervan Publishing in Kentwood, MI. The vehicle theft was reported to law enforcement officers and an investigation into the theft has commenced. Fortunately, the theft was captured by closed-circuit television cameras; however, the recordings revealed a masked and gloved individual entering the vehicle and driving away. Consequently, it has not been possible to identify a suspect at this time. The vehicle has now been found and recovered, but the contents had been taken by the thief. No electronic PHI was exposed; but patient mailings were taken from the vehicle. The information contained in the...
Healthcare Data Breach Report: August 2015
Healthcare Data Breach Report: August 2015 The number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights differs little from July; however the volume of records exposed fell dramatically month on month. In July, over 8,000,000 patient and health plan member records were exposed. August saw ‘only’ 215,556 records exposed. Only one hacking incident was reported in August: The cyberattack on Pediatric Group LLC, which resulted in 10,000 records being exposed. This was a major improvement on last month, which saw 4 hacking incidents discovered. Those four data breaches included major data exposures at Medical Informatics Engineering and UCLA Health, which exposed 3.9 million and 4.5 million records respectively. Main Cause of Data Breaches in August 2015 Was Lost/Stolen Devices August saw eleven reports of lost and stolen PHI containing devices. Each data breach exposed relatively few medical records (Except the Empi Inc / DJO Global data breach that exposed 160,000 records), but all could have been easily prevented had...



