HIPAA-Altering Cures Bill Passed by House of Representatives
The controversial 21st Century Cures Bill was unanimously passed by the House Energy and Commerce Committee in May, and on Friday July 10, 2015, the U.S House of Representatives passed the Bill with a count of 344 to 77. 21st Century Cures Bill to Remove Obstacles in the Way of Medical Research Medical research and innovation is being hampered by HIPAA, according to proponents of the 21st Century Cures Bill. The new Act aims to remove these and other barriers, to help advance America’s search for new ways to tackle the advance of superbugs, antibiotic-resistant bacteria and the deadly viruses now threatening the health of U.S citizens. The Cures Bill has received some criticism in its short history. Privacy advocates object to the wide range of data that can potentially be shared; information currently under the protection of HIPAA. It is feared that the bill could weaken HIPAA protections if it becomes law. If that happens, HIPAA Rules would certainly need to be changed. HIPAA Changes Necessary as a Result of the Cures Bill At present, the HIPAA Privacy Rule restricts the use and...
Mailing Error Causes Howard University Privacy Breach
Howard Hospital in Washington D.C has announced a mailing error resulted in letters containing patient names, account numbers and the dates of past visits being sent to the wrong recipients. In this instance, only a limited amount of data was exposed. No financial information, insurance details, health data or Social Security numbers were compromised in the incident. The privacy violation was caused by a data error, according to a statement issued by the hospital. Howard Hospital’s Faculty Practice Plan had contracted two companies to – California Healthcare Medical Billing, Inc. and JP Recovery Services, Inc. – to send notification letters to patients advising them that their medical bills had not been paid. The letters were sent to individuals as instructed; however a data error resulted in patients sharing the same surnames being sent letters intended for other recipients. In total 1,445 letters were sent to incorrect individuals. The university has reviewed the incident and will be taking steps to prevent similar privacy breaches occurring in the future. This breach may...
New OCR HIPAA Settlement: St. Elizabeth Medical Center to Pay $218,400 for Violations
Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a HIPAA settlement has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security, and Breach Notification Rules. The settlement for HIPAA violations was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing unencrypted data of 595 patients. The number of records exposed was relatively low compared to some of the recent “mega data breaches”, but the OCR deemed the offenses leading to the security incidents to be serious enough to warrant a financial penalty. This OCR HIPAA settlement shows how important it is to make HIPAA compliance a priority. Data breaches may not always be preventable, but HIPAA violation penalties are. Privacy, Security, and Breach Notification Rule Violations Uncovered The initial HIPAA violation was uncovered in November 2012, when a complaint was received by the OCR alerting it to potential non-compliance...
Los Angeles County Government Has Been Putting Patient PHI at Risk for 7 Years
The Los Angeles County government has failed to safeguard the Protected Health Information (PHI) of state residents for up to seven years, according to a recent audit. Three departmental audits have been conducted since December 2014 and a catalog of data security failures have been uncovered that potentially put PHI in the hands of thieves. Data including Social Security numbers and health information could be accessed by former workers, and the information could already be in the hands of criminals. It is simply not known. Computer equipment has vanished – having been misplaced or stolen – devices were not encrypted, and equipment was simply not tracked. Serious Administrative Failures Lasting up to 7 Years Serious administrative failures in several L.A County government departmenta were discovered by auditors, the most serious being a failure to terminate access to computer systems when employees changed employment. An audit conducted by the Probation Department revealed that 695 former employees still had access to computer systems containing the protected health data of...
Ohio University Hospitals Worker Fired for Improper EHR Access
An Ohio University Hospitals Elyria Medical Center worker has been fired for inappropriately accessing the medical records of patients while employed at the hospital. Alicia Reale, a spokesperson for the hospital, announced yesterday that the medical records of approximately 300 patients had potentially been improperly accessed by an employee of the hospital. The data breach resulted in Protected Health Information (PHI) potentially being viewed and copied. An investigation was triggered when the hospital discovered an employee had accessed the EHR system without a legitimate work purpose for doing so. Reale said “The information that may have been accessed for the impacted patients includes names, dates of birth, medical record numbers, dates of service and diagnostic and treatment information, ” according to a report in the Chronicle-Telegram. Another Case of Hospital Employees Snooping on Medical Records No financial information or Social Security numbers were exposed in the incident, and while the extent of access was determined, Reale said “We did not identify any purpose for...



