Our HIPAA compliance news section keeps you up to date with HIPAA breaches, OCR updates and HITECH and GDPR compliance issues. Make sure you remain up to date with the latest HIPAA compliance news by subscribing to our newsletter or following us on Twitter @HIPAAJournal.

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018
Jul 18

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought. One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could...

Is Dropbox HIPAA Compliant?
Jul 14

Healthcare organizations can benefit from using Dropbox, but is Dropbox HIPAA compliant? Can the service be used to store and share protected health information? Is Dropbox HIPAA Compliant? Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant? Dropbox claims it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is HIPAA compliant. No software or file sharing platform can be HIPAA compliant as it depends on how the software or platform is used. That said, healthcare organizations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules. The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with an entity before any protected health information (PHI) is shared. Dropbox is classed as a business associate so a BAA is required. Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA...

ONC Offers Help for Covered Entities on Medical Record Access for Patients
Jul 13

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give patients access to their medical records on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case. Patients often have difficulty accessing their electronic health data, with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other...

World’s Largest Data Breach Settlement Agreed by Anthem
Jun 26

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014. After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in...

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun 19

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details. The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual. However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of...

OCR’s Wall of Shame Under Review by HHS
Jun 16

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected. The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches. Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list. Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently...

OCR Issues Guidance on the Correct Response to a Cyberattack
Jun 12

Last week, the Department of Health and Human Services’ Office for Civil Rights issued new guidance to covered entities on the correct response to a cyberattack. OCR issued a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of actions that should be taken.

Responding to an ePHI Breach

Preparation is key. Organizations must have response and mitigation procedures in place, and contingency plans should exist that can be implemented immediately following the discovery of a cyberattack, malware or ransomware attack. The first stage of the response is to take immediate action to prevent any impermissible disclosure of electronic protected health information. In the case of a network intrusion, unauthorized access to the network – and data – must be blocked and steps taken to prevent data from being exfiltrated. Healthcare organizations may have staff capable of responding to such an incident, although third party firms can be contracted to assist with the response. Smaller healthcare organizations may have little choice...

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts
Jun 02

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, but healthcare organizations should also take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization. If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to...

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements
Jun 01

The ransomware attacks and healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules on security breaches. In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, how to prepare for such an incident and how to respond when perimeters are breached. HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time. Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and a reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to...

HIPAA Enforcement Update Provided by OCR’s Iliana Peters
May 25

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast. OCR investigates all data breaches involving the exposure or theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again. Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed. Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management...

OCR and ONC Face Major Budget Cuts
May 24

On Tuesday this week, the Trump administration revealed its 2018 fiscal budget, with the Department of Health and Human Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) both facing major cuts to their operational budgets. The ONC faces the largest budget cut, with its $60 million per year budget cut by 36% for the coming financial year. ONC would need to lose 26 members of staff, with such a large budget cut likely to force the agency to reconsider its priorities. OCR faces a budget cut of 13%, reducing funding from $38 million to $33 million, likely requiring the loss of 16 staff. The fiscal 2018 budget is not set in stone and changes are likely to be made before the budget is passed by Congress. However, the Trump administration has previously stated the desire to shave $15.1 billion from the Department of Health and Human Services budget, and cuts are therefore inevitable. OCR has many roles, although as the main enforcer of HIPAA Rules, those budget cuts could affect the agency’s HIPAA enforcement activities. OCR has...

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty
May 24

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint, it was alleged that a member of St. Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer. The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of faxing the information, the data should have been sent to a personal post box as requested. The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule...

HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May 19

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations, allowing them to take rapid action to counter the threat. While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat. Whether this was a one-off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly...

HIPAA Compliance Best Practices
May 16

Questions and Answers to Improve Security and Avoid Penalties
By Bill Becker

Even after 14 years, public and private sector organizations are still routinely found out of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Security management processes are among the weakest links in compliance. In this article, we’ll look at some of the basics that covered entities and their business partners need to follow to ensure that they are not hit with financial or other penalties. For the uninitiated, HIPAA regulates the use and disclosure of certain information held by health plans, health insurers, and medical service providers that engage in many types of transactions. Enforcement of HIPAA Privacy and Security Rules falls to the Department of Health and Human Services’ Office for Civil Rights (OCR). Enforcement of compliance began in 2005, with OCR becoming responsible for Security Rule enforcement four years later. Since April 2003, over 150,000 HIPAA Privacy Rule complaints have been investigated by OCR. 98% (or 147,826) of the complaints have been...

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine
May 11

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure in a press release issued by MHHS in September 2015. Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited an MHHS clinic and presented a fraudulent identification card to hospital staff. The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules. However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patient’s name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient...

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape
May 03

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk. More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management. The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch. George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and identity and access...

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations
Apr 26

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing patients or obtaining their consent. App users are required to enter a range of sensitive information into the MDLive app; however, the complainant alleges that during the first 15 minutes of use, the app takes an average of 60 screenshots and that those screenshots are sent to an Israeli company called Test Fairy, which conducts quality control tests for MDLive. The lawsuit alleges patients are not informed that their information is disclosed to a third-party company, and that all data entered into the app can be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data. Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users include sensitive data such as health conditions, recent medical procedures, behavioral health histories,...

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr 24

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures. In this case, the settlement relates to a data...

Patient Records Must be Disclosed by Organ Procurement Organization, Rules Supreme Court Judge
Apr 21

A New York Supreme Court Judge has recently ruled that patient records held by the New York Organ Donor Network must be turned over to a plaintiff and that the request cannot be denied based on HIPAA. Patrick McMahon claims he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he made about organ harvesting from four patients who were still showing clear signs of life and had not been declared legally dead. The New York Organ Donor Network maintains the plaintiff was fired for poor performance while he was still a probationary employee. The allegations about the procurement of organs have been denied. McMahon requested the New York Organ Donor Network turn over the medical records of the four patients as they are ‘material and necessary’ to show the patients showed signs of brain activity at the time the organs were harvested. The New York Organ Donor Network had previously denied McMahon’s request, instead providing contact details of the patients’ next of kin, informing McMahon that he needed to obtain consent forms...

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements
Apr 21

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois. On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI. The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules. CCDH had provided paper records relating...

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...

Roger Severino Named New Director of HHS’ Office for Civil Rights
Mar 27

The Department of Health and Human Services’ Office for Civil Rights has a new leader. The Trump Administration has chosen former civil rights trial attorney Roger Severino to lead the HIPAA enforcement efforts of the Office for Civil Rights. Severino joins OCR from the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he served as Director since May 2015. A formal announcement about the appointment of the new OCR Director has yet to be issued; however, the Heritage Foundation has confirmed that Severino is no longer on the staff and his name has been added to the HHS website. A spokesperson for OCR has also confirmed that Severino will be the new director and Severino’s LinkedIn profile has also been updated to include his new position as OCR chief. Severino has a background in civil rights litigation, having worked as a trial attorney for the Department of Justice for seven years in the Housing and Civil Enforcement division. During his time at the DOJ, Severino enforced the Fair Housing Act, Title II...

Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule
Mar 20

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient. The patient, Clara Aragon-Delk, underwent a series of cosmetic surgery procedures starting in 2015. Non-invasive laser treatments were performed by Dr. Tinuade Olusegun-Gbadehan, and while consent was provided by the patient to have photographs and videos taken, authorization was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’ The images and video contained full face shots of the patient. Rather than protecting the patient’s privacy by pixelating the patient’s face, a video was posted to Olusegun-Gbadehan’s Facebook page without any attempt to protect the patient’s privacy. From the video, it would appear that the patient was happy with the treatment,...

Updated HIPAA Compliance Audit Toolkit Issued by AHIMA
Mar 07

Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits is now well underway. Late last year, covered entities were selected for desk audits and the first round of audits has now been completed. Now OCR has moved on to auditing business associates of covered entities. At HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially penciled in for Q1, 2017, are to be delayed. This gives covered entities more time to prepare. The phase 2 HIPAA compliance desk audits were more detailed than the first phase of audits conducted in 2011/2012. The desk audits covered a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules, although they only consisted of a documentation check to demonstrate compliance. The onsite audits will be much more thorough and will look much deeper into organizations’ compliance programs. Not only will covered entities be required to show auditors documentation demonstrating compliance with HIPAA Rules, but OCR will also be looking for evidence of HIPAA in...

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA
Mar 02

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data. Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI. AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data. AHIMA has explained to whom...

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management
Mar 02

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks. While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the framework is simply not viable. Smaller healthcare organizations simply don’t have the staff and expertise to follow the full HITRUST CSF framework. While the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and the requirements to comply with HIPAA already take up a lot of resources, HITRUST has developed a more simplified, streamlined framework which is much better suited to small healthcare organizations. The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity or CSFBASICs for short – has a more...

Small Healthcare Data Breach Notification Deadline: March 1, 2017
Feb23

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information to the Department of Health and Human Services’ Office for Civil Rights. While large data breaches – those impacting 500 or more individuals – must be reported to OCR within 60 days of the discovery of the breach, covered entities can delay the reporting of smaller data breaches. While patients must be notified of any breach of their ePHI within 60 days – regardless of the number of individuals affected by the breach – notifications of security incidents are not required by OCR until 60 days after the end of the calendar year in which the data breaches were discovered. The deadline for reporting 2016 healthcare data breaches impacting fewer than 500 individuals is March 1, 2017. As with larger data breaches, all smaller incidents must be submitted via the OCR breach reporting tool. While smaller data breaches can be reported together, each breach must be entered into the breach reporting tool...

New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough
Feb22

At HIMSS17, OCR’s Deven McGraw shed some light on the HIPAA guidance OCR expects to release in 2017. OCR may be busy with assessing the findings of the HIPAA compliance desk audits of healthcare organizations and their business associates, but a swathe of new HIPAA guidance is set to be released this year. Last year, the Joint Commission lifted the ban on the use of text messages for orders, although within weeks of the announcement the ban was back in place. Late last year, the Joint Commission partially lifted the ban, saying the use of a secure text messaging platform was acceptable for doctors when communicating with each other, although the use of text messages – regardless of whether a secure, HIPAA-compliant platform was used – remained prohibited. OCR receives many questions from physicians and covered entities on the use of text messaging and HIPAA Rules. McGraw has confirmed that in response to the many questions, OCR will be issuing HIPAA guidance on text messaging later this year. In an interview with Information Security Media Group, McGraw explained “There are a...

Onsite HIPAA Audits Could Be Delayed by a Year
Feb21

In an interview at HIMSS17 with the Information Security Media Group, Deven McGraw, Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, explained that the Phase 2 HIPAA compliance audits are progressing, although the onsite audits of covered entities will be delayed. It is currently unclear how much of a delay there will be. The onsite audits were to immediately follow the 211 desk audits that were conducted last year, although the decision has been taken to push back the onsite audits until the reports of the desk audits have been written and analyzed. For the HIPAA compliance desk audits, covered entities and business associates of covered entities were sent notifications that they had been selected for audit. They were asked to supply a range of documentation on various aspects of their HIPAA compliance programs. The documentation has now been assessed and OCR is very close to issuing reports to the 166 covered entities that were audited. Those reports will be sent out in groups, with the first batch hopefully...

Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation
Feb21

The New Jersey Division of Consumer Affairs recently announced that Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement administrative, technical and physical safeguards to protect the ePHI of patients and health plan members. While data encryption is not a mandatory technical safeguard, it is an addressable issue. Covered entities must therefore consider the use of encryption technologies to protect ePHI at rest and in motion. If data encryption is not chosen, alternative security measures must be implemented that offer an equivalent level of protection. Covered entities are required to conduct a comprehensive risk analysis to identify potential risks to the confidentiality, integrity and availability of PHI. If laptop computers are used to store the ePHI of patients or plan members, a risk assessment should show that there is a risk of...

Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System
Feb17

The Department of Health and Human Services’ Office for Civil Rights (OCR) has matched last year’s record HIPAA settlement with Advocate Health. Yesterday, OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare System to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare System has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. Memorial Healthcare System operates six hospitals in South Florida, with its flagship hospital one of the largest in the state. The healthcare system also operates a range of ancillary healthcare facilities, a nursing home, urgent care center, and is affiliated with many physician offices through an Organized Health Care Arrangement (OHCA). In 2012, Memorial Healthcare discovered a breach of ePHI had occurred. The breach was reported to OCR on April 12, 2012. That breach related to two employees who were discovered to have inappropriately...

Covered Entities Flirting with Fines for Late Data Breach Reports
Feb14

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presence Health. The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presence Health had delayed the issuing of breach notification letters to patients. Presence Health agreed to settle with OCR for $475,000 to resolve the potential HIPAA violations. However, since the announcement was made, there have been a number of instances where covered entities have unnecessarily delayed the issuing of breach notification letters to patients and data breach reports to OCR. The January Breach Barometer – released by Protenus yesterday – indicates 40% of data breaches reported in January 2017 had notifications sent outside of the timescale required by the Health Insurance Portability and Accountability Act’s Breach Notification Rule. The loss, theft, or exposure of patients’...

