Second Round HIPAA Compliance Audits Delayed Again
The Office for Civil Rights is due to commence the second round of HIPAA compliance audits this year, although news has emerged that the audits are to be delayed once more to give the department time to finalized the audit protocol. The second round audits were originally scheduled to take place in the fall of last year, but were delayed to give the OCR time to implement a new web portal for reporting data breaches. This measure was essential due to the huge administrative burden that healthcare audits place on the OCR. The new web portal was intended to streamline data collection and ease pressure on the department, which has been struggling with a lack of resources and staff. OCR Information Privacy Senior Advisor, Linda Sanches, said at the HIMSS Privacy and Security Forum that she was “Happy because the process that we were going to use before was much more labor intensive in term of analyzing data.” The pilot round of HIPAA compliance audits commenced in 2011 and was completed in 2012. The results of the survey indicated that healthcare organizations in particular were failing...
Amedisys Discovers Data Encryption Alone May Not Prevent A HIPAA PHI Breach
The Baton Rouge based home health and hospice provider, Amedisys Inc., has issued approximately 6,900 breach notification letters to patients alerting them to a potential disclosure of their Protected Health Information. While most data breaches involving electronic Protected Health Information arise as a result of a failure to implement data encryption, this latest HIPAA breach occurred in spite of 256-bit data encryption being employed. The data breach was discovered during an audit of IT equipment revealed that 142 desktop computers and laptops were missing. The company ascertained that the missing computers had been issued to members of staff, but had not been recalled when the individuals’ employment came to an end. While the data was encrypted, since the security keys fort the devices remained active, the protection put in place to protect PHI was rendered useless. The PHI stored on the computer hardware included Social Security numbers together with patient names, addresses, dates of birth, insurance ID number, medical records and other unspecified personally identifiable...
HIPAA and Wiretap Act Could Prevent Installation of Nursing Home Cameras
According to a recent CBS Local report, an Illinois House committee will be meeting next week to discuss the privacy issues raised by the installation of web-based video cameras in nursing home residents’ bedrooms and how HIPAA Rules and the Wiretap Act regulations can be adhered to. The installation of video cameras in nursing homes has been proposed following numerous allegations of neglect and abuse in nursing homes throughout the United States. Nursing home employees are also accused of the financial exploitation of residents and each year many reported cases result in legal action. However, proving abuse and neglect in a court of law can be difficult, especially when the victim suffers from dementia or Alzheimer’s. Action Being Taken to Protect Nursing Home Patients Efforts have been made in both Illinois and Missouri to allow the installation of video cameras in nursing homes to monitor for abuse and to deter staff from abusing residents. When abuse occurs, evidence will be recorded on the cameras or footage can be monitored remotely. The problem is that video cameras record...
HIPAA Compliance and the Cloud
The cloud offers many advantages to healthcare providers and other covered entities. It is possible to use cloud services and remain HIPAA compliant; however, it can be a long and arduous process to obtain all the necessary documentation to confirm that is the case, and if you can’t, you could end up violating HIPAA Regulations. The cloud is convenient and flexible. Covered entities (CEs) can use private and secure cloud services which allow a great deal of customization and there are now a wide range of companies offering cloud based services to the healthcare industry; an industry that has traditionally lagged behind others when it comes to adopting new IT technology. However, any CE using the cloud must exercise extreme caution, especially when it comes to moving data to and it. This is an area well covered by HIPAA regulations. Many healthcare providers have ventured into the cloud already and have implemented their own measures to ensure that PHI is secured. Today, a number of providers of cloud services are taking care of this aspect of the business and are offering “HIPAA...
HIPAA Breach Report: December 2014
December 2014 HIPAA Breach Summary: The Breach Notification Rule of HIPAA places a requirement on covered entities and their Business Associates, to notify the Office for Civil Rights of the Department of Health and Human Services of data breaches affecting more than 500 individuals. The time limit for doing so is 60 days from discovery of the breach. This report contains a summary of the breaches reported to the OCR during the month of December, 2014. Major HIPAA Breaches in December 2014 December saw a major fall in the number of reported breaches with just 9 incidents reported for the month. The massive data breach at Sony Pictures dominated the newspaper headlines, and while huge volumes of highly sensitive data were obtained by hackers, the majority of this information was not covered by HIPAA. However, 30,000 records relating to the Sony Pictures Entertainment Health and Welfare Benefits Plan was present in the data stolen by the cybercriminals. Walgreen Co. (IL) reported another data breach involving paper records. In this incident, of which scant details were released, up...



