Our HIPAA compliance news section keeps you up to date with HIPAA breaches, OCR updates and HITECH and GDPR compliance issues. Make sure you remain up to date with the latest HIPAA compliance news by subscribing to our newsletter or follow us on Twitter @HIPAAJournal.

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty
Oct14

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty. Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI). Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents. As a HIPAA-covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access. Diamond Investigated for...

Read More
OCR Issues Guidance on HIPAA and COVID-19 Vaccination Status Disclosures
Oct05

OCR Issues Guidance on HIPAA and COVID-19 Vaccination Status Disclosures

The Department of Health and Human Services’ Office for Civil Rights has issued guidance to educate the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination status information and requests from individuals about whether a person has been vaccinated against COVID-19. In the guidance, OCR confirmed that HIPAA only applies to HIPAA-regulated entities. HIPAA regulated entities are healthcare providers, health plans, and healthcare clearinghouses that conduct standard electronic transactions, and business associates of those entities that require access to or encounter protected health information (PHI). OCR reminded the public that the HIPAA Privacy Rule does not apply to employers or employment records. That includes information collected or stored by HIPAA-regulated entities in their capacity as an employer. OCR explained how HIPAA applies to COVID-19 vaccination information in certain situations through a website Q&A and states: The HIPAA Privacy Rule does not prohibit businesses or individuals from...

Read More
What is a HIPAA Subpoena?
Sep28

What is a HIPAA Subpoena?

The U.S. Department of Justice has recently been cracking down on healthcare offenses, with investigations often involving a HIPAA subpoena being issued. The subpoena compels HIPAA-regulated entities to release information such as patient medical records that they would otherwise not be permitted to disclose due to Privacy Rule restrictions on uses and disclosures. The HIPAA Privacy Rule permits disclosures of protected health information (PHI) if compelled to do so by a valid subpoena. What is a HIPAA Subpoena? A HIPAA subpoena is an administrative subpoena which requires a HIPAA-regulated entity to release documents to support investigations of federal criminal healthcare offenses pursuant to 18 U.S.C. § 3486, and the use of these subpoenas is becoming more common. A HIPAA subpoena is similar to a federal grand jury subpoena, in that they both compel a HIPAA regulated entity to release specific information to assist with investigations into healthcare offenses. A HIPAA subpoena is an administrative subpoena, but they are not generally issued for investigations that are purely...

Read More
Lisa J. Pino Named New Director of HHS’ Office for Civil Rights
Sep27

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) and replaces Robinsue Frohboese, who has served as acting OCR Director since President Trump-appointed Roger Severino resigned from the post in mid-January. OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety and Quality Improvement Act, and Patient Safety Rule, as well as enforcing federal civil rights, conscience and religious freedom laws. Pino is from New York City, a fluent Spanish speaker, and the first-generation daughter of immigrant parents. She completed a B.A., M.A., and J.D. at Arizona State University with honors, and Harvard Kennedy School leadership program as a National Hispana Leadership Institute Fellow. Pino has served as legal aid attorney in the Southwest, fighting to protect the rights of migrant farm workers. Her civil rights activities carried on while working for the United States Department of Agriculture (USDA) where...

Read More
OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative
Sep13

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019. Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year. The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making...

Read More
California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents
Aug25

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches and healthcare organizations are also required to comply with state data breach notification laws. Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified. Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health...

Read More
July 2021 Healthcare Data Breach Report
Aug23

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day. The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month! Largest Healthcare Data Breaches in July 2021 Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the...

Read More
Future of HIPAA: Reflections at the 25th Anniversary of HIPAA
Aug21

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA? It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today. It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially due to the considerable administrative burden it initially placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives. The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes...

Read More
Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case
Jul23

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments. In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims. The San Diego Sheriff’s’...

Read More
No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation
Jun28

No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th amendment when an individual’s privacy is violated. The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor. In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the...

Read More
Former Mayo Clinic Doctor Charged Over Improper Medical Record Access
Jun28

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail. The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered. A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no...

Read More
Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation
Jun25

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend. Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties. Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records from October 2013 to September 2017 on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so. Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed. Bacor...

Read More
May 2021 Healthcare Data Breach Report
Jun18

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67. May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months. Largest Healthcare Data Breaches Reported in April 2021 As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by...

Read More
Webinar 06/16/21: Social Media and HIPAA Compliance
Jun10

Webinar 06/16/21: Social Media and HIPAA Compliance

Social media platforms such as Facebook, Twitter, Snapchat, and Instagram make it easy for healthcare organizations to advertise their services and win new business. Healthcare providers can use social media sites to communicate with patients, provide updates on their services, and engage patients and get them to take a more active role in their healthcare. While there are many benefits that can come from social media in healthcare, many healthcare organizations rightly see social media networks as minefield of HIPAA violations. This is not only true for the corporate accounts of healthcare providers, but also the personal social media accounts of their employees. An employee communicating on social media after a particularly difficult day could easily divulge information that could violate patient privacy. There have been many cases of healthcare employees communicating on social media networks, including private Facebook groups, and sharing sensitive information about patients in violation of the HIPAA Rules. Virtually all healthcare employees have smartphones, and it is common...

Read More
What Information is Protected Under HIPAA Law?
Jun08

What Information is Protected Under HIPAA Law?

What Information is Protected Under HIPAA Law The Healthcare Insurance Portability and Accountability Act (HIPAA) consist of five Titles, each with their own set of HIPAA laws. Four of the five sets of HIPAA laws are straightforward and cover topics such as the portability of healthcare insurance between jobs, the coverage of persons with pre-existing conditions, and tax provisions for medical savings accounts. However, Title II – the section relating to administrative simplification, preventing healthcare fraud and abuse, and medical liability reform – is far more complicated. It contains subsets of HIPAA laws which sometimes overlap with each other and several of the provisions in Title II have been modified, updated, or impacted by subsequent acts of legislation. Furthermore, since HIPAA was enacted, the U.S. Department for Health and Human Services (HHS) has promulgated six sets of “Rules”; which, as they are codified in 45 CFR Parts 160, 162, and 164, are strictly speaking HIPAA laws within HIPAA laws. These are most commonly referred to as the Administrative Simplification...

Read More
Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case
Jun02

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative that was launched in the fall of 2019. DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received. In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into...

Read More
Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000
May25

Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Peachstate Health Management, LLC, dba AEON Clinical Laboratories to resolve multiple violations of the HIPAA Security Rule. Peachstate is a CLIA-certified laboratory that provides a range of services including clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC). OCR launched a compliance investigation on August 31, 2016 following a breach of unsecured protected health information reported by the U.S. Department of Veterans Affairs (VA) on January 7, 2015 involving its business associates, Authentidate Holding Corporation (AHC). The VA had contracted with AHC to manage the VA’s Telehealth Services Program. The aim of the OCR investigation was to assess whether the breach was the result of the failure to comply with the HIPAA Privacy and Security Rules. During the course of the investigation, OCR learned that AHC had entered into a reverse merger with Peachstate on January 27, 2016 and had...

Read More
Is it a HIPAA Violation to Ask for Proof of Vaccine Status?
May25

Is it a HIPAA Violation to Ask for Proof of Vaccine Status?

According to several media sources, there appears to be a degree of confusion about the purpose of HIPAA, who it applies to, and whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation. The confusion was highlighted recently when, on May 18, 2021, Rep. Marjorie Taylor Greene, (R-Ga) was asked whether she had been vaccinated, as she had refused to wear a mask on the House floor in breach of House rules. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct as HIPAA does not apply in such situations. It is not only Rep. Greene who is unsure about the purpose of HIPAA and who it applies to. Several organizations have also raised concerns that asking employees to provide proof of being vaccinated against COVID-19 in order to avoid wearing a facemask, maintain social distancing, or self-isolate after exposure to an infected person may also be a violation of HIPAA. HIPAA and Its Purpose The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of...

Read More
Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes
May13

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule. There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks. Another area...

Read More
NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance
May05

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) is planning on revising and updating its guidance on implementing the HIPAA Security Rule and is seeking comment from stakeholders on aspects of the guidance that should be changed. NIST published the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. During the past 13 years, cybersecurity has evolved and the threat landscape has changed considerably. NIST’s cybersecurity resources have also evolved during that time and an update to the guidance is now long overdue. NIST will be updating the guidance to reference its new cybersecurity resources, will amplify awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and will update its implementation guidance for HIPAA-covered entities and business associates. Specifically, NIST has requested comment from stakeholders on their experiences applying and using the resource guide, including the...