Will HHS Secretary Tom Price Ease HIPAA Regulations?
Feb13

Tom Price was appointed as secretary of the Department of Health and Human Services on February 10, 2017, replacing Sylvia Matthews Burwell. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights. The appointment of a new director for the Office for Civil Rights may not be first on Price’s to-do list, although the new HHS secretary is expected to appoint a new OCR director soon. Price’s leadership and choice of OCR director could have a major impact on how OCR enforces HIPAA Rules and how rigorous those enforcement activities are. Since taking up the position of OCR Director in July 2014, Jocelyn Samuels oversaw a major increase in HIPAA enforcement activity. Last year, Jocelyn Samuels announced 12 settlements (and one CMP) with covered entities who were discovered to have violated HIPAA Rules during investigations into data breaches – a record year of enforcement for OCR. Jocelyn Samuels also oversaw the much delayed second phase of HIPAA compliance audits. Last...

High Costs are Preventing Many Patients from Accessing their Medical Records
Feb02

The HIPAA Privacy Rule permits patients to obtain a copy of their medical records from their healthcare providers on request. By obtaining copies of medical records, patients are able to take a more active role in their healthcare and treatment. Obtaining copies of medical records also makes it much easier for patients to share their medical records with other healthcare providers and make smarter choices about their healthcare. The Department of Health and Human Services’ Office for Civil Rights (OCR) recently explained patients’ right to obtain copies of their medical records and created a series of videos explaining how the HIPAA Privacy Rule applies to patients. OCR also issued guidance for HIPAA-covered entities on allowable charges for labor, printing, and postage last year. A flat fee of $6.50 has been recommended for providing electronic copies of medical records – should HIPAA-covered entities opt for a single charge for providing designated record sets to patients. While not all covered entities choose this model, the costs associated with obtaining copies of electronic...

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for a HIPAA civil monetary penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR. Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently,...

$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – a subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department, from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted. MAPFRE Life reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals. Multiple Areas of Noncompliance with HIPAA Rules Discovered During the course of the investigation,...

No HIPAA Violation Fine for Virginia State Senator
Jan19

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign. Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information was also disclosed to a direct mail company: a violation of the HIPAA Privacy Rule. At least two complaints were received by the Department of Health and Human Services’ Office for Civil Rights about the privacy violation last year. An OCR regional office contacted Dunnavant after being alerted to the privacy violation and informed her that her actions constituted an impermissible use and disclosure of PHI – violations of the HIPAA Privacy Rule. Such violations can result in financial penalties being issued. Dunnavant, who was later elected to the state senate, could have been fined up to $250,000 for the HIPAA violation and could potentially have been...

OCR Reminds CEs of HIPAA Audit Control Requirements
Jan17

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. One case involved the viewing of a celebrity’s medical records by multiple staff members. Late last week, OCR released its January Cyber Awareness Newsletter, which explained the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, systems, or users, while audit trails are the audit logs of applications, systems, or users. Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on,...

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily. Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases...

Healthcare Industry Prepares for the HIPAA 2017 Audits
Jan10

Given the number of HIPAA 2017 audits that OCR has planned, the probability of any healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax when it comes to HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared. Even if covered entities and business associates have not been selected for a desk audit, they may be selected for a full compliance audit later this year. Even if a healthcare organization escapes a 2017 HIPAA compliance audit, OCR will investigate if a data breach is experienced. OCR follows up on all data breaches impacting more than 500 individuals. Covered entities that have experienced a data breach or security incident will be required to demonstrate that HIPAA Rules have not been violated and that policies and procedures comply with the HIPAA Rules. The high number of healthcare data breaches reported in recent years shows healthcare organizations need to be prepared for a HIPAA investigation in the event that a security incident is...

$475,000 Settlement for Delayed HIPAA Breach Notification
Jan10

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily. Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to the Office for Civil Rights within 60 days, and the Breach Notification Rule also requires covered entities to issue a breach notice to...

Nurse Fired for HIPAA Violation
Dec20

Can a nurse be fired for a HIPAA violation? Certainly. Violate HIPAA Rules and having your employment contract terminated may not be the worst thing that will happen. There may also be criminal charges for HIPAA violations. Jail time is likely if protected health information (PHI) is stolen and passed on to an identity thief, although HIPAA Privacy Rule violations alone can result in a jail term. If there is aggravated identity theft, there will be a mandatory two-year sentence tacked on to the sentence. When a nurse is fired for a HIPAA violation, finding alternative employment can be problematic. Few healthcare organizations would be willing to hire an employee that has previously been fired for violating HIPAA Rules. In January this year, a nurse aide was fired from Wayne Memorial Hospital for a HIPAA violation after the inappropriate accessing of 390 patients’ records was discovered. One notable incident in 2011 saw nurses and other healthcare staff snoop on patient records. In that case, there had been a party in a neighboring town where there were multiple drug overdoses....

UMass to Pay OCR $650K to Resolve HIPAA Violations
Nov23

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. In early 2013, malware was installed on a workstation in the Center for Language, Speech, and Hearing. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Those individuals had their names, addresses, social security numbers, birth dates, health insurance information, diagnoses, and procedure codes disclosed to the actors behind the malware attack. Following the discovery of the infection in 2013, UMass conducted a detailed analysis of the infected workstation. The malware was a generic remote access Trojan and infection occurred because the workstation was not protected by a firewall. UMass ascertained that access to ePHI had been gained. OCR investigates all data breaches that impact more than 500 individuals to determine whether...

Recent Cases of Device Theft Highlight Importance of Data Encryption
Nov04

Since January 1, 2015, HIPAA-covered entities have reported 102 cases of loss or theft of unencrypted devices to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have exposed the ePHI of more than 1.5 million individuals and could have been prevented had data encryption been employed. The Health Insurance Portability and Accountability Act (HIPAA) does not require covered entities to use data encryption on portable devices used to store ePHI. Encryption is an ‘addressable’ issue, not a ‘required’ element (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)). This does not mean encryption can simply be ignored. HIPAA requires all covered entities to perform a comprehensive, organization-wide risk assessment (45 CFR § 164.308(a)(1)(ii)(A)). The purpose of the risk assessment is to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a HIPAA-covered entity. If, after performing a risk assessment, a covered entity determines that data encryption is not a reasonable...

Do Your HIPAA Authorizations Violate the FTC Act?
Oct25

The Department of Health and Human Services’ Office for Civil Rights (OCR) has been vigorously providing guidance for covered entities on HIPAA Rules. Now, the Federal Trade Commission (FTC) has issued a reminder to covered entities of the need to comply not only with HIPAA Rules, but also the FTC Act. Under HIPAA, covered entities are permitted to share PHI with other covered entities or their business associates for treatment purposes, billing, and certain healthcare operations as detailed in the HIPAA Permitted Uses and Disclosures. Most other uses are prohibited unless prior authorization is obtained from the patient (or plan member) in writing. However, while authorizations may be compliant with HIPAA Rules, they might not satisfy the requirements of the FTC Act. The FTC Act protects consumers by preventing organizations from “engaging in deceptive or unfair acts or practices in or affecting commerce.” It is possible for a HIPAA-covered entity to comply with HIPAA Rules regarding patient authorizations, yet still violate the FTC Act. There is some overlap between the two...

EHNAC and HITRUST Streamline Accreditation Processes
Oct20

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) have announced a new collaboration. The aim is to reduce – and hopefully eliminate – redundant assessments and their associated costs. It is hoped that by streamlining the organizations’ accreditation and certification programs the benefits for industry stakeholders will be preserved, while much of the complexity of information protection and compliance will be eliminated. EHNAC is an accreditation program for organizations that exchange healthcare information electronically, such as health information exchanges, health information service providers, accountable care organizations, medical billing companies, and electronic health networks. The HITRUST common risk and compliance management framework (CSF) is the most widely adopted security framework in the healthcare industry and is used by more than 84% of hospitals and health plans. EHNAC and HITRUST mapped their respective programs and discovered a considerable overlap between EHNAC HIPAA-related privacy and security...

St. Joseph Health to Pay OCR $2.14 Million to Settle HIPAA Case
Oct19

The Department of Health and Human Services’ Office for Civil Rights has announced it has agreed to settle potential violations of the HIPAA Privacy and Security Rules with St. Joseph Health (SJH). SJH is required to pay $2,140,500 to OCR and adopt a corrective action plan (CAP) to bring policies and procedures up to the standard demanded by HIPAA. SJH is a not-for-profit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry. SJH provides a wide range of medical services throughout California, New Mexico and Texas through 14 acute care hospitals and numerous community clinics, skilled nursing facilities, and home health agencies. SJH was investigated following an ePHI breach reported to OCR on February 14, 2012. Files containing ePHI were created by SJH under the Meaningful Use Program; however, those files were left unprotected and accessible on the Internet for more than a year, from February 1, 2011 to February 13, 2012. The PDF files had been indexed by Google – and potentially other search engines. During that time the ePHI of 31,800...

OCR Laser-Focused on Data Breaches Says Samuels
Oct18

Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), explained OCR’s role in enforcing HIPAA Rules in a recent blog post and confirmed where enforcement activities will be focused over the coming 12 months. Samuels said OCR is “laser-focused on breaches occurring at health care entities, and any issues that lead to them” and that will not change. In the post, Samuels spoke of the increase in enforcement activities and pointed out OCR has entered into a record number of financial settlements with organizations that have been discovered to have violated HIPAA Rules. There are just over two months left of 2016, yet OCR has already entered into 11 financial settlement agreements with HIPAA-covered entities this year, compared to five settlements in 2013, six in 2014, and six in 2015. For the most part, investigations of covered entities were triggered after major data breaches were experienced rather than by the investigation of complaints filed by individuals. Many complaints are submitted to OCR each year about potential HIPAA violations....

Guidance on HIPAA and Cloud Computing Issued by HHS
Oct10

The Department of Health and Human Services has released updated guidance on HIPAA and cloud computing to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs). Cloud service providers that are legally separate entities from a HIPAA-covered entity are classed as business associates under HIPAA regulations if the CSP is required to create, receive, maintain, or transmit electronic protected health information (ePHI). A CSP is also classed as a business associate when a business associate of a covered entity subcontracts services to the CSP that involve creating, receiving, maintaining, or transmitting ePHI. It is important to note that even when a HIPAA covered entity, business associate, or subcontractor of a business associate provides ePHI to a CSP in encrypted form, the CSP is still classed as a business associate under HIPAA Rules, even if a key to decrypt the data is not provided. A CSP would not be classed as a business associate and would therefore not be required to...

EHR Vendors Violate HIPAA Rules by Blocking Access to ePHI
Sep29

Yesterday, the Office for Civil Rights (OCR) issued guidance for EHR vendors and other business associates of HIPAA covered entities explaining the need to ensure electronic protected health information (ePHI) is always available to covered entities. The guidance, which takes the form of an FAQ, also clarifies how the HIPAA Rules apply to the blocking or termination of access to ePHI maintained by a business associate. OCR has confirmed that blocking access to ePHI is a violation of the HIPAA Rules. EHR vendors that prevent a HIPAA-covered entity from accessing patient health records, such as during payment disputes, are violating HIPAA Rules and could potentially be fined for doing so. EHR vendors have been known to hit the kill switch and prevent access to patient data in the event of a payment dispute or after the termination of an agreement. OCR points out that the failure to return ePHI and/or blocking access to ePHI is a clear violation of the HIPAA Privacy Rule. The Privacy Rule requires a covered entity to allow patients to obtain copies of their ePHI on request. If a business...

$400,000 HIPAA Settlement for BAA Failures
Sep26

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Care New England Health System (CNE) provides centralized corporate support for a number of subsidiary affiliated HIPAA-covered entities throughout Massachusetts and Rhode Island. An OCR investigation was triggered following the receipt of a breach notification from one of CNE’s subsidiary affiliated covered entities – Women & Infants Hospital of Rhode Island (WIH) – on November 5, 2012. WIH reported the loss of a number of unencrypted backup tapes that contained the PHI of around 14,000 patients. The exposed PHI included names, dates of birth, dates of medical examinations, names of referring physicians, and Social Security numbers. The breach...

WakeMed Health and Hospitals Fined for Patient Privacy Violations
Sep19

Raleigh, N.C.-based WakeMed Health and Hospitals has been ordered to pay a fine of $70,000 by a North Carolina Bankruptcy Court for violating the privacy of patients. The privacy violations occurred when submitting proofs of claim to the bankruptcy court. Documents were submitted electronically; however, they contained the protected health information of debtors, including names, Social Security numbers, bank account numbers, and dates of birth. Under Bankruptcy Rule 9037, any proofs of claim submitted in court filings must have sensitive information redacted prior to transmission. Social Security numbers, taxpayer identification numbers, and account numbers must have all but the last four digits of the numbers redacted. Birthdates must also have the year of birth redacted. Additionally, if the filings include details of minors, only their initials must be included, not full names. WakeMed Health and Hospitals failed to redact this information, and further, a number of the proofs of claim also contained protected health information. It was alleged this was a violation of the Health...

The Importance of Auditing Business Associates Highlighted by OIG Investigation
Sep 14

The Department of Veterans Affairs’ Office of Inspector General (OIG) has published a report on the investigation of a VA contractor that was alleged to be allowing employees to access, share, and store the protected health information of veterans on personally owned devices. Anchorage-based ProCare Home Medical Inc., a supplier of home oxygen services on behalf of the VA, was reported to OIG for breaching federal information security standards. The tipoff came via the VA OIG Hotline in December 2014. OIG was informed that the company’s employees were permitted to use personal computers and smartphones to access the company’s computer system. They were also alleged to have downloaded the PHI of veterans to their personal devices. OIG conducted an onsite review of ProCare facilities in May 2015. Staff were interviewed and contractor business processes were observed. VA staff were also interviewed to determine the level of oversight of contractors that was taking place. The allegations made against ProCare were substantiated by OIG, and while it was not possible to examine the devices...

