OCR Confirms HIPAA Compliance Audit Surveys Sent
There has been much speculation over the past week since the sending of the letters was first reported, about whether the OCR pre-screening surveys have actually been dispatched. Now the Department of Health and Human Services’ Office for Civil Rights has confirmed – to Fierce Health IT – that its preliminary HIPAA surveys have now been dispatched, marking the start of the 2015 HIPAA compliance audits. In an article in the National Law Review on Monday, McDermott Will & Emery announced that phase 2 of the HIPAA compliance audits was no longer being delayed, after the firm had been notified by some of its clients that an OCR HIPAA audit screening survey had been received. The purpose of the screening surveys is to ensure that all contact and organization information is correct. The OCR auditors can then select the organizations most appropriate for audit. From the responses, the OCR is expected to select 350 covered entities and 50 Business Associates for an audit on the Security Rule, Privacy Rule, Breach Notification Rule or a combination audit comprising 2 or 3 audit modules....
Careless Talk Sees University of Iowa Worker Fired for HIPAA Privacy Violation
A medical assistant at the University of Iowa has had her employment terminated – after 14 years working for student health – after she accidentally disclosed the health status of a patient, with a recent unemployment hearing ruling in favor of the university. The patient in question was the girlfriend of a “well-known athlete” who had visited the hospital to have a pregnancy test performed. Kathryn Trump disclosed the results of the test out loud, with at least one other person hearing her comment about the positive pregnancy test result. In an unemployment hearing, Trump claimed to have said at the time “I said I hope it was a happy situation.” The individual who overheard the comment, only referred to as Beth at the hearing, reportedly spoke to two other members of staff about the matter asking for more information. In addition to Trump’s inadvertent disclosure, she was also alleged to have accessed the patient’s medical records twice more than the hospital deemed was required. As a result of the disclosure and the unauthorized access, Trump’s employment was terminated. On the...
Hospital HIPAA Breaches Go Haywire: 40 CEs Notified of MML Breach
The actions of one employee at billing Business Associate Medical Management LLC has resulted in a HIPAA data breach that has affected 40 different healthcare providers in New York, New Jersey, Pennsylvania and Illinois, with more breach reports and notifications expected to be released in the next few days. The latest hospitals to issue breach notifications come from Bergen County in North Jersey. Three hospitals have been notified by Medical Management that their patients have been affected, with approximately 4,500 victims reported across the three hospitals. Medical Management is sending breach notification letters to all affected individuals and has set up a template which it is using to notify all 40 of its clients of the data breach. As reported on Friday last week, the data breach was caused by a former employee of Medical Management LLC who accessed the billing database, copied protected information and provided that information to a third party. Law enforcement officers became aware of the data breach and notified Medical Management on March 16, 2015. An investigation was...
Unanimous Yes Vote Sees 21st Century Cures Bill March Forward
The 21st Century Cures bill has been unanimously been passed by the House Energy and Commerce Committee today with a vote of 51-0. This is the first major legislative bill to be passed without a single no vote in a very long time. The bill has been some time in the making, with work starting in April of last year. The discussion draft of the bill was released early last week, with the markup version following a week before the vote. During the full committee markup period a number of changes were made to the bill, in particular the inclusion of mandatory funding for the FDA, although the figure of $550 million is much lower than it was seeking. However, since the since the bill has such strong support it looks likely to sail through the full house vote. The popularity of the bill is understandable. The goal is to remove some of the major obstacles that are holding back medical research, and ultimately slowing down the rate at which new cures can be developed, especially for diseases that are currently untreatable. The recent Ebola epidemic highlighted the health dangers currently...
Quantifying the Effect of a Data Breach on Brand Image
The fallout from a healthcare data breach can be considerable. Organizations that have experiences large-scale data breaches, in particular when they have resulted from HIPAA violations, are forced to cover a substantial cost. This may exceed insurance cover or even violate the insurer’s terms and conditions, potentially resulting in no insurance payout. Calculating the Costs of a Data Breach Many of these costs are fairly easy to quantify. For breach notifications it is the cost of first class post, printing and stationary multiplied by the number of individuals affected, while a year or two of credit monitoring services for breach victims is easy to calculate. Other costs are harder to predict – and quantify the financial damage caused – until sometime after a data breach has occurred, and that can be many years. Class action lawsuits may be filed quickly, but they can take a number of years to resolve. Financial penalties from the Department of Health and Human Services’ Office for Civil Rights may be issued, but this will not be known for a number of months. One of...



