Highmark Subsidiary Visionworks Hit by 75K HIPAA Breach
The Pennsylvania-based health Insurance company, Highmark Inc., has announced today that one of its subsidiaries, Visionworks, has lost a computer server containing the medical records of approximately 75,000 patients. The medical data stored on the server included details of patients’ visits to Visionworks optometrists, their lens prescriptions and names and addresses. The HIPAA breach is understood to have potentially exposed the data of patients who had previously visited its Jennifer Square, Annapolis, MD store. No patients of its other 650 nationwide vision care centers are believed to have been affected. All affected individuals are in the process of being notified of the data breach by post in accordance with the breach notification rules laid down in the Health Insurance Portability and Accountability Act and are being offered a year of free credit monitoring services through Equifax. The breach letter informs patients that the incident exposing patient data was actually part of the company´s efforts to improve privacy and security. A server was scheduled to be replaced as...
OCR Issues Guidance on HIPAA in Emergencies
The outbreak of Ebola has raised numerous issues of personal privacy and the information that should be disclosed in situations when there is a public health concern. Under HIPAA regulations, protected health information such as the diagnosis of a disease should remain private, and the disclosure of this information with the name of the patient can be a potential HIPAA violation. The issue of sharing private information in an emergency situation is not addressed in the HIPAA privacy rule, although the Privacy Rule does cover what information can be shared. In cases where the sharing of patient information can aid the treatment of the patient or other patients, medical information can be disclosed without authorization. The OCR explained that “Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.” If an entity is covered by HIPAA it is permitted to submit medical information about a patient to public health authorities in cases...
Connecticut Supreme Court to Allow HIPAA Negligence Claim
A recent ruling by the Connecticut Supreme Court could potentially pave the way for a wave of lawsuits from victims of theft and fraud who have had their protected health information disclosed and have suffered losses or harm as a result. The case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology, was heard by the court after a patient’s medical records were provided to a third party when explicit instructions were provided to the contrary. While this is just one individual case, legal experts are now considering how this ruling will apply to data breaches involving millions of potential victims. HIPAA violations are investigated by the Office for Civil Rights of the Department of Health and Human Services and financial penalties are issued to organizations that breach regulations. HIPAA makes no provision for the private right of action to sue for loss and damage caused by non-compliance issues or data breaches, although a small number of cases have been heard by the courts where HIPAA has been allowed as the Standard of Care in negligence claims. It was not possible...
Connecticut Court Allows Claim for a Breach of HIPAA to Proceed
The Connecticut Supreme Court has ruled that a plaintiff can proceed with a claim for a breach of HIPAA after her private health details were released without her consent. Emily Byrne brought her claim for a breach of HIPAA after advising her doctor at the Avery Center for Obstetrics and Gynecology in Westport not to provide her protected health information to the father of the child to whom she was pregnant as their relationship had broken up – Andro Mendoza. However, after Mendoza had obtained a subpoena to support a paternity suit, the health center released Emily´s protected health information without telling Emily or fighting the subpoena in court. Emily´s former partner then used the information to launch “a campaign of harm, ridicule, embarrassment and extortion”. Emily took her claim for a breach of HIPAA to the Appellate Court – claiming that the Avery Center had been negligent in releasing her protected health information to Mendoza. The court decided that HIPAA preempted the negligence suit which meant that the health center could admit to a breach of HIPAA...
Healthcare Professionals Violate HIPAA with Personal Phones
There is a worrying practice taking place in healthcare centers across the country: The use of personal mobile phones for communicating with care teams and sending patient data. The practice is a clear HIPAA violation, yet text messages, attachments and even photographs and test results are being shared over insecure networks without data encryption, albeit with individuals permitted to view the data. Even if the recipient of the message or communication is authorized to have access to that information, sending of PHI over an insecure network without the protection of a firewall is a clear security risk. If messages are sent via the hospital’s password-protected WI-Fi network this may be permitted under the HIPAA Security Rule; the sending of text messages via an AT&T network for example, is not. The Department of Health and Human Services enforces HIPAA compliance via the OCR, which is issuing financial penalties for HIPAA violations and taking a particular interest in the use of mobile technologies and communication of PHI in healthcare centers and between healthcare...