Updated Security Risk Assessment Tool Released by ONC
Sep 07

OCR prefers to settle HIPAA compliance issues through voluntary compliance and non-punitive means, although financial penalties are now becoming more commonplace. If OCR investigators uncover HIPAA violations, financial penalties may be issued. Fines of up to $1.5 million can be issued for each violation category discovered. One of the most common reasons for a financial penalty is the failure to conduct a comprehensive, organization-wide risk assessment. The risk assessment is a foundational requirement of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – and is one of four required implementation specifications in the Security Management Process standard. The purpose of the risk assessment is to identify all potential risks to the confidentiality, integrity, and availability of all ePHI that a covered entity creates, receives, maintains, or transmits. The risk assessment must cover all forms of ePHI, and all devices and systems that touch ePHI. As was seen with the pilot phase of the HIPAA compliance audits and subsequent PHI breach investigations, small to medium-sized covered...

OCR Investigation into Bizmatics Data Breach is Closed
Aug 29

The Department of Health and Human Services’ Office for Civil Rights has closed the investigation into the 2015 Bizmatics data breach. The breach, which was discovered in late 2015, affected many of the company’s clients. Malware was discovered to have been installed in early 2015 on a server used to house the company’s PrognoCIS EMR database. At least 300,000 patients were impacted and potentially had their PHI exposed as a result of the malware infection. A thorough breach investigation was conducted, but Bizmatics was unable to confirm whether data were actually viewed or copied by the malicious actor responsible for installing the malware. No public breach announcement was issued by Bizmatics, although all affected clients were notified if the PHI of their patients was potentially accessed. The Office for Civil Rights conducted an investigation into the breach, but it would appear that the case has now been closed with no action against the business associate deemed necessary. When OCR conducts data breach investigations, investigators assess the company to...

OCR to Increase Investigations of Small PHI Breaches
Aug 18

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it will be stepping up investigations of small PHI breaches with immediate effect. Breaches impacting fewer than 500 individuals will now be subjected to closer scrutiny, with the responsibility for investigating those breaches falling to OCR’s Regional Offices. OCR currently investigates all PHI breaches that impact more than 500 individuals, although investigations of small PHI breaches – those that affect fewer than 500 individuals – have only been performed as resources permit. The responsibility for investigating small breaches has fallen to OCR’s Regional Offices, but due to limited resources, investigations of small breaches have been limited up until now. However, a new initiative has now been launched that will see Regional Offices investigate small PHI breaches much more widely, although OCR will continue to prioritize investigations of large-scale breaches of protected health information. According to a recent news release, each of OCR’s Regional Offices has been instructed...

CMS Cracks Down on Social Media Abuse of Nursing Home Residents
Aug 15

A significant number of cases of abuse of nursing home and assisted living center residents have come to light in recent months. The cases involved the taking of degrading and demeaning photographs and videos of residents by employees of nursing facilities, and sharing the images and videos on social media websites. Photographs of residents in various states of undress, covered in feces, or made to pose in degrading positions have been published on social media websites such as Snapchat, Instagram, and Facebook. The cases were recently highlighted in a ProPublica report, which uncovered 47 reports of such abuse since 2012. That report, along with other media coverage of abuse in nursing facilities, has spurred the Centers for Medicare and Medicaid Services (CMS) to take action. The CMS recently sent a memo to state health departments reminding them of facility and state agency responsibilities and the rights of residents to be free from all types of abuse, including mental abuse. The taking of demeaning videos and/or photographs and publishing the imagery on social media websites...

Walgreens Improper PHI Dumping Case Closed by OCR After 9 Years
Aug 15

Ten years ago, WTHR 13 conducted an investigation into the improper disposal of sensitive information by pharmacies. The investigation was conducted following a robbery that took place at the home of an Indiana resident. A drug addict targeted the individual knowing that she had pain medication. That information was obtained from a pharmacy dumpster. The investigation involved reporters checking the dumpsters behind a number of pharmacies in Indiana. The reporters discovered bags of trash, many of which contained sensitive information such as prescription details, names, addresses, and phone numbers. Reporters also discovered that in some cases, credit card details were also printed on documents discarded with regular trash. The investigation initially focused on Walgreens, although it was later expanded to a number of other pharmacy chains including CVS and Rite Aid, and to 12 states. Initially reporters were told by Walgreens’ representatives that the improper dumping of sensitive information was not company policy and occurred in isolated incidents....

Former Tampa Hospital Employee Convicted of PHI Theft and Tax Fraud
Aug 09

A former employee of Tampa General Hospital was recently convicted of wrongful disclosure of individually identifiable health information and wire fraud. Shanakia Benton was accused of stealing the protected health information of patients during the time she was employed at Tampa General Hospital. According to court documents, between June 2011 and December 2012, Benton improperly accessed the computer system of Tampa General Hospital and printed out and removed the individually identifiable information of 644 patients. The stolen data included names, Social Security numbers, dates of birth, addresses, and medical diagnoses. In addition to using the information to file fraudulent tax returns in the names of the victims, Benton planned to sell the stolen data to other individuals. In total, Benton filed 29 fraudulent tax returns totaling $226,000. Benton had previously signed a document stating she was aware of the rules regarding the accessing of patient information and was aware that she was required to protect the privacy of patients. Benton’s actions were discovered and she was...

Med Students Violating HIPAA by Tracking Patients on EHRs
Aug 02

Medical students are using hospital electronic health records to track former patients, even though by doing so they are potentially violating the Health Insurance Portability and Accountability Act (HIPAA). While it is known that the practice occurs, little research has been performed to determine the extent to which EHRs are accessed and the exact reasons why patients are tracked. In August 2013, Gregory E. Brisson, MD, of Northwestern University Feinberg School of Medicine in Chicago, IL, and Patrick D. Tyler, MD, of Beth Israel Deaconess Medical Center in Boston, MA, conducted a survey of 169 students from one academic healthcare center to investigate medical students’ use of EHRs to track patients. The findings of the study have recently been published in JAMA Internal Medicine. The study revealed that the vast majority of medical students were using EHRs to track former patients. 96.1% of medical students admitted that they had previously used EHRs to track former patients. 92.9% of students said there were educational benefits to be gained from following up on patients’ progress...

Third of Hospitals Lack HIPAA-Compliant EHR Contingency Plans
Jul 26

According to a recent report issued by the Department of Health and Human Services’ Office of Inspector General, a third of hospitals do not have HIPAA-compliant EHR contingency plans in place, although most are “largely addressing” HIPAA requirements for EHRs. In September 2014, OIG sent a survey to 400 hospitals that had applied for Medicare EHR incentive payments and asked questions to determine whether HIPAA-compliant EHR contingency plans had been developed and implemented. Respondents were also asked about the extent to which EHR systems had been disrupted in the past. In addition to the survey, six hospitals were also selected for in-depth investigations involving site visits, interviews with hospital staff, documentation checks, and reviews of EHR contingency plans. The purpose of the study was to assess the state of hospitals’ EHR contingency planning and to determine whether patient health information could still be accessed during natural disasters and other situations where EHR system downtime occurs. In light of the recent ransomware attacks on hospitals in recent...

2.75 Million Dollar HIPAA Settlement Reached with UMMC
Jul 22

Hot on the heels of the $2.7 million HIPAA breach settlement with Oregon Health & Science University comes news of another multi-million-dollar settlement with another university. The Department of Health and Human Services’ Office for Civil Rights announced yesterday that University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA.

UMMC Investigated After Theft of Unencrypted Laptop Computer

The settlement stems from a breach of patients’ protected health information (PHI) in 2013. A laptop computer issued to UMMC’s Medical Intensive Care Unit (MICU) was discovered to be missing. The laptop computer contained the PHI of 500 patients. The data were not encrypted, although the laptop computer was password protected. The laptop is believed to have been stolen by a visitor who had asked about borrowing one of MICU’s laptops. OCR conducted an investigation into the...

How Does OCR Deal with HIPAA Complaints?
Jul 21

The Department of Health and Human Services’ Office for Civil Rights (OCR) encourages individuals to file complaints about HIPAA-covered entities, or their business associates, if they feel that their privacy has been violated. Individuals are also able to file complaints if they believe the privacy of other individuals has been violated. Complaints about potential HIPAA violations are investigated by OCR, and while many prove to be unsubstantiated, oftentimes a HIPAA-covered entity, or an employee of that organization, is discovered to have violated patient privacy or breached HIPAA Rules. OCR receives many complaints, and the breach portal contains many hundreds of breach reports from covered entities that have experienced major breaches of PHI, yet only a tiny percentage result in civil monetary penalties being issued or financial settlements being agreed. What happens to all the other complaints that involve violations of HIPAA Rules? What action does OCR take against covered entities that violate the privacy of patients or fail to adhere to HIPAA Rules? In the vast majority...

Oregon Health & Science University to Pay OCR $2.7 Million for 2013 Data Breaches
Jul 14

Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. The two privacy breaches occurred in quick succession in 2013: within the space of three months, the protected health information of over 7,000 patients was exposed. The first breach of patient data involved the theft of an unencrypted laptop computer from a vacation apartment in Hawaii that was rented by an OHSU physician. The laptop computer contained the PHI of 4,022 patients. The second incident involved the accidental disclosure of PHI via a cloud storage service. Physicians were using the Internet service to share a spreadsheet containing patient data. However, the cloud service provider was a HIPAA business associate of OHSU and no business associate agreement had been obtained prior to the service being used. Consequently, the data of 3,044 patients was placed at...

OCR Phase 2 HIPAA Audits: Documentation Requests Issued
Jul 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has now selected covered entities from its pool of eligible organizations and has chosen 167 for a HIPAA compliance audit. Covered entities selected for a compliance audit have now been notified by email. Those organizations now have just 10 days to respond to the emails and submit the requested documentation to the OCR. The audits – which are desk based – have been split between healthcare providers, health plans, and healthcare clearinghouses. The audits are being conducted on a geographically representative sample that includes healthcare organizations of all sizes. Desk audits of HIPAA business associates will follow in the fall. The desk audits comprise a documentation check to ensure compliance with the Health Insurance Portability and Accountability Act’s Privacy, Security, and Breach Notification Rules. Earlier this year the OCR published details of the new audit protocol. The protocol contains a long list of different aspects of HIPAA Rules that could potentially be assessed by OCR...

OCR Ransomware Guidance: Ransomware Attacks Are Reportable Breaches
Jul 12

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance on ransomware. A fact sheet on healthcare ransomware attacks has been published along with a 12-page document providing technical guidance for CIOs and CISOs on best practices to adopt to prevent ransomware infections, mitigation strategies to adopt when ransomware is installed on computers or healthcare networks, and detailed information on the correct ransomware response. The new guidance is essential reading for CISOs, CIOs, and all members of the senior leadership team.

Ransomware and HIPAA

The OCR has confirmed the proactive measures that covered entities should take to prevent ransomware infections:
- Perform a comprehensive, organization-wide risk analysis
- Establish a plan to remediate any identified risks to the confidentiality, integrity, or availability of ePHI
- Implement policies and procedures to safeguard ePHI against malicious software – including malware and ransomware
- Provide staff members with training on cybersecurity best practices
- Train authorized users to detect malicious...

Philadelphia Business Associate Agrees to $650,000 OCR Settlement
Jun 30

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement that was reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS has agreed to settle alleged HIPAA violations with the OCR and has agreed to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS is the sole corporate parent of six nursing facilities – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing facilities. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules. In February 2014, each of the six nursing facilities submitted a breach notice to the OCR regarding a breach of ePHI. On April 17, 2014, the OCR launched an investigation into the breach. A large number of OCR investigations into ePHI breaches have revealed failures to comply with HIPAA administrative safeguards – specifically 45...

ONC Reminds App Developers to Check Regulatory Requirements
Jun 22

The Office of the National Coordinator for Health Information Technology (ONC) has reminded developers of health apps not only to put more thought into data security, but also to build security controls into the core of their apps. Data security features should not simply be bolted on as an afterthought. They are an essential part of the design of the apps and therefore must be incorporated during the initial design process. The ONC points out that health apps are no longer just being developed by computer science graduates. Health apps have been developed by clinicians who have identified a need for an app and a gap in the market. Even patients have been working on health apps to log and record a wide variety of health data or to issue appointment and medication reminders. No matter who conceives and develops a new health app, it is essential that the legal implications are considered and incorporated into the design. App developers must become familiar with the legislation covering health apps and the data they record. The Health Insurance Portability and Accountability Act (HIPAA)...

Indiana Attorney General’s Office Investigates Dumping of Medical Records
Jun 18

Earlier this week, an officer from the Indianapolis Metropolitan Police Department (IMPD) discovered a number of medical records in a public recycling dumpster in Broad Ripple Park, Indianapolis. A number of confidential documents were found in file folders in the dumpster, mixed in with newspapers and other paper and cardboard. IMPD recovered the files and folders from the recycling dumpster, although there is no way of telling whether any documents had been removed by members of the public. It is also unclear whether files had been dumped on a single occasion, or whether material had been disposed of over an extended period of time. The Indiana Attorney General’s Office is now involved and efforts have been made to contact recycling and waste disposal companies that may potentially have come into contact with dumped medical records. If any further files and folders are recovered, the attorney general’s office will arrange for the files to be collected and secured. According to the police report, the files contain highly sensitive data including patient names,...

