Dedicated to providing the latest HIPAA compliance news

Tips for Reducing Mobile Device Security Risks
Nov 01

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobile devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI).

As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches involving mobile devices such as laptops, smartphones, tablets, and portable storage devices have been reported to OCR. Those breaches have resulted in the exposure of 1,303,760 patient and plan member records. 17 of those breaches resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could easily have been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Who Enforces HIPAA?
Oct 25

The Health Insurance Portability and Accountability Act (HIPAA) introduced many new rules for healthcare organizations, but who enforces HIPAA? Which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates?

Who Enforces HIPAA?

The primary enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). However, since the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009, state attorneys general have also had the power to enforce HIPAA Rules. The Centers for Medicare and Medicaid Services (CMS) also has some enforcement powers and is primarily responsible for enforcing the HIPAA administrative simplification regulations. The U.S. Food and Drug Administration (FDA) can also enforce HIPAA with respect to medical devices and may take action against healthcare organizations in certain situations.

HIPAA Enforcement by the HHS’ Office for Civil Rights

As the main enforcer of HIPAA Rules, the Office for Civil Rights...

53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct 09

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used does not mean data breaches will not occur, nor does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data, and many organizations are unaware that sensitive information is exposed.

A Business Associate Agreement Does Not Guarantee HIPAA Compliance

Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

What are the HIPAA Breach Notification Requirements?
Oct 04

All HIPAA-covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered. While most HIPAA-covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and the actions that must be taken following a breach. Issuing notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance, and failure to comply with the HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates.

Summary of the HIPAA Breach Notification Requirements...

Is OneDrive HIPAA Compliant?
Sep 30

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant? Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including Exchange Online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files.

Microsoft Supports HIPAA Compliance

There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA compliance, and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules. That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA). Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well...

August Sees OCR Breach Reports Surpass 2,000 Incidents
Aug 16

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame. August saw an unwanted milestone reached: there have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009. As of today, 2,022 healthcare data breaches have been reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000. The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015, when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far...

OCR Data Breach Portal Update Highlights Breaches Under Investigation
Jul 25

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal. The data breach list contains a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules. OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas), who said the breach portal was ‘unnecessarily punitive’ in its current form. For example, burglaries will occur even with reasonable physical security in place, and even with appropriate controls in place, rogue healthcare employees will on occasion access PHI out of curiosity or with malicious intent; some consider it unfair for those breaches to remain on public display...

U.S. Data Breaches Hit Record High
Jul 20

Hacking is still the biggest cause of data breaches, and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout. In its half-yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017, marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached, it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches. Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches. ITRC says it is becoming much more common to...

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018
Jul 18

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought. One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could...

Indiana Senate Passes New Law on Abandoned Medical Records
Jul 13

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information. HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit, and when PHI is no longer required, covered entities must ensure it is disposed of securely. For electronic protected health information, that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging, or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data; purging involves degaussing, or exposing media to strong magnetic fields, to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or...

OCR’s Wall of Shame Under Review by HHS
Jun 16

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected. The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches. Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list. Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently...

OCR Director Stresses Importance of Keeping Health Data Secure
Apr 28

The new director of the Department of Health and Human Services’ Office for Civil Rights, Roger Severino, has hinted that last year’s increase in settlements for non-compliance with HIPAA Rules was not a blip. OCR started the year with two settlements in January and a further two in February. While there was a break in March, April has seen three settlements announced. Financial penalties will continue to be issued when covered entities are discovered to have committed serious violations of HIPAA Rules. Speaking at the Health Datapalooza yesterday, Severino said he viewed himself as the ‘top cop’ of health IT and confirmed he is taking his new role seriously and that he “came into this job with an enforcement mindset.” Further settlements with covered entities found to have ignored HIPAA Rules are to be expected. Severino highlighted the most recent OCR settlement – the $2.5 million penalty for CardioNet – as an example of just how important it is for healthcare organizations of all types to ensure that reasonable steps are taken to safeguard patient data and ensure ePHI remains...

