441-Patient HIPAA Breach Results in 50K Penalty
Under Health Insurance Portability and Accountability Act (HIPAA) regulations, healthcare organizations are required to report data breaches involving more than 500 individuals to the Office of Civil Rights and financial penalties apply for HIPAA violations; however security breaches involving fewer individuals can still result in fines being issued. In 2010, a laptop computer was stolen from a community non-profit hospice in Hayden, North Idaho. The laptop contained the PHI of 441 patients including Social Security numbers, medical test results, diagnoses, medications issued and other protected patient information. The laptop was issued to a nurse from the he Hospice of North Idaho who took the device home with her at the weekend and left it in her car where it was subsequently stolen. When data breaches involve more than 500 patients the incident must be reported to the OCR promptly; however since this incident involved just 441 patients, the report of the theft and data breach was not provided to the OCR until the year end; as required under HIPAA breach notification rules. Upon...
University of Michigan Health System Reports 4000-Patient HIPAA Breach
The University of Michigan Health System (UMHS) has announced that the records of 4000 patients may have been exposed by Omnicell, its supply management system vendor. The data breach affected the patients of three hospitals operated by the University of Michigan Health System, all of whom had visited for consultations between October 24th, 2012 and November 13, 2012. The unencrypted data was stored on an unnamed device that was stolen from a car belonging to an Omnicell employee. This is a violation of the data privacy and security policies in place at UMHS. The lost data was limited to medications prescribed, demographics, and some other health information; although UMHS confirmed that no Social Security numbers or credit card details were compromised in the incident. Names were included but no addresses or phone numbers were present in the data. Pursuant to the Health Insurance Portability and Accountability Act, UMHS is in the process of notifying all individuals affected by the breach in writing to alert them to the possibility that their personal health information could be...
Massachusetts Healthcare Provider to pay $1.5M HIPAA Settlement to HHS
The theft of a laptop computer from a healthcare center belonging to Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) has resulted in a settlement of $1.5 million with the HHS Office for Civil Rights for HIPAA violations. The U.S. Department of Health and Human Services is enforcing Health Insurance Portability and Accountability Act compliance, and MEEI was deemed to have violated the Security Rule by failing to take adequate precautions to protect the health information of its patients and research subjects. The laptop contained unencrypted data which could be accessed by the person in possession of the laptop. The data includes patient prescription details, clinical information and other protected data that could potentially be used to commit medical and identity fraud. Under the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule, the HHS must be notified of security breaches involving the exposure of PHI of patients. When MEEI issued the notification it triggered the OCR investigation....
Healthcare Data Breaches Exceed 500
In September 2009, following the incorporation of the requirements of the HITECH Act into HIPAA legislation, the Department of Health and Human Services started monitoring healthcare data breaches. Since that date all data breaches affecting over 500 individuals must be reported within 60 days of the breach being discovered. Over 21.2 million individuals have been affected by healthcare data breaches since records started being kept, and the tally of data braches has now exceeded the 500 milestone. The Health Insurance Portability and Accountability Act was introduced with a number of aims, one of which was to ensure Protected Health Information is safeguarded and protected from unauthorized access, disclosure, hacking, loss and theft. The legislation also covers patient privacy and restricts the information that can be disclosed without authorization. HIPAA is supposed to ensure that all covered entities implement administrative, technical and physical safeguards to protect PHI and meet a minimum national standard of data security. The problem is that covered entities are not...
Pediatricians Risking HIPAA Violations Sending SMS Messages
The pager has served doctors and medical professionals well since the 1940s and an estimated 90% of hospitals are still using the devices for communication between members of the care team. However an increasing number of medical professionals are turning to Smartphones to communicate, according to a recent survey conducted by the University of Kansas School of Medicine in Wichita. The data even suggests that phone text messaging is about to take over as the primary mode of communication in U.S hospitals. Smartphones allow doctors to communicate quickly with other members of the healthcare team, but while modern mobile devices offer convenience, the use of SMS in hospitals could result in HIPAA Privacy and Security Rule violations. Text messages are not secure, and any unencrypted PHI sent via the SMS network could potentially be read by any number of people. Uptake of Smartphones has not been quick in healthcare due to the cost of purchasing the units and making them secure. However, since the majority of medical professionals have a personal phone, Bring Your Own Device (BOYD)...