Head of House Select Investigative Panel Calls for HIPAA Investigation into Abortion Clinic PHI Disclosures
Jun 06

Last week, the head of the House Select Investigative Panel tasked with investigating the trade of baby body parts by abortion clinics wrote to the director of the Department of Health and Human Services’ Office for Civil Rights requesting an investigation into violations of the Health Insurance Portability and Accountability Act (HIPAA). It is alleged that Planned Parenthood – Planned Parenthood Mar Monte (PPMM) and Planned Parenthood Shasta Pacific (PPSP) – and Family Planning Specialists Medical Group (FPS) improperly disclosed the protected health information (PHI) and personally identifiable information (PII) of female patients to StemExpress. In her June 1 letter to Jocelyn Samuels, Rep. Marsha Blackburn explains that employees of StemExpress were provided with details of the abortions that were scheduled to take place on each day and were also given access to the medical files of patients who would be likely to provide fetal tissue donations. Blackburn claims that StemExpress employees were allowed inside of clinics and were given permission to interview patients in...

ONC Releases Videos Explaining Patients’ HIPAA Rights
Jun 03

Earlier this year, the HHS’ Office for Civil Rights (OCR) released guidance for healthcare organizations on patients’ HIPAA rights in an attempt to clear up confusion over access and ensure that covered entities were aware of their obligations under the HIPAA Privacy Rule. The guidance covered many of the questions commonly asked by healthcare organizations, including the models that can be adopted by healthcare organizations for charging for PHI copies. Now that covered entities are prepared, efforts have shifted to advising patients of their access rights under HIPAA. This week, the Office of the National Coordinator for Health Information Technology (ONC) – in conjunction with the OCR – released a series of educational videos to improve understanding of patients’ HIPAA rights. The ONC wants to improve patient engagement and get patients to take greater interest in their health. Encouraging patients to obtain copies of their ePHI can help in this regard. Having access to medical records allows patients to check for errors, provide their data to other healthcare providers or...

OCR Rules Townsend Violated the HIPAA Privacy Rule
Jun 02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently ruled that a former town administrator of Townsend, MA, violated the HIPAA Privacy Rule in June last year when he posted an “information packet” online containing the protected health information of individuals who had used the town’s ambulance service. The information was intended to be viewed by Selectmen in order that a vote could be taken about whether or not to write off the unpaid bills. Rather than sharing the document securely, former town administrator Andrew Sheehan posted the information on the town website. The packet was only accessible for 18 hours before it was removed, but during that time it had been downloaded and shared on social media. The privacy breach was also reported to the OCR. The information packet contained the names of patients who had not yet paid their ambulance bills along with some sensitive medical information including medical conditions and whether patients were alive, dead, or were now living in a hospice. Prior to the uploading of the files, all...

Healthcare Providers Violate HIPAA Responding to Negative Yelp Reviews
Jun 01

Some healthcare providers have violated patient privacy and HIPAA Rules when responding to negative comments on Yelp and similar review sites, according to a recent ProPublica report. For the report, ProPublica was provided with access to around 1.7 million Yelp reviews of healthcare providers. The researchers used a tool to sift through the reviews and isolated approximately 3,500 one-star ratings of healthcare providers – the lowest possible rating on the review site – that mentioned “Privacy” or “HIPAA”. ProPublica researchers discovered “dozens” of instances where healthcare providers had breached HIPAA Rules when responding to comments. In some cases, the responses to the negative comments involved the disclosure of patients’ protected health information. ProPublica cited one example of a Californian chiropractor who replied to a negative comment from a patient and included details of the procedures he had performed and information about her medical condition. Another example involved a dentist who responded to a comment about an alleged unnecessary tooth...

OCR Clears Up Confusion About the Charging of Flat Fees for Copies of PHI
May 24

Earlier this year the Office for Civil Rights issued guidance for healthcare providers and health plans on the general right of patients to obtain copies of their protected health information on request. The HIPAA Privacy Rule allows patients to obtain one or more designated record sets which a covered entity holds and maintains. By obtaining copies of their PHI, patients can take control of their own healthcare and wellbeing. Providing copies of PHI to patients involves a cost to the covered entity, such as the time taken to obtain and copy records and prepare summaries, the cost of paper and printing if record sets are supplied in physical form, the cost of media devices for electronic copies of PHI, and the cost of mailing records to patients if they are not collected in person. Covered entities are permitted to charge patients for providing copies of their PHI, which was explained in the OCR guidance; however, based on the questions submitted by covered entities there appeared to be some confusion over allowable charges, in particular regarding the charging of flat rate fees to...

Deven McGraw Offers Advice on the Upcoming HIPAA Compliance Audits
May 20

Deven McGraw – deputy director of health information privacy at the Office for Civil Rights (OCR) – has offered some advice to covered entities ahead of the HIPAA-compliance audits which are scheduled to take place later this year. The second round of HIPAA-compliance audits will be conducted on covered entities first, followed by business associates. OCR contacted covered entities earlier this year to verify contact information. That process is almost complete and a pool of healthcare providers, health plans, and healthcare clearinghouses will soon be finalized. OCR will select approximately 200 organizations from that pool for a desk audit. Covered entities selected for audit will be notified and given 10 days to submit the requested documentation to the OCR. This does not give covered entities much time so it is important that preparations are made early. In an interview with the Information Security Media Group, McGraw suggested that covered entities should start preparing now in case they are selected for a desk audit. Last month, OCR released the updated audit protocol which...

Are You Prepared for A Business Associate Data Breach?
May 09

HIPAA-covered entities may be prepared to execute their breach response procedures for a security breach that exposes patients’ Protected Health Information (PHI), but what about business associate data breaches? Have policies and procedures been developed to ensure a rapid breach response can be executed if a business associate suffers a data breach? The Department of Health and Human Services’ Office for Civil Rights has recently warned HIPAA-covered entities that they must take steps to ensure they can deal with a business associate data breach should one occur.

OCR: HIPAA-Covered Entities Find Business Associate Data Breach Management Difficult

The recent OCR cyber-awareness bulletin confirmed the need for action to be taken by HIPAA-covered entities to prepare for data breaches experienced by their vendors. The bulletin indicates a large percentage of covered entities are concerned that business associate data breaches may not be reported to them. OCR also suggests that when a business associate data breach does occur, covered entities are often unsure whether their vendors’...

Joint Commission Ends Ban on Clinician Text Messaging
Apr 29

For the past five years the Joint Commission has banned the use of text messaging by licensed independent practitioners (and other practitioners) due to security risks. That ban has now been lifted with immediate effect, although there are conditions. Text messaging is permissible, although only if a secure text messaging platform is used. Furthermore, that secure text messaging platform must meet the following criteria:
- The text messaging platform must incorporate a secure sign-on process
- All text messages must be protected by end-to-end encryption
- The platform must incorporate read and delivery receipts
- Messages must include a date and time stamp
- The platform must incorporate a contact list of individuals authorized to receive and record orders, and
- The platform must allow customized message retention time frames to be set

Standard text messaging is still prohibited as encryption is not used, there are no authentication controls to ensure that only the intended recipient can view the messages, and original messages cannot be retained in order to validate information entered into...

New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients
Apr 22

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from the patients. In 2011, an ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed including a dying man and another patient who was seriously distressed. The footage was aired in 2012. Authorization to film had been given by NYP, although not all patients gave their consent to be filmed. One of the patients was Mark Chanko. He had been rushed to hospital after being hit by a sanitation truck. He was filmed receiving treatment from chief surgery resident Sebastian Schubl. Despite the best efforts of Schubl, Chanko died from the injuries sustained in the accident. Chanko had not given NYP permission to film him. To hide his identity ABC used blurring and voice alteration software. This did not prevent the crew from viewing Chanko’s PHI and it was not sufficient to hide his identity from...

Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA
Apr20

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. OCR launched an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to provide a potential business associate (BA) with X-Ray films in order to have images transferred to a digital format. The company was allowed to recycle the original films to recover the silver after the images had been transferred to an electronic format. However, the agreement was reached over the telephone and no BAA was obtained. Prior to providing the company with the X-Rays Raleigh Orthopaedic should have issued a BAA and obtained a signed copy. The BAA should have detailed the responsibilities the company had to ensure...

Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation
Apr15

A lawsuit has been filed in Federal Court in San Jose, California by cancer patients who allege they have had their privacy violated after visiting the websites of cancer institutes. The plaintiffs claim that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing purposes. After visiting the websites, the plaintiffs claim they have been served advertisements relating to very specific types of cancer. It is alleged that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific webpages that were visited. Lead plaintiff in the case, Winston Smith, claims to have visited cancer.org, a website of the American Cancer Society. Smith conducted searches on the site for information on lung cancer and claims those searches, and information about the webpages he visited, were provided to Facebook which used the information to serve him targeted adverts. Smith claims that Facebook’s privacy policy does not specifically mention that highly sensitive medical...

Healthcare Organizations Prioritizing Compliance Over Data Breach Prevention
Apr15

A recent survey conducted by 451 Research on behalf of security firm Vormetric indicates 96% of IT managers expect their organizations to be attacked by cybercriminals. The survey was conducted on 1,100 IT managers including over 100 working in healthcare organizations. One in five organizations has experienced a data breach in the past 12 months, while 63% of respondents said they have experienced a data breach in the past. Even though the threat of a data breach is considerable, a majority of healthcare IT managers say their organizations are prioritizing compliance over data breach prevention. 61% of healthcare IT managers said compliance was their main priority, compared to just 40% that said it was data breach prevention. Other priorities were preventing reputation and brand damage and implementing security best practices, rated as the main priorities by 49% and 46% of respondents respectively.

More than Two Thirds of Respondents Said Achieving Compliance Was an Effective Way of Protecting Data

69% of healthcare IT managers said achieving compliance with EPCS, FDA CFR...

Compliance Assistance Provided to Mobile Health App Developers by FTC
Apr07

A new interactive tool has been released by the Federal Trade Commission (FTC) to help mobile health app developers determine whether their apps need to comply with federal regulations. The new web-based tool was developed with assistance from the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA). By answering a series of 10 questions, mobile app developers can determine whether their health care products are covered under the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Federal Trade Commission Act (FTC Act), or need to comply with the FTC’s Health Breach Notification Rule. In many cases, app developers will be required to comply with more than one set of federal laws. According to Jessica Rich, FTC Bureau of Consumer Protection director, “Mobile app developers need clear information about the laws that apply to their health-related products.” The tool aims to...

OCR Publishes New HIPAA Audit Protocol
Apr05

The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits. The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments. The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization. If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of...

Breach Notification Laws in Tennessee Updated
Apr04

Data breach notification laws in Tennessee have been updated to better protect state residents. The new law requires organizations to issue notifications to state residents more quickly, while the range of information covered has been broadened. When the new laws come into effect, organizations doing business in the state of Tennessee will be required to notify state residents of a breach of personal information within 45 days of the discovery of data exposure. Originally the bill required entities to issue notifications within 14 days of discovery, although this was later amended to 45 days. Previously, data breach notification laws in Tennessee required all businesses to issue breach notifications in a reasonable time frame after a breach was discovered. Tennessee is the eighth state to introduce a time frame for sending breach notification letters. Tennessee is not the only state to introduce laws that reduce the timescale for notifying breach victims – it is the eighth state to add a timescale for sending notifications – but in contrast to many states, information holders are...

Phase 2 HIPAA Compliance Audits Commence
Mar21

The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA compliance audits have officially started. According to the recent OCR announcement, “Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.” The announcement goes on to explain that the process of auditing covered entities allows OCR to “proactively uncover and address risks and vulnerabilities to protected health information.”

Start Date for the Second Phase of HIPAA Compliance Audits

While the audit process has now officially started, covered entities still have some time to get their policies and procedures in order. It will still be some time before the document checks for the 2016 compliance audits actually begin. The OCR announcement does not give a start date for the 2016 HIPAA compliance audits, but indicates that the first stage of desk audits will be completed by December 2016. The date when the first desk audits will actually be conducted was not detailed in the...

Non-Compliant Hospital Pager Use Persists
Mar18

Communicating protected health information (PHI) over unsecured networks is not permitted under Health Insurance Portability and Accountability Act (HIPAA) Rules, which means pagers cannot be used to send PHI unless messages are encrypted. Encryption alone is not sufficient to ensure compliance with HIPAA. Not only must messages be encrypted to prevent interception, there must be a means of verifying the identity of the user. User authentication is essential, as there is no guarantee that a message containing PHI will be received by the intended recipient. If a pager is lost, stolen, or is left unattended, PHI could potentially be accessed by an unauthorized individual. It is also necessary to implement controls to automatically log off users and allow messages to be remotely erased in the event that a pager is lost or stolen. Due to the cost implications of applying these safeguards, and the difficulty in doing so, many hospitals implement policies that prohibit the transmission of PHI over the pager network. If PHI needs to be communicated, a pager message is sent and the...

OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Research
Mar17

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second largest settlement amount agreed with OCR, behind the $4.8 million settlement with New York and Presbyterian Hospital and Columbia University in 2014. However, this is the largest amount paid by a single covered entity, beating last year’s $3.5 million settlement with Triple S Management Corporation. The news comes a day after OCR announced another large settlement – the $1.55 million paid by North Memorial Health Care. Feinstein Institute for Medical Research is a not-for-profit biomedical research institute based in New York. Feinstein is sponsored by Northwell Health, Inc., the new name for North Shore Long Island Jewish Health System, a large 21-hospital, 450-practice health system based in Manhasset, NY. The settlement stems from an investigation into a breach of 13,000 research participants’ data in 2012. As was the case with North Memorial Health Care, the breach...

$1.55 Million HIPAA Settlement for Lack of BAA and Risk Analysis Failures
Mar17

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Following a PHI breach reported on September 27, 2011, OCR conducted an investigation and discovered HIPAA violations that contributed to the cause of a breach of 9,497 patient health records. The investigation revealed that North Memorial had overlooked “Two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels. The data breach involved the theft of a laptop computer from a business associate of North Memorial. The laptop was stolen from the employee’s vehicle, and while the device was password-protected, the ePHI stored on the device had not been encrypted. The business associate, Accretive Health, Inc., had been contracted to perform a number of payment and healthcare operations on behalf of North Memorial. Those operations required Accretive Health to be...

OCR Clarifies How HIPAA Rules Apply to Workplace Wellness Programs
Mar16

Office for Civil Rights Director Jocelyn Samuels has written a blog post to clear up confusion about how HIPAA Rules apply to workplace wellness programs provided through employer-sponsored group health plans. Workplace wellness programs have become increasingly popular in recent months and more employers are now offering workplace wellness programs to employees to improve their health. Providing workplace wellness programs to employees requires employers to gather health data through health risk assessments and various other means, and those data must be protected under Health Insurance Portability and Accountability Act Rules. HIPAA also places severe restrictions on how health data can be used. HIPAA does not apply to all workplace wellness programs, only those that are offered through an employer-sponsored group health plan. Samuels explained in the post that employers are not permitted to disclose any health data for employment-related actions, nor are data allowed to be used for marketing purposes or any other reason not permitted by HIPAA Rules. The HIPAA Security Rule...

Deven McGraw Gives Update on OCR HIPAA Compliance Audits
Mar03

Office for Civil Rights deputy director of health information privacy, Deven McGraw, has provided an update on the OCR’s planned HIPAA compliance audits, saying the revised protocol for the long awaited second round of compliance audits will be published next month. Late last year, OCR Director Jocelyn Samuels announced that the next round of audits would be taking place in early 2016. With the announcement of the planned publishing of the audit protocol in April, the next round of audits could start in Q2, although this seems unlikely. Once the audit protocol has been published there will be a period allowed for public comments. Those comments will need to be assessed, and may require changes to be made to the audit protocol. According to McGraw, the new protocol will be based on that used for the 2011/2012 round of audits, with amendments made to account for the changes to HIPAA following the introduction of the Omnibus Rule in 2013. Previously, OCR indicated the next round of compliance audits would be conducted in modules. A module would be developed to assess Privacy Rule...

OCR Clarifies Patients’ Access Rights to PHI and Allowable Charges
Mar02

The Health Insurance Portability and Accountability Act’s Privacy Rule gives healthcare patients the right to obtain a copy of their personal health information from their healthcare providers. (45 CFR § 164.524) While HIPAA-covered entities should be aware of this aspect of the Privacy Rule, many patients have experienced difficulty obtaining a copy of their records. In some cases, patients have obtained a copy of their records but felt that they have not been provided with all information contained in their records. Some feel they have been unfairly charged for exercising their access rights. To address these and other issues, the Department of Health and Human Services’ Office for Civil Rights produced a fact sheet in January to clarify the responsibilities of HIPAA covered entities to comply with this aspect of the Privacy Rule. The new guidance explained the general right of patients to obtain a copy of their health records, to inspect their records, or have a copy of those records sent to a nominated individual of their choosing. Provided that the healthcare provider...

HIPAA Compliance for Small Medical Practices Remains a Problem
Mar01

While large healthcare systems have mostly got to grips with HIPAA Rules and implemented controls to safeguard ePHI from external and internal threats, HIPAA compliance for small medical practices remains a problem according to a recent survey conducted by NueMD. NueMD surveyed 900 healthcare professionals last month to gain an insight into how small medical practices are faring with their compliance efforts ahead of the next round of OCR compliance audits due later this year. 588 respondents worked in practices employing 1-3 physicians, 131 were from practices employing 4-10 providers. 80 larger practices that employ over 10 healthcare providers also took part in the survey. 86% of respondents were from medical practices and 6% worked in billing companies. The survey produced some surprising and worrying results.

- 60% of respondents were unaware of the upcoming HIPAA compliance audits
- Only 69% of respondents were aware of the 2013 Omnibus Rule
- 30% did not have a HIPAA compliance plan in place
- Only 58% conducted annual staff training on HIPAA Rules
- Only 68% were aware they needed...

Permitted Uses and Disclosures of PHI Clarified by OCR
Feb27

The Office for Civil Rights welcomes feedback from HIPAA-covered entities about aspects of HIPAA that are unclear or need further clarification. Some of the questions asked via the OCR website indicate some covered entities are struggling to understand the Health Insurance Portability and Accountability Act Rules covering the sharing of Protected Health Information (PHI). HIPAA permits the disclosure of PHI for healthcare operations and the provision of treatment. Health information can be used to help patients receive medical care, as well as for the evaluation of care provided to patients. It is necessary to use PHI to co-ordinate care between different healthcare providers, and PHI is needed for billing purposes. Patients must also be allowed access to their health information so they can take a more active role in their own healthcare. HIPAA allows patient health information to be shared for all of these reasons provided PHI is secured at all times. However, a number of restrictions do apply. Even though the HIPAA Privacy and Security Rules have been in effect for many years, and...

OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule
Feb26

The risk of cyberattack faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure. However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist and cybercriminals have taken advantage. Targeted attacks on covered entities have led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry. More than one in three Americans had their confidential medical data exposed or stolen in 2015. Over 113 million healthcare records were obtained by unauthorized individuals. Over the past 3 years, more than 40% of data breaches have affected the healthcare industry. USAToday reports that 91% of healthcare organizations have experienced a breach of electronic protected health information.

Addressing Security Gaps and Improving Cybersecurity Posture

In 2014, the Framework for Improving...

OIG Publishes 2013 Security Report on South Carolina’s Medicaid Agency
Feb22

The U.S. Department of Health and Human Services’ Office of Inspector General has published a report of an investigation into South Carolina’s Medicaid agency. The investigation was conducted in 2013 following the 2012 hacking of the Revenue Department and a data breach at the state’s Department of Health and Human Services the same year. 74 gigabytes of data were stolen from the Revenue Department, which included the tax returns of 3.8 million adults and Social Security numbers of 1.9 million dependents. 3.3 million businesses’ bank account numbers were also stolen. An employee of the Department of Health and Human Services was discovered to have inappropriately accessed the records of 228,000 Medicaid recipients and emailed the data to a personal email account. The employee was arrested and was sentenced to three years of probation and community service, although the hackers responsible for the cyberattack on the Revenue department were never caught. The purpose of the investigation was to determine whether the state had properly safeguarded data stored in the Medicaid...

Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement
Feb18

OCR has announced it has arrived at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012. Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012 and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013. OCR found that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been obtained in writing from the patients before names and full-face photographs were uploaded to the website. OCR determined this to be a clear violation of the Privacy Rule, with CPT found to have violated HIPAA by failing to reasonably...

OCR Issues Further Guidance on Health App Use
Feb12

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance to help mobile health application developers get to grips with HIPAA and determine whether they fall under the classification of a HIPAA Business Associate. Last fall, OCR launched a new developer portal to improve understanding of how the Health Insurance Portability and Accountability Act applied to mobile health app developers. The aim was to improve understanding of HIPAA rules among mhealth app developers. The portal was also used by OCR to anonymously gather information that it could use to direct its focus for future guidance and determine which aspects of HIPAA were proving problematic or confusing for app developers. The new guidance was deemed necessary after OCR assessed the comments and questions that had been submitted via the app developer portal. It is hoped that the new guidance, which has also been posted on OCR’s mHealth Developer Portal, will help app developers avoid falling afoul of HIPAA rules and will help answer some of the questions that are frequently asked. There...

OCR to Receive $4 Million Budget Increase to Support Audit Program
Feb10

The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million.

HIPAA Compliance Audit Program to Receive a Funding Boost

The second phase of compliance audits is penciled in to start “in early 2016,” although the start date has yet to be announced. OCR was mandated to conduct HIPAA compliance audits in the Health Information Technology for Economic and Clinical Health Act (HITECH), and while the pilot phase of audits took place in 2011/2012, the second phase has suffered delay after delay. Those delays have been attributed to a lack of funding. The additional $4 million is therefore much needed, especially after the budget freeze in 2016. The purpose of the audits is in part to ensure that covered entities (healthcare providers, healthcare clearinghouses, health insurers, and business associates of covered entities) are complying with HIPAA regulations. The audits will also give OCR insight into the...

OIG Publishes Findings of Utah Department of Health Security Audit
Feb08

The Department of Health and Human Services’ Office of Inspector General has published the findings of a security audit of the Utah Department of Health. OIG discovered 39 “high-impact” security vulnerabilities and “a pattern of inadequate security management.” The Utah Department of Health suffered two data breaches between 2012 and 2013, the first of which occurred in March 2012, and resulted in the protected health information (PHI) of 780,000 Medicaid recipients and Children’s Health Insurance Plan recipients being obtained by hackers. The data was stored on a server maintained by the Utah Department of Technology Services (DTS), which was accessed by Eastern European hackers. The second data breach occurred in January 2013, and was the result of the loss of an unencrypted USB drive by an employee of a business associate of the Dept. of Health. The USB drive contained the PHI of 6,000 individuals. The security breaches prompted OIG to conduct a review of information systems general controls at the Utah DOH, which took place in March 2013. The initial review was...

Deadline for Reporting 2015 Data Breaches
Feb04

The deadline for reporting 2015 data breaches is fast approaching. Covered entities must submit all 2015 data breach reports to OCR before the end of the month. The final date for submitting reports of security incidents that affected fewer than 500 individuals is February 29, 2016.

Deadline for Reporting 2015 Data Breaches – Monday February 29, 2016

The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows covered entities up to 60 days after the discovery of a large-scale data breach to report the incident to the Department of Health and Human Services’ Office for Civil Rights. A large data breach is defined as one which affects more than 500 individuals. HIPAA also requires all covered organizations to report smaller data breaches, although they are considered lower priority. Small data breaches can be reported at any time during the calendar year in which they are discovered, although the maximum time limit for submission is 60 days from the end of the calendar year in which they were first identified. Since 2016 is a leap year, the deadline...

Lincare Inc to Pay $239,800 CMP for HIPAA Violation
Feb03

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge; the motion for summary judgment was granted and the decision to issue civil monetary penalties was sustained.

HIPAA Privacy Rule Violation Uncovered by OCR

Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities, and via medical services delivered in-home. A complaint was filed with OCR about a Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...

Survey Indicates Law Firms are not Complying with HIPAA Rules
Feb02

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with HIPAA Privacy, Security, and Breach Notification Rules. HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or their software or systems are capable of touching PHI/PII, those entities are also required to comply with HIPAA Rules.

Are Attorneys Classed as Business Associates of HIPAA-Covered Entities?

According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules. If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by...

Secure Healthcare Messaging Vendors Assessed by KLAS
Jan29

Which is the top vendor for HIPAA-compliant secure messaging? It depends. Established players and up-and-coming companies have recently been assessed by KLAS. The independent research company has rated the current options available to healthcare providers looking to improve communication between care teams without falling afoul of HIPAA Regulations. The cost of healthcare provisioning is rising, placing increasing pressure on healthcare providers to reduce operational costs, improve efficiency, and increase the productivity of healthcare employees. Currently many physicians, nurses and other healthcare professionals are forced to use slow and inefficient communications systems, resulting in many hours of wasted time each week per employee. The use of SMS text messages would solve many of these problems. The communication channel is fast, convenient, and practical, but SMS messages are insecure. This poses a problem for healthcare providers and other HIPAA-liable entities. HIPAA Rules prohibit the transmission of Protected Health Information (PHI) via SMS as the messages can all too...

TigerText Launches Healthcare Pager and Fax Replacement
Jan15

TigerText has announced the release of two new communication solutions for healthcare providers. The two new products have clear potential, and could convince many healthcare providers to start phasing out pagers and faxes. The new products, named TigerPage & TigerFax, are aimed at healthcare providers that would like to transition to a more secure, HIPAA-compliant method of communication but who are reluctant to give up the communication tools they have relied on for decades. Rather than totally replacing pagers and faxes, the new solutions allow them to continue to be used. In fact, the speed and efficiency with which pages and faxes can be received and responded to is greatly improved. Rather than carrying a pager and a smartphone, healthcare workers can have pages and faxes sent directly to their smartphone.

Healthcare Providers Reluctant to Relinquish the Pager

Pagers and faxes have been an essential communication tool for the healthcare industry for decades, yet despite reliable, HIPAA-compliant communication systems being available for some time, healthcare providers are...