Read More
What is HIPAA Certification?
May03

What is HIPAA Certification?

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services. What is HIPAA Certification? Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors. Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services...

Read More
March 2021 Healthcare Data Breach Report
Apr19

March 2021 Healthcare Data Breach Report

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates. The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February. Largest Healthcare Data Breaches Reported in March 2021 The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates. Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server Health Net of California Health Plan 523,709 Hacking/IT...

Read More
HHS Information Blocking and Interoperability Regulations Now in Effect
Apr09

HHS Information Blocking and Interoperability Regulations Now in Effect

The new information blocking and interoperability regulations developed by the Department of Health and Human Services as part of the 21st Century Cures Act took effect on Monday this week. It has been over a year since the final rule was released, and now the benefits of the information blocking and interoperability provisions can now be realized. The final rule defines information blocking and stipulates the penalties for providers that engage in activities that interfere with access, exchange, and use of electronic health information (EHI). The final rule also gives patients new rights over their healthcare data and allows them to request it be sent to the application of their choosing. The compliance date was April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges must comply with the provisions of the final rule. For the first 18 months from April 5, 2021, the information blocking provision only applies to a subset of EHI detailed in the US Core Data for Interoperability (v1). Core EHI includes clinical notes,...

Read More
Survey Reveals Sharing EHR Passwords is Commonplace
Apr06

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses. The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research. The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password or alternate – but equally effective – authentication method. Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for...

Read More
What Happens if You Break HIPAA Rules?
Apr03

What Happens if You Break HIPAA Rules?

HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood. During HIPAA training, healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties, and what happens if you break HIPAA Rules? What Happens if You Break HIPAA Rules? If you break HIPAA Rules there are four potential outcomes: The violation could be dealt with internally by an employer You could be terminated You could face sanctions from professional boards You could face criminal charges which include fines and imprisonment What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors: The nature of the violation Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated Whether action was taken to correct the violation Whether there was malicious intent or HIPAA...

Read More
What to Do if You Discover a HIPAA Violation in the Workplace
Apr02

What to Do if You Discover a HIPAA Violation in the Workplace

You suspect there has been a HIPAA violation in the workplace, should you report the violation? If so, how should you report the potential violation and who needs to be told? Is it Necessary to Report a HIPAA Violation in the Workplace? If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with HIPAA Rules, the potential violation(s) should be reported. Since the passing of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach or HIPAA audit, the HHS’ Office for Civil Rights may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence. If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that similar...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and led to the development of the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives...

Read More
New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case
Mar29

New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years. OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records. OCR investigators determined that the delay in providing the records, which exceeded the 30 allowed days for acting...

Read More
What is the Civil Penalty for Knowingly Violating HIPAA?
Mar26

What is the Civil Penalty for Knowingly Violating HIPAA?

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules What is HIPAA? The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data. HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties. As with other federal laws, there are...

Read More
Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000
Mar25

Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Action investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty. OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months. When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay. OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right...

Read More
How Often is HIPAA Training Required?
Mar20

How Often is HIPAA Training Required?

HIPAA-covered entities and their business associates must ensure that all members of the workforce that encounter protected health information (PHI) in any of its forms need to be provided with training, but how often is HIPAA training required and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training? What Does HIPAA Say About Employee Training? Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” The HIPAA Security Rule training standard states: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).” The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to...

Read More
How Often Do You Need HIPAA Training?
Mar19

How Often Do You Need HIPAA Training?

Training for healthcare employees on HIPAA is mandatory, but many covered entities and business associates are unsure about how often employees need HIPAA training and how frequently to conduct security awareness training sessions, so how often do you need HIPAA training to ensure compliance with the HIPAA Rules? OCR is Cracking Down on Noncompliance! It can be difficult to fit training into busy workflows, but if training is not provided regularly it is possible for fines to be issued for noncompliance. The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance in recent years, with 19 financial penalties imposed in 2020 to resolve compliance issues. Two financial penalties have been imposed that include penalties for training failures, one of which saw the penalty amount increased for the failure to provide HIPAA privacy training to the workforce and another for the failure to provide security awareness training. With data breaches now occurring at record rates and OCR having imposed 17 penalties following investigations into complaints filed by individual...

Read More
What is a HIPAA Violation?
Mar14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
Is it a HIPAA Violation to Email Patient Names?
Mar14

Is it a HIPAA Violation to Email Patient Names?

We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information. Is it a HIPAA Violation to Email Patient Names? Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data. It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected...

Read More
Is HIPAA Training Required Annually?
Mar12

Is HIPAA Training Required Annually?

The frequency of HIPAA training sessions needed to comply with the HIPAA Privacy Rule is a source of confusion, with many healthcare providers interpreting the HIPAA text to mean HIPAA training is required annually, even though annual training sessions are not explicitly stated as a requirement anywhere in the HIPAA text. Similarly, the frequency of security awareness training is not stated, other than HIPAA requiring ‘periodic’ retraining. To help ensure you get your HIPAA training right, we have listed some of the best practices below which will ensure you do not fall afoul of regulators and attract a fine for noncompliance. Is HIPAA Training Required Annually? The HIPAA text does not provide a deadline for providing training and incorporates flexibility to make it easier for healthcare organizations to fit training into busy workflows. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook and Instagram were launched, so there are no specific HIPAA social media rules. However, as with all healthcare-related communications, the HIPAA Privacy Rule still applies whenever covered entities or business associates – or employees of either – use social media networks. There are many benefits to be gained from using social media. Social media networks allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media networks. However, there is also considerable potential for HIPAA rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media Healthcare organizations must implement a HIPAA social media policy to reduce the risk of...

Read More
Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation
Mar12

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of at least 21 million Americans. Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities. From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019. AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for...

Read More
Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days
Mar10

Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days

Changes to the HIPAA Rules are infrequent, so when updates are proposed they tend to include a slew of new requirements and updates to existing provisions. Before any updates are made, a request for information (RFI) is issued to allow the HHS to obtain feedback on aspects of the HIPAA Rules that are causing problems, and areas where improvements could be made. Following the RFI, a notice of proposed rulemaking is issued by the HHS followed by a comment period. The comment period is the last chance for industry stakeholder, including patients and their families, to voice their opinions about the proposed changes before they are signed into law. After issuing an RFI, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking on December 10, 2020, along with the standard 60-day comment period from the date of publication in the Federal Register (January 21, 2021). The comment period was due to expire on March 22, 2021. Since the proposed changes include updates to the HIPAA Privacy Rule that will impact virtually everyone in the healthcare industry, the HHS has taken...

Read More
Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure
Mar09

Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure

This week, the Arizona Supreme Court revived a HIPAA violation lawsuit filed by a Phoenix man over a privacy violation by a pharmacy employee related to an erectile dysfunction medication prescription. Greg Shepherd, 50, had visited his doctor for a routine medical appointment in January 2016 and his doctor provided him with a erectile dysfunction medication sample. He received a call from the Costco pharmacy later and was told that the full prescription for the ED medication was available to collect. Shepherd explained that he did not want the medication and cancelled the prescription. Shepherd called the pharmacy a month later to check whether an unrelated prescription was ready to collect, and the pharmacy informed again him that his ED prescription was still waiting to be collected. Shepherd declined the medication a second time and told the pharmacy to cancel the prescription for the second time. Shepherd, who had been trying to reconcile with his ex-wife, authorized her to collect an unrelated, regular prescription refill from the pharmacy. When she visited the pharmacy, the...

Read More
Two Employees Fired for Impermissible PHI Disclosures to Third Parties
Mar08

Two Employees Fired for Impermissible PHI Disclosures to Third Parties

Humana has discovered an employee of a subcontractor of a business associate impermissibly disclosed the protected health information of 62,950 of its members to a third-party for training purposes. Cotiviti was contracted by Humana to provide assistance requesting medical records and used a subcontractor to review the requested medical records. Under HIPAA, subcontractors used by business associates are also required to comply with HIPAA. The privacy violations occurred between October 12, 2020 and December 16, 2020 and Cotiviti notified Humana about the HIPAA violation on December 22, 2020. Cotiviti has worked with Humana to ensure that safeguards are implemented to prevent similar privacy breaches in the future, and that those safeguards are put in place at any subcontractors it uses. The individual who disclosed the data is no longer employed by the subcontractor. The types of data disclosed includes member names’, addresses, phone numbers, email addresses, dates of birth, full or partial Social Security Numbers, insurance identification numbers, provider names, dates of...

