HIPAA and ISPP Violations Cited in Aventura Hospital Damages Lawsuit
The Aventura HIPAA breach, identified in June last year, has resulted in a lawsuit being filed by a patient of the hospital, according to a Courthouse News Service report. The lawsuit was filed by Aventura patient, Kellie Lynn Case, in the Miami Federal Court. She is seeking damages from the defendants, Hospital Corporation of America and Envision Healthcare Corporation, after they were provided with confidential patient data and failed to implement the appropriate controls to keep that data safe. The lawsuit alleges that the defendants have violated the HIPAA Security Rule in addition to Industry Standard Protection Protocols. Under HIPAA regulations healthcare providers are not permitted to share confidential patient data without having first obtained consent to do so from the patients. They are also required to produce notices of privacy practices which must detail how the data they hold will be used, to whom it will be disclosed and under what circumstances that will happen. The lawsuit alleges that the defendants used the Notice of Privacy Practices as a means to justify an...
2014 Saw 25% Increase in HIPAA Breaches
Redskin has released its 5th annual report of HIPAA breaches reported to the Secretary of Health & Human Services’ Office of Civil Rights (OCR). According to the report there were 164 PHI breaches reported during 2014 which affected approximately 9 million Americans. The data shows there has been a 25% increase in breaches compared to 2013. Last year’s data breaches – including the CHS breach which exposed the data of 4.5 million patients – brings the number of breach victims since the passing of the HITECH Act to over 40 million, although this figure has now potentially been tripled following the Anthem mega breach reported earlier this month. This year’s breach ranks as one of the all time biggest data breaches ever recorded, eclipsing the previous largest healthcare data breaches by many orders of magnitude. To give a better idea of scale, it exposed almost 6 times the data of the huge Tricare breach in 2011, the Community Health System of 2014 and Advocate Medical Group’s HIPAA breach in 2009, which exposed 4.9 million and 4.5 million and 4,029,530 records respectively....
Hospital Employee Receives 18 Month Jail Term for HIPAA Violations
Accessing the healthcare data of patients without authorization is prohibited under HIPAA legislation, and the disclosure of this information to a third party is a criminal matter. The offense carries a jail term of up to 10 years in addition to a maximum fine of $500,000 if the disclosure is made for personal gain. One of the latest examples of wrongful disclosure of individually identifiable health information comes from the Eastern District of Texas where former Longview resident, Joshua Hippler, 30 has been convicted this offence and sentenced to serve 18 months in jail. Hippler was a former employee of an East Texas hospital where he was alleged to have accessed Protected Health Information with the intention of selling it on for personal gain. Hippler was indicted by a federal grand jury on Mar. 26, 2014 and the case was heard by United States Magistrate Judge John D. Love on August 28, 2014. Hippler pleaded guilty to the offenses that took place at an unnamed East Texas hospital between December 1, 2012 and January 14, 2013. The U.S. Department of Health and Human Services’...
Ponemon Institute Publishes Fifth Annual Study on Medical Identity Theft
Each year the Ponemon Institute conducts an annual survey on victims of medical identity fraud to gain a better understanding of its prevalence and how it impacts on the lives of those affected. The organization has now completed and published the Fifth Annual Study on Medical Identity Theft which indicates that medical Identity theft has increased by 21.7 percent since 2013. Medical identity theft is classed as the use of personal information, Social Security numbers and other confidential data to fraudulently obtain products – such as drugs, prescriptions and medical devices – or medical services. It also includes the use of this information to make fraudulent insurance and billing claims. In the case of credit card fraud, the opportunity for thieves to use stolen information is limited. The theft of credit card numbers is identified very quickly and the cards can be blocked. Credit card limits prevent major losses and victims are covered by insurance and can make claims relatively easily. Victims of medical identity fraud often do not find out about the theft until many months...
How to Prepare for a HIPAA Compliance Audit
In 2011 the Department of Health and Human Services’ Office for Civil Rights developed an HIPAA compliance audit program to assess the state of healthcare compliance. The pilot audits, which started in 2011 and were completed in 2012, uncovered numerous violations of HIPAA Privacy, Security, and Breach Notification Rules. Only 11% of audited entities passed the audits with no observations or violations, while more than 60 percent of the audits uncovered security standard violations. The OCR was lenient on offenders and did not issue major fines for non-compliance issues, instead, action plans were developed to help the audited organizations implement the necessary safeguards to protect healthcare data. The OCR is not expected to be as lenient during the second phase of the audit program, which is due to commence later this year. The second phase is likely to see organizations fined for HIPAA violations in line with the new penalty structure introduced with the Omnibus Rule of 2013. Phase 2 of the OCR Compliance Audit Program One of the aims of the pilot round of audits was to...



