OCR Rules Townsend Violated the HIPAA Privacy Rule
Jun02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently ruled that a former town administrator of Townsend, MA, violated the HIPAA Privacy Rule in June last year when he posted an “information packet” online containing the protected health information of individuals who had used the town’s ambulance service. The information was intended to be viewed by Selectmen so that a vote could be taken on whether or not to write off the unpaid bills. Rather than sharing the document securely, former town administrator Andrew Sheehan posted the information on the town website. The packet was only accessible for 18 hours before it was removed, but during that time it had been downloaded and shared on social media. The privacy breach was also reported to OCR. The information packet contained the names of patients who had not yet paid their ambulance bills along with some sensitive medical information, including medical conditions and whether patients were alive, dead, or now living in a hospice. Prior to the uploading of the files, all...

Healthcare Providers Violate HIPAA Responding to Negative Yelp Reviews
Jun01

Some healthcare providers have violated patient privacy and HIPAA Rules when responding to negative comments on Yelp and similar review sites, according to a recent ProPublica report. For the report, ProPublica was provided with access to around 1.7 million Yelp reviews of healthcare providers. The researchers used a tool to sift through the reviews and isolated approximately 3,500 one-star ratings of healthcare providers – the lowest possible rating on the review site – that mentioned “Privacy” or “HIPAA”. ProPublica researchers discovered “dozens” of instances where healthcare providers had breached HIPAA Rules when responding to comments. In some cases, the responses to the negative comments involved the disclosure of patients’ protected health information. ProPublica cited one example of a Californian chiropractor who replied to a negative comment from a patient and included details of the procedures he had performed and information about her medical condition. Another example involved a dentist who responded to a comment about an alleged unnecessary tooth...

OCR Clears Up Confusion About the Charging of Flat Fees for Copies of PHI
May24

Earlier this year the Office for Civil Rights issued guidance for healthcare providers and health plans on the general right of patients to obtain copies of their protected health information on request. The HIPAA Privacy Rule allows patients to obtain one or more designated record sets which a covered entity holds and maintains. By obtaining copies of their PHI, patients can take control of their own healthcare and wellbeing. Providing copies of PHI to patients involves a cost to the covered entity, such as the time taken to obtain and copy records and prepare summaries, the cost of paper and printing if record sets are supplied in physical form, the cost of media devices for electronic copies of PHI, and the cost of mailing records to patients if they are not collected in person. Covered entities are permitted to charge patients for providing copies of their PHI, as the OCR guidance explained; however, based on the questions submitted by covered entities there appeared to be some confusion over allowable charges, in particular regarding the charging of flat rate fees to...

Deven McGraw Offers Advice on the Upcoming HIPAA Compliance Audits
May20

Deven McGraw – deputy director of health information privacy at the Office for Civil Rights (OCR) – has offered some advice to covered entities ahead of the HIPAA compliance audits which are scheduled to take place later this year. The second round of HIPAA compliance audits will be conducted on covered entities first, followed by business associates. OCR contacted covered entities earlier this year to verify contact information. That process is almost complete and a pool of healthcare providers, health plans, and healthcare clearinghouses will soon be finalized. OCR will select approximately 200 organizations from that pool for a desk audit. Covered entities selected for audit will be notified and given 10 days to submit the requested documentation to OCR. This does not give covered entities much time, so it is important that preparations are made early. In an interview with the Information Security Media Group, McGraw suggested that covered entities should start preparing now in case they are selected for a desk audit. Last month, OCR released the updated audit protocol which...

Are You Prepared for A Business Associate Data Breach?
May09

HIPAA-covered entities may be prepared to execute their breach response procedures for a security breach that exposes patients’ Protected Health Information (PHI), but what about business associate data breaches? Have policies and procedures been developed to ensure a rapid breach response can be executed if a business associate suffers a data breach? The Department of Health and Human Services’ Office for Civil Rights has recently warned HIPAA-covered entities that they must take steps to ensure they can deal with a business associate data breach should one occur.

OCR: HIPAA-Covered Entities Find Business Associate Data Breach Management Difficult

The recent OCR cyber-awareness bulletin confirmed the need for action to be taken by HIPAA-covered entities to prepare for data breaches experienced by their vendors. The bulletin indicates a large percentage of covered entities are concerned that business associate data breaches may not be reported to them. OCR also suggests that when a business associate data breach does occur, covered entities are often unsure whether their vendors’...

Joint Commission Ends Ban on Clinician Text Messaging
Apr29

For the past five years the Joint Commission has banned the use of text messaging by licensed independent practitioners (and other practitioners) due to security risks. That ban has now been lifted with immediate effect, although there are conditions. Text messaging is permissible, but only if a secure text messaging platform is used. Furthermore, that secure text messaging platform must meet the following criteria:

- The text messaging platform must incorporate a secure sign-on process
- All text messages must be protected by end-to-end encryption
- The platform must incorporate read and delivery receipts
- Messages must include a date and time stamp
- The platform must incorporate a contact list of individuals authorized to receive and record orders, and
- The platform must allow customized message retention time frames to be set

Standard text messaging is still prohibited as encryption is not used, there are no authentication controls to ensure that only the intended recipient can view the messages, and original messages cannot be retained in order to validate information entered into...

New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients
Apr22

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from the patients. In 2011, an ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed, including a dying man and another patient who was seriously distressed. The footage was aired in 2012. Authorization to film had been given by NYP, although not all patients gave their consent to be filmed. One of the patients was Mark Chanko. He had been rushed to hospital after being hit by a sanitation truck. He was filmed receiving treatment from chief surgery resident Sebastian Schubl. Despite the best efforts of Schubl, Chanko died from the injuries sustained in the accident. Chanko had not given NYP permission to film him. To hide his identity ABC used blurring and voice alteration software. This did not prevent the crew from viewing Chanko’s PHI and it was not sufficient to hide his identity from...

Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA
Apr20

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. OCR launched an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to provide a potential business associate (BA) with X-ray films in order to have the images transferred to a digital format. The company was allowed to recycle the original films to recover the silver after the images had been transferred to an electronic format. However, the agreement was reached over the telephone and no BAA was obtained. Prior to providing the company with the X-rays, Raleigh Orthopaedic should have issued a BAA and obtained a signed copy. The BAA should have detailed the responsibilities the company had to ensure...

Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation
Apr15

A lawsuit has been filed in Federal Court in San Jose, California by cancer patients who allege they have had their privacy violated after visiting the websites of cancer institutes. The plaintiffs claim that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing purposes. After visiting the websites, the plaintiffs claim they have been served advertisements relating to very specific types of cancer. It is alleged that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific webpages that were visited. Lead plaintiff in the case, Winston Smith, claims to have visited cancer.org, a website of the American Cancer Society. Smith conducted searches on the site for information on lung cancer and claims those searches, and information about the webpages he visited, were provided to Facebook, which used the information to serve him targeted adverts. Smith claims that Facebook’s privacy policy does not specifically mention that highly sensitive medical...

Healthcare Organizations Prioritizing Compliance Over Data Breach Prevention
Apr15

A recent survey conducted by 451 Research on behalf of security firm Vormetric indicates 96% of IT managers expect their organizations to be attacked by cybercriminals. The survey was conducted on 1,100 IT managers, including over 100 working in healthcare organizations. One in five organizations has experienced a data breach in the past 12 months, while 63% of respondents said they have experienced a data breach in the past. Even though the threat of a data breach is considerable, a majority of healthcare IT managers say their organizations are prioritizing compliance over data breach prevention. 61% of healthcare IT managers said compliance was their main priority, compared to just 40% that said it was data breach prevention. Other priorities were preventing reputation and brand damage and implementing security best practices, rated as the main priorities by 49% and 46% of respondents respectively.

More than Two Thirds of Respondents Said Achieving Compliance Was an Effective Way of Protecting Data

69% of healthcare IT managers said achieving compliance with EPCS, FDA CFR...

Compliance Assistance Provided to Mobile Health App Developers by FTC
Apr07

A new interactive tool has been released by the Federal Trade Commission (FTC) to help mobile health app developers determine whether their apps need to comply with federal regulations. The new web-based tool was developed with assistance from the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA). By answering a series of 10 questions, mobile app developers can determine whether their health care products are covered under the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), or the Federal Trade Commission Act (FTC Act), or need to comply with the FTC’s Health Breach Notification Rule. In many cases, app developers will be required to comply with more than one set of federal laws. According to Jessica Rich, FTC Bureau of Consumer Protection director, “Mobile app developers need clear information about the laws that apply to their health-related products.” The tool aims to...

OCR Publishes New HIPAA Audit Protocol
Apr05

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits. The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments. The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization. If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of...

Breach Notification Laws in Tennessee Updated
Apr04

Data breach notification laws in Tennessee have been updated to better protect state residents. The new law requires organizations to issue notifications to state residents more quickly, while the range of information covered has been broadened. When the new laws come into effect, organizations doing business in the state of Tennessee will be required to notify state residents of a breach of personal information within 45 days of the discovery of data exposure. Originally the bill required entities to issue notifications within 14 days of discovery, although this was later amended to 45 days. Previously, data breach notification laws in Tennessee required all businesses to issue breach notifications in a reasonable time frame after a breach was discovered. Tennessee is the eighth state to introduce a time frame for sending breach notification letters. Tennessee is not the only state to introduce laws that reduce the timescale for notifying breach victims, but in contrast to many states, information holders are...

Phase 2 HIPAA Compliance Audits Commence
Mar21

The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA compliance audits have officially started. According to the recent OCR announcement, “Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.” The announcement goes on to explain that the process of auditing covered entities allows OCR to “proactively uncover and address risks and vulnerabilities to protected health information.”

Start Date for the Second Phase of HIPAA Compliance Audits

While the audit process has now officially started, covered entities still have some time to get their policies and procedures in order. It will still be some time before the document checks for the 2016 compliance audits actually begin. The OCR announcement does not give a start date for the 2016 HIPAA compliance audits, but indicates that the first stage of desk audits will be completed by December 2016. The date when the first desk audits will actually be conducted was not detailed in the...

Non-Compliant Hospital Pager Use Persists
Mar18

Communicating protected health information (PHI) over unsecured networks is not permitted under Health Insurance Portability and Accountability Act (HIPAA) Rules, which means pagers cannot be used to send PHI unless messages are encrypted. Encryption alone is not sufficient to ensure compliance with HIPAA. Not only must messages be encrypted to prevent interception, there must also be a means of verifying the identity of the user. User authentication is essential, as there is otherwise no guarantee that a message containing PHI will be received by the intended recipient. If a pager is lost, stolen, or left unattended, PHI could potentially be accessed by an unauthorized individual. It is also necessary to implement controls to automatically log off users and allow messages to be remotely erased in the event that a pager is lost or stolen. Due to the cost implications of applying these safeguards, and the difficulty in doing so, many hospitals implement policies that prohibit the transmission of PHI over the pager network. If PHI needs to be communicated, a pager message is sent and the...

OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Research
Mar17

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second largest settlement amount agreed with OCR, behind the $4.8 million settlement with New York-Presbyterian Hospital and Columbia University in 2014. However, this is the largest amount paid by a single covered entity, beating last year’s $3.5 million settlement with Triple S Management Corporation. The news comes a day after OCR announced another large settlement – the $1.55 million paid by North Memorial Health Care. Feinstein Institute for Medical Research is a not-for-profit biomedical research institute based in New York. Feinstein is sponsored by Northwell Health, Inc., the new name for North Shore Long Island Jewish Health System, a large 21-hospital and 450-practice health system based in Manhasset, NY. The settlement stems from an investigation into a breach of 13,000 research participants’ data in 2012. As was the case with North Memorial Health Care, the breach...

$1.55 Million HIPAA Settlement for Lack of BAA and Risk Analysis Failures
Mar17

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Following a PHI breach reported on September 27, 2011, OCR conducted an investigation and discovered HIPAA violations that contributed to the cause of a breach of 9,497 patient health records. The investigation revealed that North Memorial had overlooked “two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels. The data breach involved the theft of a laptop computer from a business associate of North Memorial. The laptop was stolen from the employee’s vehicle, and while the device was password-protected, the ePHI stored on the device had not been encrypted. The business associate, Accretive Health, Inc., had been contracted to perform a number of payment and healthcare operations on behalf of North Memorial. Those operations required Accretive Health to be...

OCR Clarifies How HIPAA Rules Apply to Workplace Wellness Programs
Mar16

Office for Civil Rights Director Jocelyn Samuels has written a blog post to clear up confusion about how HIPAA Rules apply to workplace wellness programs provided through employer-sponsored group health plans. Workplace wellness programs have become increasingly popular in recent months and more employers are now offering workplace wellness programs to employees to improve their health. Providing workplace wellness programs to employees requires employers to gather health data through health risk assessments and various other means, and those data must be protected under Health Insurance Portability and Accountability Act Rules. HIPAA also places severe restrictions on how health data can be used. HIPAA does not apply to all workplace wellness programs, only those that are offered through an employer-sponsored group health plan. Samuels explained in the post that employers are not permitted to disclose any health data for employment-related actions, nor are data allowed to be used for marketing purposes or any other reason not permitted by HIPAA Rules. The HIPAA Security Rule...

Deven McGraw Gives Update on OCR HIPAA Compliance Audits
Mar03

Office for Civil Rights deputy director of health information privacy, Deven McGraw, has provided an update on OCR’s planned HIPAA compliance audits, saying the revised protocol for the long-awaited second round of compliance audits will be published next month. Late last year, OCR Director Jocelyn Samuels announced that the next round of audits would be taking place in early 2016. With the announcement of the planned publishing of the audit protocol in April, the next round of audits could start in Q2, although this seems unlikely. Once the audit protocol has been published there will be a period allowed for public comments. Those comments will need to be assessed, and may require changes to be made to the audit protocol. According to McGraw, the new protocol will be based on that used for the 2011/2012 round of audits, with amendments made to account for the changes to HIPAA following the introduction of the Omnibus Rule in 2013. Previously, OCR indicated the next round of compliance audits would be conducted in modules. A module would be developed to assess Privacy Rule...

OCR Clarifies Patients’ Access Rights to PHI and Allowable Charges
Mar02

The Health Insurance Portability and Accountability Act’s Privacy Rule gives healthcare patients the right to obtain a copy of their personal health information from their healthcare providers (45 CFR § 164.524). While HIPAA-covered entities should be aware of this aspect of the Privacy Rule, many patients have experienced difficulty obtaining a copy of their records. In some cases, patients have obtained a copy of their records but felt that they have not been provided with all information contained in their records. Some feel they have been unfairly charged for exercising their access rights. To address these and other issues, the Department of Health and Human Services’ Office for Civil Rights produced a fact sheet in January to clarify the responsibilities of HIPAA-covered entities to comply with this aspect of the Privacy Rule. The new guidance explained the general right of patients to obtain a copy of their health records, to inspect their records, or to have a copy of those records sent to a nominated individual of their choosing. Provided that the healthcare provider...

HIPAA Compliance for Small Medical Practices Remains a Problem
Mar01

While large healthcare systems have mostly got to grips with HIPAA Rules and implemented controls to safeguard ePHI from external and internal threats, HIPAA compliance for small medical practices remains a problem according to a recent survey conducted by NueMD. NueMD surveyed 900 healthcare professionals last month to gain an insight into how small medical practices are faring with their compliance efforts ahead of the next round of OCR compliance audits due later this year. 588 respondents worked in practices employing 1-3 physicians, and 131 were from practices employing 4-10 providers. 80 larger practices that employ over 10 healthcare providers also took part in the survey. 86% of respondents were from medical practices and 6% worked in billing companies. The survey produced some surprising and worrying results:

- 60% of respondents were unaware of the upcoming HIPAA compliance audits
- Only 69% of respondents were aware of the 2013 Omnibus Rule
- 30% did not have a HIPAA compliance plan in place
- Only 58% conducted annual staff training on HIPAA Rules
- Only 68% were aware they needed...

Permitted Uses and Disclosures of PHI Clarified by OCR
Feb27

The Office for Civil Rights welcomes feedback from HIPAA-covered entities about aspects of HIPAA that are unclear or need further clarification. Some of the questions asked via the OCR website indicate some covered entities are struggling to understand the Health Insurance Portability and Accountability Act Rules covering the sharing of Protected Health Information (PHI). HIPAA permits the disclosure of PHI for healthcare operations and the provision of treatment. Health information can be used to help patients receive medical care, as well as for the evaluation of care provided to patients. It is necessary to use PHI to co-ordinate care between different healthcare providers, and PHI is needed for billing purposes. Patients must also be allowed access to their health information so they can take a more active role in their own healthcare. HIPAA allows patient health information to be shared for all of these reasons provided PHI is secured at all times. However, a number of restrictions do apply. Even though the HIPAA Privacy and Security Rules have been in effect for many years, and...

OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule
Feb26

The risk of cyberattack faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure. However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist and cybercriminals have taken advantage. Targeted attacks on covered entities have led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry. More than one in three Americans had their confidential medical data exposed or stolen in 2015. Over 113 million healthcare records were obtained by unauthorized individuals. Over the past 3 years, more than 40% of data breaches have affected the healthcare industry. USA Today reports that 91% of healthcare organizations have experienced a breach of electronic protected health information.

Addressing Security Gaps and Improving Cybersecurity Posture

In 2014, the Framework for Improving...

OIG Publishes 2013 Security Report on South Carolina’s Medicaid Agency
Feb22

The U.S. Department of Health and Human Services’ Office of Inspector General has published a report of an investigation into South Carolina’s Medicaid agency. The investigation was conducted in 2013 following the 2012 hacking of the Revenue Department and a data breach at the state’s Department of Health and Human Services the same year. 74 gigabytes of data were stolen from the Revenue Department, which included the tax returns of 3.8 million adults and the Social Security numbers of 1.9 million dependents. 3.3 million businesses’ bank account numbers were also stolen. An employee of the Department of Health and Human Services was discovered to have inappropriately accessed the records of 228,000 Medicaid recipients and emailed the data to a personal email account. The employee was arrested and was sentenced to three years of probation and community service, although the hackers responsible for the cyberattack on the Revenue Department were never caught. The purpose of the investigation was to determine whether the state had properly safeguarded data stored in the Medicaid...

Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement
Feb18

OCR has announced it has arrived at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012. Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012 and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013. OCR found that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been obtained in writing from the patients before names and full-face photographs were uploaded to the website. OCR determined this to be a clear violation of the Privacy Rule, with CPT found to have violated HIPAA by failing to reasonably...

OCR Issues Further Guidance on Health App Use
Feb12

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance to help mobile health application developers get to grips with HIPAA and determine whether they fall under the classification of a HIPAA Business Associate. Last fall, OCR launched a new developer portal to improve understanding of how the Health Insurance Portability and Accountability Act applies to mobile health app developers. The aim was to improve understanding of HIPAA rules among mHealth app developers. The portal was also used by OCR to anonymously gather information that it could use to direct its focus for future guidance and determine which aspects of HIPAA were proving problematic or confusing for app developers. The new guidance was deemed necessary after OCR assessed the comments and questions that had been submitted via the app developer portal. It is hoped that the new guidance, which has also been posted on OCR’s mHealth Developer Portal, will help app developers avoid falling afoul of HIPAA rules and will help answer some of the questions that are frequently asked. There...

OCR to Receive $4 Million Budget Increase to Support Audit Program
Feb10

OCR to Receive $4 Million Budget Increase to Support Audit Program

The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million.

HIPAA Compliance Audit Program to Receive a Funding Boost

The second phase of compliance audits is penciled in to start “in early 2016,” although the start date has yet to be announced. OCR was mandated to conduct HIPAA compliance audits by the Health Information Technology for Economic and Clinical Health Act (HITECH), and while the pilot phase of audits took place in 2011/2012, the second phase has suffered delay after delay. Those delays have been attributed to a lack of funding. The additional $4 million is therefore much needed, especially after the budget freeze in 2016. The purpose of the audits is in part to ensure that covered entities (healthcare providers, healthcare clearinghouses, health insurers, and business associates of covered entities) are complying with HIPAA regulations. The audits will also give OCR insight into the...

Read More
OIG Publishes Findings of Utah Department of Health Security Audit
Feb08

OIG Publishes Findings of Utah Department of Health Security Audit

The Department of Health and Human Services’ Office of Inspector General has published the findings of a security audit of the Utah Department of Health. OIG discovered 39 “high-impact” security vulnerabilities and “a pattern of inadequate security management.” The Utah Department of Health suffered two data breaches between 2012 and 2013. The first occurred in March 2012 and resulted in the protected health information (PHI) of 780,000 Medicaid recipients and Children’s Health Insurance Plan recipients being obtained by hackers. The data was stored on a server maintained by the Utah Department of Technology Services (DTS), which was accessed by Eastern European hackers. The second data breach occurred in January 2013 and was the result of the loss of an unencrypted USB drive by an employee of a business associate of the Dept. of Health. The USB drive contained the PHI of 6,000 individuals. The security breaches prompted OIG to conduct a review of information systems general controls at the Utah DOH, which took place in March 2013. The initial review was...

Read More
Deadline for Reporting 2015 Data Breaches
Feb04

Deadline for Reporting 2015 Data Breaches

The deadline for reporting 2015 data breaches is fast approaching. Covered entities must submit all 2015 data breach reports to OCR before the end of the month. The final date for submitting reports of security incidents that affected fewer than 500 individuals is February 29, 2016.

Deadline for Reporting 2015 Data Breaches – Monday, February 29, 2016

The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows covered entities up to 60 days after the discovery of a large-scale data breach to report the incident to the Department of Health and Human Services’ Office for Civil Rights. A large data breach is defined as one which affects more than 500 individuals. HIPAA also requires all covered organizations to report smaller data breaches, although they are considered lower priority. Small data breaches can be reported at any time during the calendar year in which they are discovered, although the maximum time limit for submission is 60 days from the end of the calendar year in which they were first identified. Since 2016 is a leap year, the deadline...

Read More
Lincare Inc to Pay $239,800 CMP for HIPAA Violation
Feb03

Lincare Inc to Pay $239,800 CMP for HIPAA Violation

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge; the motion for summary judgment was granted and the decision to issue civil monetary penalties was sustained.

HIPAA Privacy Rule Violation Uncovered by OCR

Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities and via medical services delivered in-home. A complaint was filed with OCR about a Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...

Read More
Survey Indicates Law Firms are not Complying with HIPAA Rules
Feb02

Survey Indicates Law Firms are not Complying with HIPAA Rules

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or its software or systems are capable of touching PHI/PII, that entity is also required to comply with HIPAA Rules.

Are Attorneys Classed as Business Associates of HIPAA-Covered Entities?

According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules. If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by...

Read More
Secure Healthcare Messaging Vendors Assessed by KLAS
Jan29

Secure Healthcare Messaging Vendors Assessed by KLAS

Which is the top vendor for HIPAA-compliant secure messaging? It depends. Established players and up-and-coming companies have recently been assessed by KLAS. The independent research company has rated the current options available to healthcare providers looking to improve communication between care teams without falling afoul of HIPAA Regulations. The cost of healthcare provisioning is rising, placing increasing pressure on healthcare providers to reduce operational costs, improve efficiency, and increase the productivity of healthcare employees. Currently, many physicians, nurses, and other healthcare professionals are forced to use slow and inefficient communication systems, resulting in many hours of wasted time each week per employee. The use of SMS text messages would solve many of these problems. The communication channel is fast, convenient, and practical, but SMS messages are insecure. This poses a problem for healthcare providers and other HIPAA-liable entities. HIPAA Rules prohibit the transmission of Protected Health Information (PHI) via SMS as the messages can all too...

Read More
TigerText Launches Healthcare Pager and Fax Replacement
Jan15

TigerText Launches Healthcare Pager and Fax Replacement

TigerText has announced the release of two new communication solutions for healthcare providers. The two new products have clear potential, and could convince many healthcare providers to start phasing out pagers and faxes. The new products, named TigerPage & TigerFax, are aimed at healthcare providers that would like to transition to a more secure, HIPAA-compliant method of communication but are reluctant to give up the communication tools they have relied on for decades. Rather than totally replacing pagers and faxes, the new solutions allow them to continue to be used. In fact, the speed and efficiency with which pages and faxes can be received and responded to are greatly improved. Rather than carrying a pager and a smartphone, healthcare workers can have pages and faxes sent directly to their smartphone.

Healthcare Providers Reluctant to Relinquish the Pager

Pagers and faxes have been an essential communication tool for the healthcare industry for decades, yet despite reliable, HIPAA-compliant communication systems being available for some time, healthcare providers are...

Read More
Upgrade Internet Explorer to Remain HIPAA Compliant
Jan11

Upgrade Internet Explorer to Remain HIPAA Compliant

On Wednesday, January 12, 2016, Microsoft will stop support and security updates for Internet Explorer 8, 9 and 10. All users of Internet Explorer must therefore upgrade to Internet Explorer 11, or make the switch to Microsoft Edge, in order to continue receiving support, security updates, and patches. 18 months ago, Microsoft announced that its browser updates for IE8, IE9, and IE10 would be stopping. Any user who has not yet upgraded now has just two days left before their browser officially becomes obsolete. Whenever software is discontinued and support and security patches are stopped, that software becomes a security risk. Vulnerabilities are discovered that are not patched, and hackers are likely to be able to take advantage. Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave individuals “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.” Figures from Netmarketshare.com and Duo Security put the number of Internet Explorer users with IE10 and below installed at between...

Read More
A Year of HIPAA Enforcement: OCR HIPAA Penalties Issued in 2015
Jan10

A Year of HIPAA Enforcement: OCR HIPAA Penalties Issued in 2015

In its capacity as enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Rules, the Department of Health and Human Services’ Office for Civil Rights (OCR) can issue fines to HIPAA-covered entities that fail to implement sufficient safeguards to keep the Protected Health Information (PHI) of patients and health plan members secure. OCR has been criticized in recent years for an apparent lack of enforcement, specifically for failing to issue financial penalties for clear violations of the HIPAA Privacy, Security, and Breach Notification Rules by HIPAA-covered entities. Covered entities are required to self-report data breaches to OCR under the Breach Notification Rule of 2009, and all data breaches that expose the PHI of more than 500 patients are investigated. Sometimes, those data breaches occur even when covered entities have implemented all of the administrative, technical, and physical controls that are required by the HIPAA Security Rule. However, in many cases, data breaches are suffered as a result of HIPAA failures. In such cases, action is taken by OCR...

Read More
OCR Issues New Guidance on Patient Data Access
Jan10

OCR Issues New Guidance on Patient Data Access

Healthcare providers should be aware that patients are permitted access to their medical records under HIPAA rules; however, not all patients are aware of their legal rights. Not only are patient data access rights under HIPAA not well understood, many patients who have attempted to access their medical records have faced problems. There is also a misconception that HIPAA – specifically the HIPAA Privacy Rule – prevents healthcare providers from disclosing medical records. While that is true when it comes to disclosing the Protected Health Information (PHI) of patients to individuals who are not authorized to view that information, HIPAA does allow patients to access their own records. In fact, any healthcare provider who fails to allow patients to access their medical records could be fined.

OCR Issues Guidance on Patient Data Access Rights Under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has started the year with the launch of a brand new website interface, and has now followed up on previous promises by issuing new guidance on HIPAA. This is the...

Read More
NSF Grant Funds Development of Mobile Cloud Dietary Assessment Tool
Jan08

NSF Grant Funds Development of Mobile Cloud Dietary Assessment Tool

Many mHealth apps lack sufficient controls to keep patient data secure. In late 2014, a Trustworthy Health and Wellness (THaW) project funded by the National Science Foundation (NSF) determined that 63% of popular mHealth apps were not encrypting data (out of a test sample of 22), potentially placing data at risk of theft. Furthermore, 81% of mHealth apps were using third-party storage or hosting services. The benefits of mHealth apps for patients and healthcare providers are considerable. Unfortunately, healthcare providers wishing to use mHealth apps are prevented from doing so by HIPAA. Unless developers of mHealth apps encrypt stored and transmitted data to a nationally accepted standard, or implement other controls to keep data secure, use of the apps by the healthcare industry will be limited.

Secure Mobile Cloud Dietary Assessment Tool Under Development

University of Massachusetts Medical School and UMass Lowell have recently embarked on a new National Science Foundation grant-funded project to test a new mHealth infrastructure that will allow patient data to be collected...

Read More
Henry Schein Gets 20-Year Consent Order and $250K FTC Fine for False Advertising of Data Encryption
Jan08

Henry Schein Gets 20-Year Consent Order and $250K FTC Fine for False Advertising of Data Encryption

The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR 164.304. Covered entities must ensure that the strength of the encryption software is appropriate. Not all encryption software protects data to the same degree. In fact, some methods of encryption are better referred to as data camouflage rather than data encryption. The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that conforms to a nationally recognized standard such as the Advanced Encryption Standard (AES), recommended by the National Institute of Standards and Technology (NIST). Henry Schein Practice Solutions, Inc., a vendor of software solutions for dental practices, chose a different encryption standard for its Dentrix G5 software solution. The software allows dentists to enter and store patient data, process claims and payments, and send appointment reminders. Dentists are covered under HIPAA and must...

Read More
OCR Website Receives Long Awaited Upgrade
Jan07

OCR Website Receives Long Awaited Upgrade

The Department of Health and Human Services’ Office for Civil Rights website has been redesigned and upgraded, and features a responsive design and a more user-friendly interface. The redesign was part of the Reimagined HHS.gov initiative. The aim was to create a website that is faster, easier to use, and makes content sharing and syndication much more straightforward. The HHS site-wide overhaul has taken well over a year so far, with OCR the first HHS department to receive its site upgrade. The upgrade and redesign were conducted in phases, with phase 1 of the project completed in May 2015. OCR’s overhaul was finished on schedule and was made live this week in time for the January 6 launch. The new crisp, clean, and simple design presents information clearly, while a fast and powerful search function has been incorporated to ensure visitors can quickly and easily gain access to the information they need. Typing in a search term will offer numerous suggestions based on the most common searches of the site, ensuring the most relevant information can be quickly retrieved. In...

Read More
HIPAA Privacy Rule Updated to Permit NICS Reports
Jan05

HIPAA Privacy Rule Updated to Permit NICS Reports

The Department of Health and Human Services has issued a final rule permitting certain covered entities to disclose specific elements of Protected Health Information (PHI) to the National Instant Criminal Background Check System (NICS), changing the HIPAA Privacy Rule. At the time of writing, HIPAA prevents healthcare providers from disclosing PHI, except in a very limited number of circumstances, without first having obtained permission from a patient. The rule change, which will become effective 30 days after publication in the Federal Register, will allow certain information about individuals to be divulged and entered into NICS by some HIPAA-covered entities. NICS is maintained by the FBI and is used by Federal Firearms Licensees (FFLs) to determine whether an individual is permitted to purchase a firearm. When an FFL starts a NICS background check on an individual, the system will search three separate databases: the Interstate Identification Index (III), the National Crime Information Center (NCIC), and the NICS Index. NCIC and III contain information on individuals who have...

Read More
Online Medical Record Access Not Possible for the Majority of Patients
Dec31

Online Medical Record Access Not Possible for the Majority of Patients

A recent survey commissioned by personal clinical engagement platform vendor HealthMine indicates patients are still finding it difficult to gain online access to their healthcare data, even though the majority of healthcare providers store healthcare data in digital form. 2013 data suggest that 78% of healthcare providers use EHRs and could therefore conceivably provide online access to patient medical data. The recent survey was conducted on 502 consumers who intended to enroll in a 2016 health plan. The survey took place between October and November 2015. The results of that survey show that over half of consumers (53%) do not yet have online access to their medical records, and almost a third (32%) of Americans have difficulty accessing their medical records. 31% of respondents indicated they have trouble accessing biometric information, and 29% said they struggled to gain access to lab records and insurance information. A quarter of respondents had trouble accessing their prescription history. 74% of Americans believe that having access to all of their clinical notes and medical...

Read More
Improper Dumping of Patient Medical Records Continues
Dec30

Improper Dumping of Patient Medical Records Continues

This month, Allina Health System and Springfield Community Hospital discovered that medical records had been disposed of without first rendering them indecipherable as required by HIPAA. A third healthcare provider has also just been alerted that some of its confidential patient data have allegedly been illegally dumped.

New Alleged Case of PHI Dumping Reported

The latest case of improper dumping of PHI came to light when a local man reported discovering paperwork from the Cottonwood Comfort Dental clinic on the West Mesa, close to Albuquerque. The man had been on the West Mesa collecting shell casings when he discovered hundreds of paper medical records, according to a KRQE News 13 report. The paperwork allegedly contained patient names, Social Security numbers, insurance information and patient addresses. The man who discovered the records allegedly took them to a recycling center, although reporters from KRQE claim to have seen some of the data and taken it to the Cottonwood clinic. An investigation into the alleged privacy breach has been launched by Cottonwood Comfort...

Read More
Repeat HIPAA Violators Revealed: Database of Offenders Created
Dec30

Repeat HIPAA Violators Revealed: Database of Offenders Created

ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed. Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame,” currently lists 1,425 data breaches dating from October 21, 2009. Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity. Not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal that just one breach has been suffered, when in actual fact a great deal more have occurred. A good example is CVS Health: a search for that name would produce one result, a 12,914-record breach suffered this year. A search for CVS Caremark would...

Read More
Allina Health System Alerts 6,000 About Improper PHI Disposal
Dec24

Allina Health System Alerts 6,000 About Improper PHI Disposal

The Minneapolis Isles clinic run by Allina Health System has notified approximately 6,000 patients of a breach of their Protected Health Information (PHI). The clinic, located at 2800 Hennepin Avenue, discovered that instances of improper PHI disposal had occurred after documents containing sensitive information were found in regular trash. HIPAA rules require all documents containing PHI to be rendered unreadable, indecipherable, and incapable of being reconstructed prior to disposal. The HIPAA breach is not understood to have resulted in any patient health information being viewed by unauthorized individuals, although the clinic is unable to guarantee that to be the case. According to a statement released by Allina spokesman David Kanihan, the incident is considered only to be a “technical breach of unsecured protected health information.” Because a risk does exist, out of an abundance of caution Allina Health System will be offering all affected patients a year of credit monitoring services without charge. The data potentially exposed include names of patients, their mailing...

Read More
Study Shows Value of Phishing Simulation Exercises
Dec23

Study Shows Value of Phishing Simulation Exercises

A recent report indicates the probability of members of staff responding to a phishing campaign can be effectively reduced to zero if phishing simulation exercises are completed regularly.

The Growing Threat of Healthcare Phishing Attacks

The Office for Civil Rights recently issued its first financial penalty to an organization that suffered a data breach after its employees responded to a phishing campaign. The case resulted in University of Washington Medicine agreeing to a $750,000 fine to settle potential HIPAA violations. UWM had already had to cover significant data breach resolution costs after suffering a 90,000-record breach. The fine and data breach costs could potentially have been avoided if staff members had been trained to identify phishing emails. The healthcare industry is now being targeted by cybercriminals, and phishing is the most commonly used method of gaining access to patient data. Even when multi-million-dollar security defenses are employed to keep networks secure, a single response to a phishing email can be all it takes to compromise the records of...

Read More
Healthcare Cybersecurity Addressed in Omnibus Bill
Dec20

Healthcare Cybersecurity Addressed in Omnibus Bill

New cybersecurity provisions specifically for the healthcare industry have been added to the Omnibus bill passed by Congress late last week. The aim of their inclusion is to help healthcare organizations tackle the growing risk of cyberattacks, and to provide them with the information and guidance necessary to shore up their defenses, plug security gaps and make them less vulnerable to cyberattacks. The new legislation is part of the Cybersecurity Information Sharing Act, passed by Congress on Friday. One of the ways that the new legislation will help healthcare organizations is with the formation of a new Cybersecurity Task Force. This is scheduled to take place during the first 90 days following the introduction of the new legislation. The purpose of the task force is to assess the current cyber threats faced by the healthcare industry. The methods used by cybercriminals to break through security defenses will be analyzed and vulnerabilities assessed. The task force will also study how other industries are managing to repel attacks. Healthcare organizations will then be...

Read More
TigerText Launches HIPAA Compliant Secure Texting App for Desktops
Dec18

TigerText Launches HIPAA Compliant Secure Texting App for Desktops

TigerText, the leading provider of secure text messaging solutions for the enterprise, has announced the launch of its latest initiative, TigerText Anywhere: A HIPAA compliant secure texting app for desktop computers. TigerText’s HIPAA compliant text message platform is already hugely successful. To date, more than 250,000 healthcare professionals have adopted the secure messaging platform. The company now counts 4 out of 5 of the largest for-profit healthcare systems in the United States among its clients. According to TigerText co-founder and CEO, Brad Brooks, “TigerText has reached the scale necessary to truly improve the quality of care our healthcare customers deliver, while at the same time reducing the costs to do so.” In fact, the potential cost savings from using the HIPAA compliant secure texting app are considerable, as Brooks explains. “By connecting electronic health records, critical alerts, real time shift data, and other essential components of patient care and productivity, we think that secure, real-time messaging could save the healthcare industry $30-$50 billion...

Read More
Day Pitney Launches New HIPAA Self-Assessment Tool Ahead of Compliance Audits
Dec16

Day Pitney Launches New HIPAA Self-Assessment Tool Ahead of Compliance Audits

Hartford, Conn., Dec. 14, 2015 – Day Pitney LLP has announced the launch of a new HIPAA Self-Assessment Tool ahead of the second round of Dept. of Health and Human Services’ Office for Civil Rights HIPAA-compliance audits.

New HIPAA Self-Assessment Tool Launched

Day Pitney, a full-service law firm employing approximately 300 attorneys in its Connecticut, New Jersey, New York, and Washington, D.C. offices, has developed the HIPAA Self-Assessment Tool to assist covered entities with their final compliance efforts before the audits commence next quarter. James Bowers, Day Pitney director of Compliance Risk Services and former chief compliance officer at Aetna Inc., recently pointed out that “Companies should really start self-audits as soon as possible to make sure they are in compliance with the HIPAA rules.” The HIPAA Self-Assessment Tool allows covered entities to assess their organization for potential HIPAA violations, allowing them time to take action to address any issues before they are discovered by auditors. Covered entities should already have conducted risk...

Read More
OIG Audit Reveals High Risk Security Vulnerabilities at 3 Medi-Cal MCOs
Dec15

OIG Audit Reveals High Risk Security Vulnerabilities at 3 Medi-Cal MCOs

The Department of Health and Human Services’ Office of Inspector General has recently published the results of information system reviews conducted on three Californian Medicaid managed-care organizations (MCOs).

OIG Audits Reveal 74 High Risk Security Vulnerabilities at 3 Medi-Cal MCOs

The OIG audits revealed numerous significant security vulnerabilities at the three Medi-Cal MCOs being assessed. In total, 74 high-risk security vulnerabilities were discovered across 14 separate security control areas. Many of the vulnerabilities existed at all three Medi-Cal MCOs, suggesting similar security vulnerabilities may well exist at all Medi-Cal MCOs. Each of the vulnerabilities had the potential to place patient data at risk of exposure. In some cases, the security vulnerabilities were extremely serious. The vulnerabilities were categorized into three broad areas: access controls, security management, and configuration management.

Access Management Controls

Access controls included password and login controls, database security controls, the use of backup storage media, and portable device...

Read More
$750,000 HIPAA Fine for University of Washington Medicine
Dec14

$750,000 HIPAA Fine for University of Washington Medicine

University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights, and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013.

Flurry of HIPAA Enforcement Activity as 2015 Draws to a Close

There has been a flurry of HIPAA enforcement activity over the past few weeks. First came news of a $90,000 settlement between the Connecticut OIG and Hartford Hospital in late November, then news of an $850,000 settlement between OCR and Lahey Hospital and Medical Center. That was closely followed by the announcement of a $3.5 million settlement between OCR and Triple-S of Puerto Rico, and now University of Washington Medicine has agreed to settle potential HIPAA violations with OCR.

Spam Email Behind 90,000-Record Data Breach

On November 27, 2013, University of Washington Medicine alerted OCR to a data breach that exposed the Protected Health Information (PHI) of approximately 90,000 UWM patients. The data breach occurred as a result of an employee...

Read More
NY Attorney General HIPAA Fine for URMC
Dec08

NY Attorney General HIPAA Fine for URMC

An attorney general HIPAA fine of $15,000 has been issued to University of Rochester Medical Center for a breach of patient privacy that occurred in March 2015.

An OCR and Attorney General HIPAA Fine May Be Issued for a Breach of HIPAA Rules

It is not only the Office for Civil Rights that is permitted to issue financial penalties for violations of HIPAA Rules. State attorneys general can also enforce the HIPAA Privacy, Security, and Breach Notification Rules. State attorneys general were given the power to assist OCR with the enforcement of Health Insurance Portability and Accountability Act Rules following the introduction of the HITECH Act in 2009, although few state AGs have chosen to do so. Action is sometimes taken against healthcare organizations that have exposed the data of patients, but the decision is taken to prosecute under state consumer protection laws rather than HIPAA. The first attorney general HIPAA fine was issued by the Connecticut AG’s office on July 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million individuals....

Read More
Cyberattack Simulation Exercise Tests Incident Response Readiness
Dec07

Cyberattack Simulation Exercise Tests Incident Response Readiness

It is no longer a question of whether a data breach will be suffered, but only of when it will occur. It is therefore essential that covered entities have a data breach response plan that can be put into action as soon as a cybersecurity incident is discovered. If cyberattack simulation exercises are conducted before a breach is suffered, the ability of an organization to respond appropriately, and to conduct an efficient breach response, will be greatly improved.

Breach Response Plan Testing Must Include Rigorous Cyberattack Simulation Exercises

It is essential that HIPAA-covered entities are able to respond quickly after discovering that a cybersecurity incident has been suffered. The first few hours after an attack are critical. Key decisions must be made, personnel mobilized and third parties involved. Under HIPAA Rules, HIPAA-covered entities must conduct a breach investigation, which can be complex and long-winded. A full risk assessment must also be conducted, notices must be issued to victims, breach reports issued to OCR, the media must be alerted,...

Read More
Guidance on Patient Rights Under HIPAA Due this Month
Dec04

Guidance on Patient Rights Under HIPAA Due this Month

This December, OCR expects to issue a new document clarifying patients’ rights under HIPAA to access their own healthcare data, as part of the White House Precision Medicine Initiative.

Clarification Due on Patient Rights Under HIPAA to Access their Own PHI

The Health Insurance Portability and Accountability Act’s Privacy Rule introduced a number of new rules aimed at protecting the privacy of healthcare patients and health insurance subscribers. The Privacy Rule dictates when HIPAA-covered entities are permitted to disclose Protected Health Information (PHI) to third parties, and also gives patients the right to access their own medical data. While most covered entities have now come to grips with the intricacies of the HIPAA Privacy Rule, not all appear to be certain about when medical records must be supplied to patients, or about the extent of the data that must be disclosed upon request. Consumers are similarly unsure about their data access rights under HIPAA. The Office for Civil Rights (OCR) intends to clarify the situation, and will be issuing new guidance on patient rights under...

Read More
HIPAA Violation Fine of $3.5 Million for Triple-S
Dec02

HIPAA Violation Fine of $3.5 Million for Triple-S

Puerto Rico Blue Cross Blue Shield licensee Triple-S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. This is the second HIPAA violation fine to be announced in the space of a week, closely following the $850,000 settlement between OCR and Lahey Hospital and Medical Center. The latest fine highlights just how costly non-compliance can be, something that does not need to be explained to Triple-S. Last year the company was hit with a fine of $6.8 million by the Puerto Rico Health Insurance Administration (PRHIA) for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule, although that fine was reduced to $1.5 million on appeal. The PRHIA fine was issued following the mailing of a pamphlet that displayed the Medicare Health Insurance Claim Numbers of subscribers. The fine corresponded to $500 for each of the 13,336 members of the insurer’s Medicare...

Read More
OCR Settlement Reached with Lahey Hospital
Nov25

OCR Settlement Reached with Lahey Hospital

The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights (OCR) over alleged HIPAA violations following a data breach that occurred in October 2011. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt OCR’s corrective action plan to address the HIPAA compliance issues discovered by OCR investigators. The settlement covers six ‘potential’ violations of HIPAA Rules, specifically the failure to implement appropriate administrative and physical safeguards to protect ePHI from impermissible disclosure.

Failure to Safeguard ePHI Results in $850,000 Settlement

The incident that led to the OCR investigation involved the theft of an unencrypted laptop computer that had been left in an unlocked treatment room at the hospital. The laptop held data recorded from one of the medical center’s CT scanners, including the electronic Protected Health Information of 599 patients. A financial penalty was...

Read More
Texas Attorney General Takes Action over Improper Disposal of PHI
Nov25

Texas Attorney General Takes Action over Improper Disposal of PHI

Legal action has been taken by the Texas attorney general’s office against Alliance Health Management & Consulting Inc. for the improper disposal of patients’ Protected Health Information (PHI). The home healthcare management company is no longer in business, having ceased trading in July 2009; however, last year documents containing the PHI of patients were discovered to have been discarded in a dumpster without first having been rendered indecipherable.

HIPAA Rules Covering the Disposal of Protected Health Information

The HIPAA Privacy Rule (45 CFR 164.530(c)) requires covered entities to apply appropriate administrative, technical, and physical safeguards to all forms of PHI, and the Security Rule’s physical safeguards (45 CFR 164.310(d)(2)(i) and (ii)) require policies and procedures for the final disposition of ePHI and of the media on which it is stored. When PHI is no longer required by a covered entity it must be disposed of securely: destroyed, or rendered unreadable and indecipherable, so that no element of the PHI can be reconstructed. The exact method that must be used to destroy records is not stipulated by HIPAA Rules, although for paper records OCR recommends pulping, burning, shredding, or pulverizing....

Read More
Healthcare Provider Not Liable for Social Media HIPAA Violation
Nov12

Healthcare Provider Not Liable for Social Media HIPAA Violation

On Monday this week, a case against the University of Cincinnati Medical Center (UCMC) was heard by Judge Jody Luebbers in the Hamilton County Common Pleas Court regarding the posting of a patient’s Protected Health Information on social media. The incident that triggered the lawsuit concerned the posting of a patient’s medical records by a woman employed in the financial services department at UCMC. The employee had accessed the patient’s medical records, taken a screenshot of them and uploaded the image to her Facebook account. The image was then shared with members of a Facebook group named “Team No Hoes,” and was also emailed to the same individuals. The patient had contracted syphilis and was pregnant at the time. The naming and shaming of the patient on social media was investigated by the hospital as soon as the privacy violation was discovered, and the employee lost her job as a result. Cases involving vicarious liability are often filed by co-workers who have suffered sexual harassment in the...

Read More
Conn. OIG Reaches $90K Settlement with Hartford Hospital and BA Over 2012 Laptop Theft
Nov10

Conn. OIG Reaches $90K Settlement with Hartford Hospital and BA Over 2012 Laptop Theft

Hartford Hospital and one of its Business Associates, EMC Corporation (EMC), have agreed to a settlement with the Connecticut Office of the Inspector General over the 2012 theft of a laptop computer containing the unencrypted data of 8,883 Connecticut residents. Hartford Hospital and EMC have agreed to pay $90,000 to resolve the incident. The agreement was reached voluntarily, and neither party admits liability. EMC was contracted by Hartford Hospital in late December 2011 to assist with the completion of a quality improvement project whose ultimate aim was to reduce avoidable hospital admissions among patients suffering from congestive heart failure. The project required EMC to analyze patient data, and EMC was provided with patients’ Protected Health Information for this purpose. However, on June 25, 2012 an unencrypted laptop computer containing patient data was stolen from the home of an EMC employee. According to Hartford Hospital, the data does not appear to have been used inappropriately. After...

Read More
OIG Releases 2016 Work Plan: Expect Greater Oversight of OCR, Medical Devices and Emergency Planning
Nov06

OIG Releases 2016 Work Plan: Expect Greater Oversight of OCR, Medical Devices and Emergency Planning

Over the course of the next year, OIG is expecting to increase oversight of the Department of Health and Human Services’ Office for Civil Rights. OIG will also be looking closely at a specific area of HIPAA compliance: how hospitals are complying with the HIPAA Security Rule requirement for contingency planning for emergencies.

HIPAA Requirements for Coping in Emergencies

The administrative safeguards of the HIPAA Security Rule (45 CFR § 164.308(a)(7)(i)) require all covered entities to establish a contingency plan so that they can continue to function during emergency situations. The availability of electronic Protected Health Information (ePHI) must be maintained, and should access be lost, it must be restored as a priority. For covered entities to be able to do this, proactive steps must be taken. Policies and procedures must be developed that can be implemented in case of disaster; the standard’s implementation specifications include a data backup plan, a disaster recovery plan, and an emergency mode operation plan. Rapid action is required, and every individual must be aware of his or her responsibilities in an emergency. This applies to emergency situations such as natural disasters, as well as to times when EHR...

Read More
Healthcare Fraud and HIPAA Violations: Warner Chilcott to Pay $125 Million
Nov05

Healthcare Fraud and HIPAA Violations: Warner Chilcott to Pay $125 Million

A unit of pharmaceutical company Warner Chilcott has agreed to plead guilty to healthcare fraud, and will be required to pay $125 million to resolve civil and criminal liability, according to the Boston US Attorney’s Office. The case against the pharmaceutical company concerns the illegal promotion of seven drugs: payments were made to physicians to prescribe the company’s pharmaceuticals over other drugs. This is of course not the first time such allegations have been made against drug firms, nor the first time that pharmaceutical companies have been found liable. What makes this case different is that charges have been filed against employees of Warner Chilcott and Warner Chilcott U.S. Sales LLC under HIPAA Rules. The case was possible under the False Claims Act, whose whistleblower (qui tam) provisions permit private individuals to sue companies on behalf of the government. Two whistleblowers brought the case against the company and are being represented by the law firms MoloLamken, Seeger Weiss, and the Simmer Law Group. The criminal charges...

Read More
Did Siobhan Dunnavant Violate HIPAA? Senate Candidate Investigated by OCR
Nov05

Did Siobhan Dunnavant Violate HIPAA? Senate Candidate Investigated by OCR

A complaint has been sent to the Department of Health and Human Services’ Office for Civil Rights regarding a Republican state senate candidate who sent a mailing to her patients to notify them of her intention to stand for office and to solicit assistance with her campaign. Questions have been raised about whether Dr. Siobhan Dunnavant violated the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule by doing so.

Did Siobhan Dunnavant Violate HIPAA?

Dr. Dunnavant used her patient database to obtain her patients’ contact information, and subsequently sent emails and a letter announcing her candidacy, in an apparent effort to secure votes, contributions and volunteers for her campaign. Emails and letters are to be expected from a state senate candidate; however, because of the strict rules covering the use of patient information under HIPAA, Dr. Dunnavant may have violated HIPAA Rules by doing so. Dr. Dunnavant also emailed her patients on three separate occasions in the run-up to the primary elections in June. HIPAA Rules cover a number of...

Read More
SecurityMetrics Reports on HIPAA Security Rule Compliance
Oct16

SecurityMetrics Reports on HIPAA Security Rule Compliance

What steps are U.S. healthcare organizations taking to ensure HIPAA Security Rule compliance? How well are HIPAA Rules understood? Are healthcare providers actually compliant with HIPAA Rules? These questions will be answered in due course when the Office for Civil Rights compliance audit program recommences early in 2016. In the meantime, SecurityMetrics, a Utah-based merchant data security and compliance company, decided to get some answers now and conducted a survey of health IT professionals to gain a better understanding of the general state of HIPAA compliance among healthcare organizations.

Attitudes on HIPAA Compliance Probed

SecurityMetrics compiled a survey to probe attitudes on common patient health data protection issues, the network security measures used to safeguard data, and other security issues such as Wi-Fi encryption. The aim was to gain a better understanding of the efforts U.S. healthcare organizations are making to comply with the HIPAA Security Rule. Over 300 healthcare professionals took part in the survey and were asked over 40 questions relating to...

Read More
Physicians Choose Secure Texts to Engage Patients
Oct10

Physicians Choose Secure Texts to Engage Patients

In today’s healthcare environment it is essential to involve patients more in their own healthcare and greater efforts must be made to engage patients. Physicians are now expected to achieve more during patient consultations, yet the cost of healthcare provision must also be decreased. There are numerous ways this can be achieved. Pre-visit check-ins can be performed, patients can be enrolled in remote health monitoring programs, and offered telehealth services. More online visits should also be conducted. However, the Health Insurance Portability and Accountability Act, specifically the Security Rule, poses problems for physicians looking to improve care and engage patients in their own healthcare. The Security Rule places a number of requirements on HIPAA covered entities to ensure that patients’ Protected Health Information (PHI) is protected at all times. Any healthcare provider wishing to take advantage of the wealth of new technology now available must ensure that efforts are made to keep private data secure. If insecure communication channels are used to communicate with...

Read More
OCR Web Portal for Mobile Health App Developers Launched
Oct06

OCR Web Portal for Mobile Health App Developers Launched

The Department of Health and Human Services’ Office for Civil Rights has launched a new web portal for mobile health app developers. The portal will allow application developers to get answers to the burning questions they have about HIPAA Rules and compliance requirements. The new portal is intended to encourage application developers, in particular mobile app developers, to submit comments and questions regarding HIPAA. In a recent email bulletin following the launch, OCR explained the sort of questions it hopes will be asked: “We are asking stakeholders to provide input on the following issues: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible?” The information gathered via the portal will also help OCR develop future guidance covering mobile health apps.

New mHealth Guidance has been a Long Time Coming

The Health Insurance Portability and Accountability Act was first introduced in 1996, many years before the first smartphones...

Read More
7th Annual mHealth Summit to Focus on Mobile Solutions for Health and Wellness
Oct05

7th Annual mHealth Summit to Focus on Mobile Solutions for Health and Wellness

The 7th Annual mHealth Summit is fast approaching. This year, the 4-day conference will be bigger and better than ever before, exploring the impact mobile health, telehealth and connected health are having on healthcare delivery, clinical care management and patient/consumer engagement. The event will also focus on how mobile solutions for health and wellness can improve the delivery of healthcare and patient outcomes. This year the event will take a slightly different format, including the new HIMSS Connected Health Conference, which has been billed as an “all-inclusive event highlighting how technology is enabling the transformation of healthcare delivery.” It promises to be the most comprehensive event in its seven-year history, incorporating industry-leading keynote presentations covering mHealth, mobile apps, wearable technology, interoperability, the Internet of Things, as well as the usual presentations to assist HIPAA-covered entities achieve and maintain compliance. The event offers attendees the opportunity to network, discuss new ideas, and learn about the latest...

Read More
How to Respond to a Healthcare Data Breach
Oct02

How to Respond to a Healthcare Data Breach

HIPAA-covered entities that have spent time developing and testing a health data breach response plan will be able to respond more quickly to a suspected data breach and execute an efficient HIPAA breach response. Those that have not invested time and effort in planning are likely to struggle to react quickly, and delays can prove costly. As the Ponemon Institute’s 2017 Cost of a Data Breach study showed, having a health data breach response plan helps organizations execute an efficient HIPAA breach response. The faster the response, the easier it is to contain the breach and limit the harm caused. Organizations that respond to a data breach quickly pay less in breach resolution costs; the cost of a data breach increases the longer it takes to respond and deal with it.

Cyberattacks and Data Breaches Are Inevitable

With hackers targeting healthcare providers for the protected health information (PHI) they hold, data breaches are no longer a probability but an inevitability. In fact, it is now highly likely that healthcare providers,...

Read More
OCR Confirms Phase 2 HIPAA Compliance Audits to Commence Early 2016
Oct02

OCR Confirms Phase 2 HIPAA Compliance Audits to Commence Early 2016

The Director of the Department of Health and Human Services’ Office for Civil Rights, Jocelyn Samuels, has confirmed that the second phase of the HIPAA compliance audits will commence in early 2016. No further delays are expected. HIPAA-covered entities will soon have their compliance efforts put to the test, and Business Associates will not escape: they too will be assessed on compliance with the HIPAA Privacy, Security and Breach Notification Rules. Samuels recently wrote to the HHS Inspector General following strong criticism of OCR’s enforcement activities and of inconsistencies in its enforcement of HIPAA Rules. At present, OCR relies heavily on reports of privacy violations from the general public and on self-reporting of data breaches to identify HIPAA violations and to choose which entities to investigate. The agency has yet to develop a permanent HIPAA compliance audit program, even though such a program was much talked about early in Leon Rodriguez’s tenure as head of OCR. According to a recent OIG report, released on Tuesday, “Without fully implementing...

Read More
OIG Criticizes OCR for Lax Enforcement Standards and Poor Oversight of Covered Entities
Oct02

OIG Criticizes OCR for Lax Enforcement Standards and Poor Oversight of Covered Entities

Take a look at the Department of Health and Human Services’ Office for Civil Rights website and you will discover that relatively few financial penalties have been issued for HIPAA Privacy violations. Even apparently serious violations of HIPAA Rules have not always resulted in financial penalties. Of the thousands of data breaches listed on the website, only a tiny percentage have resulted in financial penalties, with OCR often favoring other enforcement actions. This has not gone unnoticed by the Office of the Inspector General (OIG). The OIG has just published the findings from two studies conducted on OCR to assess how well the agency is enforcing HIPAA Rules.

Poor Oversight of HIPAA Covered Entities

The first study was conducted to assess OCR’s oversight of covered entities’ compliance with the Privacy Rule. OIG investigators took a sample of Medicare Part B providers that had reported data breaches to OCR between September 2009 and March 2011. The OIG then assessed the extent to which those organizations had addressed five privacy...

Read More
New Rules for Electronic HIPAA Transactions Approved by CAQH CORE
Sep28

New Rules for Electronic HIPAA Transactions Approved by CAQH CORE

Last week, the CAQH® Committee on Operating Rules for Information Exchange (CORE®) approved a new set of national rules for electronic HIPAA transactions, as part of Phase IV of the CAQH® CORE® Operating Rules. The new rules cover four groups of healthcare business transactions: prior authorizations, employee premium payment, enrollment/disenrollment in health plans, and healthcare claims. The aim of the new rules is to facilitate the exchange of healthcare information, as mandated by the Affordable Care Act (ACA), and they will augment existing HIPAA administrative standards to ensure uniform transmission of electronic healthcare data. Phase IV of the CAQH® CORE® Operating Rules addresses infrastructure requirements such as connectivity, system availability and response times; rules covering the data content of transactions are due to be added to the Operating Rules at a later date. The approval process involves a vote on the new rules by the subgroups and work groups responsible for preparing the draft version of the Operating Rules. If the new...

Read More
HIPAA Compliant Wellness Platform Launched By Fitbit
Sep17

HIPAA Compliant Wellness Platform Launched By Fitbit

Yesterday, Fitbit, America’s leading manufacturer of activity and fitness trackers, announced it has developed a HIPAA compliant wellness platform which it aims to use to corner the lucrative healthcare market. The company has flirted with health and fitness trackers for the healthcare sector for some time; however, until now one of the major stumbling blocks has been the Health Insurance Portability and Accountability Act (HIPAA), which places a number of restrictions on the use of electronic devices capable of recording, storing and transmitting Protected Health Information (PHI). No electronic device can be fully HIPAA-compliant, as compliance with HIPAA Rules is dependent on the actions of the users of the devices. Therefore, rather than being billed as a HIPAA compliant wellness platform, Fitbit announced that it ‘supports’ HIPAA compliance, having incorporated the necessary safeguards – as demanded by HIPAA – to keep stored and transmitted data protected from prying eyes. According to James Park, CEO and Co-Founder of Fitbit, “We prioritize protecting our consumers’...

Read More
WEDI Issues New Resources to Assist with ICD-10 Transition
Sep14

WEDI Issues New Resources to Assist with ICD-10 Transition

The Workgroup for Electronic Data Interchange (WEDI), the country’s leading authority on the use of IT in healthcare to improve health information exchange, has developed two new resources to assist organizations in implementing the new ICD-10 codes required by the Health Insurance Portability and Accountability Act (HIPAA). The new resources, the ICD-10 State Workers’ Compensation Readiness List and the List of State Medicaid Sites with ICD-10 Information, have been developed with the aim of “Ensuring that all entities are adopting and or are aligning with ICD-10”. The resources will “help further [the health] industry’s movement towards streamlining and automating end-to-end workflow processes.” The new ICD-10 codes must be adopted by HIPAA-covered entities under federal law, but they do not need to be adopted by the workers’ compensation industry. That industry is becoming more aligned with the HIPAA Transaction and Code Set rules, but rather than being covered by a national mandate it is subject to state laws. A number of states will be adopting ICD-10 codes,...

Read More
OCR HIPAA Compliance Audits to Commence in 2016
Sep09

OCR HIPAA Compliance Audits to Commence in 2016

The new Deputy Director for Information Privacy at the Department of Health and Human Services’ Office for Civil Rights has been adjusting to life at OCR since her appointment earlier this year, but until now she had not given an interview to the news media. She recently gave an exclusive interview to the Information Security Media Group, in which she cast some light on planned OCR activities, including the upcoming HIPAA compliance audits.

Deven McGraw Gives First News Media Interview

McGraw spoke with HealthcareInfoSecurity.com’s Executive Editor, Marianne Kolbasuk McGee, was quizzed on OCR enforcement activities and on current and future OCR initiatives, and was asked the question that is on everyone’s lips at the moment: when will the HIPAA compliance audits take place?

A Shortage of Resources has been McGraw’s Biggest Challenge

The program of random HIPAA audits was penciled in for 2014; however, the sheer scale of the job has caused problems. Audits take a considerable amount of time and resources, something which OCR lacks. McGraw confirmed that the current...

Read More
Recent Cases of Portable Device Theft Highlight Need for Healthcare Data Encryption
Sep07

Recent Cases of Portable Device Theft Highlight Need for Healthcare Data Encryption

Healthcare professionals can be given training on the importance of keeping electronic equipment secure; however, even the most security-minded healthcare professional can make an error of judgement that results in PHI being exposed, such as leaving a laptop computer in a vehicle while patients are attended to. Theft of devices containing Protected Health Information (PHI) had declined in recent months, but the HHS’ Office for Civil Rights breach portal now lists a high number of cases of portable device theft, highlighting the importance of using data encryption software to safeguard PHI. While portable devices carry the highest risk of data exposure, a number of recent burglaries of physicians’ offices show that even data stored on less portable hardware, such as desktop computers and servers, is not secure without robust security measures such as encryption. Encryption also matters for the notification burden: under the HHS guidance on securing PHI, data encrypted consistent with NIST standards is not “unsecured PHI”, so the loss of a properly encrypted device, without its key, does not by itself trigger breach notification.

Stolen Portable Electronic Devices Cited in Numerous Recent Breach Reports

In June, a physician from the University of Oklahoma’s Department of Obstetrics and Gynecology had a laptop computer...

Read More
Jocelyn Samuels Gives Update on OCR Compliance Audits
Sep04

Jocelyn Samuels Gives Update on OCR Compliance Audits

Since the announcement that the second phase of compliance audits would be delayed, the Department of Health and Human Services’ Office for Civil Rights has remained tight-lipped over timescales. Now, a year on from the originally proposed start date, many expected OCR Director Jocelyn Samuels to give a timescale for the HIPAA audit program at the Safeguarding Health Information: Building Assurance through HIPAA Security conference in Washington this month. Samuels gave a keynote address at the conference, which is hosted jointly by the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR), and while she did not provide a date or a timeline for the compliance audits, she did indicate that the audits are now very close to becoming a reality. She explained that OCR has many roles, with compliance audits a part of its enforcement activities. “Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and our...

Read More
New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000
Sep02

New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000

A new OCR HIPAA penalty has been issued for a breach of HIPAA regulations. Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000 for potential HIPAA violations relating to a 2012 data breach. In August 2012, Cancer Care Group discovered that a laptop computer and an unencrypted backup drive had been stolen from an employee’s vehicle. The data breach exposed the Protected Health Information of 55,000 patients. The stolen devices contained highly sensitive data, including patients’ Social Security numbers: exactly the data needed by identity thieves to rack up tens of thousands of dollars of debt in the names of the breach victims. The data on the drives was not encrypted.

HIPAA Does Not Demand Data Encryption

Under the HIPAA Security Rule, encryption of ePHI at rest and in transit is an addressable implementation specification (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)), not a required one. Addressable does not mean optional: a HIPAA-covered entity must assess whether encryption is a reasonable and appropriate safeguard for the ePHI it stores, transmits, or backs up, implement it if so, and otherwise document why not and put an equivalent alternative measure in place. A HIPAA-covered entity can make an...
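The common thread in the Cancer Care Group theft above and in the portable device thefts reported earlier on this page is ePHI sitting on a disk that was never encrypted, and the first thing an auditor wants is a quick way to find such disks. The following is an added example, not code from the original article or from any organization named on this page: a POSIX shell check that reads the output of util-linux `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and lists every mounted filesystem with no dm-crypt (LUKS) device anywhere in its parent chain. The `lsblk` sample is constructed for the example, and the function names `sample_lsblk` and `flag_unencrypted` are the editor’s own.

```shell
#!/bin/sh
# Added example: find mounted filesystems with no dm-crypt/LUKS layer beneath
# them. Not part of the original article. Assumes util-linux lsblk with -P
# (key="value" pairs) output; the parsing below targets exactly that format.

# Print the lines that `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` would produce
# on a laptop whose root is LVM-on-LUKS, whose /boot is a plain partition,
# and whose external backup drive is a plain, unencrypted partition.
# (Constructed sample data, not captured from a real machine.)
sample_lsblk() {
    cat <<'EOF'
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/mnt/backup" PKNAME="sdb"
EOF
}

# Read lsblk -P lines on stdin; print "<device> <mountpoint>" for every mounted
# filesystem that is not stacked on a crypt device, sorted for stable output.
flag_unencrypted() {
    awk -F'"' '
    # With the double quote as separator, fields 2/4/6/8 hold the values of
    # NAME, TYPE, MOUNTPOINT and PKNAME in that column order.
    { type[$2] = $4; mount[$2] = $6; parent[$2] = $8 }
    END {
        for (dev in mount) {
            if (mount[dev] == "" || mount[dev] == "[SWAP]") continue
            # Walk up the parent chain (lvm -> crypt -> part -> disk). If the
            # device itself or any ancestor is a dm-crypt mapping, the data at
            # rest is encrypted. A whole disk has an empty PKNAME, which ends
            # the walk.
            encrypted = 0
            for (d = dev; d != ""; d = parent[d])
                if (type[d] == "crypt") { encrypted = 1; break }
            if (!encrypted) print dev, mount[dev]
        }
    }' | sort
}

# Run against the constructed sample. On a live Linux host use:
#   lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | flag_unencrypted
sample_lsblk | flag_unencrypted
```

On the sample data the check reports `sda1 /boot` and `sdb1 /mnt/backup`: the root filesystem is cleared because its LVM volume sits on `cryptroot`, the swap volume is skipped, and the unencrypted backup drive, the same failure mode as the stolen backup drive in the Cancer Care Group case, is the finding that matters (an unencrypted `/boot` is normal and holds no ePHI). The equivalent one-liners on other platforms are `manage-bde -status` for BitLocker on Windows and `fdesetup status` for FileVault on macOS.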

Read More
Employees’ Social Media App use makes VA Vulnerable to Data Exposure, says OIG
Aug31

Employees’ Social Media App use makes VA Vulnerable to Data Exposure, says OIG

The VA Office of the Inspector General (OIG) has recently published the findings of its administrative investigation into the improper use of web-based collaboration technology at the Department of Veterans Affairs (VA). It determined that the agency is particularly vulnerable to data exposure from employees’ use of social media apps. Employees’ use of the social media application from Yammer.com could potentially result in the exposure of sensitive veteran data. The OIG discovered that employees had been using the app even though it had not been sanctioned by the VA; VA policy requires all social media applications to be approved before use and to have their usage monitored. The OIG determined that the application “had vulnerable security features, recurring website malfunctions, and users engaged in a misuse of time and resources.” Yammer Notifier, a desktop application, had been approved in the VA’s Technical Reference Model (TRM) with constraints; however, use of the Yammer social network itself was not. The application lacks security controls, and it was too easy for Protected Health Information...

Read More
Health Net Federal Services Achieves URAC HIPAA Privacy Reaccreditation
Aug16

Health Net Federal Services Achieves URAC HIPAA Privacy Reaccreditation

Health Net Federal Services, LLC has received URAC HIPAA Privacy reaccreditation, assuring current policyholders that their privacy is taken seriously and that HIPAA standards are being met. URAC, the new name for the former Utilization Review Accreditation Commission, is an independent, non-profit organization that accredits healthcare organizations, including health plans, in this case against HIPAA privacy standards. Health Net Federal Services was awarded full reaccreditation for HIPAA privacy standards, effective from May 1, 2018; the company has been accredited by URAC since 2008. According to URAC President and CEO Kylanne Green, “By applying for and receiving URAC accreditation, Health Net Federal Services has demonstrated a commitment to quality health care.” She went on to say, “Quality health care is crucial to our nation’s welfare and it is important to have organizations that are willing to measure themselves against national standards and undergo rigorous evaluation by an independent accrediting body.” Billy Maynard, President of Health Net Federal Services, said “Health...

Read More
New Basic Guide to HIPAA Compliance Released By HHS
Aug05

New Basic Guide to HIPAA Compliance Released By HHS

The Department of Health and Human Services’ Office for Civil Rights has recently issued a basic guide to HIPAA compliance: a summary of HIPAA Rules for covered entities.

A Basic Guide to HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA-covered entities to safeguard data, protect the privacy of patients, and notify them of incidents that expose their Protected Health Information (PHI). HIPAA legislation is complicated, and many covered entities, especially smaller healthcare providers, struggle to understand the HIPAA Privacy, Security, and Breach Notification Rules and to turn those rules into policies and procedures. The Department of Health and Human Services’ Office for Civil Rights is the enforcer of HIPAA Rules, and while the agency investigates data breaches, it is also charged with improving understanding of data privacy and security legislation. One way it achieves this objective is by issuing guidance to...

Read More
FCC Confirms Rules Regarding HIPAA and Patient Telephone Calls
Jul30

The Federal Communications Commission has issued a Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls. Some healthcare providers have had trouble understanding the rules regarding HIPAA and patient telephone calls, and how those rules fit with the Telephone Consumer Protection Act (TCPA). Now, 19 years and 24 years after the respective Acts were introduced, the Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order to clear up any confusion. The ruling clarifies the rules regarding HIPAA and patient telephone calls made by covered entities and their Business Associates. The ruling also exempts covered entities and Business Associates from certain TCPA requirements in certain circumstances.

Rules Regarding HIPAA and Patient Telephone Calls

The FCC’s order clarifying the rules regarding HIPAA and patient telephone calls states that, if a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to...

Read More
HIPAA Survey Shows Compliance Assessments Can Increase Business
Jul27

A recent series of customer polls conducted by RapidFire Tools Inc., a leading provider of HIPAA-compliance assessment tools, showed that Managed Service Providers (MSPs) are using compliance assessments to engage prospects and increase business. Furthermore, those assessments are now proving more effective at increasing business and winning new contracts than in previous years. The polls were conducted among MSP customers using RapidFire’s Network Detective HIPAA Compliance Module. The results clearly show that compliance assessments are allowing MSPs to capture new clients and create new projects, as well as being instrumental in obtaining extended service agreements. MSPs were asked about instances where they had been able to use the compliance assessment tools to justify the services being provided to clients. Respondents explained that the compliance assessments enabled them to show that the protections currently in place to safeguard Protected Health Information were far inferior to those being offered. The recent spate of successful hacks on healthcare providers’ servers and...

Read More
NCCoE Cybersecurity Practice Guide for Mobile Devices Released: Comments Requested
Jul26

The use of smartphones and other portable devices in healthcare is growing and the federal government is concerned. The devices carry a high risk of causing a data breach, and the feds are concerned that physicians and other healthcare workers may accidentally expose patient data or, worse still, give hackers an entry point into hospital EHRs. Medical identity theft costs billions of dollars every year, and patients’ privacy is being violated on an almost daily basis. Hackers are targeting healthcare organizations, thieves are looking for portable devices to steal, and malicious insiders are copying data from EHRs; however, smartphones have the potential to cause even more data breaches. The reason? The data security and privacy protections used to safeguard data stored on the devices are often inadequate.

NCCoE Takes Steps to Protect Mobile Healthcare Devices

The National Cybersecurity Center of Excellence (NCCoE) was formed by the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County, Md., in 2012, and during the past three years...

Read More
American Hospital Association Opposes HIPAA HPID Use
Jul24

Earlier this week, the Vice President and Deputy Director of the American Hospital Association (AHA) sent a letter to the Centers for Medicare & Medicaid Services (CMMS) expressing concern over the implementation of Health Plan Identification numbers (HPIDs) and Other Entity Identifiers (OEIDs).

HPID Use and HIPAA

When HIPAA was introduced, it required national identification numbers to be used by healthcare providers, health plans and individuals. A national ID number was introduced in 2004, although the IDs were only for providers, not individuals. In September 2012, the HPID proposed rule was published, although it took until November 2014 before the rule was finalized. HPIDs and OEIDs will now be required to be used for HIPAA transactions from Nov 7, 2016. It is not a requirement for health plans to be identified in HIPAA transactions, but if they are, from Nov 7 next year an HPID must be used.

AHA States Opposition to HPID Use in HIPAA Transactions

The letter, sent from Ashley Thompson to Andy Slavitt, the acting administrator for CMMS, stated the AHA’s opposition to...

Read More
New HIPAA Compliance Tool Released for Small Dental Practices
Jul24

Achieving compliance with HIPAA Privacy and Security Rules can be a challenge for all organizations, regardless of size; however, smaller healthcare providers tend to have more problems. Budgets tend to be more restrictive, and a lack of suitable staff means slow progress is made. This was clear from the results of the pilot round of HHS compliance audits. Regulatory bodies such as the Department of Health and Human Services’ Office for Civil Rights (OCR), State Comptrollers, and Attorneys General investigate data breaches for HIPAA violations, and periodic audits are conducted to assess compliance. The next round of OCR HIPAA compliance audits will assess how well organizations have implemented the requirements laid down in the Privacy Rule, Security Rule and Breach Notification Rule. Healthcare organizations, health plans, healthcare clearinghouses – and Business Associates of the above – will have their compliance efforts put to the test. The audits will be conducted on large healthcare providers, multiple hospital systems, the nation’s largest health insurers;...

Read More
URMC Takes Action to Prevent Future Patient Privacy Violations
Jul17

In May, the University of Rochester Medical Center suffered a data breach after an employee took the Protected Health Information (PHI) of patients to a new employer, all in the name of continuity of patient care. The employee in question, a nurse practitioner in the Department of Neurology, was concerned about patient continuity of care after she left her employment. She was provided with a printed list of patients’ information by the medical center for the purposes of adding notes and information that would ensure that patients did not suffer any fall in care standards as a result of her departure. The list was not collected prior to the employee leaving her employment, and the information was subsequently disclosed to her new employer (full story here). With the benefit of hindsight, it was perhaps ill-advised to have provided printed PHI to a member of staff about to take employment with another local healthcare provider. However, all that can be done now is notify the patients concerned and make changes to policies and procedures to ensure a similar incident cannot happen...

Read More
PHI Retention by Employees not a HIPAA Breach Says Ark. Court
Jul16

The U.S. District Court of the Western Division of the Eastern District of Arkansas has ruled that two employees who retained the Protected Health Information (PHI) of patients after their employment at Arkansas Children’s Hospital was terminated did not violate the Health Insurance Portability and Accountability Act (HIPAA).

Unfair Contract Termination after Discovery of Billing Irregularities

Pam and Eben Howard brought an action against Arkansas Children’s Hospital – Dr. Ron Robertson and Jon Bates – after their employment contracts were terminated. They believed they lost their jobs because they highlighted a number of issues relating to how the healthcare provider billed the government. They have accused the healthcare provider of violating the 1st and 14th Amendments, the Arkansas Civil Rights Act, the Public Policy of the State of Arkansas and the False Claims Act.

Potential HIPAA Violations for Retention of PHI and Unauthorized Disclosure

While employed at ACH, the pair collected a considerable volume of PHI of patients. After what the pair considered to be...

Read More
New York State Comptroller Publishes ePHI Security Compliance Audit Report
Jul16

The news is full of reports of healthcare providers failing to implement safeguards to keep Protected Health Information (PHI) secure, but it is rare for a healthcare organization to make the headlines for implementing all of the appropriate physical, administrative and technical safeguards required by HIPAA. However, a recent ePHI data security audit conducted by the New York Office of the State Comptroller has seen Roswell Park Cancer Institute pass with no HIPAA violations discovered. The healthcare provider should be commended for the effort it has put into protecting the privacy of patients.

The New York Office of the State Comptroller Audit

The State of New York Office of the State Comptroller (NYOSC) conducts regular audits of state organizations, most of which are related to corporate finance. However, last week the NYOSC announced it had completed an ePHI compliance audit of Roswell Park Cancer Institute (RPCI). The audit was conducted specifically to test the safeguards the healthcare provider had put in place to secure patient data, pursuant to Article X, Section...

Read More
BCBSA Offers Identity Theft Protection Services to All 106 Million Members
Jul15

Yesterday, the Blue Cross Blue Shield Association (BCBSA) made a surprising announcement. It will be offering identity theft protection services to all 106 million of its members, in an effort to address the rapidly increasing risk of data theft and fraud. The Blue Cross and Blue Shield Association consists of 36 independent, community-based and locally-operated companies, which service the entire United States. One in three Americans has a health insurance policy run by BCBSA. The unprecedented move comes after BCBSA health plan members have suffered numerous data breaches, including the massive data breaches at Anthem, CareFirst and Premera Blue Cross. Identity theft protection services do not come cheap, especially when the unit cost must be multiplied by 106 million. This move carries a significant cost, even with a bulk discount, and shows a strong commitment to its plan members. This was a very positive, proactive step to take, and one likely to win back the faith of many members. The new service will provide “heightened safeguards for plan members.” BCBSA may not be able...

Read More
Study Highlights Importance of Conducting Regular Malware Scans
Jul13

Concentrating resources on improving protections for computer networks will make it harder for hackers to gain access to protected data; however, according to a report from Vectra Networks, there is a high probability that hackers are already inside. In a recent security test, all computer networks analyzed showed some evidence of a targeted intrusion having already taken place. Vectra analyzed the computer networks and endpoint devices of 40 enterprises, and each network was found to include some indicators of a targeted attack, regardless of the size of the network. Over a quarter of a million devices were analyzed by the network security company as part of the study.

Stages of a Malware Attack

Infection

The first stage involves infection of a PC or other device, using a targeted attack such as a spear phishing campaign, or a more random means of spreading the malware: infecting websites, for example. Once code has been downloaded onto a target machine, hackers can start to make changes to the system.

Command and Control

The first phase of the attack proper occurs when a foothold in a...

Read More
HIPAA-Altering Cures Bill Passed by House of Representatives
Jul11

The controversial 21st Century Cures Bill was unanimously passed by the House Energy and Commerce Committee in May, and on Friday July 10, 2015, the U.S. House of Representatives passed the Bill with a count of 344 to 77.

21st Century Cures Bill to Remove Obstacles in the Way of Medical Research

Medical research and innovation is being hampered by HIPAA, according to proponents of the 21st Century Cures Bill. The new Act aims to remove these and other barriers, to help advance America’s search for new ways to tackle the advance of superbugs, antibiotic-resistant bacteria and the deadly viruses now threatening the health of U.S. citizens. The Cures Bill has received some criticism in its short history. Privacy advocates object to the wide range of data that can potentially be shared: information currently under the protection of HIPAA. It is feared that the bill could weaken HIPAA protections if it becomes law. If that happens, HIPAA Rules would certainly need to be changed.

HIPAA Changes Necessary as a Result of the Cures Bill

At present, the HIPAA Privacy Rule restricts the use and...

Read More
New OCR HIPAA Settlement: St. Elizabeth Medical Center to Pay $218,400 for Violations
Jul11

Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a HIPAA settlement has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security and Breach Notification Rules. The settlement for HIPAA violations was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing the unencrypted data of 595 patients. The number of records exposed was relatively low compared to some of the recent “mega data breaches”, but the OCR deemed the offenses leading to the security incidents to be serious enough to warrant a financial penalty. This OCR HIPAA settlement shows how important it is to make HIPAA compliance a priority. Data breaches may not always be preventable, but HIPAA violation penalties are.

Privacy, Security and Breach Notification Rule Violations Uncovered

The initial HIPAA violation was uncovered in November 2012, when a complaint was received by the OCR alerting it to potential...

Read More
Los Angeles County Government Has Been Putting Patient PHI at Risk for 7 Years
Jul10

The Los Angeles County government has failed to safeguard the Protected Health Information (PHI) of state residents for up to seven years, according to a recent audit. Three departmental audits have been conducted since December 2014 and a catalog of data security failures has been uncovered that potentially put PHI in the hands of thieves. Data including Social Security numbers and health information could be accessed by former workers, and the information could already be in the hands of criminals. It is simply not known. Computer equipment has vanished – having been misplaced or stolen – devices were not encrypted, and equipment was simply not tracked.

Serious Administrative Failures Lasting up to 7 Years

Serious administrative failures in several L.A. County government departments were discovered by auditors, the most serious being a failure to terminate access to computer systems when employees changed employment. An audit conducted by the Probation Department revealed 695 former employees still had access to computer systems containing the protected health data...

Read More
Connecticut Breach Notification Laws Updated
Jul03

Connecticut breach notification laws have been updated and are now in effect. Substitute Senate Bill No. 949, Public Act No. 15-142 introduced a number of changes to improve data security and agency effectiveness to better protect state residents. Updates affect all who do business in the state, with specific changes that affect contractors (Business Associates/BAs) and health insurers. One of the major changes concerns damage and risk mitigation after a data breach. All companies and individuals doing business in the state must now provide credit monitoring services to breach victims, without charge, for a minimum period of one year if confidential information is exposed. The definition of “confidential information” varies from state to state. It broadly follows the definitions in HIPAA/HITECH, although in Connecticut it specifically refers to:

Name
Date of birth
Mother’s maiden name
Motor vehicle operator’s license number
Social Security number
Employee identification number
Employer or taxpayer identification number
Alien registration number
Government passport...

Read More
Extent of Unauthorized Cloud Service Usage by Employees Uncovered
Jun29

How many cloud services is your organization using? According to a new report, if the figure is under 928 – the average number of cloud services used by healthcare providers – you may be underestimating the extent to which employees are using the cloud. The data suggest employees are breaching security policies by using cloud services that lack the necessary security controls. If the data collected are representative of the healthcare industry as a whole, HIPAA violations are being committed on a daily, if not hourly, basis by healthcare professionals.

Benefits of HIPAA-Compliant Cloud Services

There are a number of advantages to be gained from using cloud services. Healthcare providers and other HIPAA-covered entities can cut IT equipment and maintenance costs by hosting data in the cloud. Leveraging cloud services can also improve productivity and speed up the accessing and logging of patient data. A number of healthcare providers have been able to improve patient health outcomes by making use of cloud services.

Security Risks Being Taken by Employees

Skyhigh Networks...

Read More
CFO Sentenced to Jail for False Meaningful Use Claims
Jun27

A former Chief Financial Officer (CFO) has been sentenced to serve 23 months in federal prison after making false claims to receive payments under the Medicare Electronic Health Record (EHR) Incentive Program. Joe White, 68, was the former CFO of Shelby Regional Medical Center and was responsible for overseeing the implementation of new Electronic Health Records (EHRs) at the hospital, and attested that the hospital had met the minimum standards as required by the EHR Incentive Program. The HITECH meaningful use incentive program has resulted in billions of dollars in payments being made to hospitals and other healthcare organizations that have made the change from paper to Electronic Health Records. To qualify for the incentive payments, healthcare providers must “adopt, implement, upgrade or demonstrate meaningful use of certified EHR technology.” Each year, hospitals are required to attest to reaching meaningful use standards. In order to receive the incentive payments, on Nov. 20, 2012, White knowingly claimed that the hospital was a meaningful user of EHRs when this was not...

Read More
What are the Penalties for HIPAA Violations?
Jun24

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect from March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations...

Read More
Samsung Galaxy Hacking Vulnerability Worrying for BYOD Schemes
Jun24

Despite a security vulnerability existing on Samsung Galaxy devices, the electronics giant has yet to issue a fix 7 months after the company was first alerted to a hacking vulnerability affecting S3 to S6 models of Samsung Galaxy phones. The Samsung security vulnerability could potentially allow the phones to be hijacked by hackers, allowing information entered or sent via the phones to be viewed. The security vulnerability concerns the software used for the phones’ keyboard, according to researchers at NowSecure. What is especially worrying is that the owner or user of the phone does not need to take any action to allow hackers to gain access to the mobile phone; the security vulnerability can be exploited remotely.

How are Hackers Gaining Access to Samsung Phones?

Fortunately, the hack is not straightforward to pull off. It requires considerable technical skill and can only be executed at specific times: when the keyboard software is being updated. The researchers point out that a hacker with access to Wi-Fi networks, or with the ability to otherwise manipulate a user’s network...

Read More
July 28 Deadline for HIPAA HPID Comments
Jun24

A request has been submitted to the Federal Register by the Department of Health and Human Services (HHS) inviting comments from the public on the HPID Final Rule, to determine whether changes are required to make the ID scheme more workable. The deadline for those comments has been set for July 28. Any covered entity – or individual – must submit comments before this date in order for them to be considered. It is the last opportunity to have a say in how the scheme will operate.

Background to the HIPAA HPIDs

The Health Insurance Portability and Accountability Act (HIPAA) – Section 262, Public Law 104–191 – amended the Social Security Act, requiring the HHS to introduce a new national identification scheme for health plans, with each needing to be issued with a unique Health Plan ID number (HPID). Under the Patient Protection and Affordable Care Act, the HHS was required to release a final rule on the use of HPIDs by health plans, which was initially scheduled for October 1, 2012. However, in September 2012 an Administrative Simplification was released along...

Read More
Recent Equipment Thefts Bring Data Encryption Issue to the Forefront
Jun21

Cybersecurity is a hot topic at board meetings; the healthcare industry is under attack and cybersecurity defenses must be improved. While boards may be preoccupied with the threat from hackers – it is often perceived to be the biggest cause of HIPAA breaches – it is important not to forget about lower-tech attacks. Hackers are breaking through healthcare providers’ defenses to obtain PHI, but there are easier ways for thieves to obtain data: a fact that has certainly not been overlooked by the criminal fraternity. Theft of equipment containing Protected Health Information is also a major cause of HIPAA breaches, in spite of affordable technology existing to prevent data disclosure.

Healthcare Providers Must Tackle Device Loss and Theft

The spate of recent thefts reported by healthcare providers and health plans shows that while cybercriminal activity is on the rise, theft of devices containing unencrypted PHI is keeping pace. The risk of HIPAA breaches from the theft and loss of equipment simply cannot be ignored. It is an ever-present threat. Current figures may suggest...

Read More
HIPAA-Covered Entities in for a Rude Awakening in the Compliance Audits
Jun18

It has been three years since the OCR completed the pilot phase of HIPAA compliance audits. The OCR discovered numerous violations of all HIPAA Rules when it analyzed the results, and while healthcare data security standards have improved considerably since 2012, many Covered Entities (CEs) would still fail a compliance audit. A new survey recently published by Healthcare Information Security Today (HIST) indicates many Covered Entities (CEs) are making the same compliance mistakes that were uncovered during the pilot phase of audits. The OCR used the results of the pilot phase to develop a protocol for phase two, and the areas that CEs struggled to implement will be specifically tested the second time around. A number of healthcare providers could have a rude awakening on what compliance with HIPAA really means. The HIST survey uncovered a surprising level of confidence among covered entities. 80% of respondents said they were confident or somewhat confident of passing a compliance audit. The pilot round of compliance audits identified many areas where organizations were failing to...

Read More
Deven McGraw Appointed OCR Deputy Director for Health Information Privacy
Jun18

Very shortly there will be a new face at the Department of Health and Human Services’ Office for Civil Rights. Privacy advocate Deven McGraw has taken on the role of Deputy Director of Health Information Privacy, and must get the agency auditing, advising and enforcing as it should. She will be filling the role left vacant by Susan McAndrew, who retired last year, and is set to join the OCR on June 29.

It Takes Time to Find the Right Candidate

The OCR has taken its time to find and appoint a replacement for Susan McAndrew. That wait certainly appears to have paid off. McGraw will bring a wealth of experience to the OCR, having worked in both the public and private sector. She has developed strong strategic leadership skills and has held the posts of Chief Operating Officer at the National Partnership for Women & Families and Director of the Health Privacy Project at the Center for Democracy & Technology. McGraw is no stranger to challenges, and has an extensive working knowledge of the intricacies of healthcare privacy and security laws. She will be able to draw from the...

Read More
HIPAA Compliance Deadline for Windows Server 2003 Upgrade Fast Approaches
Jun17

Microsoft has announced it will stop issuing patches and software updates for Windows Server 2003 on July 15, 2015. Any HIPAA-covered entity that is still running the outdated software on any of its servers after this date will be in violation of the HIPAA Security Rule, and could face a financial penalty from the Department of Health and Human Services’ Office for Civil Rights (OCR). Microsoft advises users to upgrade to Windows Server 2012 R2 in order to maintain security standards and receive continued support, upgrades and patches.

Upgrades Must be Planned and Time is Fast Running Out

When Microsoft stopped issuing patches for Windows XP, all users had to be moved onto new operating systems; a task that required a considerable amount of planning, a considerable number of man hours and a not insignificant financial outlay. While a HIPAA-covered entity will have fewer servers than desktops/laptops, upgrading servers has the potential to cause even more disruption, especially in large organizations operating a number of servers and an even higher number of virtual...

Read More
Billing Business Associate Exceeds Breach Notice Period by 7 Months
Jun14

A payment processing Business Associate (BA) of North Shore-LIJ Health System – Global Care Delivery (GCD) – has reported the theft of five laptop computers; four of which are believed to have contained the Protected Health Information (PHI) of approximately 18,000 patients. The theft took place at GCD’s offices in Texas on or before September 2, 2014. The data stored on the laptop computers was not encrypted, although the devices were protected by passwords. While passwords offer some degree of protection, they can be cracked. The Health Insurance Portability and Accountability Act (HIPAA) demands that incidents such as this are classed as data breaches as PHI can potentially be viewed and used inappropriately. After the discovery of the theft on September 2, 2014, GCD reported the incident to law enforcement and an investigation was conducted to determine which data was stored on the laptops. GCD determined that the laptops contained patients’ first and last names, dates of birth, diagnosis and procedural codes, and internal account numbers. Insurance identification numbers...

Read More
Cybersecurity Services Being Outsourced Due to Lack of Skilled Staff
Jun10

A lack of suitable personnel with appropriate skills to improve cybersecurity defenses is leading many CISOs and CIOs to look outside their organizations for assistance. Businesses and healthcare providers are now increasingly hiring third party experts to provide cybersecurity services, according to a new report by Cybersecurity Ventures.

Wave of Attacks Increases Demand for Trained Cybersecurity Staff

Cybersecurity incidents have risen by 48% over the course of the previous 12 months and industry experts predict that the volume of security incidents will rise further still throughout 2015 and 2016. This is not a problem that will just go away. Improving cybersecurity defenses to resist highly sophisticated attacks requires skilled staff, and with the complexity of attacks increasing there is no time to lose. The quarterly Cybersecurity Market Report indicates that the increased risk of attack has led many businesses to create new positions for cybersecurity officers; however, the dearth of talent has seen 209,000 of those cybersecurity jobs remain unfilled. Over the next...

Read More
HIPAA and the New Helping Families in Mental Health Crisis Act
Jun10

The Helping Families in Mental Health Crisis Act (H.R. 2646) of December 2013 has been reintroduced by Tim Murphy (R-PA) – Subcommittee Chairman for the House Energy & Commerce Oversight and Investigations – and Rep. Eddie Bernice Johnson (D-TX) with a double purpose. First, it is hoped that the new bill will help to improve the standard of mental health care provided to patients, and secondly a number of new provisions will be introduced to ensure patient privacy is protected. According to Tim Murphy, the new bill “marks a new dawn for mental health care in America.” He went on to say that the new bill “breaks down federal barriers to care, clarifies privacy standards for families and caregivers; reforms outdated programs, expands parity accountability, and invests in services for the most difficult to treat cases while driving evidence-based care.” The bill has been praised by many, but the legislative change has not been universally welcomed. The bill has received criticism from some quarters, in particular for the potential for HIPAA violations to occur. One area of...

Read More
Crown Point Medical Tests Discovers HIPAA Violation
Jun08

Crown Point Medical Tests Discovers HIPAA Violation

A former Crown Point medical testing business has violated the Health Insurance Portability and Accountability Act (HIPAA) after it failed to securely dispose of files containing the Protected Health Information (PHI) of at least 167 individuals. The victims had previously had medical tests processed through My Fast Lab. My Fast Lab was founded by Barry Walker of Cedar Lake in 2013, although the business is no longer in operation. The company was known for its heavily discounted medical testing services, which were advertised as being up to 70% below competitor rates. However, the business did not survive, and the company’s former office has since been listed. Some of the contents of the facility, including patient files, were dumped along with regular commercial waste in a public area, in violation of HIPAA Rules. HIPAA demands that PHI be securely and permanently destroyed when it is no longer required.
Highly Sensitive Data Dumped in Public
The files were found by a local resident at the back of a Crown Point strip mall. While taking out the trash from the...

Read More
U.S. HealthWorks HIPAA Breach Raises Issue of Data Encryption
Jun02

U.S. HealthWorks HIPAA Breach Raises Issue of Data Encryption

U.S. HealthWorks, a healthcare provider based in Valencia, California, has reported a breach of PHI and PII after an unencrypted laptop computer was stolen from the vehicle of a company employee.
Theft of Laptop Computer from Unattended Vehicle
The incident occurred on April 21, 2015 and was discovered by the healthcare provider the following day. The sample breach notification letter, posted on the California Attorney General’s website, explains that a company employee had taken a laptop computer and left it in a vehicle, from which it was stolen. Upon discovering the theft, the employee reported the incident to law enforcement and an investigation was commenced. U.S. HealthWorks started an internal investigation to determine exactly what data was stored on the laptop, a process which took some time to complete. According to the breach notification letter, dated May 30, 2015, it took until May 5, 2015 to determine that the laptop was password protected but lacked data encryption software. A login password on its own does not protect the data on a stolen drive, which can simply be read in another machine; only encryption of the stored data does. The healthcare provider was able to determine that...

Read More
Nevada and North Dakota Amend Data Breach Laws
Jun01

Nevada and North Dakota Amend Data Breach Laws

North Dakota and Nevada have joined the growing list of states to update their breach notification laws this year. Last month, new laws were passed to tighten the legislation and expand the definition of “personal information”, with the two states joining California, Florida, Montana, Washington and Wyoming, which have already updated their state breach notification laws. The Health Insurance Portability and Accountability Act (HIPAA), specifically the Breach Notification Rule of 2009, places a number of requirements on Covered Entities (CEs) when it comes to responding to a data breach involving Protected Health Information and Personally Identifiable Information. HIPAA Rules are only a minimum set of standards. States can introduce laws to increase data privacy and security protections for patients, plan members and other individuals affected by a healthcare data breach, and states often include provisions in their new laws for entities covered under HIPAA and other federal laws.
New Breach Notification Law in North Dakota
The Sixty-fourth Legislative Assembly of North Dakota met on...

Read More
Secure Text Message Service Improves Response Times at Chicago Cardiology Institute
May29

Secure Text Message Service Improves Response Times at Chicago Cardiology Institute

The Chicago Cardiology Institute, a leading healthcare provider offering treatment for cardiovascular and peripheral vascular diseases, has implemented a new secure text messaging service that allows its nurses, physicians and other healthcare staff to communicate in a timely and efficient manner without running the risk of violating data privacy and security legislation.
HIPAA Prohibits the Transmission of PHI over Insecure Networks
The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers to ensure patient privacy is protected and Protected Health Information (PHI) is secured. HIPAA does not permit PHI to be transmitted over networks where it is exposed to unauthorized parties, meaning pagers, smartphones and other mobile devices cannot be used to communicate PHI unless the data is encrypted in transit (or an equivalent safeguard is in place and documented). Healthcare providers wanting to improve communication between care teams and speed up the exchange of healthcare information must implement a system to secure those communications. One of the most efficient and easiest ways to do this is to use a secure...

Read More
Ohio Radiologist Disciplined for HIPAA Violation
May28

Ohio Radiologist Disciplined for HIPAA Violation

The State Medical Board of Ohio has taken action against a radiologist who violated the Health Insurance Portability and Accountability Act (HIPAA) by unlawfully accessing the medical records of a colleague. The radiologist, Dr. Aimee Hawley, accessed the records of a work colleague at Mercy Health St. Rita’s Medical Center in September 2013. Hawley has since left the hospital’s medical staff. It is not known why Hawley accessed the records of her physician colleague, when she should have been aware of the HIPAA restrictions on access to Protected Health Information. Joan Wehrle, the State Medical Board of Ohio’s education and outreach program manager, said the source of the complaint about the HIPAA violation was being kept confidential. Wehrle pointed out that patient privacy is a serious matter and that “No one can access a patient’s medical records unless they are a treating or consulting physician or have permission from the patient.” As a result of this transgression, Hawley has agreed to sign a consent agreement submitting to disciplinary action. A consent...

Read More
US Coast Guard Criticized for HIPAA Failures
May24

US Coast Guard Criticized for HIPAA Failures

The U.S. Coast Guard (USCG) has been audited by the Office of the Inspector General (OIG) to assess the privacy and security measures it has implemented to safeguard Protected Health Information (PHI). The OIG auditors found that the USCG lacks a number of the controls necessary to protect the privacy of the data it holds. The USCG operates 42 health clinics and 150 sick bays in coastal areas of the United States and Puerto Rico. Each year over 300,000 clinic visits are recorded, with data stored in its Composite Health Care System (CHCS). The CHCS contains Personally Identifiable Information (PII) along with PHI that includes medical test results, immunization data, pharmacological and x-ray data: information covered under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy and Security Rules place a number of requirements on HIPAA-covered entities to ensure that data remains private and confidential and is only shared with authorized individuals for the provision of treatment and medical care to patients. HIPAA also covers the physical,...

Read More
OCR Confirms HIPAA Compliance Audit Surveys Sent
May23

OCR Confirms HIPAA Compliance Audit Surveys Sent

Since the sending of the letters was first reported a week ago, there has been much speculation about whether the OCR pre-screening surveys have actually been dispatched. Now the Department of Health and Human Services’ Office for Civil Rights has confirmed, to Fierce Health IT, that its preliminary HIPAA surveys have been sent, marking the start of the 2015 HIPAA compliance audits. In an article in the National Law Review on Monday, McDermott Will & Emery reported that phase 2 of the HIPAA compliance audits was no longer being delayed, after the firm had been notified by some of its clients that an OCR HIPAA audit screening survey had been received. The purpose of the screening surveys is to ensure that all contact and organization information is correct; the OCR auditors can then select the organizations most appropriate for audit. From the responses, the OCR is expected to select 350 covered entities and 50 Business Associates for an audit of the Security Rule, the Privacy Rule, the Breach Notification Rule, or a combination audit comprising two or three audit modules....

Read More
Holston Valley Medical Center Reports HIPAA Breach
May19

Holston Valley Medical Center Reports HIPAA Breach

Holston Valley Medical Center, a Kingsport, Tenn. hospital run by the Wellmont Health System, has discovered that 1,726 patients’ medical records were improperly disposed of, according to a report on WYMT Mountain News. On March 1, 2015, the hospital was alerted to the presence of a number of documents containing Protected Health Information (PHI) in a recycling container in Steele Creek Park, Bristol. The documents contained notes on patients taken by a nurse and related to patients who had visited the Holston Valley Medical Center between 1998 and 2007. It is not clear exactly what information was included on the patients, although a statement released by Wellmont’s Chief Compliance Officer, Nancy Merritt, confirmed “The notes were not part of any patients’ legal medical record and were never in a public area before they were placed in the recycling bin.” Merritt went on to say, “Holston Valley and Wellmont did not authorize these notes, their retention or their disposal at Steele Creek.” The taking of notes was in violation of company policy, and in an interview with the nurse...

Read More
University of Pittsburgh Medical Center Patients Warned of BA HIPAA Breach
May15

University of Pittsburgh Medical Center Patients Warned of BA HIPAA Breach

A Business Associate (BA) of the University of Pittsburgh Medical Center has notified the healthcare provider, and numerous other clients, of a HIPAA breach caused by a rogue employee. The now former employee is alleged to have stolen the records of 2,259 patients. Medical Management LLC, a medical billing company, was notified by federal law enforcement agencies that a member of its staff was believed to have stolen and disclosed confidential data and that the incident was being investigated. The employee in question, who has not been named, worked in the company’s call center and is accused of copying “personal information from the billing system” and disclosing the information to a third party.
Social Security Numbers and Personally Identifiable Information Stolen
Patients affected by the breach are being sent breach notification letters from today to alert them that their personal information has been obtained and disclosed. They have been advised that their names, dates of birth and Social Security numbers were compromised. Breach...

Read More
Indiana State Medical Association HIPAA Breach Update
May13

Indiana State Medical Association HIPAA Breach Update

Details have emerged on the Indiana State Medical Association data breach reported in early March. The Indiana State Medical Association (ISMA) issued a media release confirming a data breach in which the records of approximately 39,000 individuals were exposed after two backup hard drives were stolen from an employee’s car. A report in the Star Press yesterday adds further detail to the story, suggesting the initial report was inaccurate and the breach was not reported promptly. The employee in question has been identified as the ISMA Information Technology Administrator. The employee parked his car in a lot for two and a half hours, during which time a thief broke into the vehicle and stole two computer backup hard drives containing 39,090 medical records. The hard drives are understood to have been left in plain sight inside the vehicle. The employee did not report the theft until more than 24 hours later; the theft report was filed at 7pm on February 14. The administrator called law enforcement to report the theft and officers were dispatched...

Read More
Illinois AG Files Improper Dumping Lawsuit Against HIPAA Business Associate
May11

Illinois AG Files Improper Dumping Lawsuit Against HIPAA Business Associate

Lisa Madigan, the Illinois Attorney General, has filed a lawsuit against a Northbrook HIPAA Business Associate (BA) for failing to destroy medical records prior to disposal. The BA is alleged to have exposed the PHI of at least 1,500 patients. The complaint says that the attorney general’s investigators found 1,500 medical records at Shred Spot. The company had received the medical records from Filefax Inc of 3405 Commercial Ave., Northbrook. According to the suit, as reported by the Chicago Tribune, “an individual by the name of Halina Bysiek took 1,100 pounds of paper out of the container and brought it to another Sky Harbor business, seeking cash for recycled material.” The data was allegedly left in an “unlocked garbage container behind the building in the Sky Harbor business park.” Paul Kaufmann, owner of Shred Spot, identified the material as medical records and alerted his trade association, the National Association for Information Destruction. Following the advice he received, Kaufmann contacted the state attorney general’s office and an investigation was...

Read More
HIPAA Compliance Guide Released
May11

HIPAA Compliance Guide Released

Our 65-page HIPAA Compliance Guide for Privacy, Security and Compliance Officers provides useful advice on the main elements of the Health Insurance Portability and Accountability Act, including tips and best-practice advice for Covered Entities (CEs) and their Business Associates (BAs). The guide can be downloaded here.
HIPAA Compliance Will Be Put to the Test
Three years have passed since the Department of Health and Human Services’ Office for Civil Rights completed its pilot round of HIPAA compliance audits, and organizations covered by HIPAA do not have long before the audits start again. The pilot phase did not result in any financial penalties, only action plans, although the audits revealed HIPAA compliance was in a sorry state. The same is not expected to be true of the next round. CEs have had plenty of time to update procedures and policies, and if violations are discovered this time around, fines are likely to follow. The next round of audits will specifically test the areas of HIPAA Rules that were causing so many problems for CEs three years...

Read More
2014 HIPAA Privacy and Security Breach Report
May11

2014 HIPAA Privacy and Security Breach Report

The healthcare industry suffered a number of large-scale data breaches in 2014, with Community Health Systems the hardest hit after hackers stole 4.5 million patient health records.
2014 HIPAA Privacy and Security Breaches Increase by 138%
In 2014, HIPAA privacy and security breaches hit record highs, with millions of patient health records exposed. Since 2012, security breaches have increased by 138%, and the trend has continued into 2015. Colossal data breaches have already been reported by Anthem and Premera Blue Cross, which exposed 78.8 million and 11 million health plan member records respectively, and that was before February had come to an end. According to a survey of healthcare IT professionals at HIMSS 2015, the healthcare IT security focus has now shifted from compliance with HIPAA regulations to the prevention of data breaches, due to the staggering cost of those breaches. However, the data from last year suggests that hacking accounted for a relatively small proportion of the data breaches reported in 2014. When these incidents do occur, as we have seen over the course of the...

Read More
HIPAA Compliance Audits: OCR Transmits Pre-Screening Surveys
May08

HIPAA Compliance Audits: OCR Transmits Pre-Screening Surveys

According to a recent article in Lexology, the Department of Health and Human Services’ Office for Civil Rights has started transmitting pre-screening surveys to HIPAA-covered entities, signaling the start of the long-awaited second round of HIPAA compliance audits. However, the OCR has yet to post a notice on its website to that effect.
OCR Prepares for the Second Phase of Compliance Audits
The OCR previously placed a notice in the Federal Register last year stating its intention to send pre-audit screening questionnaires to up to 1,200 covered entities and their Business Associates, so that organizations could be contacted to assess their suitability for audit. The OCR must ensure that a representative sample of covered entities is audited, including both large and small healthcare providers, healthcare clearinghouses, insurers and health plans, as well as Business Associates of covered entities. The audits must also be geographically representative, covering the whole of the United States. According to the OCR’s Susan McAndrew, the screening questionnaires are to “assess the...

Read More
The Cost of HIPAA Non-Compliance
May04

The Cost of HIPAA Non-Compliance

The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) demands that all covered entities implement appropriate administrative, physical and technical safeguards to keep PHI secure. Failure to implement those basic minimum standards can lead to more than just a fine from the Department of Health and Human Services’ Office for Civil Rights (OCR). The cost of HIPAA non-compliance is considerable.
The True Cost of HIPAA Non-Compliance
Since the HIPAA Enforcement Rule took effect, the OCR has been able to fine organizations that fail to implement appropriate controls to protect healthcare data and the privacy of patients. Fines of up to $1.5 million per year can be issued for each category of HIPAA violation, with the total multiplied by the number of years each violation has been allowed to persist. Multimillion-dollar financial penalties have already been issued for non-compliance, but a HIPAA violation penalty is one of the smaller costs covered entities have to bear. Organizations experiencing even relatively small data breaches can see the cost of a healthcare data...

Read More
Cybercrime Report: Children’s Healthcare Data Prized by Thieves
May04

Cybercrime Report: Children’s Healthcare Data Prized by Thieves

Cybercriminals are targeting healthcare providers and insurers in an attempt to obtain the Protected Health Information (PHI) and Social Security numbers they hold, but above all else it is the Social Security numbers of children they are after. According to a study conducted by the University of Texas Center for Identity, children are 35 times more likely to suffer identity fraud after a data breach than adults. A 2011 study conducted by Carnegie Mellon University’s CyLab suggests the risk is much higher, with children 51 times more likely to suffer fraud. The UT researchers have estimated that one in ten U.S. children have had their identities stolen to some degree.
How do Criminals Use Healthcare Information and Social Security Numbers?
Social Security numbers, along with personal identifiers, can be used by criminals to commit fraud in a variety of ways, and the value of these numbers has led criminals to come up with highly sophisticated and diverse ways of breaking through organizations’ defenses. Thieves use healthcare data and Social Security numbers to...

Read More
Can E-Signatures Be Used Under HIPAA Rules?
May03

Can E-Signatures Be Used Under HIPAA Rules?

The use of digital signatures in the healthcare industry has helped to improve the efficiency of many processes, yet the question remains whether e-signatures can be used under HIPAA Rules. Effectively the answer is “yes”, provided that mechanisms are put in place to ensure the legality and security of the contract, document, agreement or authorization, and there is no risk to the integrity of PHI.
What Does HIPAA Say About E-Signatures?
Proposals for the use of e-signatures under HIPAA Rules were included in the first draft of the 2003 Security Rule but were removed before the regulation was finalized. Subsequent guidance relating to Business Associate Agreements and the exchange of electronic health information, published on the U.S. Department of Health and Human Services website, states: “No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.” Generally, a signature is not required for many...

Read More
Calculating the Cost of a HIPAA Data Breach
Apr30

Calculating the Cost of a HIPAA Data Breach

Calculating the cost of a HIPAA data breach is not a straightforward process, at least not until a number of years after the breach has occurred. Actions must be taken following a breach, and the cost of notification and damage mitigation can spiral. Financial penalties are also being issued with increasing frequency to healthcare organizations that fail to implement appropriate privacy and security measures to protect patient healthcare data.
HIPAA and Breaches of Protected Health Information
The Health Insurance Portability and Accountability Act requires covered entities to employ appropriate administrative, physical and technical safeguards to prevent the unauthorized disclosure of Protected Health Information (PHI). Patients must also be allowed access to their healthcare information on request, privacy must be respected, and policies must be developed to de-identify data before it is used for research and marketing purposes. Business Associates, meaning any vendor required to come into contact with PHI, must also be vetted to make sure they comply with HIPAA Rules. When...

Read More
Study Suggests HIPAA Data De-identification Improvements Required
Apr28

Study Suggests HIPAA Data De-identification Improvements Required

Under HIPAA Rules, healthcare providers and other covered entities (CEs) are permitted to use the Protected Health Information (PHI) of patients, and share it with others, provided that the data has been de-identified: it must not be possible to tie the data to any individual. CEs may share the data if it can be demonstrated that the risk of associating it with a particular patient is small, and the Privacy Rule gives them two options for de-identifying healthcare data before sharing it. They can use the expert determination method, in which a qualified expert applies a statistical model such as k-anonymity and documents that the re-identification risk is very small, or they can follow the rule-based Safe Harbor method, which removes or alters 18 specified identifiers; for example, reducing dates of birth to the year alone, truncating ZIP codes to three digits, or stripping days and dates to provide only a patient’s age. However, while the latter method is often used, it is far from perfect. According to a recent study published in the Journal of the American Medical Informatics Association (JAMIA), this procedure does not tailor protections to the...

Read More
OCR Issues Advice on HIPAA and Workplace Wellness Programs
Apr20

OCR Issues Advice on HIPAA and Workplace Wellness Programs

Protected Health Information (PHI) is safeguarded under Health Insurance Portability and Accountability Act Rules, which require covered entities (CEs) to implement a number of controls to ensure that healthcare data is not disclosed to unauthorized individuals. Should that occur, or if the data is stolen, covered entities also have a duty to notify the Office for Civil Rights (OCR) and any persons affected by the breach, with the rules for doing so laid down in the Breach Notification Rule. These rules cover most healthcare providers, health plans and healthcare clearinghouses; however, the OCR has recently issued advice on Workplace Wellness Programs, as there appears to be some confusion about their coverage under HIPAA Rules.
Are Workplace Wellness Programs Covered by HIPAA?
The confusion over HIPAA and Workplace Wellness Programs is understandable, because whether these schemes are covered under HIPAA depends on how the wellness programs have been set up, and in particular whether they are provided through an employer as part of a group health plan....

Read More
OCR Gives Updates at HIMSS15 but no Timescale for Compliance Audits
Apr16

OCR Gives Updates at HIMSS15 but no Timescale for Compliance Audits

The Department of Health and Human Services’ Office for Civil Rights did not use the HIMSS 2015 conference as a podium to announce the start of the long-awaited second round of HIPAA compliance audits, although a number of OCR officials gave an insight into what it has in store for 2015. HIMSS 2015 is a time of learning for healthcare professionals. The protection of EHRs, and the best practices and technology to adopt to protect them, is a major focus at this year’s conference. Cybersecurity is top of the agenda, and the high-profile “mega-breaches” of recent months have got healthcare IT professionals looking for answers. The words “data breach” may be enough to bring out a cold sweat at the conference, but there were plenty in attendance on Monday for the session given by Marion Jenkins, Chief Strategy Officer at 3t Systems, which gave a brief history of HIPAA and examined a decade of data breaches. Jenkins recounted the enforcement actions already taken by the OCR since it took charge of policing HIPAA, and pointed out that it has increased its enforcement...

Read More
You Ain’t Seen Nothing Yet – OCR Indicates Major Hike in HIPAA Audits
Apr15

You Ain’t Seen Nothing Yet – OCR Indicates Major Hike in HIPAA Audits

Last seen in 2012, the second round of HIPAA compliance audits has yet to commence, but the audits are apparently coming back this year, with plans in place for them to be bigger and bolder than ever before. The Department of Health and Human Services’ Office for Civil Rights (OCR) indicated to Washington lawyer and HIPAA expert Adam Greene, a partner at Davis Wright Tremaine, that compliance enforcement is set to increase significantly.
OCR Has Already Increased Its Enforcement Actions
In a presentation at HIMSS15 in Chicago on Tuesday, Greene pointed out that there had been an increase in enforcement actions involving financial penalties in recent years. Greene said there “was one or three fines levied in 2008-2011, five in 2012 and 2013 and seven last year in 2014”. The OCR has had to deal with more than 100,000 complaints since it started enforcing HIPAA legislation, and in the majority of cases these have been resolved without any investigation being necessary. In almost a quarter of cases (24%) the Covered Entity (CE) took voluntary corrective action...

Read More
Health IT Privacy and Security Guide Released by ONC
Apr14

Health IT Privacy and Security Guide Released by ONC

The government, via the Office of the National Coordinator for Health IT (ONC), has issued a new set of guidelines on the privacy and security of Protected Health Information. The guidance was updated for the most part to facilitate the interoperable exchange of healthcare data, but also to improve cybersecurity defenses and the understanding of HIPAA Rules, and to outline the core objectives of Stage 2 of the Meaningful Use program. The guidelines set out to explain why PHI must be protected and convey that HIPAA compliance is a responsibility shared by everyone employed in the healthcare industry. Advice is provided on how compliance can be achieved under the Health Insurance Portability and Accountability Act, and best practices are outlined that should be adopted by Medicare Eligible Professionals (EPs) and HIPAA-covered entities (CEs). The guidelines were last updated in 2011, so an update has been long overdue, especially in light of the 2014 EHR Certification Rule which, like the HIPAA Privacy Rule, allows patients the opportunity to access their...

Read More
Microsoft Office 365 Achieves Top Rating for HIPAA Compliance
Apr07

Microsoft Office 365 Achieves Top Rating for HIPAA Compliance

Microsoft Office 365 cloud services for the healthcare industry have recently achieved the highest possible HITRUST CSF rating, a maximum score of five, in a certification review of their security and privacy controls initiated by Centura Health. The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a scalable, prescriptive and certifiable framework specific to healthcare organizations. It was designed to speed up the process of vetting organizations and assessing multiple certification standards as part of a plan to move data to the cloud. The CSF includes an assessment and certification process that simplifies the management of multiple standards (HIPAA, HITECH, PCI, COBIT, NIST and FTC) and assesses the level of “maturity” an organization or potential Business Associate has reached for particular security requirements. The HITRUST CSF was based on the Program Review for Information Security Management Assistance (PRISMA), the National Institute of Standards and Technology’s Computer Security Division’s NISTIR...

Read More
How Can PHI be Shared Under HIPAA?
Apr06

How Can PHI be Shared Under HIPAA?

Under the Health Insurance Portability and Accountability Act, specifically the HIPAA Privacy Rule, Protected Health Information (PHI) cannot be shared with unauthorized individuals. Since the Omnibus Rule was introduced, covered entities (CEs) are also not permitted to use PHI for marketing purposes without the patient’s authorization, so how can PHI be shared under HIPAA?
How Can PHI be Shared Under HIPAA?
Sharing PHI beyond the uses and disclosures the Privacy Rule permits is not allowed, so if a CE wants to share that data for marketing, research or any other secondary purpose, the individual records must first be de-identified. If it is not possible to identify an individual from the data, the information is not considered to be PHI. Therefore, once all personal identifiers have been stripped from the data and the residual re-identification risk has been shown to be very small, the CE is free to do with the data as it wishes, as the data is no longer PHI.
Why De-identify Data?
Healthcare providers may wish to conduct comparative drug effectiveness studies in order to check the effectiveness of different treatment methods on patient outcomes, for example. Medical...
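As an added worked example (not code from this page, from the JAMIA study, or from any vendor), the Python below applies the Safe Harbor transformations described in the de-identification study item above and the identifier stripping described in this item, then measures the k-anonymity of the result so the two approaches can be compared on the same records. The field names, the five sample patients and the k threshold are constructed for the illustration; the restricted ZIP3 prefixes and the age-90 rule follow HHS Safe Harbor guidance (45 CFR 164.514(b)(2)).

```python
"""Safe Harbor-style de-identification with a k-anonymity check.

Added illustration for this page: the field names, the sample patients and the
k threshold are all constructed for the example; the ZIP3 prefix list and the
age-90 rule follow the HHS Safe Harbor guidance (45 CFR 164.514(b)(2)).
"""
from collections import Counter
from datetime import date

# Three-digit ZIP prefixes whose areas held 20,000 or fewer people in the 2000
# census; Safe Harbor requires these to be replaced with "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Direct identifiers removed outright (a subset of the 18 Safe Harbor
# identifiers; the field names are the example's own).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street"}

# Fields that survive Safe Harbor but can still single someone out in
# combination; k-anonymity is measured over these.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")

# Constructed sample records (not real patients).
AS_OF = date(2015, 6, 1)
SAMPLE_RECORDS = [
    {"name": "Alice A.", "ssn": "111-11-1111", "zip": "60601", "dob": date(1980, 5, 2),
     "sex": "F", "admit_date": date(2015, 3, 1), "diagnosis": "I10"},
    {"name": "Bob B.", "ssn": "222-22-2222", "zip": "60612", "dob": date(1980, 11, 20),
     "sex": "F", "admit_date": date(2015, 3, 4), "diagnosis": "E11"},
    {"name": "Carol C.", "ssn": "333-33-3333", "zip": "03601", "dob": date(1920, 1, 1),
     "sex": "F", "admit_date": date(2015, 2, 9), "diagnosis": "I50"},
    {"name": "Dan D.", "ssn": "444-44-4444", "zip": "03609", "dob": date(1921, 3, 3),
     "sex": "F", "admit_date": date(2015, 1, 15), "diagnosis": "J44"},
    {"name": "Eve E.", "ssn": "555-55-5555", "zip": "60655", "dob": date(1975, 7, 7),
     "sex": "M", "admit_date": date(2015, 4, 2), "diagnosis": "K21"},
]


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP code, or "000" for restricted areas."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_dob(dob, as_of):
    """Reduce a date of birth to its year; anyone over 89 collapses into a single
    90+ bucket, because Safe Harbor also strips the birth year in that case."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(dob.year)


def safe_harbor(record, as_of=AS_OF):
    """Apply the Safe Harbor transformations to one record and return a new dict."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip3"] = generalize_zip(out.pop("zip"))
    out["birth_year"] = generalize_dob(out.pop("dob"), as_of)
    # Other dates tied to the individual keep only the year.
    for field in ("admit_date", "discharge_date"):
        if field in out:
            out[field] = str(out[field].year)
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class over the quasi-identifiers (0 if empty)."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(classes.values()) if classes else 0


def small_classes(records, k, quasi=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations shared by fewer than k records."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return sorted(key for key, n in classes.items() if n < k)


def deidentify(records, k=2, as_of=AS_OF):
    """Run Safe Harbor, then report whether the output is at least k-anonymous.

    Safe Harbor alone does not guarantee k-anonymity; that gap is what the
    JAMIA study points at, so the caller still has to check or generalize further."""
    deid = [safe_harbor(r, as_of) for r in records]
    achieved = k_anonymity(deid)
    return deid, achieved, achieved >= k


if __name__ == "__main__":
    deid, achieved, ok = deidentify(SAMPLE_RECORDS, k=2)
    for r in deid:
        print(r)
    print(f"k-anonymity achieved: {achieved}; meets k=2: {ok}")
    print("classes below k=2:", small_classes(deid, 2))
```

Running it makes the study's point concrete: after Safe Harbor the two 1980-born women in ZIP 606 and the two 90+ patients from restricted ZIP areas each form a class of two, but the lone man born in 1975 in ZIP 606 is unique, so the set is only 1-anonymous and would need further generalization (or an expert determination) before release.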

Read More
HIPAA Audits May Give False Sense of Security
Apr01

HIPAA Audits May Give False Sense of Security

The news that Premera Blue Cross was audited just three weeks before hackers were able to infiltrate its computer systems has raised a number of questions regarding the effectiveness of compliance audits. The U.S. Office of Personnel Management (OPM) performed an audit of the health insurer and identified a number of security vulnerabilities that it advised Premera to address, in particular the failure to install patches and software updates in a timely manner and the need to develop a baseline configuration that would allow full audits of the insurer’s servers and databases to be conducted. It took the OPM six months to release its final report on the audit, during which time hackers were accessing and copying the PHI of Premera’s members. After the report was released, it took a further two months before the insurer was able to identify the HIPAA breach and shut down access, although by then it was too late to prevent the PHI of 11 million members from being obtained by the thieves. These issues, along with a handful of other observations, were not considered to be serious enough at...

Read More
Cloud Security Adoption: Healthcare and Pharmaceutical Lead the Way
Mar31

Cloud Security Adoption: Healthcare and Pharmaceutical Lead the Way

When it comes to cloud security adoption, the healthcare and pharmaceutical industries lead the way, according to a recent survey by CipherCloud, a provider of secure cloud services. Both industries are required, under the Health Insurance Portability and Accountability Act (HIPAA), to implement safeguards to ensure that Protected Health Information is kept private and confidential, which according to the report is why cloud security adoption is so important and uptake has been so high in these industries. Healthcare and pharmaceuticals have been grouped together in the report, and account for 38% of companies which have chosen to store data securely in the cloud. The banking and finance industry is second, accounting for 25% of companies, with telecommunications third (16%) and government in fourth spot (9%). HIPAA does not demand that PHI be encrypted at rest, although data encryption is an addressable implementation specification. If covered entities decide not to encrypt data, they must document the reasons why, along with the alternative safeguards...

HIPAA Violation Warning Issued About Medical Record Subpoenas
Mar26

The law firm Day Pitney LLP has issued a warning to healthcare professionals to be cautious about disclosing Protected Health Information, even when asked to provide medical records to attorneys under subpoena. A Connecticut Supreme Court ruling in November 2014 permitted a negligence claim to be filed against a healthcare provider for non-compliance with the HIPAA Rules governing the disclosure of PHI to third parties. The court ruled that the HIPAA Privacy Rule covers Protected Health Information even when that information is requested by attorneys through proper legal processes. In Connecticut at least, PHI can only be released under subpoena if certain criteria are met. The court cited 45 C.F.R. § 164.512(e)(1)(ii), which permits disclosure in response to a subpoena that is not accompanied by a court order only if the covered entity has received “satisfactory assurances” that reasonable efforts have been made to notify the individual whose records are sought (or to secure a qualified protective order). As pointed out by Susan R. Huntington of Day Pitney, in order for PHI to be released under HIPAA...

Does your Organization Need a Secure Text Messaging Service?
Mar26

Text messaging has revolutionized worldwide communications. Since the first service was provided in the United States in 1995 it has grown to become one of the most popular and most frequently used forms of communication, with 74% of mobile users – some 2.4 billion individuals worldwide – now using SMS to communicate with colleagues, friends and relatives. SMS messages are also used extensively in healthcare. Some 87% of healthcare professionals now use mobile devices in the workplace, whether their own phones – via hospital Bring Your Own Device (BYOD) schemes – or devices issued by a healthcare provider. According to a Manhattan Research/Physician Channel Adoption Study, physicians spend 64% of their online time looking for information that supports clinical decisions. However, while extremely prevalent in healthcare, text messaging is inherently insecure: SMS is not encrypted end to end, so any PHI sent over the mobile network can potentially be viewed by unauthorized individuals. Text messages can be relayed and routed via multiple carriers, and the messages can remain on servers – in...

10 HIPAA Breach Costs You May not Be Aware of
Mar25

A data breach is less of a possibility and more of an inevitability in 2015. Cybercrime is on the increase and the healthcare industry is under threat, with major attacks having already exposed millions of records – and last year’s tally has already been surpassed by some distance. Determining the financial impact of a data breach can be difficult, as there are variables that cannot be accurately predicted immediately after a breach has occurred. Civil claims for damages will almost certainly be filed, although the number of victims of fraud will not be known for many years, nor the damages that will need to be covered. The Department of Health and Human Services’ Office for Civil Rights investigates data breaches; however, it can take time for an assessment to take place. A full compliance audit may be required, the findings assessed and financial penalties considered. Settlements can take a number of years to be reached and there is no telling how many violations its auditors will discover. Each violation category carries a maximum fine of $1.5 million in cases where the...

Premera HIPAA Breach: Insurer Certified as HIPAA Compliant
Mar24

In the aftermath of a major HIPAA breach, the spotlight is turned on the healthcare provider or insurer involved, and it is investigated to determine whether the breach was preventable and whether it was caused by violations of HIPAA regulations. In the case of Premera, hackers were able to infiltrate the insurer’s computer network and gain free access to patient healthcare records for a period of 10 months. The insurer has been criticized for the breach, in particular for failing to audit its internal computer systems regularly, a measure that could have identified the intrusion much more quickly and thus limited the damage caused. While attention is focused on the insurer and potential HIPAA violations, according to the U.S. Office of Personnel Management the insurer was deemed to be HIPAA-compliant after an audit of its systems last year. The OPM conducted general testing of Premera’s information systems in January 2014, in addition to a full application control audit. While the Office for Civil Rights is tasked with auditing healthcare providers on...

Mobile Devices Under HIPAA Rules: Will Geofencing Boost Data Security?
Mar21

Making mobile devices secure is a challenge faced by all healthcare providers. It is essential, under HIPAA Rules, to ensure that all such devices – and the data they contain – are safeguarded and protected against misuse. However, the view from IT professionals is that device users are not being as careful as they should be. According to a recent Cisco Systems report, IT professionals believe that employees are engaging in highly risky behaviors that are potentially putting personal and healthcare data at risk. The report indicates that 70% of IT professionals believe that the use of unauthorized programs has caused more than half of data breaches. The survey also indicates that 44% of employees are sharing work devices against company policies, while almost four out of 10 respondents said that they have had to deal with employees who accessed parts of a network they were not authorized to enter. Perhaps even more worrying is the fact that 46% of employees admitted to transferring data from a work device to a personal computer to allow...

HIPAA Warning: Health Insurers Must Conduct A Full IT Security Audit
Mar20

A HIPAA data breach affecting 150,000 individuals is shocking. A breach involving 11 million individuals is astonishing. Both incidents have occurred this month, with the latest mega data breach affecting more than twice the number of individuals as the Community Health Systems data breach of last year, and eclipsing by some distance the Tricare breach of 2011 that exposed 4.9 million records. It is clear that the healthcare industry has now entered a new era, in which companies are being targeted by criminals looking to steal data on a monumental scale. Health insurers make attractive targets: they hold the personal information, health data and Social Security numbers of tens of millions of consumers, and in many cases their network security measures are not particularly robust.

Huge Rewards for Hackers

According to a recent PricewaterhouseCoopers report – Managing cyber risk in an interconnected world: key findings from the Global State of Information Security – the value of data is considerable. The report states that “A...

How To Strengthen Defenses Against HIPAA Data Hacking
Mar19

The large-scale data breaches that affected Anthem and Premera Blue Cross this year – and Community Health Systems in 2014 – are a sign of things to come. Healthcare providers, insurers, healthcare clearinghouses and business associates must face up to the fact that the game has changed: cyberattacks are now an inevitability, not just a possibility. Criminals previously concentrated on obtaining credit card numbers to commit fraud, but following the major breaches at Target and Home Depot, the retail industry is implementing new safeguards to protect consumer data. As the $7 billion retail industry improves its defenses, hackers are turning to other, less protected industries, and the healthcare sector is the prime target. Thieves are now concentrating on obtaining Social Security numbers to sell on the black market. These numbers, especially when accompanied by healthcare data and other personal identifiers, can be used to commit identity and medical fraud, allowing criminals to commit millions of dollars of identity...

Second Round HIPAA Compliance Audits Delayed Again
Mar17

The Office for Civil Rights is due to commence the second round of HIPAA compliance audits this year, although news has emerged that the audits are to be delayed once more to give the department time to finalize the audit protocol. The second-round audits were originally scheduled to take place in the fall of last year, but were delayed to give the OCR time to implement a new web portal for reporting data breaches. This measure was essential because of the huge administrative burden that healthcare audits place on the OCR. The new web portal was intended to streamline data collection and ease pressure on the department, which has been struggling with a lack of resources and staff. OCR Information Privacy Senior Advisor Linda Sanches said at the HIMSS Privacy and Security Forum that she was “happy because the process that we were going to use before was much more labor intensive in terms of analyzing data.” The pilot round of HIPAA compliance audits commenced in 2011 and was completed in 2012. The results of the pilot audits indicated that healthcare organizations in particular were failing...

Summary of the HIPAA Breach Notification Rule
Mar15

The Health Insurance Portability and Accountability Act of 1996 is one of the most important pieces of legislation to affect the healthcare industry, yet many healthcare providers and insurers are unaware of their HIPAA obligations, in particular those relating to the HIPAA Breach Notification Rule. There has been considerable criticism of healthcare providers and insurance companies in recent months regarding the speed at which individuals affected by data breaches are notified that their healthcare data and personal information have been stolen, lost or divulged to an unauthorized individual. With this in mind, and given the rise in the number of HIPAA data breaches in recent months, we have prepared a summary of the important elements of the HIPAA Breach Notification Rule to help healthcare organizations respond quickly to data breaches and stay HIPAA-compliant.

Summary of the HIPAA Breach Notification Rule

HIPAA Rules set standards which healthcare providers and other covered entities must follow in order to reduce the chance of patient data being exposed; however, even with the most...

HIPAA and Wiretap Act Could Prevent Installation of Nursing Home Cameras
Mar14

According to a recent CBS Local report, an Illinois House committee will meet next week to discuss the privacy issues raised by the installation of web-based video cameras in nursing home residents’ bedrooms, and how HIPAA Rules and the Wiretap Act can be adhered to. The installation of video cameras in nursing homes has been proposed following numerous allegations of neglect and abuse in nursing homes throughout the United States. Nursing home employees are also accused of the financial exploitation of residents, and each year many reported cases result in legal action. However, proving abuse and neglect in a court of law can be difficult, especially when the victim suffers from dementia or Alzheimer’s.

Action being Taken to Protect Nursing Home Patients

Efforts have been made in both Illinois and Missouri to allow the installation of video cameras in nursing homes to monitor for abuse and to deter staff from abusing residents. When abuse occurs, evidence will be recorded by the cameras, or footage can be monitored remotely. The problem is that video cameras record...

HIPAA Compliance and the Cloud
Mar13

The cloud offers many advantages to healthcare providers and other covered entities. It is possible to use cloud services and remain HIPAA compliant; however, obtaining all the necessary documentation to confirm that this is the case – above all a signed business associate agreement with the cloud provider, which becomes a business associate as soon as it stores or processes PHI on your behalf – can be a long and arduous process, and if you cannot, you could end up violating HIPAA Regulations. The cloud is convenient and flexible. Covered entities (CEs) can use private and secure cloud services which allow a great deal of customization, and there is now a wide range of companies offering cloud-based services to the healthcare industry, an industry that has traditionally lagged behind others in adopting new technology. However, any CE using the cloud must exercise extreme caution, especially when moving data to and from it. This is an area well covered by HIPAA regulations. Many healthcare providers have already ventured into the cloud and have implemented their own measures to ensure that PHI is secured. Today, a number of cloud service providers are taking care of this aspect of the business and are offering “HIPAA...

HIPAA Breach Triggers IT Security Audit: Anthem Refuses
Mar10

The Office of Personnel Management’s (OPM) Office of the Inspector General (OIG) conducts security audits of healthcare organizations participating in the Federal Employees Health Benefits Program (FEHBP). Following the massive HIPAA breach at Anthem, Inc. last month, the OIG decided to conduct a new information technology security audit of the insurer. The OIG’s IT security audits set out to determine whether security vulnerabilities exist that could be used by hackers to gain access to servers and internal computer systems. The audits are not comprehensive; instead they sample a small proportion of the organization’s servers to build an overall picture of data security and of whether sufficient steps have been taken to prevent malicious cyberattacks. The audits consist of automated vulnerability scans and accompanying configuration compliance checks; however, according to a HealthITSecurity report, Anthem refused to cooperate fully with OIG auditors and restricted access to its servers, claiming that providing access would...

Delegates Prepare for the 23rd National HIPAA Summit
Mar09

Next week, government department heads and industry leaders will meet at the 23rd National HIPAA Summit to give updates on the progress made over the past 12 months and to provide information on new laws and regulations. The summit also offers an opportunity for compliance officers and other healthcare professionals to receive training on a wide range of healthcare IT and HIPAA compliance issues. The threat of cyberattacks on healthcare providers has risen to an all-time high and healthcare costs are spiraling out of control. The industry may be in critical condition, yet healthcare providers, health plans and other covered entities must find the funding to improve data security and protect the privacy of patients and health plan members. Since the introduction of HIPAA this has been a major challenge, but with the introduction of HITECH, the Affordable Care Act (Obamacare), the move to ICD-10 coding and the passing of the HIPAA Omnibus Rule the challenge has grown. HIPAA-covered entities now face a huge financial and administrative burden to comply with these...

Possible HIPAA Violations in Medical College of Wisconsin Breach
Mar03

The Medical College of Wisconsin (MCW) has issued a statement announcing a data breach that has affected approximately 400 of its patients. WDJT Milwaukee, a CBS affiliate, was contacted on February 28, 2015 by an MCW spokesperson with details of a data breach that exposed some confidential information of its patients. The breach occurred on February 15, 2015, when a document and a laptop computer were stolen from a physician’s car. The document contained information relating to approximately 400 patients; the laptop is understood to have contained the information of only one patient. It is not yet clear exactly what information was stored on the laptop or in the document, although MCW has confirmed that no Social Security numbers or patient addresses were stolen. In spite of legislation that requires data encryption to be addressed, the healthcare industry has been slow to adopt encryption on its desktop computers, laptop computers and other portable storage devices. Data encryption ensures that if a device is stolen, no...

Why is the OCR Not Issuing More HIPAA Fines?
Feb28

The Department of Health and Human Services’ Office for Civil Rights is tasked with policing HIPAA, and there has been no shortage of HIPAA violations of late, so why is the OCR not issuing more HIPAA fines?

Huge Data Breaches – Numerous HIPAA Violations – 22 Financial Penalties

Since October 2009, 1,140 data breaches affecting more than 500 individuals have been reported to the OCR, along with more than 120,000 breaches involving fewer than 500 individuals. Out of those incidents – including a large number that involved or directly resulted from HIPAA violations – only 22 have resulted in OCR financial penalties, according to research conducted by ProPublica. The OCR has been reserving financial penalties for cases that “have involved systemic and/or long-standing” non-compliance, and is cautious about exercising its right to fine HIPAA violators. Interestingly, the California Department of Public Health is more active when it comes to holding healthcare organizations accountable for their lack of attention to HIPAA legislation. It too has issued 22 fines to HIPAA...

HIPAA and ISPP Violations Cited in Aventura Hospital Damages Lawsuit
Feb25

The Aventura HIPAA breach, identified in June last year, has resulted in a lawsuit being filed by a patient of the hospital, according to a Courthouse News Service report. The lawsuit was filed by Aventura patient Kellie Lynn Case in the Miami federal court. She is seeking damages from the defendants, Hospital Corporation of America and Envision Healthcare Corporation, alleging that they were entrusted with confidential patient data and failed to implement the appropriate controls to keep that data safe. The lawsuit alleges that the defendants violated the HIPAA Security Rule in addition to Industry Standard Protection Protocols (ISPP). Under HIPAA regulations healthcare providers are not permitted to share confidential patient data without first obtaining the patient’s authorization, except for purposes HIPAA expressly permits, such as treatment, payment and healthcare operations. They are also required to produce notices of privacy practices detailing how the data they hold will be used, to whom it will be disclosed and under what circumstances. The lawsuit alleges that the defendants used the Notice of Privacy Practices as a means to justify an...

How to Prepare for a HIPAA Compliance Audit
Feb23

In 2011 the Department of Health and Human Services’ Office for Civil Rights developed an audit program to assess the state of healthcare compliance. The pilot audits, which started in 2011 and were completed in 2012, uncovered numerous violations of the HIPAA Privacy, Security and Breach Notification Rules. Only 11% of audited entities passed with no observations or violations, while more than 60% of the audits uncovered Security Rule violations. The OCR was lenient on offenders and did not issue major fines for non-compliance; instead, action plans were developed to help the audited organizations implement the necessary safeguards to protect healthcare data. The OCR is not expected to be as lenient during the second phase of the audit program, which is due to commence later this year. The second phase is likely to see organizations fined for HIPAA violations in line with the new penalty structure introduced with the Omnibus Rule of 2013.

Phase 2 of the OCR Compliance Audit Program

One of the aims of the pilot round of audits was to discover which...

HIPAA Breach or Not? When the OCR Must be Informed?
Feb21

The Health Insurance Portability and Accountability Act lays down the procedures which must be followed after covered entities (CEs) discover that hackers have gained access to their networks, that laptops containing unencrypted PHI have been lost or stolen, or that members of staff have accessed patient health records without authorization. But how can you tell whether your incident is a HIPAA breach or not?

When the OCR must be informed of a Data Breach

Not all data breaches are HIPAA breaches and not all HIPAA breaches involve data breaches. So, when should the OCR be informed and how should a data breach be classified? The Omnibus Rule made a number of amendments to terminology and definitions in HIPAA. The notification procedures of the Breach Notification Rule were not amended, so the response to a breach remains the same as before, but the definition of a breach was changed, most importantly in how a suspected breach is reviewed: an impermissible use or disclosure of PHI is now presumed to be a breach unless the CE can demonstrate that there is a low probability the PHI has been compromised. The change places a requirement on the CE to determine the level of risk that exists after a breach has occurred, and to conduct a thorough risk assessment to determine if PHI has...

Wearable Devices Carry High Risk of Causing HIPAA Violations
Feb18

Advances in technology have allowed wearable devices to be developed to monitor health and fitness, and while these gadgets, monitors and sensors have the potential to greatly improve healthcare, they also carry a high risk of causing a HIPAA violation. Over the past 12 months the number of devices in use has grown at a tremendous rate. In 2013 the market for wearable devices was estimated to be worth $1.4 billion, and by 2024 sales of wearable devices are expected to generate $70 billion per year.

High Risk of Data Exposure

Wearable devices include fitness bands, such as those developed by Fitbit, which record detailed data during exercise and everyday living. In 2011, users of the devices discovered just how much personal information was saved, stored and, unfortunately for many, also shared with the online community. Some discovered their exercise data had been indexed by Google and was publicly available. Not only was data from jogging, cycling and running sessions recorded, but also much more personal information including other forms of “exercise”. This included kissing,...