Read More
Is a HIPAA Violation Grounds for Termination?
Mar07

Is a HIPAA Violation Grounds for Termination?

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules? Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy? Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination? Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations. When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for...

Read More
What Happens if a Nurse Violates HIPAA?
Mar03

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?   The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules? What are the Penalties if a Nurse Violates HIPAA? Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA...

Read More
What is Considered Protected Health Information Under HIPAA?
Mar02

What is Considered Protected Health Information Under HIPAA?

Protected health information – or PHI – is often mentioned in relation to HIPAA and healthcare, but what is considered protected health information under HIPAA? What is Considered Protected Health Information Under HIPAA Law? If you work in healthcare or are considering doing business with healthcare clients that requires access to health data, you will need to know what is considered protected health information under HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits the uses and disclosures of PHI. Violate any of the provisions in the HIPAA Privacy and Security Rules and you could be financially penalized. There are even criminal penalties for HIPAA violations. Claiming ignorance of HIPAA law is not a valid defense. Protected Health Information Definition Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created,...

Read More
Who Does HIPAA Apply To?
Feb28

Who Does HIPAA Apply To?

Who Does HIPAA Apply To? Confusion sometimes exists over the question of who does HIPAA apply to because the requirement to protect individually identifiable health information is covered in only a small section of a very substantial Act. Even when this small section is extracted and analyzed, it is still not always clear who does HIPAA apply to and which organizations need to implement HIPAA compliance programs. Does HIPAA Apply to Everybody? The Health Insurance Portability and Accountability Act (PDF) is a substantial body of legislation passed by Congress in 1996. As the title of the Act suggests, it addresses the portability of health insurance and the accountability of group health plans to provide benefits when members of group health plans have pre-existing conditions. In this respect, HIPAA applies to the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans. However, HIPAA consists of four further titles covering topics from medical liability reform to taxes on expatriates who give up U.S....

Read More
March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches
Feb25

March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit breach reports to the Department of Health and Human Services’ Office for Civil Rights (OCR)that were discovered between January 1, 2020 and December 31, 2020. HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised, that must include the nature and extent of PHI involved, the probability of identification of individuals; the person who used/disclosed the PHI; whether PHI was viewed or acquired by an unauthorized...

Read More
Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months
Feb24

Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been sentenced to 6 months in jail and fined $1,200. In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally. According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ). Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his...

Read More
January 2021 Healthcare Data Breach Report
Feb19

January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day. There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records. Largest Healthcare Data Breaches Reported in January 2021 The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply...

Read More
HHS Secretary Announces Limited HIPAA Waiver in Texas Due to the Winter Storm
Feb19

HHS Secretary Announces Limited HIPAA Waiver in Texas Due to the Winter Storm

Following President Joseph R. Biden’s declaration of an emergency in the State of Texas, Norris Cochran, Acting Secretary of the Department of Health and Human Services, declared a public health emergency due to the consequences of the winter storm in the state of Texas. Pursuant to Section 1135(b)(7) of the Social Security Act, the HHS Secretary announced a limited waiver of sanctions and penalties arising from noncompliance with certain provisions of the HIPAA Privacy Rule. For the period of the waiver, sanctions and penalties will not be imposed for noncompliance with the following HIPAA Privacy Rule requirements: The requirement to obtain a patient’s agreement to speak with family members of friends – 45 C.F.R. § 164.510(a); The requirement to honor a patient’s request to opt out of the facility directory – 45 C.F.R. § 164.510(b); The requirement to distribute a notice of privacy practices – 45 C.F.R. § 164.520; The patient’s right to request privacy restrictions – 45 C.F.R. § 164.522(a); The patient’s right to request confidential communications –...

Read More
Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation
Feb15

Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019. OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule. The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019. The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been...

Read More
Renown Health Pays $75,000 to Settle HIPAA Right of Access Case
Feb11

Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crackdown on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action. Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000. OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made. The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical...

Read More
What is HIPAA Authorization?
Feb09

What is HIPAA Authorization?

We are often asked to clarify certain elements of HIPAA Rules. One recent question relates to disclosures of protected health information (PHI) and medical records – ‘What is HIPAA authorization?’ What is HIPAA Authorization? The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared. The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations. HIPAA authorization is consent obtained from a patient or health plan member that permits a covered entity or business associate to use or disclose PHI to an individual/entity for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule....

Read More
Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS
Jan22

Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS

The Biden administration has appointed Micky Tripathi as the National Coordinator for Health IT at the Department of Health and Human Services’ Office. Tripathi will head the Office of the National Coordinator for Health IT, which is tasked with coordinating efforts to implement advanced health information technology to ensure the secure exchange of health information. The ONC is currently overseeing efforts to provide Americans with easy access to their health records through their smartphones and is implementing 21st Century Cures Act provisions that promote health IT interoperability and prohibit information blocking. Tripathi has a wealth of experience in secure health information exchange and is aware of the current interoperability issues in the healthcare industry. Prior to joining the ONC, Tripathi was most recently the chief alliance officer at the healthcare analytics and software company Arcadia, where he was responsible for developing partnerships to enhance healthcare with advanced IT technology. Tripathi has also served as manager of the strategy and management...

Read More
HIPAA Enforcement by State Attorneys General
Jan21

HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of unencrypted hard drive containing the electronic protected health information 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases were...

Read More
OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments
Jan20

OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations. The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effectively immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency. A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations....

Read More
2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020
Jan19

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year. More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. Key Takeaways 25% year-over-year increase in healthcare data breaches. Healthcare data breaches have doubled since 2014. 642 healthcare data breaches of 500 or more records were reported in 2020. 1.76 data breaches of 500 or more healthcare records were reported each day in 2020. 2020 saw more than 29 million healthcare records breached. One breach involved more than 10...

Read More
December 2020 Healthcare Data Breach Report
Jan18

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.   December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...

Read More
Possible HIPAA Updates and HIPAA Changes in 2021
Jan18

Possible HIPAA Updates and HIPAA Changes in 2021

The Health Insurance Portability and Accountability Act was signed into law in 1996 and while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Updates to HIPAA have been long overdue and steps were finally made to update HIPAA win December 2020, when the HHS issued a notice of Proposed Rulemaking that detailed several changes to the HIPAA Privacy Rule. Major HIPAA Updates in the Past 20 Years Since HIPAA was signed into law there have been some major HIPAA updates. The HIPAA Privacy and Security Rules were followed by the incorporation of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA covered entities and considerable time and effort was required to introduce new policies and procedures to ensure continued compliance. It is now 7 years since...

Read More
Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty
Jan18

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals. The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties. Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015. The hackers installed malware on its systems,...

Read More
What are the Penalties for HIPAA Violations?
Jan15

What are the Penalties for HIPAA Violations?

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.  The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect from March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations...

Read More
M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal
Jan15

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights. The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen. The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI. HIPAA penalties are tiered and are based on the level of culpability, with the Office...

Read More
2020 HIPAA Violation Cases and Penalties
Jan13

2020 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. Penalties for Noncompliance with the HIPAA Right of Access In late 2019, the OCR announced a new HIPAA enforcement initiative to tackle noncompliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been highly active and has imposed 14 financial penalties for noncompliance, 11 of which were announced in 2020. The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of...

Read More
OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine
Jan13

OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine

The HHS’ Office for Civil Rights (OCR) is continuing to crackdown on healthcare providers that are not providing patients with timely access to their medical records. Yesterday, OCR announced a settlement had been agreed with Banner Health to resolve a HIPAA Right of Access investigation. Banner Health agreed to pay $200,000 to settle the case. The HIPAA Privacy Rule gives individuals the right to access, inspect, and obtain a copy of their own protected health information. When a request is received, HIPAA-covered entities are required to provide a copy of the requested records within 30 days. In late 2019, OCR announced it was cracking down on noncompliance with this important provision of HIPAA. Since then, 14 financial penalties have been imposed on covered entities that have failed to provide patients with timely access to their medical records. Phoenix, AZ-based Banner Health is one of the largest health care systems in the United States. The non-profit health system operates 30 hospitals and many primary care, urgent care, and specialty care facilities. OCR received two...

Read More
HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law
Jan12

HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law

On January 5, 2020, President Trump added his signature to a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that have implemented recognized security best practices prior to experiencing a data breach. While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach. The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so will provide a degree of insulation against regulatory enforcement actions. The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches...

Read More
Jail Terms for HIPAA Violations by Employees
Jan10

Jail Terms for HIPAA Violations by Employees

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft. Jail terms for HIPAA violations are relatively rare, but there have been several cases where HIPAA violations by employees have been referred to the Department of Justice and have resulted in financial penalties and jail time. Some cases that have resulted in jail terms for HIPAA violations by employees are listed below, along with cases where jail terms have only narrowly been avoided. Jail Term for Former Transformations Autism Treatment Center Employee In February 2017, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination. Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Jan10

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
What is Protected Health Information?
Jan10

What is Protected Health Information?

The latest article in our HIPAA basics series answers the question what is protected health information? The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information, but what is protected health information? First, it is worthwhile explaining two other important terms detailed in HIPAA regulations: A covered entity and a business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse which transmits health data electronically for transactions that the U.S. Department of Health and Human Services has adopted standards. A business associate is an organization or individual who performs services on behalf of a HIPAA-covered entity that requires access to, or the use of, protected health information. What is Protected Health Information? Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in...

Read More
New HIPAA Regulations in 2021
Jan10

New HIPAA Regulations in 2021

Tt has been several years since new HIPAA regulations have been introduced but that is likely to change very soon. The last update to the HIPAA Rules was the HIPAA Omnibus Rule changes in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. There are, however, expected to be several 2021 HIPAA changes as OCR has issued a Notice of Proposed Rulemaking in December 2020 that outlines several changes to the HIPAA Privacy Rule. The Trump Administration’s policy of two regulations out for every new one introduced was always likely to mean any new HIPAA regulations in 2020 would be limited, as first there would need to be some removal of regulations. In 2019 and 2020, updates under consideration included changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally...

Read More
How Should You Respond to an Accidental HIPAA Violation?
Jan06

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
What is Considered PHI Under HIPAA?
Dec28

What is Considered PHI Under HIPAA?

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA? What is Considered PHI Under HIPAA Rules? Under HIPAA PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services. It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information. Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual...

Read More
OCR Announces its 19th HIPAA Penalty of 2020
Dec23

OCR Announces its 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled a HIPAA Right of Access compliance case with Peter Wrobel, M.D., P.C., doing business as Elite Primary Care. Elite Primary Care is a provider of primary health services in Georgia. OCR launched a compliance investigation following receipt of a complaint from an Elite Primary Care patient on April 22, 2019 who alleged he had been denied access to his health records. OCR contacted the practice and provided technical assistance on the HIPAA Right of Access on May 2, 2019. OCR advised the practice to review the facts of the request and provide access to the requested records if the request met the requirements of the HIPAA Privacy Rule. The patient subsequently submitted a request for access in writing which was received by the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice continued to deny him access to his requested records. Elite Primary Care sent the patient’s medical records to his new healthcare provider on November 21, 2019 and...

Read More
November 2020 Healthcare Data Breach Report
Dec22

November 2020 Healthcare Data Breach Report

For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number due, in a large part, to the ransomware attack on the cloud service provider Blackbaud. November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).   The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records. Largest Healthcare Data Breaches Reported in November 2020 Name of Covered Entity State Covered...

Read More
OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA
Dec21

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA). An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis. HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in...

Read More
OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules
Dec18

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their...

Read More
FTC Settles 2019 Consumer Data Breach Case with SkyMed
Dec18

FTC Settles 2019 Consumer Data Breach Case with SkyMed

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information. SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted. The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused....

Read More
House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices
Dec16

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices

A new bill (HR 7898) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes. The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations. The bill defines ‘Recognized Security Practices’ as “standards,...

Read More
What is Considered PHI?
Dec13

What is Considered PHI?

In response to questions sent to HIPAA Journal, we have written a series of posts answering some of the most basic elements of HIPAA, the latest being what is considered PHI? What is PHI, PII, and IIHA? Terms such as PHI and PII are commonly referred to in healthcare, but what do they mean and what information do they include? PHI is an acronym of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset. Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer. Health information relates to past, present, and future health conditions or physical/mental health that is related to the provision of healthcare services or payment for those services. Personally...

Read More
HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights
Dec10

HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights

The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI). OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data. “Our proposed...

Read More
How to Make Your Email HIPAA Compliant
Dec07

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? How to Make Your Email HIPAA Compliant Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails.  Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Read More
October 2020 Healthcare Data Breach Report
Nov23

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud. The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months. Largest Healthcare Data Breaches Reported in October 2020 Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware Presbyterian Healthcare Services...

Read More
HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center
Nov20

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative. In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records. The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer. The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that...

Read More
Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure
Nov13

Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 11th financial penalty under its HIPAA Right of Access enforcement initiative. Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology has agreed to pay a financial penalty of $15,000 to settle the case and adopt a corrective action plan to address areas of noncompliance discovered by OCR during the investigation. OCR launched an investigation after a complaint was received from a patient in September 2018 alleging Dr. Bhayani had failed to provider her with a copy of her medical records. The patient had sent a request to the otolaryngologist in July 2018, but two months later and the records had still not been provided. OCR contacted Dr. Bhayani and provided technical assistance on the HIPAA Right of Access and closed the complaint; however, a second complaint was received from the patient a year after the first in July 2019 claiming she had still not been provided with her medical records. OCR intervened again and the records were eventually...

Read More
Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative
Nov06

Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative

The U.S. Department of Health and Human Services’ Office for Civil Rights has announced its 10th financial penalty under its HIPAA Right of Access enforcement initiative. California-based Riverside Psychiatric Medical Group has agreed to pay a financial penalty of $25,000 to resolve a potential HIPAA Right of Access violation and will adopt a corrective action plan to ensure compliance with this important provision of the HIPAA Privacy Rule. The HHS will monitor Riverside Psychiatric Medical Group for 2 years to ensure continued compliance. OCR launched an investigation following receipt of a complaint from a patient in March 2019 alleging Riverside Psychiatric Medical Group failed to provide a copy of her medical records after she had made several requests, with the first request made in February 2019. OCR contacted Riverside Psychiatric Medical Group and provided technical assistance on how the practice could comply with the HIPAA Right of Access and the case was closed. A month later, in April 2019, a second complaint was received from the patient saying she had still not been...

Read More
Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000
Nov04

Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, New Jersey and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices. Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY. In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes,...

Read More
ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule
Nov03

ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule

The deadline for compliance with the information blocking and health IT certification requirements of the 21st Century Cures Act have been extended due to the ongoing COVID-19 pandemic. On October 29, 2020, the US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) announced the release of an interim final rule with comment period that extended the compliance dates and timeframes for meeting certain information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements. The ONC’s Cures Act Final Rule, released on March 9, 2020, defined exceptions to the information blocking provision of the 21st Century Cures Act and adopted new Health IT certification requirements which, through the use of application programming interfaces (APIs), would enhance patients’ access to their own health data through their smartphones at no cost. Compliance deadlines were set for 2020, but health IT stakeholders expressed concern about meeting the deadlines due to the COVID-19 pandemic. On April 21, 2020, ONC announced that it would...

Read More
Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT
Nov02

Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case. An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules. During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Heath Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative. While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health...

Read More
Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches
Oct29

Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017. The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials. The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service. The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in...

Read More
September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised
Oct22

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020. Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records. Causes of September 2020 Healthcare Data Breaches The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers. Blackbaud was able to contain the breach; however, prior...

Read More
What Are Covered Entities Under HIPAA?
Oct18

What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates? Covered Entities Under HIPAA Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs. Healthcare clearinghouses are organizations that...

Read More
OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative
Oct12

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost. HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received. By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost. Under the OCR HIPAA...

Read More
Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation
Oct09

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million. A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information. The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during...

Read More
OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure
Oct08

OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records. On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights. OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018. SJHMC did respond to the requests and provided some, but not all, of the...

Read More
Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules
Oct06

Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules

A healthcare worker who was accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules and patient privacy by sending photographs of patients to unauthorized individuals has been cleared of any wrongdoing, following an investigation by federal law enforcement. A former acquaintance of the healthcare worker was discovered to have concocted a scheme to frame his former acquaintance for fictitious HIPAA violations and is now facing a prison sentence for making false statements. Jeffrey Parker, 43, of Richmond Hill, GA, concocted an elaborate scheme to frame the former acquaintance for violations of patient privacy. In U. S. District Court in the Southern District of Georgia, Parker pled guilty to one count of false statements and admitted creating fake email addresses and concocting information in an effort to harm a former acquaintance. Parker portrayed himself as a whistleblower and contacted the U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI) and the hospital where the healthcare worker was employed to make false allegations of...

