HHS Increases HIPAA Penalties for 2020 to Account for Inflation
The Department of Health and Human Services has adopted new minimum and maximum penalties for HIPAA violations for 2020 to account for changes to the cost of living. The HHS’ Office of the Assistant Secretary for Financial Resources has now implemented a final rule on the new federal civil monetary penalties under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The changes to penalty amounts are intended to maintain the deterrent effect of federal civil monetary penalties. The adjustments to the penalties are calculated based on the Consumer Price Index for all Urban Consumers (CPI–U) from the previous month, which are applied as a multiplier to the existing minimum and maximum civil monetary penalty amounts. The cost-of-living multiplier for 2020 is 1.01764. Previous cost-of-living multipliers were 1.01636 (2017), 1.02041 (2018), and 1.02522 (2019). The final rule took effect on Sunday, January 17, 2020, and applies to penalties assessed on or after January 17, 2020, if the violation occurred on or after November 2, 2015. These penalties will apply...
At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020
Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft. The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year. In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities. These attacks have caused significant financial harm and in some cases the disruption has had life threatening...
HHS Makes $20 Million Available to Expand COVID-19 Vaccine Information Sharing
The U.S. Department of Health and Human Services has made $20 million available to improve data sharing between health information exchanges (HIEs) and immunization information systems. The money comes from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) fund that was signed by President Trump on March 27, 2020 to support vaccination efforts to fight the COVID-19 pandemic. The investment expands the Office of the National Coordinator for Health Information Technology (ONC)’s Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange (STAR HIE) Program and will help communities improve health information sharing related to COVID-19 vaccinations. Public health agencies will be able to receive additional help to track and identify individuals who have not yet received a second dose of the COVID-19 vaccine and the additional investment will help clinicians identify and contact high risk individuals who have not yet received their first vaccination. The additional investment will be spread across the country and...
OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments
The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations. The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effectively immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency. A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations....
December 2020 Healthcare Data Breach Report
2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website. December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...



