Dedicated to providing the latest
HIPAA compliance news

Our HIPAA news for small and mid-sized practices section covers common aspects of HIPAA Rules that are often neglected by small to medium-sized covered entities. This news section also includes the latest information for healthcare professionals and small to mid-sized clinics that are concerned about HIPAA-compliance and avoiding HIPAA Privacy, Security and Breach Notification Rule violations.

News items have been selected as they are of particular relevance for small to mid-sized healthcare practices.

The news items and articles in this section cover HIPAA violations and data breaches at small to mid-sized healthcare providers, settlements and regulatory fines issued by state attorneys general and the Department of Health and Human Services’ Office for Civil Rights (OCR), new state and federal compliance requirements and the latest news and guidance on HIPAA compliance from OCR and the ONC.

For up to date information delivered direct to your inbox, be sure to sign up for our weekly HIPAA newsletter.

Theft of Unencrypted Laptop Exposes Wonderful Health & Wellness Patients’ ePHI
Jan24

Theft of Unencrypted Laptop Exposes Wonderful Health & Wellness Patients’ ePHI

Los Angeles-based Wonderful Health and Wellness has notified patents that their electronic protected health information (ePHI) was exposed in early December, 2016 when an unencrypted laptop computer was stolen from the company’s Wonderful Center for Health Innovation. Staff at the Center discovered the laptop computer was missing on December 12 when they returned to work after the weekend, with the theft having occurred at some point between December 9 and 12. The theft was immediately reported to law enforcement, although the device has not been recovered. The laptop contained a range of protected health information including patients’ names along with their home addresses, telephone numbers, dates of birth, email addresses, clinical account numbers, medical conditions, treatment information, treatment dates, and test results. No Social Security numbers or financial information were stored on the device. While the laptop computer was not encrypted, software had been installed which allows data on the device to be remotely deleted, although only if the laptop is used to connect to...

Read More
NIST Publishes Draft of Updated Cybersecurity Framework
Jan20

NIST Publishes Draft of Updated Cybersecurity Framework

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul. According to Matt Barrett, NIST’s program manager for the Cybersecurity Framework, “We wrote this update to refine and enhance the original document and to make it easier to use.” The new version incorporates feedback received following the December request for comments on how the framework is being used for risk management, the sharing of best practices, long term management of the Framework, and the relative value of different elements of the Framework. The Cybersecurity Framework was originally intended to be used for critical infrastructure to safeguard information assets, although its adoption has been much wider. The Framework is now being used by a wide...

Read More
Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan20

Hacking Group Attempts to Extort Funds from Cancer Services Provider

TheDarkOverlord has struck again, this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied with a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during treatment, recovery, and at end of life. Little Red Door provides an invaluable service to cancer patients in East Central Indiana, with its limited funds carefully spent to provide the maximum benefit to cancer patients and their families. The payment of a $43,000 ransom would have had a significant impact on the good work the organization does, and would have taken funding away from the people who need it most. Little Red Door followed the advice of the FBI and refused to pay. Little Red Door spokesperson, Aimee Fant, issued a statement saying the organization “will not pay a ransom when all funds raised must instead go to serving families, all stage...

Read More
$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

$2.2 Million Settlement for Impermissible Disclosure of ePHI

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted. MAPFRE Life reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals. Multiple Areas of Noncompliance with HIPAA Rules Discovered During the course of the investigation,...

Read More
Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach
Jan17

Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach

Wilmington, DE-based healthcare provider Brandywine Pediatrics, P.A. has informed tens of thousands of its patients that some of their protected health information has potentially been accessed by an unknown individual. The security breach involved a computer virus, which was discovered on one of the organization’s file servers. While it has not been explicitly stated that the virus was ransomware, Brandywine Pediatrics has informed patients that the virus rendered ePHI inaccessible. In order to regain access to files it was necessary to restore files from data backups. The virus infection was discovered on October 25, 2016, sparking a full investigation. A third-party computer forensics expert was contracted to conduct an investigation. That investigation revealed that a number of practice files containing ePHI had potentially been accessed. Sensitive data in the files included names, addresses, medical information, and health insurance details of patients. Brandywine Pediatrics has confirmed that Social Security numbers, credit card/debit card numbers and financial data were not...

Read More
OCR Reminds CEs of HIPAA Audit Control Requirements
Jan17

OCR Reminds CEs of HIPAA Audit Control Requirements

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. Once case involved the viewing of a celebrity’s medical records by multiple staff members. Late last week, OCR released its January Cyber Awareness Newsletter which explained the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, system or users, while audit trails are audit logs of applications, system or users. Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on,...