Read More
What are the HIPAA Breach Notification Requirements?
Oct04

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered.  The HIPAA training for staff must include procedures for reporting breaches. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and...

Read More
How Employees Can Help Prevent HIPAA Violations
Oct03

How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations.  Employers can help employees by providing regular HIPAA training. Employees Can Help to Prevent HIPAA Violations Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and to secure ePHI at all times. Refresher training sessions should also be...

Read More
Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties
Oct01

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million.  The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States. The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. And was announced by Anthem in February 2015. A Chinese national and an unnamed...

Read More
OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross
Sep28

OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals. Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic...

Read More
Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep23

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Read More
Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic
Sep21

Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a $1.5 million settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016.  Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2016 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which are required to prevent the publication/sale of data. Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security...

Read More
HHS Releases Updated Security Risk Assessment Tool
Sep16

HHS Releases Updated Security Risk Assessment Tool

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a new version of its Security Risk Assessment (SRA) Tool has now been released. The SRA tool was developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with OCR to help small- to medium-sized healthcare providers comply with the security risk assessment requirements of the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program. A security risk assessment is conducted to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). The risk assessment should identify any unaddressed risks, which can then be addressed by implementing appropriate physical, technical, and organizational safeguards. HIPAA compliance audits and investigations of data breaches have revealed healthcare providers often struggle with the risk assessment. Risk assessment failures are one of the most common reasons why HIPAA penalties are issued....

Read More
HIPAA Right of Access Failures Result in Five OCR HIPAA Fines
Sep16

HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records. The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request. After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities. Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial...

Read More
OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers
Sep04

OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers

The Department of Health and Human Services’ Office for Civil Rights has announced it has published additional resources for mobile health app developers and has updated and renamed its Health App Developer Portal. The portal – Resources for Mobile Health Apps Developers – provides guidance for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs). The portal includes a guidance document on Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and if an app developer will be classed as a business associate. “Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” explained OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.” The portal provides access to...

Read More
Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations
Aug28

Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations. Healthcare professionals often create presentations that include medical images for educational purposes; however, care must be taken to ensure that protected health information is not accidentally exposed or disclosed. Medical images contain embedded patient identifiers to ensure the images can be easily matched with the right patient but advances in web crawling technology is now allowing that information to be extracted, which places patient privacy at risk. The web crawling technology used by search engines such as Google and Bing have enabled the large-scale extraction of information from previously stored files. Advances in the technology now allow information in slide presentations that was previously considered to be de-identified to be indexed, which can include patient identifiers. Source images can be extracted...

Read More
HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires
Aug28

HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires

The Secretary of the HHS, Alex Azar, has declared a public health emergency exists in the states of Louisiana and Texas as a result of the consequences of Hurricane Laura, and in California due to ongoing wildfires. During public health emergencies the HIPAA Rules are not suspended; however, the HHS Secretary may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. In addition to the declaration of public health emergencies, the HHS Secretary has declared that sanctions and penalties against hospitals will be waived for the following provisions of the HIPAA Privacy Rule. The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b). The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a). The requirement to distribute a notice of privacy practices. See 45 CFR 164.520. The patient’s right to request privacy restrictions. See 45 CFR 164.522(a)....

Read More
OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory
Aug27

OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization. In order to perform a comprehensive risk analysis to identity all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization. In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the...

Read More
House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System
Aug07

House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System

The House of Representatives has voted to lift the ban on the Department of Health and Human Services using federal funds to develop a national patient identifier system. The Health Insurance Portability and Accountability Act (HIPAA) called for the development of a national patient identifier system. As the name suggests, a national patient identifier system would see each person in the United States issued with a permanent, unique identification number, similar to a Social Security number, that would allow each patient to be identified across the entire healthcare system in the United States. If a patient from California visited an emergency room in New York, the patient identifier could be used to instantly identify the patient, allowing the healthcare provider to access their medical history. Currently, the lack of such an identifier makes matching patients with their medical records complicated, which increases the potential for misidentification of a patient. The extent to which records are mismatched has been shown in multiple studies. For instance, in 2012, a study...

Read More
OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures
Jul28

OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules. Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017. The laptop had been left in the vehicle of an employee in a public parking lot and was broken into. A laptop was stolen that contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates. OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI....

Read More
Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance
Jul24

Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule. Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year. On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule. Prior to the breach, Metropolitan Community Health Service had failed to implement HIPAA...

Read More
Is Google Voice HIPAA Compliant?
Jun30

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Is Google Voice HIPAA Compliant? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use. In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way. That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule. As with SMS, faxing, and email, Google Voice is not...

Read More
Is Amazon Web Services HIPAA Compliant?
Jun22

Is Amazon Web Services HIPAA Compliant?

If you are a healthcare organization in the United States that is required to comply wit the Health Insurance Portability and Accountability Act (HIPAA) you may be wondering if Amazon Web Services is HIPAA compliant and if the public cloud provider’s platform can be used to store, process, or transmit protected health information (PHI). Is Amazon Web Services HIPAA Compliant? Under HIPAA Rules, any provider of a product or service that ‘touches’ PHI is classed as a business associate, which means they must comply with HIPAA Rules and need to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of any PHI that is accessible through their products or services. Any healthcare entity required to comply with HIPAA must ensure that they obtain a signed business associate agreement from a vendor before their products and services are used in connection with PHI. The business associate provides reasonable assurances that appropriate safeguards are in place and that the business associate is aware of its responsibilities under HIPAA. Covered entities...

Read More
Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations
Jun15

Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations

When patients contract an infectious respiratory disease such as COVID-19, the immune system develops antibodies that provide protection if the pathogen is encountered again. The antibodies in the blood of patients who recover from such an illness are valuable, as not only will they provide protection for the patient, that protection could potentially be transferred to other patients. Through the donation of blood and plasma two preparations can be made: Convalescent plasma and hyperimmune immunoglobulin. Convalescent plasma and hyperimmune immunoglobulin have both been used to successfully treat patients who have contracted other viral respiratory diseases. Given the severity of COVID-19 and the high mortality rate, these treatments could be vital for patients who are struggling to fight the infection. Research studies are now underway to test whether antibody treatments are effective against COVID-19. To participate in these programs, patients who have previously been diagnosed with COVID-19 will need to be contacted and asked if they are willing to donate blood and plasma, but...

Read More
Safe Partner Inc. Confirmed as HIPAA Compliant
May11

Safe Partner Inc. Confirmed as HIPAA Compliant

Compliancy Group has announced that Safe Partner Inc. has demonstrated it has implemented an effective HIPAA compliance program and has successfully completed its proprietary 6-stage HIPAA risk analysis and remediation process. Safe Partner Inc. is a Belmont, CA-based boutique software development and consulting company that provides a full range of software services, from design to development, implementation, and ongoing customer support. The company was formed in 1995 and works with clients in a wide range of industry sectors, including healthcare. Some of the software solutions developed by the company interact with healthcare data, which means the company is classed as a business associate and must comply with HIPAA Rules. To ensure that no aspect of HIPAA compliance was missed, Safe Partner Inc sought assistance from Compliancy Group. Assisted by the company’s compliance coaches and using the firm’s HIPAA compliance tracking software solution, The Guard, Safe Partner Inc was able to demonstrate its HIPAA compliance program covered all aspects of the HIPAA Privacy, Security,...

Read More
Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations
May07

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months. The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020. The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed. No reason as been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital. This is not the first incident of...

Read More
OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities
May06

OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance. A public health emergency does not change the requirements of the HIPAA Privacy Rule, which remains in effect in emergency situations. OCR has made this clear in the past with enforcement actions against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital in 2018 after it was discovered they had given film crews access to their facilities without first obtaining authorization from patients. They were fined a total of $999,000 for the HIPAA violations. OCR has issued Notices of Enforcement Discretion during the coronavirus pandemic and will not be imposing sanctions and financial penalties on HIPAA-covered entities for certain violations of HIPAA Rules. Penalties can and will be imposed on covered...

Read More
Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance
May04

Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Ciitizen. To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems. The HIPAA Privacy Rule gives patients the right to request a copy of their healthcare data from their providers. Request must be submitted in writing and healthcare providers are required to provide the patient with a copy of the health data in a designated record set within 30 days to the request being submitted. The data must be provided in the format requested by the patient if the PHI is readily producible in that format. In cases where data cannot be provided in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in an alternative format, as...

Read More
HHS Delays Enforcement of New Interoperability and Information Sharing Rules
Apr23

HHS Delays Enforcement of New Interoperability and Information Sharing Rules

The HHS will be exercising enforcement discretion in relation to compliance with the new interoperability and information sharing rules that were finalized and issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) on March 9, 2020. The decision to delay enforcement is due to the COVID-19 pandemic. The CMS, ONC, and HHS’ Office of Inspector General (OIG) believe that during a pandemic of the magnitude of COVID-19, healthcare organizations need to be given some flexibility complying with the new interoperability and information sharing rules. The dates for compliance with the new rules remain unchanged, although both agencies will be exercising enforcement discretion to allow healthcare organizations to continue to focus their efforts on addressing the COVID-19 pandemic. “ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19...

Read More
HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking
Apr23

HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking

On Tuesday, the HHS’ Office of inspector General (OIG) proposed a rule that amends civil monetary penalty rules to also cover information blocking. “When implemented, the new CMPs for information blocking will be an important tool to ensure program integrity and the promised benefits of technology and data,” said Christi A. Grimm, OIG Principal Deputy Inspector General. OIG understands that during the COVID-19 public health emergency, healthcare organizations are focused on providing treatment and follow-up care to patients. OIG is fulfilling its obligations by publishing the new rule but is also trying to be as flexible as possible to minimize the burden on healthcare organizations on the front line dealing with the COVID-19 pandemic. OIG is seeking comment from healthcare organizations and industry stakeholders on when information blocking enforcement should begin. OIG explained that all entities and individuals required to comply with the new information blocking regulations will be given time to achieve compliance before enforcement begins. OIG has proposed the...

Read More
Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers
Apr13

Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers to protect the privacy of patients, as is the case with patients that have contracted other infectious diseases such as HIV and hepatitis. The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities. In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is...

Read More
HIPAA Penalties Waived for Good Faith Operation of COVID-19 Community-Based Testing Sites
Apr10

HIPAA Penalties Waived for Good Faith Operation of COVID-19 Community-Based Testing Sites

The HHS has issued a Notice of Enforcement Discretion covering healthcare providers and business associates that participate in the operation of COVID-19 community-based testing sites. Under the terms of the Notice of Enforcement discretion, the HHS will not impose sanctions and penalties in connection with good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement discretion is retroactive to March 13, 2020 and will continue for the duration of the COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over. The purpose of the notification is to help pharmacies, other healthcare providers, and their business associates to provide COVID-19 testing services and specimen collection at dedicated walk-up or drive through facilities, without risking a financial penalty for noncompliance with HIPAA Rules. While the Notice of Enforcement Discretion has been issued, the HHS’ Office for Civil Rights is encouraging covered entities and their business associates to ensure reasonable...

Read More
Notice of Enforcement Discretion for Business Associates to Allow PHI Disclosures for Public Health and Health Oversight Activities
Apr02

Notice of Enforcement Discretion for Business Associates to Allow PHI Disclosures for Public Health and Health Oversight Activities

On April 2, 2020, the Department of Health and Human Services announced that with immediate effect, it will be exercising enforcement discretion and will not impose sanctions or financial penalties against healthcare providers or their business associates for good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health emergency, or until the Secretary of the HHS declares the public health emergency no longer exists. The Notice of Enforcement Discretion was issued to support Federal public health authorities and health oversight agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CMS), state and local health departments, and other emergency operation centers that require timely access to COVID-19 related data. While disclosures of PHI by HIPAA-covered entities for public health and health oversight purposes are permitted under the HIPAA Privacy Rule, currently business associates of HIPAA...

Read More
CMS Announces Sweeping Regulatory Changes in Response to Surge in COVID-19 Patients
Mar31

CMS Announces Sweeping Regulatory Changes in Response to Surge in COVID-19 Patients

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has announced a set of sweeping regulatory changes and waivers to give healthcare providers maximum flexibility to treat patients during the 2019 Novel Coronavirus pandemic. The new changes will allow healthcare providers to act as healthcare delivery coordinators in their areas. The temporarily changes will ease restrictions are intended to create hospitals without walls, which will make it easier for hospitals and health systems to cope with an expected massive increase in COVID-19 patients over the coming weeks. Under normal circumstances, federal restrictions require hospitals to provide medical services within their existing facilities, but this will cease to be possible as patient numbers increase. As the number of COVID-19 cases grow, hospitals will soon reach capacity. If they do not develop additional sites to provide treatment to patients, they will be overwhelmed. To ensure all patients can receive treatment and no one is left behind, the CMS has relaxed restrictions and has...

Read More
OCR Issues Guidance on Allowable Disclosures of PHI to First Responders During the COVID-19 Crisis
Mar26

OCR Issues Guidance on Allowable Disclosures of PHI to First Responders During the COVID-19 Crisis

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued further guidance on HIPAA and COVID-19, the disease caused by the 2019 Novel Coronavirus, SARS-CoV-2. The new guidance document provides examples of allowable disclosures of protected health information (PHI) by covered entities under the HIPAA Privacy Rule to help make sure first responders and others receive PHI about individuals exposed to SARS-CoV-2 or displaying symptoms of COVID-19. The new guidance document is in Q&A form and explains when covered entities are permitted to disclose PHI such as names and other identifying information to first responders, law enforcement officers, paramedics, and public health authorities without first obtaining a HIPAA authorization. The document confirms that under the HIPAA Privacy Rule, disclosures of PHI are permitted when the information is required to provide treatment, when a disclosure is required by law, when first responders such as paramedics are at risk of contracting COVID-19 and need information to prevent infection, and when a...

Read More
February 2020 Healthcare Data Breach Report
Mar24

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the mean breach size was 3,335 records. Largest Healthcare Data Breaches in February 2020 The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in. The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents. Name of Covered Entity...

Read More
OCR Issues Guidance on Telehealth and HIPAA During Coronavirus Pandemic
Mar23

OCR Issues Guidance on Telehealth and HIPAA During Coronavirus Pandemic

Following on from the announcement from the HHS’ Office for Civil Rights that enforcement of HIPAA compliance in relation to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency has been relaxed, OCR has issued guidance on telehealth and remote communications. Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” These services can be provided through the use of text, audio, or video via secure text messaging platforms, over the internet, using video conferencing solutions, or via landlines and wireless communications networks. The Notification of Enforcement Discretion covers “All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency,” which includes the...

Read More
Telehealth Services Expanded and HIPAA Enforcement Relaxed During Coronavirus Public Health Emergency
Mar18

Telehealth Services Expanded and HIPAA Enforcement Relaxed During Coronavirus Public Health Emergency

In an effort to prevent the spread of the 2019 novel coronavirus, patients suspected of being exposed to the virus and individuals with symptoms of COVID-19 have been told to self-isolate at home. It is essential for contact to be maintained with people at risk, especially seniors and people with disabilities. Telehealth services, including video calls, can help healthcare professionals assess and treat patients remotely to reduce the risk of transmission of the coronavirus. Telehealth services can also be used to maintain contact with patients who choose not to visit medical facilities due to the risk of exposure to the virus. On Monday, March 16, 2020, the Trump Administration announced that telehealth services for Medicare beneficiaries have been expanded. Prior to the announcement, doctors were only able to claim payment for telehealth services provided to people living in rural areas and no access to local medical facilities and for patients with established relationships with billing providers. “We are doing a dramatic expansion of what’s known as telehealth for our 62...

Read More
Webinar 03/18/20: Discover the Untold Benefits of HIPAA Compliance
Mar18

Webinar 03/18/20: Discover the Untold Benefits of HIPAA Compliance

If you are a HIPAA-covered entity, current business associate, or you are looking to start providing services to healthcare organizations, you will need to ensure that your business is fully compliant with Health Insurance Portability and Accountability Act Rules. In the event of a compliance audit or data breach investigation you will need to demonstrate that you have implemented an effective compliance program and are compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. However, there are many more benefits to HIPAA compliance than simply being able to pass a compliance audit. On March 18, 2020, HIPAA Journal sponsor, Compliancy Group, will be hosting a free webinar to explain the full benefits of HIPAA compliance and the lasting positive impact HIPAA compliance can have on your organization, from protecting your reputation to differentiating your business from the competition. During the webinar you will be provided with tips on how your organization can start leveraging the true benefits of HIPAA compliance and by the end of the session you will...

