HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation. Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach on November 13, 2013. The breach concerned a business associate of Dr. Porter’s electronic health record (EHR) company, which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid. The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation...
IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk
An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk. NIH received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and to determine whether NIH was in compliance with Federal regulations. The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center. NIH has approximately 1,300 physicians, dentists and PhD researchers, 830 nurses, and around 730...
NIST Publishes Roadmap for Regional Alliances and Partnerships to Build the Cybersecurity Workforce
The National Institute of Standards and Technology (NIST) has published a cybersecurity education and development roadmap based on data from five pilot Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education and Workforce Development programs. There is currently a global shortage of cybersecurity professionals, and the problem is getting worse. Data from CyberSeek.org shows that between September 2017 and August 2018, 313,735 cybersecurity positions were open, and figures from the 2017 Global Information Security Workforce Study indicate that by 2022, 1.8 million cybersecurity professionals will be required to fill open positions. To help address the shortfall, the National Initiative for Cybersecurity Education (NICE), led by NIST, provided funding for the pilot programs in September 2016. The RAMPS cybersecurity education and development pilot programs were concerned with “energizing and promoting a robust network and ecosystem of cybersecurity education, training, and workforce development.” The pilot programs involved forming regional...
Healthcare Organizations are Overconfident About Their Ability to Protect PHI and Control Data Sharing
Healthcare organizations are confident they are protecting regulated data and controlling data sharing, but that confidence appears to be misplaced in many cases, according to a recent report from Netwrix. Data has a life cycle. When it is no longer required it should be deleted, but oftentimes sensitive data can remain hidden away on networks for long periods of time. Documents containing sensitive information can be stored in the wrong place, where they are no longer subject to the protection measures organizations have implemented to keep confidential information secure and prevent unauthorized access. Misplaced data can be exposed for weeks or months. A recent survey conducted by Netwrix has revealed the extent of the problem. For its 2020 Data Risk & Security Report, Netwrix surveyed 1,045 IT professionals from a wide range of industries and found that 91% were confident that their sensitive data was stored securely. However, a quarter of respondents said they had found sensitive data stored outside designated storage locations in the past 12 months, indicating that...
American Medical Association Publishes Playbook Dispelling Common HIPAA Right of Access Myths
The American Medical Association (AMA) has published a new HIPAA playbook to help physicians and their practices understand the HIPAA Right of Access and ensure compliance with this important requirement of HIPAA. Misunderstandings about the HIPAA Right of Access can result in financial penalties for noncompliance. The HHS’ Office for Civil Rights launched a new HIPAA Right of Access enforcement initiative in 2019 and has already taken action against two healthcare organizations that were not providing patients with copies of their medical records in a timely manner. Both cases started with a single complaint from a patient who was not provided with a copy of the requested records and ended with an $85,000 financial penalty. Patients need to be able to access their healthcare data to be able to make informed decisions about their own health. HIPAA gives patients the right to obtain a copy of their health records, but healthcare providers can face challenges complying with all of the legal requirements of HIPAA. These challenges, together with misunderstandings about the HIPAA Right...