Upgrade Internet Explorer to Remain HIPAA Compliant
Jan11

On Wednesday January 12, 2016, Microsoft will stop support and security updates for Internet Explorer 8, 9 and 10. All users of Internet Explorer must therefore upgrade to Internet Explorer 11, or make the switch to Microsoft Edge, in order to continue receiving support, security updates, and patches. 18 months ago, Microsoft announced that its browser updates for IE8, IE9, and IE10 would be stopping. Any user who has not yet upgraded now has just two days left before their browser officially becomes obsolete. Whenever software is discontinued and support and security patches are stopped, that software becomes a security risk. Vulnerabilities are discovered that are not patched, and hackers are likely to be able to take advantage. Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave individuals “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.” Figures from Netmarketshare.com and Duo Security put the number of Internet Explorer users with IE10 and below installed at between...

A Year of HIPAA Enforcement: OCR HIPAA Penalties Issued in 2015
Jan10

In its capacity as enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Rules, the Department of Health and Human Services’ Office for Civil Rights (OCR) can issue fines to HIPAA-covered entities that fail to implement sufficient safeguards to keep the Protected Health Information (PHI) of patients and health plan members secure. OCR has been criticized in recent years for an apparent lack of enforcement, specifically for failing to issue financial penalties for clear violations of the HIPAA Privacy, Security, and Breach Notification Rules by HIPAA-covered entities. Covered entities are required to self-report data breaches to OCR under the Breach Notification Rule of 2009, and all data breaches that expose the PHI of more than 500 patients are investigated. Sometimes, those data breaches occur even when covered entities have implemented all of the administrative, technical, and physical controls that are required by the HIPAA Security Rule. However, in many cases, data breaches are suffered as a result of HIPAA failures. In such cases, action is taken by OCR...

OCR Issues New Guidance on Patient Data Access
Jan10

Healthcare providers should be aware that patients are permitted access to their medical records under HIPAA rules; however, not all patients are aware of their legal rights. Not only are patient data access rights under HIPAA not well understood, many patients who have attempted to access their medical records have faced problems. There is also a misconception that HIPAA – specifically the HIPAA Privacy Rule – prevents healthcare providers from disclosing medical records. While that is true when it comes to disclosing the Protected Health Information (PHI) of patients to individuals who are not authorized to view that information, HIPAA does allow patients to access their own records. In fact, any healthcare provider who fails to allow patients to access their medical records could be fined.

OCR Issues Guidance on Patient Data Access Rights Under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has started the year with the launch of a brand new website interface, and has now followed up on previous promises by issuing new guidance on HIPAA. This is the...

NSF Grant Funds Development of Mobile Cloud Dietary Assessment Tool
Jan08

Many mHealth apps lack sufficient controls to keep patient data secure. In late 2014, a Trustworthy Health and Wellness (THaW) project funded by the National Science Foundation (NSF) determined that 63% of popular mHealth apps were not encrypting data (out of a test sample of 22), potentially placing data at risk of theft. Furthermore, 81% of mHealth apps were using third party storage or hosting services. The benefits of mHealth apps for patients and healthcare providers are considerable. Unfortunately, healthcare providers wishing to use mHealth apps are prevented from doing so by HIPAA. Unless developers of mHealth apps encrypt stored and transmitted data to a nationally accepted standard, or implement other controls to keep data secure, use of the apps by the healthcare industry will be limited.

Secure Mobile Cloud Dietary Assessment Tool Under Development

University of Massachusetts Medical School and UMass Lowell have recently embarked on a new National Science Foundation grant funded project to test a new mHealth infrastructure that will allow patient data to be collected...

Henry Schein Gets 20-Year Consent Order and $250K FTC Fine for False Advertising of Data Encryption
Jan08

The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR 164.304. Covered entities must ensure that the strength of the encryption software is appropriate. Not all encryption software protects data to the same degree. In fact, some methods of encryption are better referred to as data camouflage rather than data encryption. The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that conforms to a nationally recognized standard such as the Advanced Encryption Standard (AES), recommended by the National Institute of Standards and Technology (NIST). Henry Schein Practice Solutions, Inc., a vendor of software solutions for dental practices, chose a different encryption standard for its Dentrix G5 software solution. The software allows dentists to enter and store patient data, process claims and payments, and send appointment reminders. Dentists are covered under HIPAA and must...

OCR Website Receives Long Awaited Upgrade
Jan07

The Department of Health and Human Services’ Office for Civil Rights website has been redesigned and upgraded, and features a responsive design and a more user-friendly interface. The redesign was part of the Reimagined HHS.gov initiative. The aim was to create a website that is faster, easier to use, and makes content sharing and syndication much more straightforward. The HHS site-wide overhaul has taken well over a year so far, with OCR being the first HHS department to receive its site upgrade. The upgrade and redesign was conducted in phases, with phase 1 of the project completed in May 2015. OCR's overhaul was finished on schedule and was made live this week in time for the January 6 launch. The new crisp, clean, and simple design presents information clearly, while a fast and powerful search function has been incorporated to ensure visitors can quickly and easily gain access to the information they need. Typing in a search term will offer numerous suggestions based on the most common searches of the site, ensuring the most relevant information can be quickly retrieved. In...

HIPAA Privacy Rule Updated to Permit NICS Reports
Jan05

The Department of Health and Human Services has issued a final rule permitting certain covered entities to disclose specific elements of Protected Health Information (PHI) to the National Instant Criminal Background Check System (NICS), changing the HIPAA Privacy Rule. At the time of writing, HIPAA prevents healthcare providers from disclosing PHI, except in a very limited number of circumstances, without first having obtained permission from a patient. The rule change, which will become effective 30 days after publication in the Federal Register, will allow certain information about individuals to be divulged and entered into NICS by some HIPAA-covered entities. NICS is maintained by the FBI and is used by Federal Firearms Licensees (FFLs) to determine whether an individual is permitted to purchase a firearm. When an FFL starts a NICS background check on an individual, the system will search three separate databases: the Interstate Identification Index (III), the National Crime Information Center (NCIC), and the NICS Index. NCIC and III contain information on individuals who have...

Online Medical Record Access Not Possible for the Majority of Patients
Dec31

A recent survey commissioned by personal clinical engagement platform vendor HealthMine indicates patients are still finding it difficult to gain online access to their healthcare data, even though the majority of healthcare providers store healthcare data in digital form. 2013 data suggest that 78% of healthcare providers use EHRs and could therefore conceivably provide online access to patient medical data. The recent survey was conducted on 502 consumers who intended to enroll in a 2016 health plan. The survey took place between October and November 2015. The results of that survey show that over half of consumers (53%) do not yet have online access to their medical records, and almost a third (32%) of Americans have difficulty accessing their medical records. 31% of respondents indicated they have trouble accessing biometric information, and 29% said they struggled to gain access to lab records and insurance information. A quarter of respondents had trouble accessing their prescription history. 74% of Americans believe that having access to all of their clinical notes and medical...

Improper Dumping of Patient Medical Records Continues
Dec30

This month, Allina Health System and Springfield Community Hospital discovered that medical records had been disposed of without first rendering them indecipherable as required by HIPAA. A third healthcare provider has also just been alerted that some of its confidential patient data have allegedly been illegally dumped.

New Alleged Case of PHI Dumping Reported

The latest case of improper dumping of PHI came to light when a local man reported discovering paperwork from the Cottonwood Comfort Dental clinic on the West Mesa, close to Albuquerque. The man had been on the West Mesa collecting shell casings when he discovered hundreds of paper medical records, according to a KRQE News 13 report. The paperwork allegedly contained patient names, Social Security numbers, insurance information and patient addresses. The man who discovered the records allegedly took them to a recycling center, although reporters from KRQE claim to have seen some of the data and taken it to the Cottonwood clinic. An investigation into the alleged privacy breach has been launched by Cottonwood Comfort...

Repeat HIPAA Violators Revealed: Database of Offenders Created
Dec30

ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed. Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame”, currently lists 1,425 data breaches dating from October 21, 2009. Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity. Not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal just one breach has been suffered, when in actual fact a great deal more have occurred. CVS Health is a good example: a search for that name would produce one result, a 12,914-record breach suffered this year. A search for CVS Caremark would...

Allina Health System Alerts 6,000 About Improper PHI Disposal
Dec24

The Minneapolis Isles clinic run by Allina Health System has notified approximately 6,000 patients of a breach of their Protected Health Information (PHI). The clinic, located at 2800 Hennepin Avenue, discovered instances of improper PHI disposal had occurred after documents containing sensitive information were found in regular trash. HIPAA rules require all documents containing PHI to be rendered unreadable, indecipherable, and incapable of being reconstructed prior to disposal. The HIPAA breach is not understood to have resulted in any patient health information being viewed by unauthorized individuals, although the clinic is unable to guarantee that to be the case. According to a statement released by Allina spokesman David Kanihan, the incident is considered only to be a “technical breach of unsecured protected health information.” Because a risk does exist, out of an abundance of caution Allina Health System will be offering all affected patients a year of credit monitoring services without charge. The data potentially exposed include names of patients, their mailing...

Study Shows Value of Phishing Simulation Exercises
Dec23

A recent report indicates the probability of members of staff responding to a phishing campaign can be effectively reduced to zero if phishing simulation exercises are completed regularly.

The Growing Threat of Healthcare Phishing Attacks

The Office for Civil Rights recently issued its first financial penalty to an organization that suffered a data breach after its employees responded to a phishing campaign. The case resulted in University of Washington Medicine agreeing to a $750,000 fine to settle potential HIPAA violations. UWM had already had to cover significant data breach resolution costs after suffering a 90,000-record breach. The fine and data breach costs could potentially have been avoided if staff members had been trained how to identify phishing emails. The healthcare industry is now being targeted by cybercriminals, and phishing is the most commonly used method of gaining access to patient data. Even when multi-million-dollar security defenses are employed to keep networks secure, a single response to a phishing email can be all it takes to compromise the records of...

Healthcare Cybersecurity Addressed in Omnibus Bill
Dec20

New cybersecurity provisions specifically for the healthcare industry have been added to the Omnibus bill passed by Congress late last week. The aim of their inclusion is to help healthcare organizations tackle the growing risk of cyberattacks, and to provide them with the information and guidance necessary to shore up their defenses, plug security gaps and make them less vulnerable to cyberattacks. The new legislation is part of the Cybersecurity Information Sharing Act, passed by Congress on Friday. One of the ways that the new legislation will help healthcare organizations is with the formation of a new Cybersecurity Task Force. This is scheduled to take place during the first 90 days following the introduction of the new legislation. The purpose of the task force is to assess the current cyber threats faced by the healthcare industry. The methods used by cybercriminals to break through security defenses will be analyzed and vulnerabilities assessed. The task force will also study how other industries are managing to repel attacks. Healthcare organizations will then be...

TigerText Launches HIPAA Compliant Secure Texting App for Desktops
Dec18

TigerText, the leading provider of secure text messaging solutions for the enterprise, has announced the launch of its latest initiative, TigerText Anywhere: A HIPAA compliant secure texting app for desktop computers. TigerText’s HIPAA compliant text message platform is already hugely successful. To date, more than 250,000 healthcare professionals have adopted the secure messaging platform. The company now counts 4 out of 5 of the largest for-profit healthcare systems in the United States among its clients. According to TigerText co-founder and CEO, Brad Brooks, “TigerText has reached the scale necessary to truly improve the quality of care our healthcare customers deliver, while at the same time reducing the costs to do so.” In fact, the potential cost savings from using the HIPAA compliant secure texting app are considerable, as Brooks explains. “By connecting electronic health records, critical alerts, real time shift data, and other essential components of patient care and productivity, we think that secure, real-time messaging could save the healthcare industry $30-$50 billion...

Day Pitney Launches New HIPAA Self-Assessment Tool Ahead of Compliance Audits
Dec16

Hartford, Conn., Dec. 14, 2015 – Day Pitney LLP has announced the launch of a new HIPAA Self-Assessment Tool ahead of the second round of Department of Health and Human Services’ Office for Civil Rights HIPAA-compliance audits.

New HIPAA Self-Assessment Tool Launched

Day Pitney, a full-service law firm employing approximately 300 attorneys in its Connecticut, New Jersey, New York, and Washington, D.C. offices, has developed the HIPAA Self-Assessment Tool to assist covered entities with their final compliance efforts before the audits commence next quarter. James Bowers, Day Pitney director of Compliance Risk Services and former chief compliance officer at Aetna Inc., recently pointed out that “Companies should really start self-audits as soon as possible to make sure they are in compliance with the HIPAA rules.” The HIPAA Self-Assessment Tool allows covered entities to assess their organization for potential HIPAA violations, allowing them time to take action to address any issues before they are discovered by auditors. Covered entities should already have conducted risk...

OIG Audit Reveals High Risk Security Vulnerabilities at 3 Medi-Cal MCOs
Dec15

The Department of Health & Human Services Office of Inspector General has recently published the results of information system reviews conducted on three Californian Medicaid managed-care organizations (MCOs).

OIG Audits Reveal 74 High Risk Security Vulnerabilities at 3 Medi-Cal MCOs

The OIG audits revealed numerous, significant security vulnerabilities at the three Medi-Cal MCOs being assessed. In total, 74 high-risk security vulnerabilities were discovered across 14 separate security control areas. Many of the vulnerabilities existed at all three Medi-Cal MCOs, suggesting similar security vulnerabilities may well exist at all Medi-Cal MCOs. Each of the vulnerabilities had the potential to place patient data at risk of exposure. In some cases, the security vulnerabilities were extremely serious. The vulnerabilities were categorized into three broad areas: access controls, security management and configuration management.

