Breach Penalty Highlights Easily Overlooked HIPAA Security Issues
The Department of Health and Human Services’ Office for Civil Rights has recently issued a large fine to Idaho State University for the accidental disclosure of electronic Protected Health Information stored on one of its servers. Unbeknown to the University, a server holding data on one of its HIPAA-covered clinics accidentally had the firewall disabled causing a 10-month data security breach. The OCR investigation highlighted three main areas of non-compliance: A HIPAA Risk Analysis had clearly not been conducted, as if that had been the case, the deactivated server would have been identified. There was no risk management process in place which also could have identified the problem and thirdly, an Information System Activity Review had not been conducted. The HIPAA Security Rule demands all three of these procedures be made policy at a healthcare organization in order to be HIPAA-compliant. It was clear that ISU had, albeit unwittingly, violated HIPAA regulations without the OCR having to perform a full compliance assessment. HIPAA compliance is an ongoing process “Risk...
Idaho State University Ordered to Pay $400K Settlement for HIPAA Breach
Violating HIPAA regulations can incur harsh penalties, as discovered by Idaho State University this month. The institution has recently been forced to settle with the Department of Health and Human Services’ Office of Civil Rights for alleged violations of the HIPAA Privacy Rule. Fines were issued for HIPAA non-compliance issues relating to network security; inadequacies which exposed sensitive patient health information to third parties. ISU had implemented the required control measures to prevent health data from being accessible by unauthorized personnel, although it failed to perform checks to ensure that the security measures it had implemented had remained in place. The security breach occurred when the Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing medical health records of 17,500 its patients. The firewall was inactive for a period of 10 months leaving the data exposed and potentially accessible to unauthorized third parties for an unacceptable period of time. According to the HHS, ISU operates 29 outpatient clinics and is...
Using Windows XP will be a HIPAA Violation
Microsoft Windows XP was one of the most liked and most used software platforms released by the Software giant. The platform became the standard operating system in use around the world and it was installed on the majority of PC’s and laptops in the healthcare industry. Microsoft sold millions of copies of its software, yet when Vista and subsequent products were released, many healthcare organizations did not upgrade. Programs had been written to be compatible with Windows XP, issues would arise with hardware and the sheer cost of upgrading software and buying new licenses for all laptops and PCs in use in an organization was deemed by many to be a cost to be put off indefinitely. Unfortunately the time has now come when the decision to upgrade computer operating system can be put off no longer, as Microsoft is finally pulling the plug on Windows XP. It will stop writing software patches and issuing security updates in less than 12 months. Microsoft stopped selling Windows XP five years ago and it has been allowed to fade away; however, while Microsoft is willing to let that...
Hearing Clarifies Rules on Disclose of PHI under HIPAA
One of the main aims of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – and its five subsequent rule amendments – was to create a national standard to protect medical records and other Personal Health Information and keep the data private and confidential. The HIPAA Privacy Rule, one of the five amendments to the original legislation, was introduced specifically to address electronic PHI and ensure that healthcare organizations implemented the necessary technical, administrative and physical safeguards to maintain data security. All entities covered by HIPAA were required to comply with this rule by 2003, and since the rule came into effect, the OCR has been policing healthcare organizations and ensuring that the new rules are adhered to. The Privacy Rule defines and limits the circumstances under which an individual’s protected heath information may be used or disclosed by covered entities. Although the introduced rules have tried to simplify HIPAA policies and help healthcare organizations to put them into action, there are circumstances under...
Lawsuit Alleges IRS Violated HIPAA with Seizure of 60M Patient Medical Records
A class action lawsuit alleges the IRS violated HIPAA regulations when agents seized 60 million private and confidential health records relating to 10 million American individuals. The case is being filed by a healthcare provider – that wishes to remain anonymous – against the IRS and fifteen of its agents who were not named. The case is being filed with the complainant alleging the IRS breached HIPAA regulations and illegally seized 60 million personal medical records when the warrant allowed only access the financial data of one individual. The incident occurred on March 11, 2011 when the IRS gained a search warrant to access specific records relating to one individual who had previously worked for the company filing the suit. The IRS agents allegedly seized the data which included financial and medical records and made no attempt to abide by HIPAA regulations and only take the data relating to their investigation. Unrelated medical records of 10 million patients were included with the record they wanted to access. The data contains highly sensitive medical information such as...