Healthcare Industry Prepares for the HIPAA 2017 Audits
Jan 10

Given the number of HIPAA 2017 audits that OCR has planned, the probability of any healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax when it comes to HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared. Even if covered entities and business associates have not been selected for a desk audit, they may be selected for a full compliance audit later this year. And even if a healthcare organization escapes a 2017 HIPAA compliance audit, OCR will investigate if it experiences a data breach. OCR follows up on all data breaches impacting more than 500 individuals. Covered entities that have experienced a data breach or security incident will be required to demonstrate that HIPAA Rules have not been violated and that their policies and procedures comply with the HIPAA Rules. The high number of healthcare data breaches reported in recent years shows healthcare organizations need to be prepared for a HIPAA investigation in the event that a security incident is...

HHS Criticized by GAO for ePHI Security Guidance and CE Oversight
Sep 27

The Government Accountability Office (GAO) has slammed the Department of Health and Human Services (HHS) for its lack of oversight of HIPAA-covered entities and for its guidance to covered entities on the security controls to implement to keep electronic protected health information (ePHI) secure. A GAO study on the current health information cybersecurity infrastructure was requested by the U.S. Senate’s Chairman of the Committee on Health, Education, Labor and Pensions, Sen. Lamar Alexander (R-Tenn.), and ranking member Sen. Patty Murray (D-Wash.). GAO wanted to determine whether the standards and guidance issued by the HHS under HIPAA/HITECH were consistent with federal information security guidance, assess the extent to which the HHS is overseeing compliance with the HIPAA Privacy and Security Rules, and find out whether its efforts are being effectively executed. GAO also examined the benefits of using electronic health records and the cyber threats to electronic health data. The study was conducted following a particularly bad year for the healthcare industry. More than 113 million records were...

OCR to Receive $4 Million Budget Increase to Support Audit Program
Feb 10

The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million.

HIPAA Compliance Audit Program to Receive a Funding Boost

The second phase of compliance audits is penciled in to start “in early 2016,” although the start date has yet to be announced. OCR was mandated to conduct HIPAA compliance audits by the Health Information Technology for Economic and Clinical Health Act (HITECH), and while the pilot phase of audits took place in 2011/2012, the second phase has suffered delay after delay. Those delays have been attributed to a lack of funding. The additional $4 million is therefore much needed, especially after the budget freeze in 2016. The purpose of the audits is in part to ensure that covered entities (healthcare providers, healthcare clearinghouses, health insurers, and business associates of covered entities) are complying with HIPAA regulations. The audits will also give OCR insight into the...

OIG Releases 2016 Work Plan: Expect Greater Oversight of OCR, Medical Devices and Emergency Planning
Nov 06

Over the course of the next year, OIG is expecting to increase oversight of the Department of Health and Human Services’ Office for Civil Rights. OIG will also be looking closely at a specific area of HIPAA compliance: how hospitals are complying with the HIPAA Security Rule requirement for contingency planning for emergencies.

HIPAA Requirements for Coping in Emergencies

The administrative safeguards of the HIPAA Security Rule (45 CFR, Part 164 § 308(7)(i)) require all covered entities to be able to continue to function during emergency situations. Access to Protected Health Information (PHI) must be maintained at all times. Should access be lost, it must be restored as a priority. In order for covered entities to be able to do this, proactive steps must be taken. It is essential that policies and procedures are developed that can be implemented in case of disaster. Rapid action is required, and every individual must be aware of his or her responsibilities in case of emergency. This applies to emergency situations such as natural disasters, as well as to times when EHR...

New Basic Guide to HIPAA Compliance Released By HHS
Aug 05

The Department of Health and Human Services’ Office for Civil Rights has recently issued a basic guide to HIPAA compliance: a summary of HIPAA Rules for covered entities.

A Basic Guide to HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA-covered entities to safeguard data, protect the privacy of patients, and notify them of incidents that expose their Protected Health Information (PHI). HIPAA legislation is complicated, and many covered entities, especially smaller healthcare providers, struggle to understand the HIPAA Privacy, Security, and Breach Notification Rules and to turn those rules into policies and procedures. The Department of Health and Human Services’ Office for Civil Rights is the enforcer of HIPAA Rules, and while the agency investigates data breaches, it is also charged with improving understanding of data privacy and security legislation. One way it achieves this objective is by issuing guidance to...

What are the Penalties for HIPAA Violations?
Jun 24

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect from March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations...

