Dedicated to providing the latest
HIPAA compliance news

August Sees OCR Breach Reports Surpass 2,000 Incidents
Aug16

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame.  August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009. As of today, there have been 2,022 healthcare data breaches...

OCR Data Breach Portal Update Highlights Breaches Under Investigation
Jul25

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal. The data...

U.S. Data Breaches Hit Record High
Jul20

Hacking is still the biggest cause of data breaches, and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout. In its half-yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017, marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that...

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018
Jul18

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving...

Indiana Senate Passes New Law on Abandoned Medical Records
Jul13

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information. HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and...

OCR’s Wall of Shame Under Review by HHS
Jun16

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of...

OCR Director Stresses Importance of Keeping Health Data Secure
Apr28

The new director of the Department of Health and Human Services’ Office for Civil Rights, Roger Severino, has hinted that last year’s increase in settlements for non-compliance with HIPAA Rules was not a blip. OCR started the year with two settlements in January and a further two in February. While there was a break in March, April has seen three settlements announced. Financial penalties will continue to be issued when covered...

Healthcare Industry Prepares for the HIPAA 2017 Audits
Jan10

Given the number of HIPAA 2017 audits that OCR has planned, the probability of any healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax when it comes to HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared. Even if covered entities and business associates have not been selected for a desk audit,...

HHS Criticized by GAO for ePHI Security Guidance and CE Oversight
Sep27

The Government Accountability Office (GAO) has slammed the Department of Health and Human Services (HHS) for its lack of oversight of HIPAA covered entities and the guidance for covered entities on security controls to implement to keep electronic protected health information (ePHI) secure. A GAO study on the current health information cybersecurity infrastructure was requested by the U.S. Senate’s Chairman of the Committee on Health,...

OCR to Receive $4 Million Budget Increase to Support Audit Program
Feb10

The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million. HIPAA Compliance Audit Program to Receive a Funding Boost   The second phase of compliance audits is penciled in to start “in early 2016,” although the start date has yet to be announced. OCR...

OIG Releases 2016 Work Plan: Expect Greater Oversight of OCR, Medical Devices and Emergency Planning
Nov06

Over the course of the next year, OIG is expecting to increase oversight of the Department of Health and Human Services’ Office for Civil Rights. OIG will also be looking closely at a specific area of HIPAA compliance: How hospitals are complying with the HIPAA Security Rule requirement for contingency planning for emergencies. HIPAA Requirements for Coping in Emergencies   The administrative safeguards of the HIPAA Security Rule...

New Basic Guide to HIPAA Compliance Released By HHS
Aug05

The Department of Health and Human Services’ Office for Civil Rights has recently issued a basic guide to HIPAA compliance; a summary of HIPAA Rules for covered entities. A Basic Guide to HIPAA Compliance   The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA covered entities, to safeguard...

What are the Penalties for HIPAA Violations?
Jun24

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.  The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on...

HIPAA Compliance Audits: OCR Transmits Pre-Screening Surveys
May08

According to a recent article in Lexology, the Department of Health and Human Services’ Office for Civil Rights has started transmitting pre-screening surveys to HIPAA-covered entities signaling the start of the long awaited second round of HIPAA compliance audits. However, the OCR has yet to post a notice on its website to that effect. OCR Prepares for the Second Phase of Compliance Audits   The OCR previously placed a notice in...

OCR Gives Updates at HIMSS15 but no Timescale for Compliance Audits
Apr16

The Department of Health and Human Services’ Office for Civil Rights has not used the HIMSS 2015 conference as a podium to announce the start of the long awaited second round of HIPAA compliance audits; although a number of OCR officials have given an insight into what it has in store for 2015. HIMSS 2015 is a time of learning for healthcare professionals. The protection of EHRs – and best practices and technology to adopt to protect...

Delegates Prepare for the 23rd National HIPAA Summit
Mar09

Next week, government department heads and industry leaders will meet at the 23rd National HIPAA Summit to give updates on the progress that has been made over the past 12 months and to provide information on new laws and regulations. The summit also offers an opportunity for compliance officers and other healthcare professionals to receive training on a wide range of healthcare IT and HIPAA-compliance issues. The threat of...

Why is the OCR Not Issuing More HIPAA Fines?
Feb28

The Department of Health and Human Services’ Office for Civil Rights is tasked with policing HIPAA, and there has been no shortage of HIPAA violations of late, so why is the OCR not issuing more HIPAA fines? Huge Data Breaches – Numerous HIPAA Violations – 22 Financial Penalties Since October 2009, 1,140 data breaches affecting more than 500 individuals were reported to the OCR, while there were more than 120,000 breaches involving...

Should HIPAA be Expanded to Improve Defenses Against Hackers?
Feb12

The recent massive data breach at Anthem Inc. has caused HIPAA Privacy and Security Rules to come under the spotlight, with many asking if the legislation – in its current format – goes far enough to protect the privacy of patients and health plan members. The Anthem breach could potentially have been avoided had the insurer used full data encryption along with the appropriate security controls to keep the security keys...

No Timetable for HIPAA Audits Provided by OCR Director
Jan14

OCR Director Jocelyn Samuels has revealed that the expected round of HIPAA audits could still be some time off. In a Jan 13 media briefing the OCR Director refused to commit to a timescale for the next round of audits, which were originally expected to take place in the fall of 2014. The delay has previously been attributed to issues with the implementation of new technology to allow audit documents to be collected and processed. No...

HIPAA Compliance: A Year on from the Omnibus Rule
Apr24

It has been a little over a year since the Omnibus Rule brought HIPAA legislation in line with HITECH, and it has now been six months since adoption of all aspects of the rule became mandatory, and compliance has been enforceable. The Omnibus Rule may not have introduced any major legislation changes, although it did contain a huge number of amendments to HIPAA to fine tune the bill and tighten up the language, as well as bring...

First Anniversary of the HIPAA Omnibus Rule
Apr16

Just over 12 months ago the HIPAA Omnibus Rule was introduced to plug a number of gaps in the legislation and bring Business Associates more comprehensively under HIPAA Rules. The new Rule also brought financial penalties in line with the HITECH Act. The amendment to HIPAA has been effective for a year now and it has been enforceable for 6 months. Not long is left before the Department of Health and Human Services’ Office for Civil...

Study Shows Healthcare IT Security is in a Shocking State
Mar04

Two recent studies confirm that the healthcare industry has not invested sufficiently in IT and the general state of healthcare cybersecurity is dire. There has been a marked rise in reported data breaches in recent years and while the increase has been, in part, attributed to increased reporting of security breaches – as required by HIPAA and HITECH – there are two areas of healthcare IT security that must be immediately addressed;...

OCR to Commence Round 2 HIPAA Compliance Audits
Feb28

The Office for Civil Rights of the Department of Health and Human Services is a step closer to commencing the second round of HIPAA compliance audits, issuing a notice in the Federal Register announcing its intention to start a series of 1,200 pre-audit surveys. The OCR is authorized to conduct compliance audits under Section 13411 of the HITECH Act and intends to assess compliance with HIPAA Privacy, Security, and Breach Notification...

Healthcare Organizations Concerned about HIPAA Security and Compliance
Jan29

A recent survey conducted by eFax aimed to discover some of the main issues faced by HIPAA-covered entities when it comes to the transmission of Protected Health Information (PHI). The survey was conducted to allow the company to explore healthcare communications and to identify some of the key issues which need to be addressed to help IT administrators become, and stay, compliant with HIPAA. The survey was sent to the company’s...

Office of Civil Rights Responds to OIG HIPAA Enforcement Criticisms
Dec31

The Office of the Inspector General of the Department of Health and Human Services has recently issued a report stating that the Office for Civil Rights failed to meet all the federal requirements that it was set and specifically criticized it for not having overseen and enforced the HIPAA Security Rule to the required degree. According to the OIG, there were two key requirements under the Security Rule that the OCR had not met: OCR...

How to Reduce Human Error and Prevent HIPAA Breaches
Dec30

This year has seen a number of large data breaches which have exposed the Protected Health Information of millions of Americans, placing them at an increased risk of becoming victims of identity theft and medical fraud. While some deliberate attacks have infiltrated computer networks, in many cases it is human error that exposes patient data to unauthorized third parties. Misplaced or unguarded portable devices have resulted in...


2014 Likely to See Surge in HIPAA Data Breaches

A new report released by the Experian credit bureau predicts that 2014 is likely to be a major year for data breaches, with a surge in numbers expected over the course of the year. The report also predicts the healthcare industry will be hit hard. The report says that the reason healthcare is so susceptible to attack is the sheer size of the industry. There is what the report calls an “expanded attack surface for breaches,” due to new...

HIPAA Omnibus Rule Places Further Restrictions on Marketing
May05

The introduction of the Omnibus Final Rule, also known as the HIPAA Mega Rule due to the extent to which it alters the current legislation, tightens up many loose ends that existed from the HIPAA Privacy Rule with regard to marketing. The use of Protected Health Information (PHI) for marketing purposes was restricted by the Privacy Rule, which required patients to provide written consent allowing the use of their health information...

HIPAA Omnibus Rule Comes into Force
Mar31

The HIPAA Omnibus Rule was published on Jan 25, 2013 by the Department of Health and Human Services (HHS) as an amendment to the Health Insurance Portability and Accountability Act (HIPAA). The new rule came into force on March 26, 2013 and modifies existing HIPAA regulations to provide greater protection of patient data; extending the reach of HIPAA and modifying regulations to bring them in line with the Health Information...

Data Encryption Advisable but not Mandatory Under HIPAA
Feb01

Healthcare organizations must take steps to prevent confidential patient health data from being viewed, accessed or used by unauthorized individuals, although current HIPAA regulations do not require healthcare organizations – or their business associates – to encrypt PHI data. However, according to the Director of the Office for Civil Rights, Leon Rodriguez, it is strongly advisable. The HIPAA data breach rule requires...