Access Management Controls

Access controls included password and login controls, database security controls, the use of backup storage media, and portable device...

$750,000 HIPAA Fine for University of Washington Medicine
Dec14

University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights, and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013.

Flurry of HIPAA Enforcement Activity as 2015 Draws to a Close

There has been a flurry of HIPAA enforcement activity over the past few weeks. First came news of a $90,000 settlement between the Connecticut OIG and Hartford Hospital in late November, then news of an $850,000 settlement between OCR and Lahey Hospital and Medical Center. That was closely followed by the announcement of a $3.5 million settlement between OCR and Triple-S of Puerto Rico, and now University of Washington Medicine has agreed to settle potential HIPAA violations with OCR.

Spam Email Behind 90,000-Record Data Breach

On November 27, 2013, University of Washington Medicine alerted OCR to a data breach that exposed the Protected Health Information (PHI) of approximately 90,000 UWM patients. The data breach occurred as a result of an employee...

NY Attorney General HIPAA Fine for URMC
Dec08

An attorney general HIPAA fine of $15,000 has been issued to University of Rochester Medical Center for a breach of patient privacy that occurred in March 2015.

An OCR and Attorney General HIPAA Fine May Be Issued for a Breach of HIPAA Rules

It is not only the Office for Civil Rights that is permitted to issue financial penalties for violations of HIPAA Rules. State attorneys general can also enforce the HIPAA Privacy, Security, and Breach Notification Rules. State attorneys general were given the power to assist OCR with the enforcement of Health Insurance Portability and Accountability Act Rules following the introduction of the HITECH Act in 2009, although few state AGs have chosen to do so. Action is sometimes taken against healthcare organizations that have exposed the data of patients, but the decision is taken to prosecute under state consumer protection laws rather than HIPAA. The first attorney general HIPAA fine was issued by the Connecticut AG's office on July 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million individuals....

Cyberattack Simulation Exercise Tests Incident Response Readiness
Dec07

It is no longer a question of whether a data breach will be suffered, but of when it will occur. It is therefore essential that covered entities have a data breach response plan that can be put into action as soon as a cybersecurity incident is discovered. If cyberattack simulation exercises are conducted before a breach is suffered, the ability of an organization to respond appropriately, and conduct an efficient breach response, will be greatly improved.

Breach Response Plan Testing Must Include Rigorous Cyberattack Simulation Exercises

It is essential that HIPAA-covered entities are able to respond quickly after discovering a cybersecurity incident has been suffered. The first few hours after an attack are critical. Key decisions must be made, personnel mobilized and third parties involved. Under HIPAA Rules, HIPAA-covered entities must conduct a breach investigation, which can be complex and long-winded. A full risk assessment must also be conducted, notices must be issued to victims, breach reports issued to the OCR, the media must be alerted,...

Guidance on Patient Rights Under HIPAA Due this Month
Dec04

This December, OCR expects to issue a new document clarifying patient rights under HIPAA to access their own healthcare data, as part of the White House Precision Medicine Initiative.

Clarification Due on Patient Rights Under HIPAA to Access their Own PHI

The Health Insurance Portability and Accountability Act’s Privacy Rule introduced a number of new rules aimed at protecting the privacy of healthcare patients and health insurance subscribers. The Privacy Rule dictates when HIPAA-covered entities are permitted to disclose Protected Health Information (PHI) to third parties, and also makes provision for patients to access their own medical data. While most covered entities have now got to grips with the intricacies of the HIPAA Privacy Rule, not all appear to be certain about when medical records can be supplied to patients, and the extent of data that must be disclosed upon request. Consumers are similarly unsure about their data access rights under HIPAA. Office for Civil Rights (OCR) intends to clarify the situation, and will be issuing new guidance on patient rights under...

HIPAA Violation Fine of $3.5 Million for Triple-S
Dec02

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. This is the second HIPAA violation fine to be announced in the space of a week, with the latest financial penalty closely following the $850,000 settlement between OCR and Lahey Hospital and Medical Center. The latest fine highlights just how costly non-compliance can be. This does not need to be explained to Triple S Management Corporation. The company was already hit with a HIPAA violation fine of $6.8 million by the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal. The PRHIA fine was issued following the mailing of a pamphlet that displayed the Medicare Health Insurance Claim Numbers of subscribers. The HIPAA violation fine corresponded to $500 for each of the 13,336 members of the insurer’s Medicare...

OCR Settlement Reached with Lahey Hospital
Nov25

The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights (OCR) over alleged HIPAA violations following a data breach that occurred back in October 2011. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt OCR's corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. The settlement covers six ‘potential’ violations of HIPAA Rules, specifically the failure to implement appropriate administrative and physical controls to prevent the accidental disclosure of ePHI.

Failure to Safeguard ePHI Results in $850,000 Settlement

The incident which led to the OCR investigation involved the theft of an unencrypted laptop computer that had been left in an unlocked treatment room at the hospital. The laptop contained data recorded from one of the medical center’s CT scanners. The laptop contained the electronic Protected Health Information of 599 patients. A financial penalty was...

Texas Attorney General Takes Action over Improper Disposal of PHI
Nov25

Legal action has been taken by the Texas attorney general’s office against Alliance Health Management & Consulting Inc., for the improper disposal of the Protected Health Information (PHI) of patients. The home healthcare management company is no longer in business, having ceased trading in July 2009; however, last year documents containing the PHI of patients were discovered to have been discarded in a dumpster without first having been rendered indecipherable.

HIPAA Rules Covering the Disposal of Protected Health Information

The HIPAA Privacy Rule requires covered entities to implement physical safeguards to keep all forms of PHI secured at all times. When PHI is no longer required by a covered entity it must be disposed of securely (45 CFR 164.310(d)(2)(i) and (ii)). PHI must be destroyed, or rendered unreadable and indecipherable. It must not be possible for any element of PHI to be reconstructed. The exact method that must be used to destroy records is not stipulated by HIPAA Rules, although for physical records the OCR recommends pulping, burning, shredding, or pulverizing....

Healthcare Provider Not Liable for Social Media HIPAA Violation
Nov12

On Monday this week, a case against University of Cincinnati Medical Center (UCMC) was heard by Judge Jody Luebbers in the Hamilton County Common Pleas Court regarding the posting of Protected Health Information of a patient on social media. The incident that triggered the lawsuit concerned the posting of a patient’s medical records by a woman employed in the financial services department at UCMC. The employee had accessed the medical records of the patient, taken a screenshot of her medical records and uploaded the image to her Facebook account. The image was then shared with members of a Facebook group. The same image was also emailed to the same individuals. The group in question had been named “Team No Hoes.” The patient in question had contracted syphilis and was pregnant at the time. The naming and shaming of the patient on social media was investigated by the hospital as soon as the privacy violation was discovered, and the employee lost her job as a result. Cases involving vicarious liability are often filed by co-workers who have suffered sexual harassment in the...

Conn. OIG Reaches $90K Settlement with Hartford Hospital and BA Over 2012 Laptop Theft
Nov10

Hartford Hospital and one of its Business Associates, EMC Corporation (EMC), have agreed to a settlement with the Connecticut Office of the Inspector General over the 2012 theft of a laptop computer containing the unencrypted data of 8,883 Connecticut residents. Hartford Hospital and EMC have agreed to a settlement of $90,000 to resolve the incident. The agreement was reached voluntarily, and no admission of liability has been accepted by either party. EMC was contracted by Hartford Hospital to assist with the completion of a quality improvement project in late December 2011. The ultimate aim of the project was to reduce avoidable hospital admissions among patients suffering from congestive heart failure. The project required EMC to conduct an analysis of patient data, and EMC was provided with the Protected Health Information of patients for this purpose. However, on June 25, 2012 an unencrypted laptop computer containing patient data was stolen from the home of an EMC employee. The data does not appear to have been used inappropriately, according to Hartford Hospital. After...

OIG Releases 2016 Work Plan: Expect Greater Oversight of OCR, Medical Devices and Emergency Planning
Nov06

Over the course of the next year, OIG is expecting to increase oversight of the Department of Health and Human Services’ Office for Civil Rights. OIG will also be looking closely at a specific area of HIPAA compliance: how hospitals are complying with the HIPAA Security Rule requirement for contingency planning for emergencies.

HIPAA Requirements for Coping in Emergencies

The administrative safeguards of the HIPAA Security Rule (45 CFR, Part 164 § 308(7)(i)) require all covered entities to be able to continue to function during emergency situations. Access to Protected Health Information (PHI) must be maintained at all times. Should access be lost, it must be restored as a priority. In order for covered entities to be able to do this, proactive steps must be taken. It is essential that policies and procedures are developed that can be implemented in case of disaster. Rapid action is required, and every individual must be aware of his or her responsibilities in case of emergency. This applies to emergency situations such as natural disasters, as well as at times when EHR...

Healthcare Fraud and HIPAA Violations: Warner Chilcott to Pay $125 Million
Nov05

A unit of pharmaceutical company Warner Chilcott has agreed to plead guilty to healthcare fraud, and will be required to pay $125 million to resolve civil and criminal liability, according to the Boston US Attorney’s Office. The case against the pharmaceutical company is concerned with the illegal promotion of seven drugs. Payments were made to physicians to prescribe those pharmaceuticals to patients over other drugs. This is of course not the first time such allegations have been made against drug firms, nor is it the first time that pharmaceutical companies have been found to be liable. What makes this case different is the fact that charges have been filed against employees of Warner Chilcott and Warner Chilcott U.S. Sales LLC under HIPAA Rules. The case was possible under the False Claims Act, which permits private individuals to sue companies on behalf of the government under the Act’s whistleblower provisions. Two whistleblowers brought the case against the company and are being represented by law firms MoloLamken, Seeger Weiss, and the Simmer Law Group. The criminal charges...

Did Siobhan Dunnavant Violate HIPAA? Senate Candidate Investigated by OCR
Nov05

A complaint has been sent to the Department of Health and Human Services’ Office for Civil Rights regarding a Republican State Senate Candidate who sent a mailing to her patients to notify them of her intention to stand for office, and to solicit assistance with her campaign. Questions have been raised about whether Dr. Siobhan Dunnavant violated the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule by doing so.

Did Siobhan Dunnavant Violate HIPAA?

Dr. Dunnavant used her patient database to obtain the contact information of her patients, and subsequently sent emails and a letter announcing her candidacy, in an apparent effort to secure votes, contributions and volunteers to help her with her campaign. Emails and letters are to be expected from a state senate candidate; however, due to the strict rules covering the use of patient information under HIPAA, Dr. Dunnavant may have violated HIPAA Rules by doing so. Dr. Dunnavant also emailed her patients on three separate occasions in the run-up to the primary elections in June. HIPAA Rules cover a number of...

SecurityMetrics Reports on HIPAA Security Rule Compliance
Oct16

What steps are U.S. healthcare organizations taking to ensure HIPAA Security Rule compliance? How well are HIPAA Rules understood? Are healthcare providers actually now compliant with HIPAA Rules? These questions will naturally be answered when the Office for Civil Rights compliance audit program recommences early in 2016. In the meantime, SecurityMetrics – a Utah-based merchant data security and compliance company – decided to get some answers now and conducted a survey of health IT professionals to gain a better understanding of the general state of HIPAA compliance among healthcare organizations.

Attitudes on HIPAA Compliance Probed

SecurityMetrics compiled a survey to probe attitudes on common patient health data protection issues, network security measures used to safeguard data, and other security issues such as Wi-Fi encryption. The aim was to gain a better understanding of the efforts U.S. healthcare organizations are making to comply with the HIPAA Security Rule. Over 300 healthcare professionals took part in the survey and were asked over 40 questions relating to...

Physicians Choose Secure Texts to Engage Patients
Oct10

In today’s healthcare environment it is essential to involve patients more in their own healthcare, and greater efforts must be made to engage patients. Physicians are now expected to achieve more during patient consultations, yet the cost of healthcare provision must also be decreased. There are numerous ways this can be achieved. Pre-visit check-ins can be performed, and patients can be enrolled in remote health monitoring programs and offered telehealth services. More online visits should also be conducted. However, the Health Insurance Portability and Accountability Act, specifically the Security Rule, poses problems for physicians looking to improve care and engage patients in their own healthcare. The Security Rule places a number of requirements on HIPAA-covered entities to ensure that patients’ Protected Health Information (PHI) is protected at all times. Any healthcare provider wishing to take advantage of the wealth of new technology now available must ensure that efforts are made to keep private data secure. If insecure communication channels are used to communicate with...

OCR Web Portal for Mobile Health App Developers Launched
Oct06

The Department of Health and Human Services’ Office for Civil Rights has launched a new web portal for mobile health app developers. The portal will allow application developers to get answers to the burning questions they have about HIPAA Rules and compliance requirements. The new portal is intended to encourage application developers, in particular mobile app developers, to submit comments and questions regarding HIPAA. In a recent email bulletin following the launch, the OCR explained the sort of questions it hopes will be asked: “We are asking stakeholders to provide input on the following issues: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible?” The information gathered via the portal will also help the OCR develop future guidance covering mobile health apps.