HIPAA Compliance Audits: OCR Transmits Pre-Screening Surveys
May 08

According to a recent article in Lexology, the Department of Health and Human Services’ Office for Civil Rights has started transmitting pre-screening surveys to HIPAA-covered entities, signaling the start of the long-awaited second round of HIPAA compliance audits. However, the OCR has yet to post a notice on its website to that effect.

OCR Prepares for the Second Phase of Compliance Audits

The OCR previously placed a notice in the Federal Register stating its intention to send out pre-audit screening questionnaires to up to 1,200 covered entities and their Business Associates last year, allowing organizations to be contacted to assess their suitability for audit. The OCR must ensure that a representative sample of covered entities is audited, including both large and small healthcare providers, healthcare clearinghouses, insurers, and health plans, as well as Business Associates of covered entities. The audits must also be geographically representative, covering the whole of the United States. According to the OCR’s Susan McAndrew, the screening questionnaires are to “assess the...

OCR Gives Updates at HIMSS15 but no Timescale for Compliance Audits
Apr 16

The Department of Health and Human Services’ Office for Civil Rights has not used the HIMSS 2015 conference as a podium to announce the start of the long-awaited second round of HIPAA compliance audits, although a number of OCR officials have given an insight into what it has in store for 2015. HIMSS 2015 is a time of learning for healthcare professionals. The protection of EHRs – and the best practices and technology to adopt to protect them – is a major focus at this year’s conference. Cybersecurity is top of the agenda, and the high-profile “mega-breaches” of recent months have got healthcare IT professionals looking for answers. The words “data breach” may be enough to bring out a cold sweat at the conference, although there were plenty in attendance on Monday for the session by Marion Jenkins, Chief Strategy Officer at 3t Systems, which gave a brief history of HIPAA and examined a decade of data breaches. Jenkins recounted the enforcement actions already taken by the OCR since it took charge of policing HIPAA, and pointed out that it has increased its enforcement...

Delegates Prepare for the 23rd National HIPAA Summit
Mar 09

Next week, government department heads and industry leaders will meet at the 23rd National HIPAA Summit to give updates on the progress that has been made over the past 12 months and to provide information on new laws and regulations. The summit also offers an opportunity for compliance officers and other healthcare professionals to receive training on a wide range of healthcare IT and HIPAA-compliance issues. The threat of cyberattacks on healthcare providers has risen to an all-time high, and healthcare costs are spiraling out of control. The industry may be in critical condition, yet healthcare providers, health plans and other covered entities must find the funding to improve data security and protect the privacy of patients and health plan members. Since the introduction of HIPAA this has been a major challenge, but with the introduction of HITECH, the Affordable Care Act (Obamacare), the move to ICD-10 coding and the passing of the HIPAA Omnibus Rule, the challenge has grown. HIPAA-covered entities now face a huge financial and administrative burden to comply with these...

Why is the OCR Not Issuing More HIPAA Fines?
Feb 28

The Department of Health and Human Services’ Office for Civil Rights is tasked with policing HIPAA, and there has been no shortage of HIPAA violations of late, so why is the OCR not issuing more HIPAA fines?

Huge Data Breaches – Numerous HIPAA Violations – 22 Financial Penalties

Since October 2009, 1,140 data breaches affecting more than 500 individuals have been reported to the OCR, while there have been more than 120,000 breaches involving fewer than 500 individuals. Out of those incidents – including a large number that involved or directly resulted from HIPAA violations – only 22 have warranted OCR HIPAA penalties, according to research conducted by ProPublica. The OCR has been reserving financial penalties for organizations that “have involved systemic and/or long-standing”, and is cautious about exercising its rights and fining HIPAA violators. Interestingly, the California Department of Public Health is more active when it comes to holding healthcare organizations accountable for their lack of attention to HIPAA legislation. It too has issued 22 fines to HIPAA...

