American Hospital Association Opposes HIPAA HPID Use
Earlier this week, the Vice President and Deputy Director of the American Hospital Association (AHA) sent a letter to the Centers for Medicare & Medicaid Services (CMMS) expressing concern over the implementation of Health Plan Identification numbers (HPIDs) and Other Entity Identifiers (OEIDs). HPID Use and HIPAA When HIPAA was introduced, it required national identification numbers to be used by healthcare providers, health plans and individuals. A national ID number was introduced in 2004, although the IDs were only for providers, not individuals. In September 2012, the HPID proposed rule was published, although it took until November 2014 before the rule was finalized. HPIDs and OEIDs will now be required to be used for HIPAA transactions from Nov 7, 2016. It is not a requirement for health plans to be identified in HIPAA transactions, but if they are, from Nov 7, next year a HPID must be used. AHA States Opposition to HPID Use in HIPAA Transactions The letter, sent from Ashley Thompson to Andy Slavitt, the acting administrator for CMMS, stated the AHAs opposition to...
New HIPAA Compliance Tool Released for Small Dental Practices
Achieving compliance with HIPAA Privacy and Security Rules can be a challenge for all organizations, regardless of size; however, smaller healthcare providers tend to have more problems. Budgets tend to be more restrictive, and a lack of suitable staff means slow progress is made. This was clear from the results of the pilot round of HHS HIPAA compliance audits. Regulatory bodies such as the Department of Health and Human Services’ Office for Civil Rights (OCR), State Comptrollers, and Attorneys General, investigate data breaches for HIPAA violations, and periodic audits are conducted to assess compliance. The next round of OCR HIPAA compliance audits will assess how well organizations have implemented the requirements laid down in the Privacy Rule, Security Rule and Breach Notification Rule. Healthcare organizations, health plans, healthcare clearinghouses – and Business Associates of the above – will have their compliance efforts put to the test. The audits will be conducted on large healthcare providers, multiple hospital systems, the nation’s largest health...
Class Action Filed Against UCLA for 4.5 Million-Record Data Breach
It has been less than a week since the announcement that the patient database at UCLA Health Systems was hacked, and already a class action lawsuit has been filed by one patient, Michael Allen of Casper, Wyoming, on behalf of “several million individuals”. Allen, represented by Kevin Mahoney of Long Beach, claims UCLA Health Systems’ failure to encrypt data constitutes unlawful business practices, breach of contract, unjust enrichment and negligence. He is seeking class certification and as of yet unspecified damages for fraud, violation of medical confidentiality, an invasion of privacy and the costs of filing the lawsuit. UCLA hospitals and the University of California Board of Regents were named in the lawsuit which was filed on Monday of this week. The breach was announced on July 17, barely one business day before the lawsuit was filed. In the lawsuit, Allen claims the lack of data protection, specifically the lack of data encryption, amounted to negligence. “Due to defendants’ failure to take the basic steps of encrypting patients’ data, it was much easier...
Pharmacy Technician Suspended over 100-Patient Data Theft
A pharmacy technician who worked at CVS in San Diego has recently had her pharmacy technician’s license suspended (under Business and Professions Code 494) by the California State Board of Pharmacy after she was discovered to have accessed and stolen the Protected Health Information of around 100 patients. Nicole Yvonne Flores was employed at the San Diego’s Imperial Beach branch of CVS Pharmacy, where she had held the position since 2008, until 2015 when the data theft was discovered and she lost her job. The theft was discovered by the Secret Service, which conducted a raid on the apartment of Flores early last month. The Secret Service discovered a number of patient records in her apartment, and notified CVS of the potential theft of data. Flores was interviewed about by CVS management on June 10, 2015. During the interview Flores admitted that she had copied and removed patient records between May, 2013 and November, 2014, as well as during a three month period between February and April, 2015. The records were obtained when patients came to the drop off counter. Flores would...
Mailing Error Exposes PHI of Integral Health Plan Members
On July 6, 2015, Integral Quality Care (IQC) sent breach notification letters to some of its Integral Health Plan (IHP) members advising them of a data breach that exposed a limited amount of Protected Health Information (PHI). Patients’ names, dates of birth, Florida Medicaid ID numbers, diagnosis codes and payment information were exposed, although no addresses, Social Security numbers, credit card numbers or financial information were compromised in the incident. PHI Emailed to Incorrect Recipients In the breach notice, IQC informed patients that their data was accidentally emailed to the wrong doctors by a Business Associate, Independent Living Systems, LLC. The notice does not state how many individuals were affected by the data breach, although patients were told less than 10% of health plan members had their data compromised. The error has been attributed to a “processing mistake” which resulted in patient data being emailed to incorrect individuals who were authorized to view PHI, but not the patient data they were sent. The data breach occurred on May 11, 2015,...



