Dedicated to providing the latest
HIPAA compliance news

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
Sep22

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands. As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in...

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit
Sep20

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018. Only a small number of...

OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data
Sep13

The Department of Health and Human Services’ Office for Civil Rights has launched a new campaign to raise awareness of patients’ right to access their health information and the benefits of doing so. The “Information is Powerful Medicine” campaign informs patients that they have the right to obtain copies of their health data and tells them to “Get it. Check it. Use it.” The benefits to patients are clear. If they obtain copies of the...

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone
Sep12

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma. OCR has stressed that the HIPAA Privacy and Security...

OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters
Sep08

Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by...

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017
Sep06

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations on the dangers of failing to follow HIPAA Rules. When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind...

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone
Aug31

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts. In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need. The Privacy Rule permits...

Want to Prevent Data Breaches? Time to Go Back to Basics
Aug15

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of...

Delaying Breach Notifications is a Violation of the Breach Notification Rule
Aug11

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities to notify the HHS’ Office for Civil Rights of a breach of unsecured protected health information and send notification letters to affected individuals without unreasonable delay and no later than 60 days after the discovery of the breach. As last year’s monthly Breach Barometer reports from Protenus have shown, many covered entities have struggled to...

Protenus Provides Insight into 2017 Healthcare Data Breach Trends
Aug03

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends. The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’...

Nuance Communications Decides Not to Report NotPetya Attack to OCR
Aug02

As the Department of Health and Human Services’ Office for Civil Rights has previously explained in its ransomware guidance, if ePHI is encrypted, ransomware attacks are usually HIPAA breaches and are reportable incidents. OCR states in its ransomware guidance that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” going on to explain that the definition of a breach...

How Often Should Healthcare Employees Receive Security Awareness Training?
Aug01

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training?

Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training

Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as...

Only One Third of Patients Use Patient Portals to View Health Data
Jul27

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, according to a recent U.S. Government Accountability Office (GAO) report, at least through patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to...

OCR Data Breach Portal Update Highlights Breaches Under Investigation
Jul25

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal. The data...

Model HIPAA-Compliant PHI Access Request Form Released by AHIMA
Jul21

The American Healthcare Information Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data. The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization. AHIMA claims that until now, a...

Is Google Drive HIPAA Compliant?
Jul21

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant?

Is Google Drive HIPAA Compliant?

The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a...

Are You Blocking Ex-Employees’ PHI Access Promptly?
Jul19

A recent study commissioned by OneLogin has revealed many organizations are not doing enough to prevent data breaches by ex-employees. Access to computer systems and applications is a requirement while employed, but many organizations are failing to block access to systems promptly when employees leave the company, even though ex-employees pose a significant data security risk. Blocking access to networks and email accounts when an...

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018
Jul18

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving...

Is Dropbox HIPAA Compliant?
Jul14

Healthcare organizations can benefit from using Dropbox, but is Dropbox HIPAA compliant? Can the service be used to store and share protected health information?

Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant? Dropbox claims it now supports HIPAA and HITECH Act compliance but that does not mean...

ONC Offers Help for Covered Entities on Medical Record Access for Patients
Jul13

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing...

OCR Draws Attention to Risks from File Sharing Tools and Cloud Computing
Jul03

File sharing and collaboration tools offer many benefits to HIPAA-covered entities, although the tools can also introduce risks to the privacy and security of electronic health information. Many companies use these tools, including healthcare organizations, yet they can easily lead to the exposure or disclosure of sensitive data. The Department of Health and Human Services’ Office for Civil Rights has recently issued a reminder to...

World’s Largest Data Breach Settlement Agreed by Anthem
Jun26

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that...

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun19

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth,...

OCR’s Wall of Shame Under Review by HHS
Jun16

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of...

OCR Issues Guidance on the Correct Response to a Cyberattack
Jun12

Last week, the Department of Health and Human Services’ Office for Civil Rights issued new guidance to covered entities on the correct response to a cyberattack. OCR issued a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of actions that should be taken.

Responding to an ePHI Breach

Preparation is key. Organizations must have response and mitigation procedures in...

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts
Jun02

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, but healthcare organizations should also take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or...

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements
Jun01

The ransomware attacks and healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules on security breaches. In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, preparing for such an incident and how to respond when perimeters are breached. HIPAA requires all covered...

HIPAA Enforcement Update Provided by OCR’s Iliana Peters
May25

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast. OCR investigates all data breaches involving the exposure or theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal...

OCR and ONC Face Major Budget Cuts
May24

On Tuesday this week, the Trump administration revealed its 2018 fiscal budget with the Department of Health and Human Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) both facing major cuts to their operational budgets. The ONC faces the largest budget cut, with its $60 million per year cut by 36% for the coming financial year. ONC would need to lose 26 members of...

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty
May24

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. In September 2014, OCR received a complaint about a potential privacy...