Should HIPAA be Expanded to Improve Defenses Against Hackers?
Feb 12

The recent massive data breach at Anthem Inc. has caused the HIPAA Privacy and Security Rules to come under the spotlight, with many asking if the legislation – in its current format – goes far enough to protect the privacy of patients and health plan members. The Anthem breach could potentially have been avoided had the insurer used full data encryption along with the appropriate security controls to keep the encryption keys private. HIPAA Rules could certainly be tightened to improve data security, but that is no guarantee that healthcare organizations would comply promptly and implement those additional controls. HIPAA does not currently specify that an organization must use data encryption, only that the issue should be addressed. Data encryption is therefore voluntary, and according to a Forrester Research report released in September 2014, only 59% of healthcare organizations had implemented full-disk encryption or partial encryption of healthcare data. Before covering the question of whether legislation needs to be tightened, here is a refresher of what legislation has been...

No Timetable for HIPAA Audits Provided by OCR Director
Jan 14

OCR Director Jocelyn Samuels has revealed that the expected round of HIPAA audits could still be some time off. In a Jan 13 media briefing, the OCR Director refused to commit to a timescale for the next round of audits, which were originally expected to take place in the fall of 2014. The delay has previously been attributed to issues with the implementation of new technology to allow audit documents to be collected and processed. No reason was given for the continued delay to the audit program, other than the fact that the OCR still has plenty of work to do before the audit program can be launched. The pilot audits first took place in 2012, with an initial 115 organizations assessed for compliance. KPMG conducted the audits, and the procedures and protocols have needed to be revised to accommodate the changes made by the introduction of the Omnibus Final Rule in 2013. The delay gives healthcare organizations some more time to conduct risk assessments, review and revise business associate agreements and make sure all HIPAA regulations are being followed. Samuels confirmed that...

HIPAA Compliance: A Year on from the Omnibus Rule
Apr 24

It has been a little over a year since the Omnibus Rule brought HIPAA legislation in line with HITECH, and it has now been six months since adoption of all aspects of the rule became mandatory and compliance became enforceable. The Omnibus Rule may not have introduced any major legislative changes, but it did contain a huge number of amendments to HIPAA to fine-tune the bill and tighten up the language, as well as to bring Business Associates into the fold and increase the financial penalties for non-compliance. The Department of Health and Human Services’ Office for Civil Rights will need to assess for compliance with the Omnibus Rule and is expected to do so in the next round of audits, scheduled to commence in the fall of this year. Covered organizations have a few months before the auditors come knocking; when they do, however, they will be looking for evidence of the measures that have been implemented to comply with the HIPAA Privacy and Security Regulations. Now is therefore no time for rest. It’s time to get prepared. There are also many government agencies looking closely...

First Anniversary of the HIPAA Omnibus Rule
Apr 16

Just over 12 months ago the HIPAA Omnibus Rule was introduced to plug a number of gaps in the legislation and bring Business Associates more comprehensively under HIPAA Rules. The new Rule also brought financial penalties in line with the HITECH Act. The amendment to HIPAA has been effective for a year now, and it has been enforceable for 6 months. Not long is left before the Department of Health and Human Services’ Office for Civil Rights (OCR) starts conducting compliance audits again. It is currently preparing the second round of HIPAA compliance audits, in addition to investigating organizations reporting breaches of Protected Health Information (PHI). The anniversary of the introduction of the rule will probably not feel like something worth celebrating for many organizations, especially those that have struggled under the new requirements. For those that have already made the necessary updates to policies and procedures, standards must not be allowed to slip. Now is a good time to take stock and assess compliance before the audits commence.

HIPAA Compliance Audits are Coming...

Study Shows Healthcare IT Security is in a Shocking State
Mar 04

Two recent studies confirm that the healthcare industry has not invested sufficiently in IT and that the general state of healthcare cybersecurity is dire. There has been a marked rise in reported data breaches in recent years, and while the increase has been attributed in part to increased reporting of security breaches – as required by HIPAA and HITECH – there are two areas of healthcare IT security that must be addressed immediately, certainly if HIPAA violations and penalties are to be avoided. The first is training. Data breaches have many causes, although a substantial percentage result from carelessness. Doctors and nurses unaware of the rules covering the disclosure of PHI are inadvertently causing HIPAA breaches. Hospital administrators are improperly disposing of paper records and failing to securely delete electronic health records. Physicians are still leaving laptops containing unencrypted PHI in plain sight in unattended vehicles. Tackling these issues will prevent the majority of data breaches reported to the OCR each year.
The Future of Healthcare Data Security...

