Data Encryption Advisable but not Mandatory Under HIPAA
Healthcare organizations must take steps to prevent confidential patient health data from being viewed, accessed or used by unauthorized individuals, although current HIPAA regulations do not require healthcare organizations – or their business associates – to encrypt PHI data. However, according to the Director of the Office for Civil Rights, Leon Rodriguez, it is strongly advisable. The HIPAA data breach rule requires healthcare organizations to report any loss of laptop or mobile device containing patient data as a HIPAA breach since the introduction of the HITECH Act (2009); however the loss is not reportable if the data on the device has been encrypted (provided the data encryption is in accordance with the guidance issued by the National Institute of Standards and Technology). According to Rodriguez, in all cases of laptop or computer theft reported to date, financial penalties would have been avoided if the data contained on the lost/stolen devices had been encrypted. Following a data breach, HIPAA covered entities are required to notify all individuals affected by the...
HIPAA Omnibus Rule Final Release Issued
The HIPAA Omnibus Rule (Health Insurance Portability and Accountability Act of 1996 Omnibus Rule) was drafted in July 2010; however the final release has been delayed until this month in order to address some of the concerns raised by stakeholders about the latest HIPAA amendment. The final rule has been held by the Office of Management and Budget since March last year although the final release has now been issued. All HIPAA-covered entities – and their business associates – must read the new rule and make changes to existing policies and procedures and factor in the new amendments. Healthcare organizations have 180 days in order to effect the changes as the Final Rule will not be enforced until Sept 22, 2013. The new rule has been issued to bring HIPAA in line with HITECH, and was introduced by the U.S. Department of Health and Human Services’ Office of Civil Rights to cover the use of Health Information Technology (HIT) and ensure that patient health information is properly protected. The final rule represents a major change to the legislation and is the most extensive...
Penalties for Data Breaches Increased Under HIPAA Omnibus Rule
Financial penalties for healthcare organizations found in violation of HIPAA regulations are to be increased substantially as part of the HIPAA Omnibus Rule, which will also be applied to business associates and their subcontractors. The original fine structure was established by the American Recovery and Reinvestment Act of 2009 (ARRA), although no further increases have been made in the following four years. The new tiered financial penalties have been introduced in line with the Health Information Technology for Economic and Clinical Health Act (HITECH) and increase the maximum penalties for each non-compliance offense, in addition to increasing the maximum penalty for repeat violations. Healthcare organizations committing a one-time violation will still receive a maximum penalty of $50,000; however, repeat violations can now see fines of up to $1.5 million issued, with the maximum penalty now applying to all HIPAA violation categories. While willful neglect carries a $50,000 penalty for each violation, a lack of knowledge of HIPAA and its subsequent amendments is not a...
Stolen Laptop Exposes 57K Patients Records in HIPAA Security Breach
Healthcare organizations can take the necessary measures to protect their computer networks from targeted attacks by hackers; however one of the biggest risks to data security comes from mobile devices such as laptop computers, Smartphones and portable storage devices such as external hard drives and memory sticks. Laptops and other mobile devices have become as essential in the healthcare industry as they have become to modern life. Physicians and healthcare professionals can improve the service provided to patients and they allow doctors access to full patient medical histories, where ever the doctor needs to perform the consultation. As useful as they are, great care must be taken to keep the devices secure. Data encryption is the obvious solution along with training the staff on HIPAA regulations and the importance of securing the contained on the portable electronic devices. Failure to secure PHI data is a HIPAA violation and thefts of laptops containing unencrypted data is reportable to the Office of Civil Rights and is likely to result in substantial financial penalties...
Omnicell HIPAA Breach More Extensive than First Feared
The theft of an electronic device from an Omnicell employee’s car was announced on 21st December by the University of Michigan Health System (UMHS) to have caused a HIPAA breach affecting 4000 patients of three of its hospitals. Omnicell has now revealed that the breach also affected approximately 56,000 patients at Sentara Health and the records of 8,500 patients of South Jersey Healthcare were also stored on the stolen device. Sentara Healthcare data related to patients who had visited one of its outpatients clinics or hospitals, although it has now been confirmed that the data is limited to patients of the Sentara CarePlex, Sentara Leigh Hospital, Sentara Norfolk General Hospital, Sentara Obici Hospital, Sentara Princess Anne Hospital, Sentara Virginia Beach General Hospital, Sentara Williamsburg Regional Medical Center, Sentara BelleHarbour, Sentara Independence and Sentara Port Warwick. The records on the device related to visits between Oct 18 and Nov 9, 2012. Sentara Healthcare issued breach notifications to all affected patients advising them that their clinical and...