Read More
OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily. Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases...

Read More
OCR Updates HIPAA Privacy Rule Guidance for Healthcare Professionals
Jan11

OCR Updates HIPAA Privacy Rule Guidance for Healthcare Professionals

The Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance for healthcare professionals to help clear up confusion about allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones. The majority of healthcare professionals are aware that the HIPAA Privacy Rule permits them to share the protected health information of a patient with a relative or loved one. However, the 2016 Orlando nightclub shooting incident revealed that many healthcare professionals are unsure about how the HIPAA Privacy Rule – 45 CFR 164.510(b) – applies to same sex couples. OCR has confirmed that the Privacy Rule permits a covered entity to “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care.” OCR has also confirmed that covered entities are allowed to disclose relevant information “to notify, or assist...

Read More
Healthcare Industry Prepares for the HIPAA 2017 Audits
Jan10

Healthcare Industry Prepares for the HIPAA 2017 Audits

Given the number of HIPAA 2017 audits that OCR has planned, the probability of any healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax when it comes to HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared. Even if covered entities and business associates have not been selected for a desk audit, they may be selected for a full compliance audit later this year. Should a healthcare organization escape a 2017 HIPAA compliance audit, if a data breach is experienced, OCR will investigate. OCR follows up on all data breaches impacting more than 500 individuals. Covered entities that have experienced a data breach or security incident will be required to demonstrate that HIPAA Rules have not been violated and policies and procedures comply with the HIPAA Rules. The high number of healthcare data breaches reported in recent years shows healthcare organizations need to be prepared for a HIPAA investigation in the event that a security incident is...

Read More
$475,000 Settlement for Delayed HIPAA Breach Notification
Jan10

$475,000 Settlement for Delayed HIPAA Breach Notification

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily. Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to Office for Civil Rights within 60 days and the Breach Notification Rule also requires covered entities to issue a breach notice to...

Read More
Patients Holding Back Health Information Over Data Privacy Fears
Jan05

Patients Holding Back Health Information Over Data Privacy Fears

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited. Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider. Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data. Important Medical Information is Being Withheld by Patients The extent to...

Read More
Largest Healthcare Data Breaches of 2016
Jan04

Largest Healthcare Data Breaches of 2016

2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year. As of February 6, 2017 there have been 329 reported breaches of more than 500 records that have been uploaded to the OCR breach portal. 2017 looks set to be another particularly bad year for data breaches. 2016 Healthcare Data Breaches of 500 or More Records   Year Number of Breaches (500+) Number of Records Exposed 2016 329 16,471,765 2015 270 113,267,174 2014 307 12,737,973 2013 274 6,950,118 2012 209 2,808,042 2011 196 13,150,298 2010 198 5,534,276 2009 18 134,773 Total 1801 171,054,419   Largest Healthcare Data Breaches of 2016 While the above...

Read More
New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec29

New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data. The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure. If a wearable device is provided to a patient by a HIPAA-covered entity, the...

Read More
Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec22

Joint Commission Ban on Secure Messaging for Orders Remains in Place

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk. The ban was originally put in place as SMS messages were not secure. It was also not possible to verify the sender of a message nor for original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies developed secure text messaging platforms that incorporated all of the necessary security features to ensure messages could not be intercepted. Those messaging platforms also allowed the identity of the sender to be verified, ensured that messages were retained for auditing purposes, and a slew of other privacy and security controls...

Read More
Nurse Fired for HIPAA Violation
Dec20

Nurse Fired for HIPAA Violation

Can a nurse be fired for a HIPAA violation? Certainly. Violate HIPAA Rules and having your employment contract terminated may not be the worst thing that will happen. There may also be criminal charges for HIPAA violations. Jail time is likely if protected health information (PHI) is stolen and passed on to an identity thief, although HIPAA Privacy Rule violations alone can result in a jail term. If there is aggregated identity theft, there will be a mandatory two-year sentence tacked on to the sentence. When a nurse is fired for a HIPAA violation, finding alternative employment can be problematic. Few healthcare organizations would be willing to hire an employee that has previously been fired for violated HIPAA Rules. In January this year, a nurse aide was fired from Wayne Memorial Hospital for a HIPAA violation after the inappropriate accessing of 390 patients’ records was discovered. One notable incident in 2011 saw nurses and other healthcare staff snoop on patient records. In that case, there had been a party in a neighboring town where there were multiple drug overdoses....

Read More