Dedicated to providing the latest HIPAA compliance news

The Health Insurance Portability and Accountability Act (HIPAA) is not technology specific, so HIPAA updates are not made frequently, although regulators do issue new guidance for covered entities on specific aspects of HIPAA Rules on a relatively frequent basis.

HIPAA was signed into law by President Bill Clinton in 1996. As the name suggests, the legislation was primarily concerned with regulating the availability and breadth of health insurance policies for individuals and groups. However, in the two decades since the legislation was introduced there have been several major HIPAA updates.

The most notable HIPAA updates were the introduction of the HIPAA Privacy Rule and Security Rule in 2003, the HIPAA Enforcement Rule in 2006, the incorporation of HITECH Act requirements in 2009 and the HIPAA Omnibus Final Rule in 2013.

While compliance with HIPAA Rules was never optional, the HIPAA Enforcement Rule allowed OCR to take action against covered entities found to be in violation of HIPAA Rules. Even though the Enforcement Rule was enacted in 2006, it took until 2009 for the first settlement to be reached with a covered entity for non-compliance with HIPAA Rules: a $2.25 million fine for CVS Pharmacy for the improper disposal of protected health information.

The most recent HIPAA updates were introduced with the passing of the Omnibus Final Rule, which amended the Privacy Rule, Security Rule, Breach Notification Rule and incorporated HITECH Act requirements into HIPAA. The Omnibus Rule also introduced new regulations for business associates of covered entities, allowing fines to be issued directly for the failure to comply with HIPAA Rules.

These key HIPAA updates have helped to ensure healthcare organizations protect the privacy of patients and safeguard the confidentiality, integrity, and availability of PHI, while placing restrictions on how patient health information can be used and shared.

This news section also includes details of new guidance for covered entities on HIPAA Rules. Guidance is issued primarily by the Department of Health and Human Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC), and to a lesser extent, other regulators such as the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC).

The guidance is intended to help covered entities improve their compliance programs and address specific aspects of HIPAA Rules that are causing confusion or are proving to be problematic. Guidance is usually developed after issues have been identified during investigations of HIPAA breaches and privacy complaints, through HIPAA compliance audits, and from questions submitted by HIPAA-covered entities via the HHS website.

It has now been four years since the last major HIPAA updates were issued and many healthcare professionals, privacy groups and security experts believe that further updates are long overdue. When updates to HIPAA are proposed, HIPAA requirements are changed, or when new guidance is issued, you will find the details in the posts below.

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone (Sep 22)

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands. As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in...

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone (Sep 12)

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma. OCR has stressed that the HIPAA Privacy and Security...

AHA Urges Congress to Reduce Regulatory Burden on Hospitals (Sep 01)

In a recent letter to the House Ways and Means Health Subcommittee, the American Hospital Association (AHA) suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems. The AHA says the regulatory burden on hospitals and health systems is substantial and unsustainable and increased regulatory activity is making the situation worse. One example provided refers to the...

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone (Aug 31)

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts. In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need. The Privacy Rule permits...

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses (Aug 09)

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jessie’s Law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery....

OCR Data Breach Portal Update Highlights Breaches Under Investigation (Jul 25)

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal. The data...

OCR’s Wall of Shame Under Review by HHS (Jun 16)

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of...

Mississippi Division of Medicaid Announces Exposure of 5,220 Individuals’ PHI (Jun 09)

The Mississippi Division of Medicaid (DOM) has announced that 5,220 Medicaid recipients have had some of their protected health information (PHI) exposed via email as a result of an error with an online form service. DOM discovered that the online form service was sending emails containing PHI to staff members, but those emails were not encrypted. The online service was used by staff members to create forms that were posted on its...

DA Launches Criminal Investigation into Actions of Curious Healthcare Employee (Mar 22)

Healthcare employees discovered to have improperly accessed the medical records of patients are likely to be terminated by their employers for breaching internal policies as well as HIPAA Rules. However, loss of employment is not the only punishment. Employees could also face a criminal investigation into their conduct, regardless of the reason why medical data were accessed. A criminal investigation is likely if medical records have...

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management (Mar 02)

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks. While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations...

Will HHS Secretary Tom Price Ease HIPAA Regulations? (Feb 13)

Tom Price was appointed as secretary of the Department of Health and Human Services on February 10, 2017, replacing Sylvia Matthews Burwell. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights. The appointment of a new director for the Office for Civil Rights may not be first on Price’s to do list, although the new HHS secretary is...

OCR Updates HIPAA Privacy Rule Guidance for Healthcare Professionals (Jan 11)

The Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance for healthcare professionals to help clear up confusion about allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones. The majority of healthcare professionals are aware that the HIPAA Privacy Rule permits them to share the protected health information of a patient with a...

Quest Diagnostics Announces 34,000-Record ePHI Breach (Dec 13)

Madison, New Jersey-based clinical laboratory service provider Quest Diagnostics is alerting 34,000 patients that some of their electronic protected health information (ePHI) has been stolen. Quest Diagnostics is a business associate of many healthcare providers across the United States. Consequently, patients across the United States have been impacted by the breach. On November 26, 2016, an unknown individual gained access to the...

Further 4,100 Cardiac Patients Notified of Breach of ePHI (Dec 13)

A further 4,100 cardiac patients have been notified that some of their protected health information was exposed due to a security breach at Wilmington, DE-based Ambucor Health Solutions (AHS). The patients had previously had cardiac devices fitted at the New Mexico Heart Institute in Albuquerque. The Heart Institute contracted Ambucor Health Solutions to provide a cardiac monitoring service for its patients. AHS had implemented...