Read More
OCR to Commence Round 2 HIPAA Compliance Audits
Feb28

The Office for Civil Rights of the Department of Health and Human Services is a step closer to commencing the second round of HIPAA compliance audits, having issued a notice in the Federal Register announcing its intention to conduct a series of 1,200 pre-audit surveys. The OCR is authorized to conduct compliance audits under Section 13411 of the HITECH Act and intends to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The notice states that the OCR intends to survey 800 healthcare providers, clearinghouses and health plans, in addition to 400 of their business associates, as part of the next round of compliance audits. Since the introduction of the Omnibus Rule, Business Associates can be held liable for HIPAA non-compliance and data breaches, and the OCR wants to ensure that the new legislation is being followed. OCR Deputy Director Susan McAndrew announced at the 2014 HIMSS Annual Conference on February 24 that the aim of the survey is to assess suitability for audit. Since the sample was taken at random, the OCR must first weed out organizations in its...

Read More
Healthcare Organizations Concerned about HIPAA Security and Compliance
Jan29

A recent survey conducted by eFax aimed to discover some of the main issues faced by HIPAA-covered entities when it comes to the transmission of Protected Health Information (PHI). The survey was conducted to allow the company to explore healthcare communications and to identify some of the key issues which need to be addressed to help IT administrators become, and stay, compliant with HIPAA. The survey was sent to the company’s corporate healthcare customers, which included large healthcare providers and hospitals, physician group practices and medical suppliers.
HIPAA Compliance is the Major Concern
54.1% of respondents said that HIPAA compliance was their biggest area of concern for dealing with the increase in paperwork that comes with healthcare exchanges and the Affordable Care Act. It is now 6 months on from the issuing of the Omnibus Rule and compliance is still clearly a major problem, as are the huge financial penalties that can be issued for HIPAA violations. 37.1% of respondents said that their biggest security concern about PHI and sensitive data was financial...

Read More
Office of Civil Rights Responds to OIG HIPAA Enforcement Criticisms
Dec31

The Office of the Inspector General of the Department of Health and Human Services has recently issued a report stating that the Office for Civil Rights failed to meet all the federal requirements it was set, and specifically criticized it for not having overseen and enforced the HIPAA Security Rule to the required degree. According to the OIG, there were two key requirements under the Security Rule that the OCR had not met:
- OCR had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements.
- OCR’s Security Rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation.
The OIG recommended that immediate action be taken to address these failures, including conducting periodic audits of covered entities to ensure that the amendments to HIPAA due to the HITECH Act are assessed. It...

Read More
How to Reduce Human Error and Prevent HIPAA Breaches
Dec30

This year has seen a number of large data breaches which have exposed the Protected Health Information of millions of Americans, placing them at an increased risk of becoming victims of identity theft and medical fraud. While some deliberate attacks have infiltrated computer networks, in many cases it is human error that exposes patient data to unauthorized third parties. Misplaced or unguarded portable devices have resulted in massive data breaches, and many simple errors and oversights have resulted in patient details being exposed. Healthcare organizations are now required to store an increasing volume of data in electronic format. While data security used to mean locked filing cabinets and a small security presence, the increased risks faced by today’s healthcare providers require an increasingly technical array of security measures to be employed to keep patient data secure. Even when legislation is followed to the letter and all of the appropriate technical, physical and administrative safeguards are put in place, a simple mistake by a member of staff can easily cause a data...

Read More

2014 Likely to See Surge in HIPAA Data Breaches

A new report released by the Experian credit bureau predicts that 2014 is likely to be a major year for data breaches, with a surge in numbers expected over the course of the year. The report also predicts the healthcare industry will be hit hard. The report says that the reason healthcare is so susceptible to attack is the sheer size of the industry. There is what the report calls an “expanded attack surface for breaches,” due to new EHRs and Health Insurance Exchanges (HIEs), while the value and volume of data held makes healthcare providers attractive targets for cyber criminals. Experian offers credit monitoring services, but also assists customers to recover from data breaches. The company indicated that 46% of the data breaches it dealt with last year were from the healthcare industry. The report cites a number of reasons why data breaches are expected to rise, and indicates it is mainly due to the huge organizational infrastructure changes that are required under the Affordable Care Act, HIPAA, HITECH and other legislation, together with general unpreparedness, a huge number...

Read More
HIPAA Omnibus Rule Places Further Restrictions on Marketing
May05

The introduction of the Omnibus Final Rule, also known as the HIPAA Mega Rule due to the extent to which it alters the current legislation, tightens up many loose ends left by the HIPAA Privacy Rule with regard to marketing. The use of Protected Health Information (PHI) for marketing purposes was restricted by the Privacy Rule, which required patients to provide written consent allowing the use of their health information for marketing purposes. Further restrictions were placed on the use of PHI data with the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This last piece of legislative change prevented further marketing practices that could previously be performed without prior consent being obtained. The introduction of the Omnibus Final Rule in January this year completed the changes concerning marketing, and all organizations are now required to abide by the new rules, with the final date for full adoption being October 23, 2013, the date the Final Rule will be enforced. Marketing has long been a target for the...

Read More
HIPAA Omnibus Rule Comes into Force
Mar31

The HIPAA Omnibus Rule was published on Jan 25, 2013 by the Department of Health and Human Services (HHS) as an amendment to the Health Insurance Portability and Accountability Act (HIPAA). The new rule came into force on March 26, 2013 and modifies existing HIPAA regulations to provide greater protection of patient data, extending the reach of HIPAA and modifying regulations to bring them in line with the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Omnibus Rule contains many amendments and introduces four new rules. The HIPAA Privacy, Security and Enforcement regulations have been updated as follows:
- Liability for HIPAA compliance extended to include business associates and subcontractors.
- Sale of PHI prohibited without authorization, and the use of PHI for marketing or fundraising has been prohibited.
- Greater powers for patients, allowing them access to their electronic medical and health data, while restricting information which must be disclosed to a health plan if treatment has been paid for in full by the patient.
- Notices of...

Read More
Data Encryption Advisable but not Mandatory Under HIPAA
Feb01

Healthcare organizations must take steps to prevent confidential patient health data from being viewed, accessed or used by unauthorized individuals, although current HIPAA regulations do not require healthcare organizations – or their business associates – to encrypt PHI data. However, according to the Director of the Office for Civil Rights, Leon Rodriguez, it is strongly advisable. Since the introduction of the HITECH Act (2009), the HIPAA data breach rule has required healthcare organizations to report any loss of a laptop or mobile device containing patient data as a HIPAA breach; however, the loss is not reportable if the data on the device has been encrypted (provided the encryption is in accordance with the guidance issued by the National Institute of Standards and Technology). According to Rodriguez, in all cases of laptop or computer theft reported to date, financial penalties would have been avoided if the data contained on the lost or stolen devices had been encrypted. Following a data breach, HIPAA covered entities are required to notify all individuals affected by the...

Read More
HIPAA Omnibus Rule Final Release Issued
Jan25

The HIPAA Omnibus Rule (Health Insurance Portability and Accountability Act of 1996 Omnibus Rule) was drafted in July 2010; however, the final release was delayed until this month in order to address some of the concerns raised by stakeholders about the latest HIPAA amendment. The final rule had been held by the Office of Management and Budget since March last year, but the final release has now been issued. All HIPAA-covered entities – and their business associates – must read the new rule, make changes to existing policies and procedures, and factor in the new amendments. Healthcare organizations have 180 days to effect the changes, as the Final Rule will not be enforced until Sept 22, 2013. The new rule has been issued to bring HIPAA in line with HITECH, and was introduced by the U.S. Department of Health and Human Services’ Office of Civil Rights to cover the use of Health Information Technology (HIT) and ensure that patient health information is properly protected. The final rule represents a major change to the legislation and is the most extensive...

Read More
Penalties for Data Breaches Increased Under HIPAA Omnibus Rule
Jan23

Financial penalties for healthcare organizations found in violation of HIPAA regulations are to be increased substantially as part of the HIPAA Omnibus Rule, which will also be applied to business associates and their subcontractors. The original fine structure was established by the American Recovery and Reinvestment Act of 2009 (ARRA), although no further increases have been made in the following four years. The new tiered financial penalties have been introduced in line with the Health Information Technology for Economic and Clinical Health Act (HITECH) and increase the maximum penalties for each non-compliance offense, in addition to increasing the maximum penalty for repeat violations. Healthcare organizations committing a one-time violation will still receive a maximum penalty of $50,000; however, repeat violations can now see fines of up to $1.5 million issued, with the maximum penalty now applying to all HIPAA violation categories. While willful neglect carries a $50,000 penalty for each violation, a lack of knowledge of HIPAA and its subsequent amendments is not a...

Read More
Massachusetts Healthcare Provider to pay $1.5M HIPAA Settlement to HHS
Dec17

The theft of a laptop computer from a healthcare center belonging to Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) has resulted in a settlement of $1.5 million with the HHS Office for Civil Rights for HIPAA violations. The U.S. Department of Health and Human Services is enforcing Health Insurance Portability and Accountability Act compliance, and MEEI was deemed to have violated the Security Rule by failing to take adequate precautions to protect the health information of its patients and research subjects. The laptop contained unencrypted data which could be accessed by the person in possession of the laptop. The data included patient prescription details, clinical information and other protected data that could potentially be used to commit medical and identity fraud. Under the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule, the HHS must be notified of security breaches involving the exposure of patients’ PHI. When MEEI issued the notification, it triggered the OCR investigation....

Read More
Healthcare Data Breaches Exceed 500
Nov02

In September 2009, following the incorporation of the requirements of the HITECH Act into HIPAA legislation, the Department of Health and Human Services started monitoring healthcare data breaches. Since that date all data breaches affecting over 500 individuals must be reported within 60 days of the breach being discovered. Over 21.2 million individuals have been affected by healthcare data breaches since records started being kept, and the tally of data breaches has now exceeded the 500 milestone. The Health Insurance Portability and Accountability Act was introduced with a number of aims, one of which was to ensure Protected Health Information is safeguarded and protected from unauthorized access, disclosure, hacking, loss and theft. The legislation also covers patient privacy and restricts the information that can be disclosed without authorization. HIPAA is supposed to ensure that all covered entities implement administrative, technical and physical safeguards to protect PHI and meet a minimum national standard of data security. The problem is that covered entities are not...

Read More
HIPAA Audit Protocol Published by Office for Civil Rights
Jul24

The introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 updated HIPAA, and as such it required the Department of Health & Human Services’ Office for Civil Rights (OCR) to conduct a program of compliance audits to ensure the new rules had been applied. Following a series of 20 preliminary pilot audits, the OCR has devised an audit protocol which will be used to assess compliance at a total of 155 HIPAA-covered entities, with the audits concluding in December 2012. Since any entity can be audited – not just large healthcare providers – it is important that all organizations check their procedures and revise them as appropriate to take the new Security Rule requirements into account. The OCR has now published the long-awaited details of the audit program on its website, detailing the specific aspects of HIPAA, the Privacy Rule, Security Rule and Breach Notification Rules that will be assessed.
OCR Pilot Audit Protocol 2012
There are three main aspects of the legislation which are being specifically tested under the audit...

Read More
Alaska DHSS Reaches $1.7M Settlement with OCR for HIPAA Security Rule Violations
Jun26

The theft of a portable hard drive from an employee of the Alaska Department of Health and Social Services (DHSS) potentially exposed the ePHI of an estimated 2,000 individuals. Following an investigation by the HHS Office for Civil Rights (OCR), a settlement has been reached and the Alaska DHSS must pay the HHS $1.7 million for the HIPAA Security Rule violations. The U.S. Department of Health and Human Services’ Office for Civil Rights was alerted to the breach when the Alaska DHSS reported the hard drive theft. All healthcare organizations must submit a report of data security breaches affecting more than 500 individuals to HHS Secretary Sebelius under Health Information Technology for Economic and Clinical Health (HITECH) regulations (smaller breaches need only be reported annually). A media announcement must also be made to alert potential victims, and Breach Notification Rules require all individuals to be contacted and advised of the security breach to allow them to take action to protect their identities and finances. The investigation unearthed a number of non-compliance...