Read More
HIPAA Compliance and COVID-19 Coronavirus
Mar16

HIPAA Compliance and COVID-19 Coronavirus

HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses – and business associates of covered entities no doubt have many questions about HIPAA compliance and COVID-19 coronavirus cases. There may be confusion about the information that can be shared about individuals who have contracted COVID-19, those suspected of exposure to the 2019 Novel Coronavirus, and those with whom information can be shared. HIPAA Compliance and the COVID-19 Coronavirus Pandemic There is understandably concern about HIPAA compliance and the COVID-19 Coronavirus pandemic and how the HIPAA Privacy Rule and Security Rule apply. In the age of HIPAA, no disease outbreak on this scale has ever been experienced. It is important to remember that during a public health emergency such as a disease outbreak, and this applies to HIPAA compliance and COVID-19, that the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule ensures the security of patients’ protected health information (PHI) and requires reasonable safeguards to be implemented to protect PHI against...

Read More
Henry Mayo Newhall Hospital Fires Employees for Snooping on Medical Records
Mar13

Henry Mayo Newhall Hospital Fires Employees for Snooping on Medical Records

Henry Mayo Newhall Hospital in Santa Clarita, CA has fired several employees for snooping on the medical records of the Saugus High School shooter. Under Health Insurance Portability and Accountability Act (HIPAA) Rules, hospital staff are only permitted to access the medical records of patients with whom they have a treatment relationship of if there is an otherwise legitimate business relationship for accessing the records. The HIPAA Security Rule requires HIPAA-covered entities to implement mechanisms to record activity in information systems containing patient’s electronic protected health information and regularly review records of system activity to identify unauthorized access. A sanctions policy is also required, which must be applied when members of the workforce violate patient privacy. On November 14, 2009, a student of Saugus High School shot five students, killing two before turning the pistol on himself. The shooter was taken to Henry Mayo Newhall Hospital where he died the following day. An analysis of system activity logs revealed several employees at the hospital...

Read More
HHS Releases Final Interoperability and Information Blocking Rules
Mar09

HHS Releases Final Interoperability and Information Blocking Rules

On March 6, 2020, the Office of Information and Regulatory Affairs’ Office of Management and Budget announced it has completed its review of the rules proposed by two HHS agencies in February 2019 to tackle interoperability and information blocking. On March 9, 2020 the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator of Health Information Technology (ONC) released their final rules which change how healthcare delivery organizations, health insurers, and patients exchange health data. The interoperability and information blocking rules were required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016. They are intended to make it easier for healthcare data to be exchanged between providers, insurers, and patients and are a key part of creating a patient-centric healthcare system and put patients in control of their own health records. “These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for...

Read More
Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito
Mar06

Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito

The Protecting Jessica Grubbs Legacy Act (S. 3374) has been reintroduced by Senators Joe Manchin (D-W.V.) and Shelley Moore Capito (R-W.V.). The Protecting Jessica Grubbs Legacy Act aims to modernize the 45 CFR Part 2 regulations to support the sharing of substance abuse disorder treatment records and improve care coordination. 42 CFR Part 2 regulations restrict the sharing of addiction records, which makes it very difficult for information to be shared about patients who are recovering from substance abuse disorder. Currently 45 CFR Part 2 regulations only permit substance abuse patients themselves to decide who has access to their full medical history. While the sharing of highly sensitive information about a patient’s history of substance abuse disorder and treatment is intended to protect the privacy of patients and ensure they are protected against discrimination, not making that information available to doctors can have catastrophic consequences, as happened with Jessica Grubbs. Jessica Grubbs was recovering from substance abuse disorder when she underwent surgery. The...

Read More
Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete
Mar05

Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete

Following the revelation that a considerable volume of patient data had been shared with Google by the Catholic health system Ascension, the second largest health system in the United States, a bipartisan group of Senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google demanding answers about the nature of the agreements and the information the company received. Ascension operates 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has more than 10 million patients. In November 2019, a whistleblower at Google passed information to the Wall Street Journal on the nature of the collaboration and claimed that patient data, including patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been shared with Google and was accessible by more than 150 Google employees. In response to the story, Google announced that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative....

Read More
HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020
Mar03

HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation. Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach on November 13, 2013. The breach concerned a business associate of Dr. Porter’s electronic medical record (EHR) company which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid. The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation...

Read More
American Medical Association Publishes Playbook Dispelling Common HIPAA Right of Access Myths
Feb27

American Medical Association Publishes Playbook Dispelling Common HIPAA Right of Access Myths

The American Medical Association (AMA) has published a new HIPAA playbook to help physicians and their practices understand the HIPAA Right of Access and ensure compliance with this important requirement of HIPAA. Misunderstandings about the HIPAA Right of Access can result in financial penalties for noncompliance. The HHS’ Office for Civil Rights launched a new HIPAA Right of Access enforcement initiative in 2019 and has already taken action against two healthcare organizations that were not providing patients with copies of their medical records in a timely manner. Both cases started with a single complaint from a patient who was not provided with a copy of the requested records and ended with a $85,000 financial penalty. Patients need to be able to access their healthcare data to be able to make informed decisions about their own health. HIPAA gives patients the right to obtain a copy of their health records, but healthcare providers can face challenges complying with all of the legal requirements of HIPAA. These challenges, together with misunderstandings about the HIPAA Right...

Read More
January 2020 Healthcare Data Breach Report
Feb21

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day. As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day and a 15.78% decrease in reported breaches compared to December 2019. While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years. Largest Healthcare Data Breaches in January 2020 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information PIH Health CA Healthcare Provider...

Read More
Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts
Feb21

Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle. A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes. Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health. According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any...

Read More
OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions
Feb17

OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions

An audit conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed many pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ data. OIG conducted the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether there was inappropriate access and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals. CMS was concerned that a mail order pharmacy and other healthcare providers were misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should be only be used to verify Medicare recipients’ eligibility for certain coverage benefits. OIG conducted the audit to determine whether E1 transactions were only being used for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or inappropriate purposes....

Read More
2019 Healthcare Data Breach Report
Feb13

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018. As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009. 37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019. Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen. Largest Healthcare Data Breaches of 2019 The table below shows the largest healthcare data breaches of 2019, based on the entity...

Read More
Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records
Feb12

Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records

The HIPAA Breach Notification Rule requires data breaches of 500 or more records to be reported to the Secretary of the Department of Health and Human Services no later than 60 days after the discovery of a breach. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was experienced – 45 C.F.R. § 164.408. That means smaller healthcare data breaches must usually be reported to the HHS no later than March 1 each year, but this year is a leap year so there is an extra day in February. That means the deadline for reporting smaller breaches is one day earlier. All breaches that have affected fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020. All breaches must be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach must be reported separately and full information about each breach should be submitted. If several small data breaches have been experienced in the 2020 calendar year,...

Read More
Center for Counseling & Family Relationships Confirmed as HIPAA Compliant
Feb10

Center for Counseling & Family Relationships Confirmed as HIPAA Compliant

Center for Counseling & Family Relationships (CCFAM), a large group counseling private practice based in Fort Worth, TX, has announced the company has demonstrated compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules after completing Compliancy Group’s 6-Stage HIPAA risk analysis and remediation process. Using Compliancy Group’s proprietary HIPAA compliance tracking solution, The Guard, and assisted by its compliance coaches, CCFAM has demonstrated its policies and procedures are in line with HIPAA and the company has implemented an effective HIPAA compliance program. CCFAM was founded in 2007 with just one counselor and office staff member and has now grown into a large practice offering more than 1,000 sessions a month. Privacy and confidentiality are critical to CCFAM and the children, teenagers, and adults the company serves. CCFAM already complies with Texas licensure board rules and every effort was made to comply with HIPAA, but CCFAM owner, Dr. Rhonda Johnson, recognized the fact that staff HIPAA training had not changed much in the past 5...