New mHealth Guidance Has Been a Long Time Coming

The Health Insurance Portability and Accountability Act was first introduced in 1996, many years before the first smartphones...

7th Annual mHealth Summit to Focus on Mobile Solutions for Health and Wellness
Oct05

The 7th Annual mHealth Summit is fast approaching. This year, the 4-day conference will be bigger and better than ever before, exploring the impact mobile health, telehealth and connected health are having on healthcare delivery, clinical care management and patient/consumer engagement. The event will also focus on how mobile solutions for health and wellness can improve the delivery of healthcare and patient outcomes. This year the event will take a slightly different format, including the new HIMSS Connected Health Conference, which has been billed as an “all-inclusive event highlighting how technology is enabling the transformation of healthcare delivery.” It promises to be the most comprehensive event in its seven-year history, incorporating industry-leading keynote presentations covering mHealth, mobile apps, wearable technology, interoperability and the Internet of Things, as well as the usual presentations to assist HIPAA-covered entities in achieving and maintaining compliance. The event offers attendees the opportunity to network, discuss new ideas, and learn about the latest...

How to Respond to a Healthcare Data Breach
Oct02

HIPAA-covered entities that have spent time developing and testing a health data breach response plan will be able to respond more quickly to a suspected data breach and execute an efficient HIPAA breach response. Those that have not invested time and effort into planning are likely to struggle to react quickly, and delays can prove costly. As the Ponemon Institute’s 2017 Cost of a Data Breach study showed, having a health data breach response plan helps organizations to execute an efficient HIPAA breach response. The faster the response, the easier it will be to contain the breach quickly and limit the harm caused. Organizations that are able to respond to a data breach quickly end up paying less in breach resolution costs. The cost of a data breach increases the longer it takes to respond and deal with the breach.

Cyberattacks and Data Breaches Are Inevitable

With hackers targeting healthcare providers for the protected health information (PHI) they hold, data breaches are no longer a probability but an inevitability. In fact, it is now highly likely that healthcare providers,...

OCR Confirms Phase 2 HIPAA Compliance Audits to Commence Early 2016
Oct02

The Director of the Department of Health and Human Services’ Office for Civil Rights, Jocelyn Samuels, has confirmed the second phase of the HIPAA compliance audits will be commencing in early 2016. No more delays are expected. HIPAA-covered entities will soon have their compliance efforts put to the test, and Business Associates will not escape either. They too will be assessed on compliance with the HIPAA Privacy, Security and Breach Notification Rules. Samuels recently wrote to the HHS Inspector General following strong criticism received about the OCR’s enforcement activities, in addition to inconsistencies in enforcing HIPAA Rules. At present, the OCR relies heavily on reports of privacy violations from the general public and self-reporting of data breaches to identify HIPAA violations and to choose which entities to investigate. The agency has yet to develop a permanent HIPAA-compliance audit program, even though such a program was much talked about early in Leon Rodriguez’s tenure as head of the OCR. According to a recent OIG report, released on Tuesday, “Without fully implementing...

OIG Criticizes OCR for Lax Enforcement Standards and Poor Oversight of Covered Entities
Oct02

Take a look at the Department of Health and Human Services’ Office for Civil Rights website and you will discover relatively few financial penalties have been issued for HIPAA Privacy violations. Even apparently serious violations of HIPAA Rules have not always resulted in financial penalties being issued. Out of the thousands of data breaches listed on the website, only a tiny percentage have resulted in financial penalties being issued, with the OCR often favoring other enforcement actions. This has not gone unnoticed by the Office of the Inspector General (OIG). The OIG has just published the findings from two studies conducted on the OCR to assess how well the agency is enforcing HIPAA Rules.

Poor Oversight of HIPAA Covered Entities

The first study was conducted to assess the OCR’s oversight of covered entities’ compliance with the Privacy Rule. OIG investigators took a sample of Medicare Part B providers that had reported data breaches to the OCR between September 2009 and March 2011. The OIG then assessed the extent to which those organizations had addressed five privacy...

New Rules for Electronic HIPAA Transactions Approved by CAQH CORE
Sep28

Last week, the CAQH® Committee on Operating Rules for Information Exchange (CORE®) approved a new set of national rules for electronic HIPAA transactions, as part of Phase IV of the CAQH® CORE® Operating Rules. The new rules for electronic HIPAA transactions cover four groups of healthcare business transactions – prior authorizations, employee premium payment, enrollment/disenrollment in health plans, and healthcare claims. The aim of the new rules is to facilitate the exchange of healthcare information, as mandated by the Affordable Care Act (ACA). The new rules will augment existing HIPAA administrative standards to ensure uniform transmission of electronic healthcare data. Phase IV of the CAQH® CORE® Operating Rules addresses infrastructure requirements such as connectivity, system availability and response times. Rules covering the data content of transactions are due to be added to the Operating Rules at a later date. The approval process involves a vote on the new rules by the subgroups and work groups responsible for preparing the draft version of the Operating Rules. If the new...

HIPAA Compliant Wellness Platform Launched By Fitbit
Sep17

Yesterday, Fitbit, America’s leading manufacturer of activity and fitness trackers, announced it has developed a HIPAA compliant wellness platform which it aims to use to corner the lucrative healthcare market. The company has flirted with health and fitness trackers for the healthcare sector for some time; however, until now one of the major stumbling blocks has been the Health Insurance Portability and Accountability Act (HIPAA), which places a number of restrictions on the use of electronic devices capable of recording, storing and transmitting Protected Health Information (PHI). No electronic device can be fully HIPAA-compliant, as compliance with HIPAA Rules is dependent on the actions of the users of the devices. Therefore, rather than being billed as a HIPAA compliant wellness platform, Fitbit announced that it ‘supports’ HIPAA compliance, having incorporated the necessary safeguards – as demanded by HIPAA – to keep stored and transmitted data protected from prying eyes. According to James Park, CEO and Co-Founder of Fitbit, “We prioritize protecting our consumers’...

WEDI Issues New Resources to Assist with ICD-10 Transition
Sep14

The Workgroup for Electronic Data Interchange (WEDI), the country’s leading authority on the use of IT in healthcare to improve health information exchange, has developed two new resources to assist organizations in implementing the new ICD-10 codes required by the Health Insurance Portability and Accountability Act (HIPAA). The new resources, the ICD-10 State Workers’ Compensation Readiness List and the List of State Medicaid Sites with ICD-10 Information, have been developed with the aim of “Ensuring that all entities are adopting and or are aligning with ICD-10”. The resources will “help further [the health] industry’s movement towards streamlining and automating end-to-end workflow processes.” The new ICD-10 codes must be adopted by HIPAA-covered entities under federal law; but the new codes do not need to be adopted by the workers’ compensation industry. The industry is now becoming more aligned with HIPAA Transaction and Code Set rules, but rather than being covered by a national mandate, the industry is instead subject to state laws. A number of states will be adopting ICD-10 codes,...

OCR HIPAA Compliance Audits to Commence in 2016
Sep09

The new Deputy Director for Information Privacy at the Department of Health and Human Services’ Office for Civil Rights has been adjusting to life at the OCR since her appointment earlier this year, but until now she has not given an interview to the news media. However, she recently gave an exclusive interview to the Security Media Group, in which she cast some light on planned OCR activities, including the upcoming HIPAA compliance audits.

Deven McGraw Gives First News Media Interview

McGraw spoke with HealthcareInfoSecurity.com’s Executive Editor, Marianne Kolbasuk McGee, and was quizzed on OCR enforcement activities and current and future OCR initiatives, and was asked the question that is on everyone’s lips at the moment: When will the HIPAA compliance audits take place?

A Shortage of Resources Has Been McGraw’s Biggest Challenge

The program of random HIPAA audits was penciled in for 2014; however, the sheer scale of the job has caused problems. Audits take a considerable amount of time and resources, something which the OCR lacks. McGraw confirmed that the current...

Recent Cases of Portable Device Theft Highlight Need for Healthcare Data Encryption
Sep07

Healthcare professionals can be given training on the importance of keeping electronic equipment secure; however, even the most security-minded healthcare professional can make an error of judgement that results in PHI being exposed, such as leaving a laptop computer in a vehicle while patients are attended to. Theft of medical devices containing Protected Health Information (PHI) had declined in recent months, but the HHS’ Office for Civil Rights breach portal now displays a high number of cases of portable device theft, highlighting the importance of using data encryption software to safeguard PHI. While portable devices carry the highest risk of data exposure, a number of recent burglaries of physicians’ offices show that even data stored on less portable computer hardware, such as desktop computers and servers, is not secure without robust security measures such as encryption.

Stolen Portable Electronic Devices Cited in Numerous Recent Breach Reports

In June, a physician from the University of Oklahoma’s Department of Obstetrics and Gynecology had a laptop computer...

Jocelyn Samuels Gives Update on OCR Compliance Audits
Sep04

Since the announcement that the second phase of compliance audits would be delayed, the Department of Health and Human Services’ Office for Civil Rights has remained tight-lipped over timescales. Now, a year on from the original proposed start date, many expected OCR Director, Jocelyn Samuels, to give a timescale for the HIPAA audit program at the Safeguarding Health Information: Building Assurance through HIPAA Security conference in Washington this month. Samuels gave a keynote address at the conference, which is hosted by the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR), and while she did not provide a date or a timeline for the compliance audits, she did indicate the audits are now very close to becoming a reality. She explained that the OCR has many roles, with compliance audits a part of its enforcement activities. “Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and our...

New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000
Sep02

A new OCR HIPAA penalty has been issued for a breach of HIPAA regulations. Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach. Back in August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients. The stolen devices contained highly sensitive data, which included the Social Security numbers of patients: exactly the data needed by identity thieves to rack up tens of thousands in debts in the names of the breach victims. The data on the drives was not encrypted.

HIPAA Does Not Demand Data Encryption

Under the HIPAA Security Rule, data encryption is only an addressable specification. This means that a HIPAA-covered entity must consider data encryption for all PHI stored, transmitted, or backed up. A HIPAA-covered entity can make an...

Employees’ Social Media App Use Makes VA Vulnerable to Data Exposure, Says OIG
Aug31

The VA Office of the Inspector General (OIG) has recently published the findings of its administrative investigation into the improper use of web-based collaboration technology by the Department of Veterans Affairs (VA). It determined the agency is particularly vulnerable to data exposure from employees’ social media app use. Employees’ use of the social media application from Yammer.com could potentially result in the exposure of sensitive veteran data. The OIG discovered employees have been using the social media app, even though the app had not been sanctioned by the VA. VA policy requires all social media applications to be approved before use, and their usage to be monitored. The OIG determined that the application “had vulnerable security features, recurring website malfunctions, and users engaged in a misuse of time and resources.” Yammer Notifier, a desktop application, was approved in one Technical Reference Model (TRM) with constraints; however, use of the Yammer social network was not. The application lacks security controls, and it was too easy for Protected Health Information...

Health Net Federal Services Achieves URAC HIPAA Privacy Reaccreditation
Aug16

Health Net Federal Services, LLC, has received URAC HIPAA Privacy reaccreditation, assuring current policyholders that their privacy is treated seriously and HIPAA standards are being met. URAC – the new name for the former Utilization Review Accreditation Commission – is an independent, non-profit organization that accredits health care organizations, including health plans, in this case on HIPAA standards. Health Net Federal Services, LLC was awarded full reaccreditation for HIPAA privacy standards, effective from May 1, 2018. Health Net has been accredited with URAC since 2008. According to URAC President and CEO Kylanne Green, “By applying for and receiving URAC accreditation, Health Net Federal Services has demonstrated a commitment to quality health care.” She went on to say, “Quality health care is crucial to our nation’s welfare and it is important to have organizations that are willing to measure themselves against national standards and undergo rigorous evaluation by an independent accrediting body.” President of Health Net Federal Services, Billy Maynard, said “Health...

New Basic Guide to HIPAA Compliance Released By HHS
Aug05

The Department of Health and Human Services’ Office for Civil Rights has recently issued a basic guide to HIPAA compliance: a summary of HIPAA Rules for covered entities.

A Basic Guide to HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA-covered entities to safeguard data, protect the privacy of patients, and notify them of incidents that expose their Protected Health Information (PHI). HIPAA legislation is complicated, and many covered entities, especially smaller healthcare providers, struggle to understand the HIPAA Privacy, Security, and Breach Notification Rules and to turn those rules into policies and procedures. The Department of Health and Human Services’ Office for Civil Rights is the enforcer of HIPAA Rules, and while the agency investigates data breaches, it is also charged with improving understanding of data privacy and security legislation. One way it achieves this objective is by issuing guidance to...

FCC Confirms Rules Regarding HIPAA and Patient Telephone Calls
Jul30

The Federal Communications Commission has issued a Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls. Some healthcare providers have had trouble understanding the rules regarding HIPAA and patient telephone calls, and how the rules comply with the Telephone Consumer Protection Act (TCPA). Now, 19 years and 24 years after the respective Acts were introduced, the Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order to clear up any confusion. The ruling clarifies the rules regarding HIPAA and patient telephone calls made by covered entities and their Business Associates. The ruling also exempts covered entities and Business Associates from certain TCPA provisions in certain circumstances.

Rules Regarding HIPAA and Patient Telephone Calls

The FCC’s order clarifying the rules regarding HIPAA and patient telephone calls states that, if a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to...