Read More
Attorney General’s Office Confirms HIPAA Settlement Reached with South Shore Hospital
May27

An announcement has been made by the Office of the Massachusetts Attorney General that a settlement has now been reached with South Shore Hospital. The healthcare provider will be required to pay a fine of $750,000 for violations of the state Consumer Protection Act (Massachusetts General Law Chapter 93A) and for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement was reached for the accidental exposure of Protected Health Information and for failing to securely erase ePHI. The violation occurred when three backup tapes containing unencrypted ePHI were accidentally sent to a data archiving company to be erased and resold; however, that company was not informed of the contents of the tapes. Two of those tapes were subsequently lost and have not been recovered. The Attorney General’s investigation revealed that a number of errors had been made by the hospital. The hospital had failed to obtain a signed business agreement and did not determine whether its choice of data company complied with HIPAA regulations. The passing of the Health...

Read More
Blue Cross Blue Shield to Pay HHS $1.5M for HIPAA Breach
Mar13

The Office for Civil Rights has made its first enforcement action stemming from the HITECH Breach Notification Rule and has fined Blue Cross Blue Shield of Tennessee (BCBST) for violating the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (1996). BCBST has now negotiated a settlement with the HHS and will pay $1.5 million for potential HIPAA violations arising from the security breach. The data breach was one of the largest ever reported, involving the PHI of over 1 million individuals. Substantial patient information was exposed, including Social Security numbers, dates of birth, health plan numbers, contact information and medical diagnosis codes. The data was stored on 57 unencrypted hard drives which were stolen from its facilities in Tennessee. Under the HIPAA Security Rule, healthcare organizations must ensure that the appropriate physical, technical and administrative safeguards are put in place to protect the ePHI of patients. When the OCR conducted its investigation, it determined that BCBST had not taken sufficient precautions to protect...

Read More
Sutter Health Sued for 4.24M HIPAA Mega Breach
Nov30

Two class action lawsuits have now been filed against the Sutter Health hospital system in Northern California after a burglary at its administrative offices in Sacramento potentially exposed the Protected Health Information of 4.24 million patients. Over the weekend of Oct 15-16, thieves gained access to the offices by throwing a rock through a window. Once inside they cleared the office of electrical equipment, including a PC, mouse and computer monitors. The PC contained data relating to 3.3 million former and current patients of Sutter Physician Services (SPS), with the records dating back to 1995. Social Security numbers were not included in the data, although some personally identifiable information could potentially have been accessed by the thieves. The data included names, dates of birth, addresses, phone numbers and some email addresses. The breach also exposed the medical records of 943,000 patients from the Placer, Sacramento, Solano, Sutter, Yolo and Yuba counties who had been treated by Sutter Medical Foundation doctors from January 2005 to the present. One of the...

Read More
Texas Expands HIPAA Privacy Laws to Bolster EHR Security
Aug04

Texas Governor Rick Perry has signed a new law to give Texas residents even greater protection than required by the Health Insurance Portability and Accountability Act, and has increased penalties for healthcare organizations that fail to implement the appropriate security measures to protect the health data of patients. Under the Health Information Technology for Economic and Clinical Health Act (HITECH), covered entities have a number of responsibilities, including reporting data breaches to the Office for Civil Rights (OCR). Data breaches are reportable to the OCR, either in an end-of-year report or after an investigation, depending on the number of individuals affected. HIPAA places a number of restrictions on how ePHI is used and stored, and all covered entities are required to conduct a full risk analysis to assess systems for security vulnerabilities so that risk can be managed. It also lays down the procedures that must be followed after a data breach, such as notifying potential victims. Covered organizations are also required to conduct an investigation into how a...

Read More
Connecticut Attorney General First to Take Action for HIPAA Violations
Jul07

The Connecticut Attorney General, Richard Blumenthal, has announced that a settlement has been reached with healthcare provider Health Net over violations of the Health Insurance Portability and Accountability Act (HIPAA). The Connecticut AG is the first to exercise the right to enforce HIPAA since the power to do so was given to AGs following amendments to HIPAA brought about by the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). Health Net was fined £250,000 for failing to implement adequate controls to protect the health data of its patients and for violations of Breach Notification Rules. Legal action was taken against Health Net following the loss of an unencrypted disc drive in May 2009 which exposed the data of 1.5 million Americans, 446,000 of whom were Connecticut residents. The incident exposed Social Security Numbers, financial information and personal identifiers, with the subsequent investigation concluding that the drive was most likely stolen. In addition to the fine, Health Net has been ordered to provide two...

Read More