Read More
HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs
Feb05

HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs

The Department of Health and Human Services has issued a final rule modifying the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard that requires pharmacies to track partially filled prescriptions for Schedule II drugs. The modification is part of HHS efforts to curb opioid abuse in the United States and will provide a greater quantum of data that may help prevent impermissible refills of Schedule II drugs. The final rule takes effect on March 24, 2020. The compliance date is September 21, 2020. By September 21, 2020, pharmacies will be required to use the Quantity Prescribed (460-ET) field for retail pharmacy transactions for all Schedule II drugs. Pharmacies must distinguish in retail pharmacy transactions whether the full prescribed amount of a Schedule II drug has been dispensed in a refill, or if the prescription has only been partially filled. Background The NCPDP Telecommunication Standard was adopted by the Secretary of the HHS in January 2009 for pharmacy transactions (health care claims or equivalent encounter information,...

Read More
HHS Reminds Covered Entities of HIPAA Data Sharing Provisions in Light of Novel Coronavirus Outbreak
Feb04

HHS Reminds Covered Entities of HIPAA Data Sharing Provisions in Light of Novel Coronavirus Outbreak

The Department of Health and Human Services has issued a bulletin reminding HIPAA covered entities about the ways that patient information can be shared during outbreaks of infectious disease and other emergency situations, in light of the recent Novel Coronavirus (2019-nCoV) outbreak. In the bulletin, the HHS confirms that in such situations, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Under the HIPAA Privacy Rule, covered entities are permitted to disclose patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for treatment. In situations when patients have contracted an infectious disease such as 2019-nCoV, there is a legitimate need for information to be shared with public health authorities and others responsible for ensuring public health and safety. Those entities may need to be provided with PHI...

Read More
Do You Have a HIPAA Email Retention Policy?
Feb02

Do You Have a HIPAA Email Retention Policy?

The Health Insurance Portability and Accountability Act (HIPAA) does not specifically mention email archiving and email backups, but it is still strongly advisable to develop and implement a HIPAA email retention policy. HIPAA requires all PHI to be backed up to ensure data is always available, even when disaster strikes. The Administrative Safeguards (§ 164.308(a)(7)) require covered entities to establish and implement policies and procedures to ensure ePHI is always available when it is needed. Under the required, data backup plan provision, it is necessary to “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” Guidance issued by the HHS states the data backup plan should include “all important sources of data such as patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used.” Since many covered entities store protected health information in...

Read More
HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records
Jan29

HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records

The Department of Health and Human Services’ Office for Civil Rights has announced that certain legislative changes made in the HIPAA Omnibus Final Rule of 2013 – Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules – have been reversed. The reversal applies to a portion of the rule that expanded the third-party directive within the individual right of access (45 C.F.R. §164.524) “beyond requests for a copy of an electronic health record with respect to Member Login Username: Password: of an individual … in an electronic format” and guidance issued in 2016 confirming fee limitations for providing a copy of an individual’s PHI – 45 C.F.R. § 164.524(c)(4) – also apply to an individual’s request to send health records to a third party for legal or commercial reasons. Those fee limitations will now only apply to an individual’s request for access to their own records, not for an...

Read More
December 2019 Healthcare Data Breach Report
Jan21

December 2019 Healthcare Data Breach Report

There were 38 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in December 2019, an increase of 8.57% from November 2019. While the number of breaches increased, there was a major reduction in the number of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019 – A drop of 35.30%. In December the mean breach size was 10,347 records and the median breach size was 3,650 records. It has been a particularly bad year for healthcare data breaches. 2019 was the second worst ever year for healthcare data breaches in terms of the number of patients impacted by breaches. 41,232,527 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That’s 195.61% more than 2018. More healthcare records were breached in 2019 than in the previous three years combined. The number of reported data breaches also increased 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That makes 2019 the worst every year in terms of the number...

Read More
California Bill Proposes Further Health Data Exemptions for CCPA
Jan20

California Bill Proposes Further Health Data Exemptions for CCPA

On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. CCPA enhanced privacy protections for state residents and gave Californians new rights over their personal data. Healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were exempted from CCPA but there is still potential for CCPA to cause compliance headaches for healthcare organizations. A new bill – AB 713 – has now been introduced which aims to simplify compliance by adding further categories of data to the CCPA exemptions, specifically health data that has been de-identified in accordance with HIPAA Rules, personal information used for public health and safety purposes, medical research data, and health information collected, maintained, or used by business associates of HIPAA-covered entities. The bill was unanimously approved by the State Senate Health Committee this month. The change to the exemption for deidentified health data is required as the definitions of deidentified data differ...

Read More
Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors
Jan15

Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors

Many group health plan sponsors are not fully compliant with the Health Insurance Portability and Accountability Act Rules, according to a recent survey by the integrated HR and benefits consulting, technology, and administration services firm, Buck. The survey uncovered several areas where group health plan sponsors are noncompliant and revealed many group health plan sponsors are not prepared for a compliance investigation or HIPAA audit. The 2019 HIPAA Readiness Survey was conducted between April 29, 2019 and May 17, 2019 on 31 group health plan sponsors. The survey uncovered several areas where important provisions of HIPAA Rules are not fully understood or are not being followed such as risk analyses, business associate agreements, HIPAA training for staff, and breach notifications. Risk analyses are not being conducted as frequently as they should, so threats to the confidentiality, integrity and availability of ePHI may not be identified and managed. 42% of respondents were unsure when a HIPAA-compliant risk assessment was last conducted or that said it was last conducted...

Read More
Georgia Man Charged Over False Allegations of HIPAA Violations
Jan13

Georgia Man Charged Over False Allegations of HIPAA Violations

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred. Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the person worked, and complaints also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period. The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time....

Read More
Is It Possible to Have HIPAA Compliant Gmail?
Jan10

Is It Possible to Have HIPAA Compliant Gmail?

With around 1.5 million users, Gmail is the most popular email service but can Gmail be used by healthcare organizations to send protected health information? Is it possible to make Gmail HIPAA compliant? Is Gmail HIPAA Compliant? In order for Gmail to be HIPAA compliant, Google would have to ensure that the email platform is secure and meets the minimum standards for security laid down in the HIPAA Security Rule. A covered entity would also need to enter into a business associate agreement with Google covering Gmail, as Google would be classed as a business associate under HIPAA. While encryption for email is not mandatory under HIPAA, it is a requirement if emails containing protected health information are to be sent externally beyond the protection of a firewall. If emails are sent externally, they would need to be secured with end-to-end encryption. Google has implemented excellent security and its email service meets the requirements of the HIPAA Security Rule. Google is willing to enter into business associate agreements with HIPAA-covered entities that cover its email...

Read More
Does HIPAA Apply to Schools?
Jan09

Does HIPAA Apply to Schools?

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities but how does HIPAA apply to schools? In this post we explore when HIPAA applies to schools and how the Health Insurance Portability and Accountability Act intersects with the Family Educational Rights and Privacy Act (FERPA). Does HIPAA Apply to Schools? Generally, HIPAA does not apply to schools because they are not HIPAA covered entities, but in some situations a school can be a covered entity if healthcare services are provided to students. In such cases, HIPAA may still not apply because any student health information collected would be included in the students’ education records and education records are exempt from the HIPAA Privacy Rule as they are covered by FERPA. More and more schools are offering healthcare services to their students. Medical professionals are employed by some schools, some have on-site health clinics, and they often dispense medications and administer vaccines. When healthcare services are provided, health information will be...

Read More
HIPAA Enforcement in 2019
Jan02

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Right (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 saw two civil monetary penalties issued and settlements were reached with 8 entities, one fewer than 2018. In 2019, the average financial penalty was $1,227,400. Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCRs preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued. This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR...

Read More
Ambulance Company Settles HIPAA Violation Case with OCR for $65,000
Jan01

Ambulance Company Settles HIPAA Violation Case with OCR for $65,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a $65,000 settlement has been reached with West Georgia Ambulance, Inc., to resolve multiple violations of Health Insurance Portability and Accountability Act Rules. OCR launched an investigation into the Carroll County, GA ambulance company after being notified on February 11, 2013 about the loss of an unencrypted laptop computer containing the protected health information of 500 patients. According the breach report, the laptop computer fell from the rear bumper of the ambulance and was not recovered. The investigation uncovered longstanding noncompliance with several aspects of the HIPAA Rules. OCR discovered West Georgia Ambulance had not conducted a comprehensive, organization-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)), had not implemented a security awareness training program for its employees (45 C.F.R. § 164.308(a)(5)), and had failed to implement HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316.). OCR provided technical assistance to West Georgia Ambulance to...

Read More