Security Cameras Could Be Your Biggest Security Weakness (Dec 09)

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility. Security and surveillance camera security weaknesses could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients. The past few...

ONC Issues Fact Sheet Explaining Exchange of Health Information for Public Health Activities (Dec 09)

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR) have published a new fact sheet explaining some of the circumstances under which the sharing of electronic healthcare information without patients’ written consent is permitted by Health Insurance Portability and Accountability Act (HIPAA) Rules. The HIPAA Privacy Rule came into...

Malvertising Campaign Highlights Importance of Patching Browsers (Dec 09)

The importance of ensuring browsers and plugins are kept up to date has been highlighted by the discovery of a malvertising campaign that is targeting readers of popular news websites such as Yahoo and MSN. In the past two months, millions of individuals have been exposed to malicious adverts which automatically redirect users to websites where malware is downloaded. The campaign – termed Stegano – is being used to distribute a range...

OCR Warns Covered Entities of Risk of DDoS Attacks (Dec 08)

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems have crashed, and other computer equipment has been taken out of action. DDoS attacks on healthcare organizations could prevent...

Lost CD Contained Social Security Numbers of 18,854 Health Plan Members (Dec 08)

18,854 health plan members have been notified of a potential breach of their protected health information following the loss of a compact disc in the mail. An employee at Aetna Signature Administrators (ASA), a provider of network and management services to group health plans, mailed a CD containing sensitive health plan members’ information to another ASA employee. The CD was mailed on September 6 and the envelope was delivered on...

Ransomware Attack Reported by East Valley Community Health Center (Dec 08)

West Covina, CA-based East Valley Community Health Center (EVCHC) has started notifying patients that some of their electronic protected health information was compromised when ransomware was installed on one of its servers. The ransomware attack occurred on October 18, 2016 and involved a ransomware variant called Troldesh/Shade. As with other forms of ransomware, Troldesh conducts scans of its local environment and encrypts a wide...

21st Century Cures Bill Sails Through Senate (Dec 08)

Last week, the House of Representatives unanimously voted in favor of the 21st Century Cures Act. Yesterday, the bill sailed through the Senate with a vote of 94-5. All that remains is for President Obama to add his signature to the bill, which is expected to happen in the next few days. President Obama has already said he is happy to sign the new bill. The bill will provide funding for a number of initiatives that are intended to...

Tampa General Hospital Settles Class Action Data Breach Lawsuit (Dec 07)

According to figures from the Federal Trade Commission, Florida is one of the top three states for fraud and identity theft. Criminals in the state use stolen consumer data to steal identities and file fraudulent tax returns, with the data often coming from healthcare organizations. Fraudsters often target the lowest paid healthcare workers and pay them to steal patients’ personal information and Social Security numbers. Many Florida...

Half of IT Pros Most Concerned About Insider Threats (Dec 06)

A considerable proportion of IT security budgets are directed to securing the network perimeter and with good reason. Hackers are breaking through security defenses with increasing frequency and this year has seen some of the biggest cyberattacks ever reported. However, internal threats should not be ignored. According to a recent Dimensional Research/Preempt study, most IT security professionals believe internal threats have...

Medical Devices Can Be Hacked Using Black Box Approach (Dec 05)

Researchers in the UK and Belgium have discovered it is possible to hack certain medical devices even without prior knowledge of how the devices work. Cyberattacks could be conducted to gain access to sensitive patient data or to cause patients to be harmed. The research team discovered that malicious messages could be sent to the devices and signals sent to prematurely drain batteries. The study was conducted by researchers...

Glendale Adventist Medical Center Fires Nurse for Inappropriately Accessing ePHI (Dec 05)

A nurse employed by Glendale Adventist Medical Center in Glendale, CA has been fired for inappropriately accessing the medical records of 528 patients of the medical center and White Memorial Medical Center in Boyle Heights, CA. The privacy breach was discovered in June 2016, although it is unclear when the nurse first started inappropriately accessing patient data. Glendale Adventist Medical Center discovered patient data were being...

Sagewood Retirement Community Attacked with Ransomware (Dec 02)

Sagewood, a retirement community in Phoenix, AZ, has notified 800 current and former residents about a ransomware attack that has potentially resulted in some of their electronic protected health information (ePHI) being accessed by the attackers. Sagewood enlisted the services of a computer forensics firm to investigate the attack. According to the substitute breach notice on the Sagewood website, the attack was short-lived. It was...

OptumHealth New Mexico Announces 2,000-Record Data Breach (Dec 02)

OptumHealth New Mexico has notified 2,006 patients of a privacy breach that was caused by one of its vendors. The vendor had downloaded some electronic protected health information to a flash drive, which was then sent to an undisclosed recipient by mail using the U.S. Postal Service. The flash drive did not arrive at its destination. Upon discovery of the loss, the U.S. Postal Service was notified but attempts to locate the device...

21st Century Cures Act Unanimously Passed by House (Dec 01)

The 21st Century Cures Act has been passed by the House of Representatives with a vote of 392-26. One Democrat and twenty Republicans voted against the bill. The legislation will now go to the Senate for the vote, which will take place early next week. The legislation was passed by the House last year, although the bill failed in the Senate in July 2015. Numerous revisions have been made since last summer and this time around the 21st...

OCR Warns Healthcare Organizations of Fake HIPAA Audit Emails (Dec 01)

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning to healthcare organizations about a new phishing email campaign that uses an official-looking OCR letterhead and the signature of OCR Director Jocelyn Samuels. Phishing emails usually encourage the recipients to click on malicious links that direct them to websites where malware is downloaded, to open infected email attachments, or to...

Healthcare Organizations Main Target for Hackers in 2017 (Nov 30)

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year. One of the key predictions is hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare...