October 2017 Healthcare Data Breaches
Nov 16

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September and a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy
Oct 31

Deven McGraw, the Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR), has stepped down and left OCR. McGraw vacated the position on October 19, 2017. McGraw had served as Deputy Director for Health Information Privacy since July 2015, replacing Susan McAndrew. McGraw joined OCR from Manatt, Phelps & Phillips, LLP, where she co-chaired the company’s privacy and data security practice. McGraw also served as Acting Chief Privacy Officer at the Office of the National Coordinator for Health IT (ONC) since the departure of Lucia Savage earlier this year. In July, ONC National Coordinator Donald Rucker announced that following cuts to the ONC budget, the Office of the Chief Privacy Officer would be closed out, with the Chief Privacy Officer receiving only limited support. It therefore seems an opportune moment for Deven McGraw to move on to pastures new. OCR’s Iliana Peters has stepped in to replace McGraw in the interim and will serve as Acting Deputy Director until a suitable replacement for McGraw can be found....

Q3, 2017 Healthcare Data Breach Report
Oct 16

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches.

Q3 Data Breaches by Covered Entity

Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228.

The Ten Largest Healthcare Data Breaches in Q3, 2017

The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...

Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS
Oct 10

In January 2014, the HHS proposed a new rule for certification of compliance for health plans. The rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with electronic transaction standards set by the HHS under HIPAA Rules. The main aim of the proposed rule – Administrative Simplification: Certification of Compliance for Health Plans – was to promote more consistent testing processes for CHPs. The HHS has now announced that the proposed rule has been withdrawn. Had the proposed rule made it to the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administrative simplification standards for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. Failure to comply with the new rule would have resulted in financial penalties for CHPs. Most employers’ health plans were handled by their insurance carriers, so the proposed rule would not have affected them...

HHS Secretary Tom Price Resigns
Sep 30

It has been a short stint as Secretary of the U.S. Department of Health and Human Services for Tom Price, who resigned from the post on September 29, 2017, two days shy of 8 months in the position. Spending only 231 days as Secretary, Price is the shortest serving HHS Secretary in U.S. history. Price was nominated for the position of HHS Secretary by President Trump on November 29, 2016. The nomination was approved by the Senate Health, Education, Labor, and Pensions Committee on February 1, 2017. However, Price resigned under pressure following revelations about his extensive use of charter jets and military aircraft to travel across the United States for government work. Rather than use commercial airlines for travel, Price had spent more than $400,000 on private jets, even though commercial airline flights were available. Price had vowed to refrain from using private charter flights for travel in the future and offered to pay back part of the costs incurred, reportedly $51,887, to cover the cost of his seats. President Trump said that would be “unacceptable,” leaving him little...

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit
Sep 20

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018. Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules. In addition to the audit program, any HIPAA-covered entity that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website. The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the...

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone
Sep 12

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma. OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act. In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
45 CFR 164.510(a) – Honor requests to opt out of the facility directory
45 CFR 164.520 – Distribute a notice of...

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone
Aug 31

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts. In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need. The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)). In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed. However, disasters often call for a...

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses
Aug 09

West Virginia Senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jessie’s Law takes its name from Michigan resident Jessica Grubb, who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addiction for seven years, but prior to surgery had been clean for 6 months. Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use. The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed...

How Often Should Healthcare Employees Receive Security Awareness Training?
Aug 01

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training?

Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training

Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often random, healthcare employees are also being targeted with spear phishing emails. In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%. In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised....

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years
Jul 31

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years. The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue. 47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years. Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred. Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach...

Only One Third of Patients Use Patient Portals to View Health Data
Jul 27

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet, according to a recent U.S. Government Accountability Office (GAO) report, relatively few patients are exercising that right, at least through patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information. GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource. Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information...

Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms
Jul 25

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians. The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database. Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images. Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems...

Model HIPAA-Compliant PHI Access Request Form Released by AHIMA
Jul 21

The American Healthcare Information Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data. The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization. AHIMA claims that until now, a model PHI access request form was not available to healthcare providers. HIPAA-covered entities have had to develop their own forms and there is considerable variation in the forms used by different healthcare organizations. Patients with multiple healthcare providers often find the process of obtaining their health data confusing. AHIMA has listened to feedback from its members and industry stakeholders who explained that the process of accessing medical records was often confusing for patients. Even some healthcare organizations are confused about what is permitted and not permitted under HIPAA Rules when it comes to providing access to health data....

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018
Jul 18

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought. One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could...

ONC Offers Help for Covered Entities on Medical Record Access for Patients
Jul 13

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give patients access to their medical records on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case. Patients often have difficulty accessing their electronic health data, with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other...

AMIA Urges HHS to Provide More Information on Common Rule Updates
Jul 07

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated. The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use. The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified. Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented. The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication...

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun 19

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details. The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual. However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of...

OCR’s Wall of Shame Under Review by HHS
Jun 16

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected. The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches. Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list. Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently...

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements
Jun 01

The ransomware attacks and healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules on security breaches. In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, how to prepare for such an incident and how to respond when perimeters are breached. HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time. Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and a reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to...

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements
Apr 21

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois. On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI. The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules. CCDH had provided paper records relating...

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...

AMIA Suggests it’s Time for a HIPAA Update
Apr 11

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world. The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA keeps pace with technology. HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data, although many patients are confused about what data they are able to access and what their rights actually are. The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access. Healthcare...

Roger Severino Named New Director of HHS’ Office for Civil Rights
Mar 27

The Department of Health and Human Services’ Office for Civil Rights has a new leader. The Trump Administration has chosen former civil rights trial attorney Roger Severino to lead the HIPAA enforcement efforts of the Office for Civil Rights. Severino joins OCR from the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he served as Director since May 2015. A formal announcement about the appointment of the new OCR Director has yet to be issued; however, the Heritage Foundation has confirmed that Severino is no longer on the staff and his name has been added to the HHS website. A spokesperson for OCR has also confirmed that Severino will be the new director and Severino’s LinkedIn profile has also been updated to include his new position as OCR chief. Severino has a background in civil rights litigation, having worked as a trial attorney for the Department of Justice for seven years in the Housing and Civil Enforcement division. During his time at the DOJ, Severino enforced the Fair Housing Act, Title II...

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA
Mar 02

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data. Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI. AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data. AHIMA has explained to whom...

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb 02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR. Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently,...

$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Insurance Company of Puerto Rico – a subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information (ePHI) of 2,209 individuals in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department, from where it was stolen. The device contained a range of ePHI, including full names, Social Security numbers, and dates of birth. The device was not protected by a password and the data on it were not encrypted. MAPFRE Life reported the theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI affecting 500 or more individuals.

Multiple Areas of Noncompliance with HIPAA Rules Discovered

During the course of the investigation,...

OCR Reminds CEs of HIPAA Audit Control Requirements
Jan17

In the past few weeks, a number of HIPAA-covered entities have announced that employees were discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were found to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. One case involved the viewing of a celebrity’s medical records by multiple staff members. Late last week, OCR released its January Cyber Awareness Newsletter, which explained the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, systems, or users, and audit trails as the audit logs of those applications, systems, or users. Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on,...
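As an added example (not OCR’s or NIST’s code, and not part of the newsletter), the following Python script shows what a periodic review of an application-level audit trail can look like in practice. It flags the two patterns described in the cases above, long-running access by a user with no documented treatment relationship and any access to a watchlisted (e.g. celebrity) record, plus bursts of failed access attempts. The CSV export format, the care-team table that stands in for documented treatment relationships, the watchlist and the thresholds are all constructed assumptions; a real EHR audit log needs its own parser.

```python
"""Review EHR access audit logs for inappropriate access.

Added example for this page, not OCR's or NIST's code. It assumes an
audit log exported as CSV with the columns used below; the log lines,
the care-team table and the watchlist are constructed for illustration.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample export: who accessed which record, when, and whether
# the access attempt succeeded.
SAMPLE_LOG = """\
timestamp,user,patient_id,action,result
2016-01-04T08:12:00,rn_amy,P1001,view,success
2016-01-04T08:15:00,rn_amy,P1002,view,success
2016-01-09T22:40:00,clerk_bob,P2001,view,success
2016-03-14T23:05:00,clerk_bob,P2001,view,success
2016-07-02T01:10:00,clerk_bob,P2001,view,success
2017-01-15T23:50:00,clerk_bob,P2001,view,success
2016-05-20T12:00:00,dr_lee,P9000,view,success
2016-05-20T12:01:00,rn_amy,P9000,view,success
2016-06-01T09:00:00,tech_cal,P1001,view,failure
2016-06-01T09:00:30,tech_cal,P1001,view,failure
2016-06-01T09:01:00,tech_cal,P1001,view,failure
2016-06-01T09:01:30,tech_cal,P1001,view,failure
2016-06-01T09:02:00,tech_cal,P1001,view,failure
2016-06-01T09:02:30,tech_cal,P1001,view,failure
"""

# Constructed treatment relationships: users expected to open each record.
CARE_TEAM = {
    "P1001": {"rn_amy", "dr_lee"},
    "P1002": {"rn_amy"},
    "P2001": {"dr_lee"},
    "P9000": {"dr_lee", "rn_amy"},
}

# Constructed watchlist of high-profile records: every access is reviewed.
WATCHLIST = {"P9000"}

FAILED_ATTEMPT_THRESHOLD = 5   # failed attempts per user before flagging
LONG_RUNNING_DAYS = 365        # out-of-relationship access spanning this long


def parse_log(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows, care_team, watchlist):
    """Return findings as (rule, user, patient, detail) tuples."""
    findings = []
    out_of_relationship = defaultdict(list)  # (user, patient) -> timestamps
    failures = defaultdict(int)              # user -> failed attempts

    for r in rows:
        user, patient = r["user"], r["patient_id"]
        if r["result"] != "success":
            failures[user] += 1
            continue
        if patient in watchlist:
            findings.append(("watchlist_access", user, patient,
                             r["timestamp"].isoformat()))
        if user not in care_team.get(patient, set()):
            out_of_relationship[(user, patient)].append(r["timestamp"])

    # Repeated access without a relationship is more suspicious the longer
    # it has gone on; the cases in the article ran for over 12 months.
    for (user, patient), times in out_of_relationship.items():
        span_days = (max(times) - min(times)).days
        rule = ("long_running_snooping" if span_days >= LONG_RUNNING_DAYS
                else "out_of_relationship")
        findings.append((rule, user, patient,
                         f"{len(times)} accesses over {span_days} days"))

    for user, n in failures.items():
        if n >= FAILED_ATTEMPT_THRESHOLD:
            findings.append(("repeated_failures", user, "",
                             f"{n} failed attempts"))

    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG), CARE_TEAM, WATCHLIST):
        print(*finding, sep="\t")
```

Run against the constructed log, the review flags clerk_bob’s four accesses to P2001 over 372 days, both accesses to the watchlisted record P9000 (even though both users are on that care team, which is the point of a watchlist), and tech_cal’s six failed attempts; rn_amy’s routine accesses produce nothing.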

Healthcare Industry Prepares for the HIPAA 2017 Audits
Jan10

Given the number of HIPAA 2017 audits that OCR has planned, the probability of any one healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax about HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared. Even if covered entities and business associates have not been selected for a desk audit, they may be selected for a full compliance audit later this year. Should a healthcare organization escape a 2017 HIPAA compliance audit, OCR will still investigate if a data breach is experienced: OCR follows up on all data breaches affecting 500 or more individuals. Covered entities that have experienced a data breach or security incident will be required to demonstrate that HIPAA Rules have not been violated and that their policies and procedures comply with the HIPAA Rules. The high number of healthcare data breaches reported in recent years shows that healthcare organizations need to be prepared for a HIPAA investigation in the event that a security incident is...

$475,000 Settlement for Delayed HIPAA Breach Notification
Jan10

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date based solely on an unnecessary delay in breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters must be issued without unreasonable delay and no later than 60 days after the discovery of the breach; the 60-day limit is an outer bound, not a target, and covered entities should not delay notifying patients or health plan members unnecessarily. Additionally, if the breach affects 500 or more individuals, a breach report must be submitted to the Office for Civil Rights within the same 60-day period, and the Breach Notification Rule also requires covered entities to issue a breach notice to...

New York Rule Change Allows Clinicians to Access Minors’ PHI via State HIE
Jan06

Healthcare providers that participate in the Western New York health information exchange – HEALTHeLINK – are now able to access the health information of minors aged between 10 and 17 following the passing of a new rule covering patient data access through qualified health information exchanges. The new rule allows a minor’s information to be accessed if prior consent has been obtained from a parent or legal guardian via a signed consent form. To date, more than 870,000 adults in Western New York have already signed consent forms allowing their children’s information to be shared. The rule change will ensure that treating pediatricians have access to the most up-to-date information, allowing them to make informed decisions about the best treatments to provide. It will also help to ensure that the full range of a minor’s health information can be obtained, which has previously been a problem when minors have received medical services from multiple healthcare providers. The rule change will help to ensure safer and more efficient provision of clinical care....

Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec22

The Joint Commission’s (formerly the Joint Commission on Accreditation of Healthcare Organizations) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of secure texting platforms for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk. The ban was originally put in place because SMS messages are not secure: it was not possible to verify the sender of a message, nor for the original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies have developed secure text messaging platforms that incorporate the security features needed to protect messages from interception. Those platforms also allow the identity of the sender to be verified, ensure that messages are retained for auditing purposes, and provide a slew of other privacy and security controls...

ONC Publishes Final 2017 Interoperability Standards Advisory
Dec21

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA). The ISA is a catalog of standards and implementation specifications that healthcare organizations can use to address specific interoperability needs; its purpose is to serve as a single resource from which the healthcare industry can obtain those standards and specifications. The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for the full range of health IT that supports interoperability. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used. The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online...

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator
Dec15

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator. At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected, used, and protected. The purpose of the MPN is to improve transparency and clearly display information about an organization’s privacy practices so that consumers can make an informed decision about whether to use a particular product. While ONC, in conjunction with the Federal Trade Commission (FTC), developed a Model Privacy Notice in 2011, technology has moved on considerably in the past five years. The MPN was intended to be used for personal health records, but the range of products that collect health data is now considerable and includes wearable devices and mobile applications. The current MPN is therefore somewhat dated. ONC notes that...

National Governors Association Releases Roadmap for States to Improve Health Data Sharing
Dec14

To support effective decision making, improve the care provided to patients, and cut the costs of healthcare provision, healthcare data must be readily available to all healthcare providers. While other industry sectors have taken great strides toward improving the flow of information to increase efficiency, the healthcare industry still lags behind. There are still many barriers in place that prevent the meaningful exchange of health information. There is currently considerable confusion about the restrictions imposed by the Health Insurance Portability and Accountability Act (HIPAA) and state health information privacy laws. State governments in particular require assistance navigating these rules and regulations so they can play their part in improving the flow of healthcare data and more effectively drive forward policies that support a fully interoperable nationwide healthcare system. The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) previously awarded a cooperative funding...

ONC Issues Fact Sheet Explaining Exchange of Health Information for Public Health Activities
Dec09

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR) have published a new fact sheet explaining some of the circumstances under which the sharing of electronic health information without patients’ written consent is permitted by Health Insurance Portability and Accountability Act (HIPAA) Rules. The HIPAA Privacy Rule came into effect in April 2003 and set new standards to protect individuals’ personal health information. The Privacy Rule sets limits and conditions on when personal health information can be used or disclosed without prior consent from patients. For example, the Privacy Rule allows HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses), and their business associates, to share patients’ health information for treatment purposes and healthcare operations. Health information may need to be shared between two healthcare providers involved in the treatment of a patient and...

OCR Warns Covered Entities of Risk of DDoS Attacks
Dec08

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks over the past few weeks. The attacks involve flooding systems with traffic and requests until they are overwhelmed and can no longer serve legitimate users. The attacks have resulted in large sections of the Internet being taken offline, email systems crashing, and other computer equipment being taken out of action. DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, and even software-based medical equipment such as drug infusion pumps and MRI scanners could potentially be taken out of action. Not only do DDoS attacks prevent these systems from being accessed, the cost of restoring service and hardening against a repeat attack can be considerable. The scale of the recent attacks has been astonishing. Whereas last year DDoS attacks of the order of 300 Gbps were something of a rarity, this year we have seen...
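As an added example, not taken from OCR’s newsletter, this Python script shows why the distributed part of DDoS matters when reviewing web-server access logs for something like a patient portal: a per-client request rate catches a single noisy source, but a flood spread across many addresses stays under any per-client threshold and only shows up in the aggregate rate. The log format (Apache/nginx combined style), the addresses, the window size and the thresholds are constructed assumptions.

```python
"""Flag request floods in web-server access logs.

Added example for this page, not part of OCR's guidance. It assumes an
Apache/nginx "combined"-style access log; the log lines are constructed.
Two checks are shown: a per-client rate and an aggregate rate across all
clients, which is what catches a distributed flood.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10      # fixed bucket width (assumption)
PER_CLIENT_LIMIT = 20    # requests per client per window (assumption)
AGGREGATE_LIMIT = 60     # requests from all clients per window (assumption)


def build_sample_log():
    """Constructed log: normal traffic, then one noisy client, then a
    distributed burst of one request each from 80 different addresses."""
    lines = []
    base = "08/Dec/2016:10:00:%02d +0000"
    # Normal: two clients, a handful of requests spread over 10 seconds.
    for s in range(10):
        lines.append(f'10.0.0.{1 + s % 2} - - [{base % s}] '
                     f'"GET /portal/login HTTP/1.1" 200 512')
    # Noisy single client: 25 requests within one second.
    for _ in range(25):
        lines.append(f'203.0.113.9 - - [{base % 20}] '
                     f'"GET /portal/ HTTP/1.1" 200 2048')
    # Distributed burst: 80 addresses, one request each, same second.
    for i in range(80):
        lines.append(f'198.51.100.{i} - - [{base % 40}] '
                     f'"GET /portal/ HTTP/1.1" 503 0')
    return "\n".join(lines)


def parse(log_text):
    """Yield (client_ip, window_start_epoch) for each parsable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        window = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        yield m.group("ip"), window


def detect_floods(log_text, per_client_limit=PER_CLIENT_LIMIT,
                  aggregate_limit=AGGREGATE_LIMIT):
    """Return {"noisy_clients": [(window, ip, count)],
               "distributed_windows": [(window, total, distinct_ips)]}."""
    per_window = defaultdict(Counter)
    for ip, window in parse(log_text):
        per_window[window][ip] += 1

    noisy, distributed = [], []
    for window in sorted(per_window):
        counts = per_window[window]
        # Check 1: any single client over its own limit.
        for ip, n in counts.items():
            if n > per_client_limit:
                noisy.append((window, ip, n))
        # Check 2: total volume high while no single client stands out,
        # which is the signature of a distributed flood.
        total = sum(counts.values())
        if total > aggregate_limit and max(counts.values()) <= per_client_limit:
            distributed.append((window, total, len(counts)))
    return {"noisy_clients": noisy, "distributed_windows": distributed}


if __name__ == "__main__":
    result = detect_floods(build_sample_log())
    for window, ip, n in result["noisy_clients"]:
        print(f"noisy client {ip}: {n} requests in window starting {window}")
    for window, total, ips in result["distributed_windows"]:
        print(f"distributed burst: {total} requests from {ips} addresses "
              f"in window starting {window}")
```

On the constructed log the normal window is quiet, the 25 requests from 203.0.113.9 trip the per-client check, and the 80-address burst trips only the aggregate check, which is why blocking individual addresses alone does not stop a DDoS.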

21st Century Cures Bill Sails Through Senate
Dec08

Last week, the House of Representatives voted overwhelmingly (392-26) in favor of the 21st Century Cures Act. Yesterday, the bill sailed through the Senate with a vote of 94-5. All that remains is for President Obama to add his signature to the bill, which is expected to happen in the next few days. President Obama has already said he is happy to sign the new bill. The bill will provide funding for a number of initiatives that are intended to hasten the development of new cures and medical devices to treat cancer and other diseases. The bill makes more funds available for mental health treatment as well as for programs to tackle the growing problem of opioid abuse in the United States. $500 million per year will be made available for the latter to prevent new cases of opioid abuse and to fund treatment programs for addicts. The bill had originally called for changes to be made to the Health Insurance Portability and Accountability Act to improve data sharing for research purposes. By classifying research under healthcare operations, it would have been possible for the identifiable protected...

21st Century Cures Act Overwhelmingly Passed by House
Dec01

The 21st Century Cures Act has been passed by the House of Representatives with a vote of 392-26. One Democrat and twenty Republicans voted against the bill. The legislation will now go to the Senate for the vote, which will take place early next week. The legislation was passed by the House last year, although the bill failed in the Senate in July 2015. Numerous revisions have been made since last summer and this time around the 21st Century Cures Act is expected to be passed by the Senate. However, not unanimously. Some senators are certain to vote against the legislation, including Senators Bernie Sanders (I-Vt.) and Elizabeth Warren (D-Mass.). Both strongly oppose the changes that have been made to the legislation to appease the pharmaceutical industry. The main purpose of the $6.3 billion bill is to advance medical innovation. A sizable chunk of cash will be given to a number of programs introduced by the Obama administration. NIH will receive $4.8 billion in funding over the next 10 years which will go towards programs such as the cancer moonshot research project, the...

Warner Chilcott District Managers Sentenced for HIPAA Violations and Healthcare Fraud
Oct31

The United States Attorney’s Office for the District of Massachusetts has announced that three former district managers of the pharmaceutical firm Warner Chilcott have been sentenced for violating the Health Insurance Portability and Accountability Act and committing healthcare fraud. The offenses date back to 2011, when Warner Chilcott launched the osteoporosis drug Atelvia®. The drug was not covered by many insurance companies because a generic alternative was available. Coverage would only be provided if prior authorizations were filled out by physicians. In an effort to drive sales, Landon Eckles, a mid-Atlantic district manager in the osteoporosis division of Warner Chilcott, directed certain sales representatives to fill out prior authorizations for the drug even if physicians refused to do so. Completing those prior authorizations required the representatives to access the protected health information of patients, a violation of HIPAA Rules. Patients diagnosed with osteoporosis also had Atelvia® brochures added to their medical charts to remind physicians to prescribe the drug....

Vindell Washington: HIPAA Not a Barrier to the Sharing of ePHI
Sep23

This week, Vindell Washington – the recently appointed National Coordinator for Health Information Technology at ONC – confirmed that one of his main priorities is to continue the work of Karen DeSalvo and implement ONC’s Interoperability Roadmap. Washington believes the ONC’s interoperability framework is foundational for a number of the administration’s priorities, in particular the Precision Medicine Initiative and the Cancer Moonshot. In order for those initiatives to be successful, patients must be able to obtain copies of their health data, and the barriers that currently prevent information exchange must be removed. Washington explained to reporters on Monday that ONC is committed to laying the foundations that will enable patients to contribute their data to these initiatives. “The work that we have to do in the short term is increasing the flow of information and empowering patients in this space to have their information and be able to use it and send it forward for the purposes that they choose.” He also explained that many healthcare providers see...

OCR to Increase Investigations of Small PHI Breaches
Aug18

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it will be stepping up investigations of small PHI breaches with immediate effect. Breaches impacting fewer than 500 individuals will now be subjected to closer scrutiny, with the responsibility for investigating those breaches falling to OCR’s Regional Offices. OCR currently investigates all PHI breaches that affect 500 or more individuals, although investigations of small PHI breaches – those affecting fewer than 500 individuals – have only been performed as resources permit. The responsibility for investigating small breaches has fallen to OCR’s Regional Offices, but due to limited resources, investigations of small breaches have been limited up until now. However, a new initiative has now been launched that will see Regional Offices investigate small PHI breaches much more widely, although OCR will continue to prioritize investigations of large-scale breaches of protected health information. According to a recent news release, each of OCR’s Regional Offices has been instructed...

Third of Hospitals Lack HIPAA-Compliant EHR Contingency Plans
Jul26

According to a recent report issued by the Department of Health and Human Services’ Office of Inspector General, a third of hospitals do not have HIPAA-compliant EHR contingency plans in place, although most are “largely addressing” HIPAA requirements for EHRs. In September 2014, OIG sent a survey to 400 hospitals that had applied for Medicare EHR incentive payments and asked questions to determine whether HIPAA-compliant EHR contingency plans had been developed and implemented. Respondents were also asked about the extent to which EHR systems had been disrupted in the past. In addition to the survey, six hospitals were also selected for in-depth investigations involving site visits, interviews with hospital staff, documentation checks, and reviews of EHR contingency plans. The purpose of the study was to assess the state of hospitals’ EHR contingency planning and to determine whether patient health information could still be accessed during natural disasters and other situations where EHR system downtime occurs. In light of the recent ransomware attacks on hospitals in recent...

Hospitals Saying No to Pokemon Go
Jul25

The Pokemon Go craze sweeping the globe is causing a number of problems for U.S. hospitals leading many to issue bans on playing the game anywhere on hospital premises. The location-based augmented reality mobile game requires players to get out and about and use their smartphone cameras and GPS to find and catch Pokemon – virtual reality critters that can be found in real world locations. The scavenger hunt requires players to go to “Pokestops” to pick up free items. The Pokestops are located in popular locations such as memorials, museums, public buildings, and in some cases, hospitals. Game players are visiting these locations to collect items and this can cause problems. Recently, the U.S. Holocaust Memorial Museum banned visitors from playing the game as it was deemed to be inappropriate on the premises. A number of hospitals have also implemented bans on visitors, staff, and patients from playing the game on the premises for a variety of reasons. Some hospitals have cited security concerns as players are entering hospital buildings searching for Pokemon to catch. Utah Valley...

2.75 Million Dollar HIPAA Settlement Reached with UMMC
Jul22

Hot on the heels of the $2.7 million HIPAA breach settlement with Oregon Health & Science University comes news of another multi-million-dollar settlement with a university medical center. The Department of Health and Human Services’ Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA.

UMMC Investigated After Theft of Unencrypted Laptop Computer

The settlement stems from a breach of patients’ protected health information (PHI) in 2013. A laptop computer issued to UMMC’s Medical Intensive Care Unit (MICU) was discovered to be missing. The laptop computer contained the PHI of 500 patients. The data were not encrypted, although the laptop computer was password protected. The laptop is believed to have been stolen by a visitor who had asked about borrowing one of MICU’s laptops. OCR conducted an investigation into the...

How Does OCR Deal with HIPAA Complaints?
Jul21

The Department of Health and Human Services’ Office for Civil Rights (OCR) encourages individuals to file complaints about HIPAA-covered entities, or their business associates, if they feel that their privacy has been violated. Individuals are also able to file complaints if they believe the privacy of other individuals has been violated. Complaints about potential HIPAA violations are investigated by OCR, and while many prove to be unsubstantiated, oftentimes a HIPAA-covered entity, or an employee of that organization, is discovered to have violated patient privacy or breached HIPAA Rules. OCR receives many complaints, and the breach portal contains many hundreds of breach reports from covered entities that have experienced major breaches of PHI, yet only a tiny percentage result in civil monetary penalties being issued or financial settlements being agreed. What happens to all the other complaints that involve violations of HIPAA Rules? What action does OCR take against covered entities that violate the privacy of patients or fail to adhere to HIPAA Rules? In the vast majority...

House Passes Mental Health Reform Bill (Without the HIPAA Changes)
Jul14

A mental health bill that aims to improve mental healthcare in the United States has been passed by the House. The bill – H.R. 2646 – which was first introduced three years ago, was intended to usher in sweeping changes to improve the treatment of mental illness in the United States. While the bill was passed with an overwhelming majority of 422-2 last Wednesday, a number of the more contentious provisions had to be removed from it. One of the sticking points dropped from the bill was the set of changes to the Health Insurance Portability and Accountability Act (HIPAA). The bill introduces a number of important changes that will improve mental health care; however, the proposed changes to HIPAA were opposed by a number of Democrats and Republicans. In order for the bill to be passed, the HIPAA changes had to be dropped. In its original form, the bill would have changed HIPAA Rules to permit healthcare providers to share mental health data about patients with their caregivers. Instead, the Department of Health and Human Services is now required to clarify the law...

OCR Phase 2 HIPAA Audits: Documentation Requests Issued
Jul13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has now selected covered entities from its pool of eligible organizations and has chosen 167 for a HIPAA compliance audit. Covered entities selected for a compliance audit have now been notified by email. Those organizations have just 10 days to respond to the emails and submit the requested documentation to OCR. The audits – which are desk based – have been split between healthcare providers, health plans, and healthcare clearinghouses. The audits are being conducted on a geographically representative sample that includes healthcare organizations of all sizes. Desk audits of HIPAA business associates will follow in the fall. The desk audits comprise a documentation check to ensure compliance with the Health Insurance Portability and Accountability Act’s Privacy, Security, and Breach Notification Rules. Earlier this year OCR published details of the new audit protocol. The protocol contains a long list of different aspects of HIPAA Rules that could potentially be assessed by OCR...

OCR Ransomware Guidance: Ransomware Attacks Are Reportable Breaches
Jul12

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance on ransomware. A fact sheet on healthcare ransomware attacks has been published along with a 12-page document providing technical guidance for CIOs and CISOs on best practices to prevent ransomware infections, mitigation strategies to adopt when ransomware is installed on computers or healthcare networks, and detailed information on the correct ransomware response. The new guidance is essential reading for CISOs, CIOs, and all members of the senior leadership team.

Ransomware and HIPAA

OCR has confirmed the proactive measures that covered entities should take to prevent ransomware infections:

- Perform a comprehensive, organization-wide risk analysis
- Establish a plan to remediate any identified risks to the confidentiality, integrity, or availability of ePHI
- Implement policies and procedures to safeguard ePHI against malicious software, including malware and ransomware
- Provide staff members with training on cybersecurity best practices
- Train authorized users to detect malicious...

CMS Finalizes New Rules for QEs on Sale and Sharing of Medicare Claims Data
Jul05

The Centers for Medicare and Medicaid Services (CMS) has finalized a new set of Rules for qualified entities that will allow the sharing or sale of Medicare claims data to healthcare providers, employers, and other entities. The rule changes will help to ensure that healthcare organizations, employers, and other organizations have access to the data they need to make informed decisions about the provision of care to patients. With access to all Medicare and private sector claims data, it is hoped that the quality of care provided to patients will be improved. The rule changes, which were required under the Medicare Access and CHIP Reauthorization Act (MACRA), will permit organizations classed as qualified entities to confidentially share analyses of Medicare and private sector claims with healthcare providers, employers, and other groups that are able to use the data to improve patient care. The sale of data is also permitted. Qualified entities will be permitted to sell data to healthcare providers such as doctors, nurses, and skilled nursing facilities. While data can be sold or...

Philadelphia Business Associate Agrees to $650,000 OCR Settlement
Jun30

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS has agreed to settle alleged HIPAA violations with OCR and to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS is the sole corporate parent of six nursing facilities – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing facilities. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules. In February 2014, each of the six nursing facilities submitted a breach notice to OCR regarding a breach of ePHI. On April 17, 2014, OCR launched an investigation into the breach. A large number of OCR investigations into ePHI breaches have revealed failures to comply with HIPAA administrative safeguards – specifically 45...

Call Issued for Further Guidance on HIPAA Minimum Necessary Standard
Jun23

Melissa Martin, Board President of the American Health Information Management Association (AHIMA), gave testimony at a National Committee on Vital and Health Statistics (NCVHS) hearing last week on the minimum necessary standard of the HIPAA Privacy Rule. The aim of the hearing was to determine whether the Department of Health and Human Services should issue an update to the standard to ensure it can continue to be met by healthcare organizations, and to assess whether there is a need for further guidance in light of the technology changes in the healthcare industry since its introduction. According to Martin’s testimony, there is still considerable confusion over the standard and what constitutes the “minimum necessary information”. Under the minimum necessary standard, HIPAA-covered entities are required to make reasonable efforts to ensure that access to PHI is limited to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Organizations must identify individuals or groups of persons within the organization who are required...

ONC Releases Videos Explaining Patients’ HIPAA Rights
Jun03

Earlier this year, the HHS’ Office for Civil Rights (OCR) released guidance for healthcare organizations on patients’ HIPAA rights in an attempt to clear up confusion over access and ensure that covered entities were aware of their obligations under the HIPAA Privacy Rule. The guidance covered many of the questions commonly asked by healthcare organizations, including the models that healthcare organizations can adopt for charging for copies of PHI. Now that covered entities are prepared, efforts have shifted to advising patients of their access rights under HIPAA. This week, the Office of the National Coordinator for Health Information Technology (ONC), in conjunction with OCR, released a series of educational videos to improve understanding of patients’ HIPAA rights. ONC wants to improve patient engagement and get patients to take a greater interest in their health. Encouraging patients to obtain copies of their ePHI can help in this regard. Having access to their medical records allows patients to check for errors, provide their data to other healthcare providers or...

OCR Rules Townsend Violated the HIPAA Privacy Rule
Jun02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently ruled that a former town administrator of Townsend, MA, violated the HIPAA Privacy Rule in June last year when he posted an “information packet” online containing the protected health information of individuals who had used the town’s ambulance service. The information was intended to be viewed by the Selectmen so that a vote could be taken on whether or not to write off the unpaid bills. Rather than sharing the document securely, former town administrator Andrew Sheehan posted the information on the town website. The packet was accessible for only 18 hours before it was removed, but during that time it had been downloaded and shared on social media. The privacy breach was also reported to OCR. The information packet contained the names of patients who had not yet paid their ambulance bills along with sensitive medical information, including medical conditions and whether patients were alive, dead, or now living in a hospice. Prior to the uploading of the files, all...

Healthcare Providers Violate HIPAA Responding to Negative Yelp Reviews
Jun01

Some healthcare providers have violated patient privacy and HIPAA Rules when responding to negative comments on Yelp and similar review sites, according to a recent ProPublica report. For the report, ProPublica was given access to around 1.7 million Yelp reviews of healthcare providers. The researchers used a tool to sift through the reviews and isolated approximately 3,500 one-star ratings of healthcare providers – the lowest possible rating on the review site – that mentioned “privacy” or “HIPAA”. ProPublica researchers discovered “dozens” of instances where healthcare providers had breached HIPAA Rules when responding to comments. In some cases, the responses to the negative comments disclosed patients’ protected health information. ProPublica cited one example of a California chiropractor who replied to a negative comment from a patient and included details of the procedures he had performed and information about her medical condition. Another example involved a dentist who responded to a comment about an alleged unnecessary tooth...

Apple to Recruit HIPAA Expert as Privacy Counsel
May25

Apple is seeking a Privacy Counsel with extensive experience in healthcare privacy and a thorough understanding of HIPAA regulations. The new position confirms that Apple plans to develop its products to be more valuable to healthcare professionals and patients, and that the company intends to make more of a mark in the healthcare sector. The new recruit will work on cutting-edge projects, providing essential input on privacy and security, working on privacy-by-design reviews, supporting compliance and auditing frameworks, drafting policies and procedures to ensure compliance with privacy laws, and assisting with privacy complaints and breaches. The individual will also play a major part in designing privacy solutions for Apple products. The new position could indicate Apple intends to develop HIPAA-compliant apps, or that it is working on a HIPAA-compliant backend for its frameworks to enable patient data to be stored and transmitted securely, in accordance with HIPAA Rules. Apple has already developed products and frameworks for monitoring patient...

OCR Clears Up Confusion About the Charging of Flat Fees for Copies of PHI
May24

Earlier this year the Office for Civil Rights issued guidance for healthcare providers and health plans on the general right of patients to obtain copies of their protected health information on request. The HIPAA Privacy Rule allows patients to obtain copies of the PHI held in one or more designated record sets maintained by a covered entity. By obtaining copies of their PHI, patients can take control of their own healthcare and wellbeing. Providing copies of PHI to patients involves a cost to the covered entity, such as the time taken to locate and copy records and prepare summaries, the cost of paper and printing if record sets are supplied in physical form, the cost of media devices for electronic copies of PHI, and the cost of mailing records to patients if they are not collected in person. Covered entities are permitted to charge patients for providing copies of their PHI, as the OCR guidance explained; however, the questions submitted by covered entities showed there was still some confusion over allowable charges, in particular regarding the charging of flat-rate fees to...

Deven McGraw Offers Advice on the Upcoming HIPAA Compliance Audits
May20

Deven McGraw – deputy director of health information privacy at the Office for Civil Rights (OCR) – has offered some advice to covered entities ahead of the HIPAA compliance audits scheduled to take place later this year. The second round of HIPAA compliance audits will be conducted on covered entities first, followed by business associates. OCR contacted covered entities earlier this year to verify contact information. That process is almost complete, and a pool of healthcare providers, health plans, and healthcare clearinghouses will soon be finalized. OCR will select approximately 200 organizations from that pool for a desk audit. Covered entities selected for audit will be notified and given 10 days to submit the requested documentation to OCR. This does not give covered entities much time, so it is important that preparations are made early. In an interview with the Information Security Media Group, McGraw suggested that covered entities should start preparing now in case they are selected for a desk audit. Last month, OCR released the updated audit protocol which...

Illinois Data Breach Notification Law Updated
May20

Illinois data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches. A breach notification will need to be issued if a person’s full name, or last name and first initial, is exposed in combination with any of the following data elements: driver’s license number; Social Security number; credit or debit card number; biometric data; username or email address together with a password or other data that would allow access to the account; medical information; or health insurance information. Notifications will not be required if the breached data are encrypted, or if the exposed data are publicly available. The new law specifically mentions health insurance information, which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history is also included in the new definition. The exposure of information relating...

Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA
Apr20

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a settlement has been reached with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. OCR launched an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to provide a potential business associate (BA) with X-ray films in order to have the images transferred to a digital format. The company was allowed to recycle the original films to recover the silver after the images had been transferred to an electronic format. However, the agreement was reached over the telephone and no BAA was obtained. Prior to providing the company with the X-rays, Raleigh Orthopaedic should have issued a BAA and obtained a signed copy. The BAA should have detailed the responsibilities the company had to ensure...

Compliance Assistance Provided to Mobile Health App Developers by FTC
Apr07

A new interactive tool has been released by the Federal Trade Commission (FTC) to help mobile health app developers determine whether their apps need to comply with federal regulations. The new web-based tool was developed with assistance from the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA). By answering a series of 10 questions, mobile app developers can determine whether their health care products are covered under the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), or the Federal Trade Commission Act (FTC Act), or need to comply with the FTC’s Health Breach Notification Rule. In many cases, app developers will be required to comply with more than one set of federal laws. According to Jessica Rich, FTC Bureau of Consumer Protection director, “Mobile app developers need clear information about the laws that apply to their health-related products.” The tool aims to...

OCR Publishes New HIPAA Audit Protocol
Apr05

The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits. The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments. The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization. If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of...

Transition to HIPAA Electronic Administrative Transactions Could Save Industry $8 Billion, says CAQH
Mar31

On Wednesday this week, the 2015 CAQH Index was released. The data show that many healthcare organizations are continuing to rely on manual administrative processes for basic transactions such as verifying patient coverage, submitting claims, prior authorization, and referral certification, even though these tasks can easily be performed electronically. The CAQH Index is released once a year and is a measure of the adoption of electronic transactions for routine business processes in the healthcare industry. The aim of the report is to raise awareness of the potential cost savings that can be made by switching to electronic HIPAA transactions. The data used for the CAQH Index in 2015 represents some 440 million transactions relating to 92 million patients. The reliance on manual processes rather than HIPAA electronic administrative transactions is costing the healthcare industry dearly. CAQH believes the continued reliance on resource-intensive manual processes is costing the healthcare industry $8 billion each year. Each time health plans and healthcare providers perform a manual...

Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws
Mar29

A new report published by the Government Accountability Office has highlighted a number of security weaknesses with the HealthCare.gov website “that could place sensitive information at risk of unauthorized disclosure, modification or loss.” Under the Patient Protection and Affordable Care Act, the Centers for Medicare and Medicaid Services is responsible for overseeing state-based marketplaces that allow consumers to compare and purchase health insurance and for securing federal systems to which marketplaces connect, which include its data hub. GAO was requested to conduct a review of security issues relating to the data hub, in addition to assessing CMS oversight of state-based marketplaces. The review included describing security incidents reported by CMS, assessing incident data, analyzing security controls, and reviewing its policies and procedures. The report indicates there were 316 security incidents involving the HealthCare.gov web portal between October 2013 and March 2015. In one instance a hacker was able to break through security defenses and succeeded in...

Phase 2 HIPAA Compliance Audits Commence
Mar21

The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA compliance audits have officially started. According to the recent OCR announcement, “Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.” The announcement goes on to explain that the process of auditing covered entities allows OCR to “proactively uncover and address risks and vulnerabilities to protected health information.”

Start Date for the Second Phase of HIPAA Compliance Audits

While the audit process has now officially started, covered entities still have some time to get their policies and procedures in order. It will still be some time before the document checks for the 2016 compliance audits actually begin. The OCR announcement does not give a start date for the 2016 HIPAA compliance audits, but indicates that the first stage of desk audits will be completed by December 2016. The date when the first desk audits will actually be conducted was not detailed in the...

OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Research
Mar17

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second largest settlement amount agreed with OCR, behind the $4.8 million settlement with New York and Presbyterian Hospital and Columbia University in 2014. However, it is the largest amount paid by a single covered entity, beating last year’s $3.5 million settlement with Triple S Management Corporation. The news comes a day after OCR announced another large settlement – the $1.55 million paid by North Memorial Health Care. Feinstein Institute for Medical Research is a not-for-profit biomedical research institute based in New York. Feinstein is sponsored by Northwell Health, Inc., the new name for North Shore-Long Island Jewish Health System, a large 21-hospital, 450-practice health system based in Manhasset, NY. The settlement stems from an investigation into a breach of 13,000 research participants’ data in 2012. As was the case with North Memorial Health Care, the breach...

$1.55 Million HIPAA Settlement for Lack of BAA and Risk Analysis Failures
Mar17

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations stemming from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Following a PHI breach reported on September 27, 2011, OCR conducted an investigation and discovered HIPAA violations that contributed to a breach of 9,497 patient health records. The investigation revealed that North Memorial had overlooked “two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels. The data breach involved the theft of a laptop computer from a business associate of North Memorial. The laptop was stolen from an employee’s vehicle, and while the device was password-protected, the ePHI stored on it had not been encrypted. The business associate, Accretive Health, Inc., had been contracted to perform a number of payment and healthcare operations on behalf of North Memorial. Those operations required Accretive Health to be...

Deven McGraw Gives Update on OCR HIPAA Compliance Audits
Mar03

Office for Civil Rights deputy director of health information privacy, Deven McGraw, has provided an update on OCR’s planned HIPAA compliance audits, saying the revised protocol for the long-awaited second round of compliance audits will be published next month. Late last year, OCR Director Jocelyn Samuels announced that the next round of audits would take place in early 2016. With publication of the audit protocol now planned for April, the next round of audits could start in Q2, although this seems unlikely. Once the audit protocol has been published there will be a period for public comment. Those comments will need to be assessed, and may require changes to the audit protocol. According to McGraw, the new protocol will be based on that used for the 2011/2012 round of audits, with amendments to account for the changes to HIPAA following the introduction of the Omnibus Rule in 2013. Previously, OCR indicated the next round of compliance audits would be conducted in modules. A module would be developed to assess Privacy Rule...

OCR Clarifies Patients’ Access Rights to PHI and Allowable Charges
Mar02

The Health Insurance Portability and Accountability Act’s Privacy Rule gives patients the right to obtain a copy of their protected health information from their healthcare providers (45 CFR § 164.524). While HIPAA-covered entities should be aware of this aspect of the Privacy Rule, many patients have experienced difficulty obtaining a copy of their records. In some cases, patients have obtained a copy of their records but felt that they were not provided with all of the information contained in those records. Some feel they have been unfairly charged for exercising their access rights. To address these and other issues, the Department of Health and Human Services’ Office for Civil Rights produced a fact sheet in January to clarify the responsibilities of HIPAA-covered entities under this aspect of the Privacy Rule. The new guidance explained the general right of patients to obtain a copy of their health records, to inspect their records, or to have a copy of those records sent to a nominated individual of their choosing. Provided that the healthcare provider...

Permitted Uses and Disclosures of PHI Clarified by OCR
Feb27

The Office for Civil Rights welcomes feedback from HIPAA-covered entities about aspects of HIPAA that are unclear or need further clarification. Some of the questions asked via the OCR website indicate that some covered entities are struggling to understand the Health Insurance Portability and Accountability Act Rules covering the sharing of protected health information (PHI). HIPAA permits the disclosure of PHI for healthcare operations and the provision of treatment. Health information can be used to help patients receive medical care, as well as for the evaluation of the care provided to patients. PHI must be used to coordinate care between different healthcare providers, and PHI is needed for billing purposes. Patients must also be allowed access to their health information so they can take a more active role in their own healthcare. HIPAA allows patient health information to be shared for all of these reasons, provided PHI is secured at all times. However, a number of restrictions apply. Even though the HIPAA Privacy and Security Rules have been in effect for many years, and...

OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule
Feb26

The risk of cyberattack faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure. However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist, and cybercriminals have taken advantage. Targeted attacks on covered entities have led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry. More than one in three Americans had their confidential medical data exposed or stolen in 2015. Over 113 million healthcare records were obtained by unauthorized individuals. Over the past 3 years, more than 40% of data breaches have affected the healthcare industry. USA Today reports that 91% of healthcare organizations have experienced a breach of electronic protected health information.

Addressing Security Gaps and Improving Cybersecurity Posture

In 2014, the Framework for Improving...

480,000 Patients Notified of Radiology Regional Center PHI Exposure
Feb19

In December, Radiology Regional Center, P.A., was alerted to a privacy breach by the Lee County Solid Waste Division following the accidental release of medical documents in the street. The privacy breach occurred on December 19, 2015. Medical documents were being transported by the Lee County Solid Waste Division for secure disposal. The paper files were due to be incinerated in accordance with Health Insurance Portability and Accountability Act Rules, but were accidentally released during transportation. The failure to secure the records resulted in them falling off the vehicle used to transport them. The documents, containing highly sensitive medical data, were strewn across the street, found their way into doorways, driveways and canals, and were blown all over the sidewalk.

Patients Have Now Been Notified of the Privacy Breach

Patients were notified of the breach of their private and confidential medical data on February 12, 2016, the same date that the Office for Civil Rights received a HIPAA data breach report. Initially it was unclear exactly how many patients had been affected....

Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement
Feb18

OCR has announced it has reached a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012. Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) has agreed to pay $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients in the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012, and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013. OCR found that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant authorizations had not been obtained in writing from the patients before their names and full-face photographs were uploaded to the website. OCR determined this to be a clear violation of the Privacy Rule, with CPT found to have violated HIPAA by failing to reasonably...

OCR Issues Further Guidance on Health App Use
Feb12

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance to help mobile health application developers get to grips with HIPAA and determine whether they fall under the classification of a HIPAA business associate. Last fall, OCR launched a new developer portal to improve understanding of how the Health Insurance Portability and Accountability Act applies to mobile health app developers. The aim was to improve understanding of HIPAA Rules among mHealth app developers. The portal was also used by OCR to anonymously gather information that it could use to direct its focus for future guidance and to determine which aspects of HIPAA were proving problematic or confusing for app developers. The new guidance was deemed necessary after OCR assessed the comments and questions that had been submitted via the app developer portal. It is hoped that the new guidance, which has also been posted on OCR’s mHealth Developer Portal, will help app developers avoid falling afoul of HIPAA Rules and will answer some of the questions that are frequently asked. There...

OCR to Receive $4 Million Budget Increase to Support Audit Program
Feb10

The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million.

HIPAA Compliance Audit Program to Receive a Funding Boost

The second phase of compliance audits is penciled in to start “in early 2016,” although the start date has yet to be announced. OCR was mandated to conduct HIPAA compliance audits by the Health Information Technology for Economic and Clinical Health Act (HITECH), and while the pilot phase of audits took place in 2011/2012, the second phase has suffered delay after delay. Those delays have been attributed to a lack of funding. The additional $4 million is therefore much needed, especially after the budget freeze in 2016. The purpose of the audits is in part to ensure that covered entities (healthcare providers, healthcare clearinghouses, and health insurers) and their business associates are complying with HIPAA regulations. The audits will also give OCR insight into the...

Apple Health HIPAA Breach Affects 91K Medicaid Recipients
Feb10

The protected health information of 91,000 Apple Health Medicaid program clients has been compromised by a Washington State Health Care Authority (HCA) employee over a period of almost 3 years, according to a statement issued by HCA risk manager, Steve Dotson. All affected individuals are in the process of being notified that their name, date of birth, Apple Health ID number, Social Security number, and private health information were improperly disclosed between early 2013 and late 2015. The repeated privacy breaches involved two state department employees who exchanged emails containing the highly sensitive data. A woman working as a medical assistance specialist for the HCA regularly sent spreadsheets containing patient health information and Social Security numbers to her brother, who worked as an Internet technician for the Department of Social and Health Services (DSHS). The unauthorized sharing of patient data is a breach of Health Insurance Portability and Accountability Act rules and warrants the sending of breach notification letters. Those letters were dispatched on...

Two Employees Fired for Jason Pierre-Paul HIPAA Breach
Feb09

Back in July 2015, New York Giants football player Jason Pierre-Paul visited Miami’s Jackson Memorial Hospital for treatment after a fireworks accident. News reports emerged soon after confirming Pierre-Paul had suffered a major hand injury. At the time of the accident, the football player was negotiating a new $60 million contract with the Giants. ESPN’s Adam Schefter managed to get hold of Pierre-Paul’s medical records and posted details of the injury on Twitter, confirming Pierre-Paul had had the middle finger of his right hand amputated. There was much debate at the time about the legality of Schefter’s disclosure, with many claiming HIPAA had been violated. Of course, journalists and news reporters are not HIPAA-covered entities, and as such are not obliged to abide by HIPAA rules. While Schefter could not have violated HIPAA, the medical information could only have come from the hospital where Pierre-Paul was being treated. HIPAA Rules did appear to have been violated, just not by Schefter. Jackson Memorial Hospital conducted an internal investigation into the potential...

OIG Publishes Findings of Utah Department of Health Security Audit
Feb08

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of a security audit of the Utah Department of Health. OIG discovered 39 “high-impact” security vulnerabilities and “a pattern of inadequate security management.” The Utah Department of Health suffered two data breaches between 2012 and 2013. The first occurred in March 2012 and resulted in the protected health information (PHI) of 780,000 Medicaid and Children’s Health Insurance Plan recipients being obtained by hackers. The data was stored on a server maintained by the Utah Department of Technology Services (DTS), which was accessed by Eastern European hackers. The second data breach occurred in January 2013 and was the result of the loss of an unencrypted USB drive by an employee of a business associate of the Dept. of Health. The USB drive contained the PHI of 6,000 individuals. The security breaches prompted OIG to conduct a review of information systems general controls at the Utah DOH, which took place in March 2013. The initial review was...

Deadline for Reporting 2015 Data Breaches
Feb04

The deadline for reporting 2015 data breaches is fast approaching. Covered entities must submit all 2015 data breach reports to OCR before the end of the month. The final date for submitting reports of security incidents that affected fewer than 500 individuals is February 29, 2016.

Deadline for Reporting 2015 Data Breaches – Monday, February 29, 2016

The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows covered entities up to 60 days after the discovery of a large-scale data breach to report the incident to the Department of Health and Human Services’ Office for Civil Rights. A large data breach is defined as one which affects more than 500 individuals. HIPAA also requires all covered organizations to report smaller data breaches, although they are considered lower priority. Small data breaches can be reported at any time during the calendar year in which they are discovered, although the maximum time limit for submission is 60 days from the end of the calendar year in which they were first identified. Since 2016 is a leap year, the deadline...

Lincare Inc to Pay $239,800 CMP for HIPAA Violation
Feb03

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge: the motion for summary judgment was granted and the decision to issue civil monetary penalties was sustained.

HIPAA Privacy Rule Violation Uncovered by OCR

Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities and via medical services delivered in-home. A complaint was filed with OCR about a Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...

Survey Indicates Law Firms are not Complying with HIPAA Rules
Feb02

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or its software or systems are capable of touching PHI/PII, that entity is also required to comply with HIPAA Rules.

Are Attorneys Classed as Business Associates of HIPAA-Covered Entities?

According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules. If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by...

98 Percent of Compromised Healthcare Records Due to Hacking
Jan29

2015 was the worst ever year for healthcare data breaches. The three largest healthcare data breaches were all discovered in 2015, including the massive cyberattack on Anthem Inc. that exposed a staggering 78.8 million healthcare records. The mega data breach at Anthem made the breaches at Premera Blue Cross and Excellus look small by comparison, yet they too were larger than any healthcare data breach previously reported to the Office for Civil Rights. Those three data breaches alone exposed almost 100 million healthcare records. Add in the 4.5 million-record data breach at UCLA Health, the 3.9 million-record breach at Medical Informatics Engineering and the one suffered by CareFirst BlueCross BlueShield, and the total number of breached records rises to 110 million. Something all the major healthcare data breaches of 2015 had in common was that they were the result of the actions of hackers. Human error may have played a part in the exposure of data, and the majority of breaches reported to OCR last year involved errors of judgment or negligence (loss of devices, theft of...

CHIME Launches $1 Million Competition to Solve the National Patient Identifier Problem
Jan22

Matching patient records to the correct patient is a complicated business. In theory at least, with patient information recorded digitally, it should be possible to match records with the correct patient no matter where the patient information is accessed or where the data is located. In an ideal world this would happen 100% of the time. Unfortunately, this is not an ideal world, and patients and records are frequently mismatched. This can naturally have serious consequences for patients.

Records and Patients Only Correctly Matched 90% of the Time

Studies suggest that the probability of records and patients being paired correctly is around 90% on average, provided, of course, that the records are located within a single health system. Should some records be located in a different health system, the chance of those records being correctly matched is much lower. In fact, when records are shared across different health systems the figure falls to around 80%. If a patient is to receive the best possible level of care, this is a problem that must be resolved.

Solving the Problem of...

EHR Incentive Program to Come to an End in 2016
Jan19

Andy Slavitt, acting administrator for the Centers for Medicare & Medicaid Services, has announced the HITECH Act’s Meaningful Use incentive program is soon to be retired. 2016 will see the program finally come to an end now that the vast majority of healthcare providers have made the transition to electronic health records, although an end date for the incentive program has not yet been announced. The program has by and large been successful in encouraging healthcare providers to make the transition to EHRs, but it is now time to move to a new regime, according to Slavitt. He recently announced at the J.P. Morgan Annual Health Care Conference that “The Meaningful Use program as it has existed, will now be effectively over and replaced with something better.” That ‘something better’ will be a new regime that rewards healthcare providers for the value they offer and the outcomes they achieve with patients, marking a substantial shift of emphasis from Meaningful Use, which provided incentives based on the use of technology. Slavitt pointed out that Meaningful Use has...

Upgrade Internet Explorer to Remain HIPAA Compliant
Jan11

On Wednesday January 12, 2016, Microsoft will stop support and security updates for Internet Explorer 8, 9 and 10. All users of Internet Explorer must therefore upgrade to Internet Explorer 11, or switch to Microsoft Edge, in order to continue receiving support, security updates, and patches. Eighteen months ago, Microsoft announced that browser updates for IE8, IE9, and IE10 would be stopping. Any user who has not yet upgraded now has just two days left before their browser officially becomes obsolete. Whenever software is discontinued and support and security patches are stopped, that software becomes a security risk: vulnerabilities are discovered that are not patched, and hackers are likely to be able to take advantage. Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave individuals “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.” Figures from Netmarketshare.com and Duo Security put the number of Internet Explorer users with IE10 and below installed at between...

A Year of HIPAA Enforcement: OCR HIPAA Penalties Issued in 2015
Jan10

In its capacity as enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Rules, the Department of Health and Human Services’ Office for Civil Rights (OCR) can issue fines to HIPAA-covered entities that fail to implement sufficient safeguards to keep the Protected Health Information (PHI) of patients and health plan members secure. OCR has been criticized in recent years for an apparent lack of enforcement, specifically for failing to issue financial penalties for clear violations of the HIPAA Privacy, Security, and Breach Notification Rules by HIPAA-covered entities. Covered entities are required to self-report data breaches to OCR under the Breach Notification Rule of 2009, and all data breaches that expose the PHI of more than 500 patients are investigated. Sometimes, those data breaches occur even when covered entities have implemented all of the administrative, technical, and physical controls that are required by the HIPAA Security Rule. However, in many cases, data breaches are suffered as a result of HIPAA failures. In such cases, action is taken by OCR...

OCR Issues New Guidance on Patient Data Access
Jan10

Healthcare providers should be aware that patients are permitted access to their medical records under HIPAA Rules; however, not all patients are aware of their legal rights. Not only are patient data access rights under HIPAA not well understood, many patients who have attempted to access their medical records have faced problems. There is also a misconception that HIPAA – specifically the HIPAA Privacy Rule – prevents healthcare providers from disclosing medical records. While that is true when it comes to disclosing patients’ Protected Health Information (PHI) to individuals not authorized to view that information, HIPAA does allow patients to access their own records. In fact, any healthcare provider who fails to allow patients to access their medical records could be fined.

OCR Issues Guidance on Patient Data Access Rights Under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has started the year with the launch of a brand new website interface, and has now followed up on previous promises by issuing new guidance on HIPAA. This is the...

OCR Website Receives Long Awaited Upgrade
Jan07

The Department of Health and Human Services’ Office for Civil Rights website has been redesigned and upgraded, and features a responsive design and a more user-friendly interface. The redesign was part of the Reimagined HHS.gov initiative. The aim was to create a website that is faster, easier to use, and makes content sharing and syndication much more straightforward. The HHS site-wide overhaul has taken well over a year so far, with OCR the first HHS department to receive its site upgrade. The upgrade and redesign were conducted in phases, with phase 1 of the project completed in May 2015. OCR’s overhaul was finished on schedule and went live this week in time for the January 6 launch. The new crisp, clean, and simple design presents information clearly, while a fast and powerful search function has been incorporated to ensure visitors can quickly and easily gain access to the information they need. Typing in a search term offers numerous suggestions based on the most common searches of the site, ensuring the most relevant information can be quickly retrieved. In...

HIPAA Privacy Rule Updated to Permit NICS Reports
Jan05

The Department of Health and Human Services has issued a final rule permitting certain covered entities to disclose specific elements of Protected Health Information (PHI) to the National Instant Criminal Background Check System (NICS), changing the HIPAA Privacy Rule. At the time of writing, HIPAA prevents healthcare providers from disclosing PHI, except in a very limited number of circumstances, without first having obtained permission from a patient. The rule change, which will become effective 30 days after publication in the Federal Register, will allow certain information about individuals to be divulged and entered into NICS by some HIPAA-covered entities. NICS is maintained by the FBI and is used by Federal Firearms Licensees (FFLs) to determine whether an individual is permitted to purchase a firearm. When an FFL starts a NICS background check on an individual, the system searches three separate databases: the Interstate Identification Index (III), the National Crime Information Center (NCIC), and the NICS Index. NCIC and III contain information on individuals who have...

No Action Over Patient Privacy Violation Due to HIPAA Loophole
Jan03

Recently, a New Jersey lawyer discovered that confidential information classed as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) is not necessarily kept private by providers of healthcare services. Under certain circumstances, the holder of those data may disclose the information publicly without penalty, as recently happened in his case. The lawyer had received treatment for mental health issues at Short Hills Associates in Clinical Psychology between 2012 and 2014. Some of the meetings had not been paid for, and Short Hills Associates filed a lawsuit for non-payment of $4,400 last year. Short Hills Associates is within its rights to take legal action against individuals who do not pay for chargeable medical services; however, in the lawsuit the organization listed the lawyer’s diagnosis and services he had received. That information was detailed in publicly filed court documents. HIPAA does permit the disclosure of PHI under certain circumstances, but this should be limited to the minimum necessary information for a...

Online Medical Record Access Not Possible for the Majority of Patients
Dec31

A recent survey commissioned by personal clinical engagement platform vendor HealthMine indicates patients are still finding it difficult to gain online access to their healthcare data, even though the majority of healthcare providers store healthcare data in digital form. 2013 data suggest that 78% of healthcare providers use EHRs and could therefore conceivably provide online access to patient medical data. The recent survey was conducted on 502 consumers who intended to enroll in a 2016 health plan. The survey took place between October and November 2015. The results of that survey show that over half of consumers (53%) do not yet have online access to their medical records, and almost a third (32%) of Americans have difficulty accessing their medical records. 31% of respondents indicated they have trouble accessing biometric information, and 29% said they struggled to gain access to lab records and insurance information. A quarter of respondents had trouble accessing their prescription history. 74% of Americans believe that having access to all of their clinical notes and medical...

Repeat HIPAA Violators Revealed: Database of Offenders Created
Dec30

ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed. Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame”, currently lists 1,425 data breaches dating from October 21, 2009. Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity, because not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal just one breach has been suffered, when in actual fact a great deal more have occurred. One good example is CVS Health: a search for that name would produce one result, a 12,914-record breach suffered this year. A search for CVS Caremark would...

HealthSouth Rehabilitation Hospital Announces 1,359-Record Data Breach
Dec23

Only a few hours after the announcement of the theft of an unencrypted laptop computer from the vehicle of an employee of the New Mexico Department of Health comes news of another. The latest laptop theft affects 1,359 patients of the HealthSouth Rehabilitation Hospital in Round Rock, TX. An employee of the hospital left an unencrypted laptop computer in the trunk of a vehicle, from where it was stolen. As with the NM Department of Health laptop theft, the incident occurred in October. Covered entities have up to two months to issue breach notification letters to patients and the Department of Health and Human Services’ Office for Civil Rights. The notification letters were sent on Tuesday, December 22, and OCR has now been notified. The theft was discovered by HealthSouth on October 26, 2015, five days after the theft actually took place. Once the theft was discovered, the incident was reported to Austin law enforcement. It is not clear why it took five days for hospital staff and law enforcement officers to be notified. The laptop computer has not subsequently been recovered. The...

Nursing Home Snapchat Photo Sharing Scandal Uncovered
Dec22

An investigation by ProPublica has revealed widespread abuse of patient privacy, and dignity, by workers from nursing homes and assisted living facilities across the country. Nursing facility workers have taken embarrassing photographs of patients and have shared them on social media websites such as Snapchat. Some of the photographs and videos that have been shared by nursing facility workers show physical and mental abuse of patients suffering dementia. The ProPublica review uncovered 22 cases of HIPAA-violating photo and video sharing that had been reported since 2012, with 35 instances of inappropriate image and video sharing found in total. Some cases involved workers taking photos of naked or semi-naked patients and posting them on Snapchat; others involved humiliating and degrading videos of patients. One case involved residents being coached to sing “I’m in love with the coco,” while one held a banner saying “Got these hoes trained.”

Inhuman treatment and violations of patient privacy and dignity

The cases show widespread abuses of patient privacy, with the victims...

Healthcare Cybersecurity Addressed in Omnibus Bill
Dec20

New cybersecurity provisions specifically for the healthcare industry have been added to the Omnibus bill passed by Congress late last week. The aim of their inclusion is to help healthcare organizations tackle the growing risk of cyberattacks, and to provide them with the information and guidance necessary to shore up their defenses, plug security gaps and make them less vulnerable to cyberattacks. The new legislation is part of the Cybersecurity Information Sharing Act, passed by Congress on Friday. One of the ways that the new legislation will help healthcare organizations is through the formation of a new Cybersecurity Task Force. This is scheduled to take place during the first 90 days following the introduction of the new legislation. The purpose of the task force is to assess the current cyber threats faced by the healthcare industry. The methods used by cybercriminals to break through security defenses will be analyzed and vulnerabilities assessed. The task force will also study how other industries are managing to repel attacks. Healthcare organizations will then be...

OIG Audit Reveals High Risk Security Vulnerabilities at 3 Medi-Cal MCOs
Dec15

The Department of Health & Human Services Office of Inspector General has recently published the results of information system reviews conducted on three Californian Medicaid managed-care organizations (MCOs).

OIG Audits Reveal 74 High Risk Security Vulnerabilities at 3 Medi-Cal MCOs

The OIG audits revealed numerous, significant security vulnerabilities at the three Medi-Cal MCOs being assessed. In total, 74 high-risk security vulnerabilities were discovered across 14 separate security control areas. Many of the vulnerabilities existed at all three Medi-Cal MCOs, suggesting similar security vulnerabilities may well exist at all Medi-Cal MCOs. Each of the vulnerabilities had the potential to place patient data at risk of exposure. In some cases, the security vulnerabilities were extremely serious. The vulnerabilities were categorized into three broad areas: access controls, security management and configuration management.

Access Management Controls

Access controls included password and login controls, database security controls, the use of backup storage media, and portable device...

$750,000 HIPAA Fine for University of Washington Medicine
Dec14

University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights, and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013.

Flurry of HIPAA Enforcement Activity as 2015 Draws to a Close

There has been a flurry of HIPAA enforcement activity over the past few weeks. First came news of a $90,000 settlement between the Connecticut OIG and Hartford Hospital in late November, then news of an $850,000 settlement between OCR and Lahey Hospital and Medical Center. That was closely followed by the announcement of a $3.5 million settlement between OCR and Triple-S of Puerto Rico, and now University of Washington Medicine has agreed to settle potential HIPAA violations with OCR.

Spam Email Behind 90,000-Record Data Breach

On November 27, 2013, University of Washington Medicine alerted OCR to a data breach that exposed the Protected Health Information (PHI) of approximately 90,000 UWM patients. The data breach occurred as a result of an employee falling...

Study Shows Only 49% of Hospitals Use 2-Factor Authentication to Improve ePHI Security
Dec13

Under HIPAA Rules, access to Protected Health Information must be strictly controlled. HIPAA-covered entities must therefore implement technical safeguards to ensure that only authorized individuals are able to gain access to data. EHRs and other software systems that are used to store or send ePHI must be protected by a minimum of a username and password, and any attempt to gain access to ePHI must be logged and periodically audited.

Improving ePHI Security with Two-Factor Authentication

Data security can be greatly enhanced by the use of two-factor authentication. Two-factor authentication requires an additional identification factor (other than a username/password combination) to be entered before access to ePHI is granted. Under the HIPAA Security Rule – 45 CFR § 164 – this control is strongly advisable but not mandatory; however, under the DEA’s Electronic Prescriptions for Controlled Substances rules, it is mandatory for 2-factor authentication to be used by all entities that e-prescribe controlled substances. Typically, the additional factor is a security question,...

Two Thirds of Healthcare Organizations Lack Confidence in Data Sharing
Dec12

A recent survey conducted by Privacy Analytics, a Canadian technology firm specializing in data masking and data de-identification technology, indicates two out of three healthcare organizations do not have complete confidence in their ability to share patient health information without placing patient privacy at risk.

HIPAA and Data Sharing

Under the HIPAA Privacy Rule, covered entities are not permitted to share Protected Health Information unless prior authorization has been obtained from the patient or the data have first been de-identified – 45 CFR §164.502(d). When de-identifying data, covered entities must ensure the risk of re-identification of patients is kept to an acceptable level; the Expert Determination method and the Safe Harbor model are suggested – 45 CFR §164.514(a)-(b). When sharing data, many HIPAA-covered entities opt for the Safe Harbor model, which requires the removal of 18 identifiers from the data before those data are disclosed to a third party for research studies, policy assessment, etc. Unfortunately, removing this...

Record Breaking Healthcare Data Breaches in 2015 May be Eclipsed in 2016
Dec10

2014 was widely considered to be “The Year of the Data Breach.” Then came 2015, the year of the mega healthcare data breach. Now that the year is coming to an end, it is time to look to the next 12 months and what could possibly be in store. If the upward trend continues, 2016 could really be an annus horribilis. According to a recent white paper issued by Experian, the next twelve months are likely to see more of the same. We can expect the large-scale healthcare data breaches to continue as the industry is targeted by cybercriminals seeking the highly valuable data stored by HIPAA-covered entities. The high value of healthcare data combined with relatively weak defenses and the continued digitization of medical records will see even more attacks launched by cybercriminals on healthcare organizations, according to the Experian Data Breach Resolution White Paper.

Large Healthcare Data Breaches Will Occur, But Small Breaches Are Likely to Cause the Most Damage

This year has seen some mega data breaches suffered by health insurers, and those organizations will continue to be targeted in...

NY Attorney General HIPAA Fine for URMC
Dec08

An attorney general HIPAA fine of $15,000 has been issued to University of Rochester Medical Center for a breach of patient privacy that occurred in March 2015.

An OCR and Attorney General HIPAA Fine May Be Issued for a Breach of HIPAA Rules

It is not only the Office for Civil Rights that is permitted to issue financial penalties for violations of HIPAA Rules. State attorneys general can also enforce the HIPAA Privacy, Security, and Breach Notification Rules. State attorneys general were given the power to assist OCR with the enforcement of Health Insurance Portability and Accountability Act Rules following the introduction of the HITECH Act in 2009, although few state AGs have chosen to do so. Action is sometimes taken against healthcare organizations that have exposed the data of patients, but the decision is taken to prosecute under state consumer protection laws rather than HIPAA. The first attorney general HIPAA fine was issued by the Connecticut AG’s office on July 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million individuals....

Another HIPAA Breach Courtesy of a Printing Error
Dec08

Over the course of the last three months, HIPAA-covered entities have reported 54 data breaches to the Office for Civil Rights. The majority of those data breaches can be attributed to human error. 15% of the breaches resulted from errors made when printing and mailing letters to patients and health plan members. While these privacy breaches do not affect anywhere near as many patients/plan members as hacking incidents (which have resulted in 10,134,208 records being stolen since September 9, 2015), they still require a breach response and result in considerable costs to the covered entity. The breach victims can be adversely affected, and the incidents tarnish the organizations’ reputations. They are also some of the easiest data breaches to prevent. On Friday last week, another covered entity, BlueCross Blue Shield of Nebraska, reported that a printing error had been made during a patient mailing, and each month in its report to Congress, the Department of Veterans Affairs lists numerous examples of errors made when sending letters/prescription information to veterans. Efforts...

Cyberattack Simulation Exercise Tests Incident Response Readiness
Dec07

It is no longer a case of whether a data breach will be suffered, but a matter of when it will occur. It is therefore essential that covered entities have a data breach response plan that can be put into action as soon as a cybersecurity incident is discovered. If cyberattack simulation exercises are conducted before a breach is suffered, the ability of an organization to respond appropriately, and to conduct an efficient breach response, will be greatly improved.

Breach Response Plan Testing Must Include Rigorous Cyberattack Simulation Exercises

It is essential that HIPAA-covered entities are able to respond quickly after discovering that a cybersecurity incident has been suffered. The first few hours after an attack are critical: key decisions must be made, personnel mobilized and third parties involved. Under HIPAA Rules, HIPAA-covered entities must conduct a breach investigation, which can be complex and long-winded. A full risk assessment must also be conducted, notices must be issued to victims, breach reports issued to OCR, the media must be alerted,...

Guidance on Patient Rights Under HIPAA Due this Month
Dec04

This December, OCR expects to issue a new document clarifying patient rights under HIPAA to access their own healthcare data, as part of the White House Precision Medicine Initiative.

Clarification Due on Patient Rights Under HIPAA to Access their Own PHI

The Health Insurance Portability and Accountability Act’s Privacy Rule introduced a number of new rules aimed at protecting the privacy of healthcare patients and health insurance subscribers. The Privacy Rule dictates when HIPAA-covered entities are permitted to disclose Protected Health Information (PHI) to third parties, and also makes provision for patients to access their own medical data. While most covered entities have now got to grips with the intricacies of the HIPAA Privacy Rule, not all appear to be certain about when medical records can be supplied to patients, or the extent of the data that must be disclosed upon request. Consumers are similarly unsure about their data access rights under HIPAA. The Office for Civil Rights (OCR) intends to clarify the situation, and will be issuing new guidance on patient rights under...

Read More
HIPAA Violation Fine of $3.5 Million for Triple-S
Dec02

HIPAA Violation Fine of $3.5 Million for Triple-S

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. This is the second HIPAA violation fine to be announced in the space of a week, with the latest financial penalty closely following the $850,000 settlement between OCR and Lahey Hospital and Medical Center. The latest fine highlights just how costly non-compliance can be. This does not need to be explained to Triple S Management Corporation. The company was already hit with a HIPAA violation fine of $6.8 million by the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal. The PRHIA fine was issued following the mailing of a pamphlet that displayed the Medicare Health Insurance Claim Numbers of subscribers. The HIPAA violation fine corresponded to $500 for each of the 13,336 members of the insurer’s Medicare...

Read More
Major Mobile Health Application Growth Predicted
Nov29

Major Mobile Health Application Growth Predicted

Mobile technology has the potential to revolutionize the provision of healthcare. Mobile technology is already having a major impact on the industry. According to PwC, one of the few limiting factors is how the technology can be implemented to allow healthcare providers to obtain the full benefits of the technology. This does not appear to have hindered growth in the sector. PwC has predicted growth to increase six-fold over the course of the next two years. Growth in the sector will mostly come from the development of new mHealth applications and from monitoring services. A new report published by healthcare market research firm Kalorama Information suggests that the growth of mobile health applications will outstrip all other mobile application areas over the next four years. The Kalorama report highlights the substantial growth already seen in the mHealth market so far in 2015. Manufacturers of devices, software developers, and providers of wireless services are capitalizing on growing demand. By the end of the year, the industry is expected to have generated close to $34 billion....

Read More
OCR Settlement Reached with Lahey Hospital
Nov25

OCR Settlement Reached with Lahey Hospital

The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights (OCR) over alleged HIPAA violations following a data breach that occurred back in October, 2011. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt the OCR's corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. The settlement covers six ‘potential’ violations of HIPAA Rules, specifically the failure to implement appropriate administrative and physical controls to prevent the accidental disclosure of ePHI. Failure to Safeguard ePHI Results in $850,000 Settlement The incident which led to the OCR investigation involved the theft of an unencrypted laptop computer that had been left in an unlocked treatment room at the hospital. The laptop contained data recorded from one of the medical center’s CT scanners. The laptop contained electronic Protected Health Information of 599 patients. A financial penalty was...

Read More
PHI Data Breaches Occur in Most Industry Sectors
Nov23

PHI Data Breaches Occur in Most Industry Sectors

Healthcare organizations and other HIPAA-covered entities are required to report PHI data breaches to the Department of Health and Human Services’ Office for Civil Rights, so it is easy to track the security breaches suffered over the past few years. However, PHI breaches are not specific to the healthcare industry. Protected Health Information is stored by all manner of organizations, and all are at risk of suffering PHI data breaches. According to a recent study conducted by Verizon Enterprise Solutions, PHI data breaches have been suffered by 90% of companies, including non-healthcare organizations. PHI is not just stored by healthcare providers and insurers. PHI is contained in HR files, in addition to employee program data and workers’ compensation schemes. Verizon completed an analysis of PHI data breaches that have occurred over the course of the past 20 years. 1,931 individual PHI data breaches were analyzed as part of the study. Those data security incidents exposed the PHI of 392 million patients and employees. The HHS’ Office for Civil Rights and the Department of...

Read More
FTC Data Breach Case Against LabMD Dismissed
Nov22

FTC Data Breach Case Against LabMD Dismissed

The Federal Trade Commission’s case against healthcare service provider LabMD has been dismissed by a Chief Administrative Judge due to a lack of evidence that patients were exposed to a significant risk of suffering a substantial injury as a result of their personal information being exposed. This is the first time a decision has gone against the FTC after a data breach case has been challenged. The initial decision on November 13 went against the FTC, although the FTC can lodge an appeal in the next 30 days. The FTC is currently considering the matter and deciding whether to appeal and send the case against LabMD to federal court to be decided. Judge Michael Chappell ruled that the FTC “failed to prove its case” that affected individuals were placed at a considerable risk of suffering harm or losses as a result of the incidents. Consequently, they were unlikely to constitute unfair trade practices. The case was originally filed against LabMD in August 2013. The security breaches cited in the case occurred in 2008 and 2012. In 2008, a document containing...

Read More
Even HHS Involvement Did Not Stop Months of Patient Privacy Breaches
Nov18

Even HHS Involvement Did Not Stop Months of Patient Privacy Breaches

A simple mistake can lead to the exposure of hundreds of private and confidential medical records, as discovered by Brooklyn marketing firm, APS Marketing Group. The company started receiving faxes containing the medical information of patients of an unnamed medical clinic in April, 2015. Despite efforts to contact the sender, the intended recipient, and the Department of Health and Human Services, the faxes kept on arriving. APS ended up receiving faxed medical documents for months on end and hundreds of patients had their medical records exposed. The information contained in the documents included patient names, contact information, the medical test that had been requested, and in some cases, also Social Security numbers. The error was caused as a result of a member of staff entering a fax number incorrectly. That simple mistake resulted in documents being sent to the wrong company, exposing the data of hundreds of patients. However, it is not the error that is worrying in this case, but how long it took for the HIPAA breaches to stop, even after the HHS got involved. The faxes...

Read More
Senators Demand Answers from CMS and OCR About Medical Identity Theft and Fraud
Nov13

Senators Demand Answers from CMS and OCR About Medical Identity Theft and Fraud

Four senators have put their names to a letter sent to Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), and Centers for Medicare and Medicaid Services (CMS) Acting Administrator Andy Slavitt, requesting answers about the growing issue of medical identity theft. Sen. Lamar Alexander, R-Tenn.; Sen. Patty Murray, D-Wash.; Sen. Orrin Hatch, R-Utah; and Sen. Ron Wyden, D-Ore., have signed the letter, which demands answers to nine questions relating to the role the HHS, OCR and CMS play in monitoring and addressing medical fraud and identity theft stemming from healthcare data breaches. Healthcare data breaches have exposed the Protected Health Information of over 105,000,000 individuals so far this year, and there are still over six weeks of 2015 to go. That figure is certain to rise. The problem is a growing concern. The total number of breach victims over the past 6 years stands at 154 million, which equates to close to half the population of the United States. The senators point out that the situation is only likely to get...

Read More
Healthcare Provider Not Liable for Social Media HIPAA Violation
Nov12

Healthcare Provider Not Liable for Social Media HIPAA Violation

On Monday this week, a case against University of Cincinnati Medical Center (UCMC) was heard by Judge Jody Luebbers in the Hamilton County Common Pleas Court regarding the posting of Protected Health Information of a patient on social media. The incident that triggered the lawsuit concerned the posting of a patient’s medical records by a woman employed in the financial services department at UCMC. The employee had accessed the medical records of the patient, taken a screenshot of her medical records and uploaded the image to her Facebook account. The image was then shared with members of a Facebook group. The same image was also emailed to the same individuals. The group in question had been named “Team No Hoes.” The patient in question had contracted syphilis and was pregnant at the time. The naming and shaming of the patient on social media was investigated by the hospital as soon as the privacy violation was discovered, and the employee lost her job as a result. Cases involving vicarious liability are often filed by co-workers who have suffered sexual harassment in the...

Read More
Conn. OIG Reaches $90K Settlement with Hartford Hospital and BA Over 2012 Laptop Theft
Nov10

Conn. OIG Reaches $90K Settlement with Hartford Hospital and BA Over 2012 Laptop Theft

Hartford Hospital and one of its Business Associates, EMC Corporation (EMC), have agreed to a settlement with the Connecticut Office of the Inspector General over the 2012 theft of a laptop computer containing the unencrypted data of 8,883 Connecticut residents. Hartford Hospital and EMC have agreed to a settlement of $90,000 to resolve the incident. The agreement was reached voluntarily, and no admission of liability has been accepted by either party. EMC was contracted by Hartford Hospital to assist with the completion of a quality improvement project in late December, 2011. The aim of the project was to ultimately reduce avoidable hospital admissions with patients suffering from congestive heart failure. The project required EMC to conduct an analysis of patient data, and EMC was provided with the Protected Health Information of patients for this purpose. However, on June 25, 2012 an unencrypted laptop computer containing patient data was stolen from the home of an EMC employee. The data does not appear to have been used inappropriately according to Hartford Hospital. After...

Read More
OIG Releases 2016 Work Plan: Expect Greater Oversight of OCR, Medical Devices and Emergency Planning
Nov06

OIG Releases 2016 Work Plan: Expect Greater Oversight of OCR, Medical Devices and Emergency Planning

Over the course of the next year, OIG is expecting to increase oversight of the Department of Health and Human Services’ Office for Civil Rights. OIG will also be looking closely at a specific area of HIPAA compliance: How hospitals are complying with the HIPAA Security Rule requirement for contingency planning for emergencies. HIPAA Requirements for Coping in Emergencies The administrative safeguards of the HIPAA Security Rule (45 CFR, Part 164 § 308(7)(i)) require all covered entities to be able to continue to function during emergency situations. Access to Protected Health Information (PHI) must be maintained at all times. Should access be lost, it must be restored as a priority. In order for covered entities to be able to do this, proactive steps must be taken. It is essential that policies and procedures are developed that can be implemented in case of disaster. Rapid action is required, and every individual must be aware of his or her responsibilities in case of emergency. This applies to emergency situations such as natural disasters, as well as at times when EHR...

Read More
Healthcare Fraud and HIPAA Violations: Warner Chilcott to Pay $125 Million
Nov05

Healthcare Fraud and HIPAA Violations: Warner Chilcott to Pay $125 Million

A unit of pharmaceutical company Warner Chilcott has agreed to plead guilty to healthcare fraud, and will be required to pay $125 million to resolve civil and criminal liability, according to the Boston US Attorney’s Office. The case against the pharmaceutical company is concerned with the illegal promotion of seven drugs. Payments were made to physicians to prescribe pharmaceuticals to patients over other drugs. This is of course not the first time such allegations have been made against drug firms, and nor is it the first time that pharmaceutical companies have been found to be liable. What makes this case different is the fact that charges have been filed against employees of Warner Chilcott and Warner Chilcott U.S. Sales LLC under HIPAA Rules. The case was possible under the False Claims Act, which permits private individuals to sue companies on behalf of the government under the Act’s whistleblower provisions. Two whistleblowers brought the case against the company and are being represented by law firms MoloLamken, Seeger Weiss, and the Simmer Law Group. The criminal charges...

Read More
Privacy and Security of Personal Wellness Data: CEA Releases New Private Sector Guidelines
Nov03

Privacy and Security of Personal Wellness Data: CEA Releases New Private Sector Guidelines

Wearable technology has proved popular with consumers, yet numerous questions have been raised about the privacy and security of personal wellness data collected, stored and transmitted by the devices. The Consumer Electronics Association (CEA) is well aware of the potential benefits of the devices, and also the risks of the privacy of users of the devices being violated. Currently the metrics recorded by the devices are limited, although there is considerable potential for devices to be developed that record a huge volume of data collected from consumers: Data that is actively recorded by the devices or entered in by users. Currently there are few controls covering data privacy and security, and consequently, considerable variation in those implemented by device manufacturers. As the volume of data recorded grows, so too will the privacy risk. Now is therefore the time to start building security and privacy controls into the devices, yet many manufacturers of wearable technology are unsure about how best to secure data and protect the privacy of users....

Read More
Unencrypted Device Theft Continues to Plague HIPAA CEs
Oct21

Unencrypted Device Theft Continues to Plague HIPAA CEs

Device theft continues to expose the PHI of healthcare patients, and the past three months have seen a high volume of security incidents reported to the Office for Civil Rights which have involved the loss and theft of portable devices used to store the confidential Protected Health Information (PHI) of patients. The latest case involves Johns Hopkins Medicine, where the theft of an unencrypted laptop computer has exposed the PHI of 571 patients and 267 research subjects. Johns Hopkins Hospital Data Breach A physician from Johns Hopkins Medicine is reported to have had a suitcase stolen at an airport on August 10, 2015. In that suitcase was the physician’s laptop computer, which contained a limited amount of data relating to patients and research subjects. The laptop was unencrypted, therefore the theft potentially exposed the PHI of a number of individuals, although it is probable that the theft was an opportunistic crime, rather than the physician being targeted by a thief seeking medical data and Social Security numbers. In this case, the laptop did not contain highly...

Read More
CMS Finalizes Meaningful Use Rules
Oct08

CMS Finalizes Meaningful Use Rules

The Centers for Medicare & Medicaid Services (CMS) has released the final rule modifying Meaningful Use Program requirements (2015-2017) in addition to postponing mandatory adoption of Meaningful Use Stage 3 requirements. The changes simplify the Meaningful Use requirements for eligible hospitals and healthcare professionals. The changes have taken some time to be finalized. Following on from the interim rule, comments were requested from the general public. Over 2,500 comments were received and reviewed, many of which highlighted the considerable reporting burden placed on healthcare professionals and hospitals participating in the Meaningful Use program. After considering the comments, modifications were made to simplify Stage 3 requirements and add more flexibility to the program, which should ease the reporting burden. Changes were also made to support interoperability and improve outcomes. Dr. Patrick Conway, M.D., M.Sc., CMS deputy administrator for innovation and quality and chief medical officer, said “We have a shared goal of electronic health records helping...

Read More
OCR Confirms Phase 2 HIPAA Compliance Audits to Commence Early 2016
Oct02

OCR Confirms Phase 2 HIPAA Compliance Audits to Commence Early 2016

The Director of the Department of Health and Human Services’ Office for Civil Rights, Jocelyn Samuels, has confirmed the second phase of the HIPAA compliance audits will be commencing in early 2016. No more delays are expected. HIPAA-covered entities will soon have their compliance efforts put to the test and Business Associates will also not escape. They too will be assessed on compliance with the HIPAA Privacy, Security and Breach Notification Rules. Samuels recently wrote to the HHS Inspector General following strong criticism received about the OCR’s enforcement activities in addition to inconsistencies enforcing HIPAA Rules. At present, the OCR relies heavily on reports of privacy violations from the general public and self-reporting of data breaches to identify HIPAA violations and to choose which entities to investigate. The agency has yet to develop a permanent HIPAA-compliance audit program, even though such a program was much talked about early in Leon Rodriguez’s tenure as head of the OCR. According to a recent OIG report, released on Tuesday, “Without fully implementing...

Read More
OIG Criticizes OCR for Lax Enforcement Standards and Poor Oversight of Covered Entities
Oct02

OIG Criticizes OCR for Lax Enforcement Standards and Poor Oversight of Covered Entities

Take a look at the Department of Health and Human Services’ Office for Civil Rights website and you will discover relatively few financial penalties have been issued for HIPAA Privacy violations. Even apparently serious violations of HIPAA Rules have not always resulted in financial penalties being issued. Out of the thousands of data breaches listed on the website, only a tiny percentage have resulted in financial penalties being issued, with the OCR often favoring other enforcement actions. This has not gone unnoticed by the Office of the Inspector General (OIG). The OIG has just published the findings from two studies conducted on the OCR to assess how well the agency is enforcing HIPAA Rules. Poor Oversight of HIPAA Covered Entities The first study was conducted to assess the OCR’s oversight of covered entities’ compliance with the Privacy Rule. OIG investigators took a sample of Medicare Part B providers that had reported data breaches to the OCR between September 2009 and March 2011. The OIG then assessed the extent to which those organizations had addressed five privacy...

Read More
New Rules for Electronic HIPAA Transactions Approved by CAQH CORE
Sep28

New Rules for Electronic HIPAA Transactions Approved by CAQH CORE

Last week, the CAQH® Committee on Operating Rules for Information Exchange (CORE®) approved a new set of national rules for electronic HIPAA transactions, as part of Phase IV of the CAQH® CORE® Operating Rules. The new rules for electronic HIPAA transactions cover four groups of healthcare business transactions – prior authorizations, employee premium payment, enrollment/disenrollment in health plans, and healthcare claims. The aim of the new rules is to facilitate the exchange of healthcare information, as mandated by the Affordable Care Act (ACA). The new rules will augment existing HIPAA administrative standards to ensure uniform transmission of electronic healthcare data. Phase IV of the CAQH® CORE® Operating Rules address infrastructure requirements such as connectivity, system availability and response times. Rules covering data content of transactions are due to be added to the Operating Rules at a later date. The approval process involves a vote on the new rules by the subgroups and work groups responsible for preparing the draft version of the Operating Rules. If the new...

Read More
Flowers Hospital Urges Federal Judge to Dismiss Class Action Data Breach Lawsuit
Sep19

Flowers Hospital Urges Federal Judge to Dismiss Class Action Data Breach Lawsuit

Lawyers representing Flowers Hospital in Dothan, AL, have urged a federal judge to dismiss a proposed class action data breach lawsuit filed against the hospital, against the recommendation of a magistrate judge. The lawsuit was first filed in May 2014, after a former employee of the hospital – Kamarian Millender, 29, of Headland, AL – was discovered to have stolen the Protected Health Information (PHI) of patients, with the intent of using the data to file false tax returns. Patient names, dates of birth, Social Security numbers and health plan information were stolen from the hospital between June 2013 and February 2014. The hospital discovered the theft on February 26, and Millender’s employment contract was terminated. Millender was subsequently charged with trafficking in stolen identities, and admitted to filing at least 73 fraudulent tax returns in the names of the victims. Flowers Hospital issued breach notification letters to the victims shortly after the discovery of the privacy violation, and offered the affected patients a year of credit monitoring services...

Read More
OCR HIPAA Compliance Audits to Commence in 2016
Sep09

OCR HIPAA Compliance Audits to Commence in 2016

The new Deputy Director for Information Privacy at the Department of Health and Human Services’ Office for Civil Rights has been adjusting to life at the OCR since her appointment earlier this year, but until now she has not given an interview to the news media. However, she recently gave an exclusive interview to the Security Media Group, in which she cast some light on planned OCR activities, including the upcoming HIPAA compliance audits. Deven McGraw Gives First News Media Interview McGraw spoke with HealthcareInfoSecurity.com’s Executive Editor, Marianne Kolbasuk McGee, and was quizzed on OCR enforcement activities, current and future OCR initiatives, and was asked the question that is on everyone’s lips at the moment: When will the HIPAA compliance audits take place? A Shortage of Resources has been McGraw’s Biggest Challenge The program of random HIPAA audits was penciled in for 2014; however the sheer scale of the job has caused problems. Audits take a considerable amount of time and resources, something which the OCR lacks. McGraw confirmed that the current...

Read More
Jocelyn Samuels Gives Update on OCR Compliance Audits
Sep04

Jocelyn Samuels Gives Update on OCR Compliance Audits

Since the announcement that the second phase of compliance audits would be delayed, the Department of Health and Human Services’ Office for Civil Rights has remained tight-lipped over timescales. Now, a year on from the original proposed start date, many expected OCR Director, Jocelyn Samuels, to give a timescale for the HIPAA audit program at the Safeguarding Health Information: Building Assurance through HIPAA Security conference in Washington this month. Samuels gave a keynote address at the National Institute of Standards and Technology (NIST) and Office for Civil Rights (OCR) hosted conference, and while she did not provide a date or a timeline for the compliance audits, she did indicate the audits are now very close to becoming a reality. She explained that the OCR has many roles, with compliance audits a part of its enforcement activities. “Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and our...

Read More
New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000
Sep02

New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000

A new OCR HIPAA penalty has been issued for a breach of HIPAA regulations. Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach. Back in August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients. The stolen device contained highly sensitive data, which included the Social Security numbers of patients: Exactly the data needed by identity thieves to rack up tens of thousands of debts in the names of the breach victims. The data on the drives was not encrypted. HIPAA Does Not Demand Data Encryption Under the HIPAA Security Rule, data encryption is only an addressable issue. This means that a HIPAA-covered entity must consider data encryption for all PHI stored, transmitted, or backed up. A HIPAA-covered entity can make an...

Read More
4 out of 5 Healthcare Providers Have Been Hacked, Say KPMG
Aug30

4 out of 5 Healthcare Providers Have Been Hacked, Say KPMG

The healthcare industry is under attack. Hackers are targeting healthcare providers, insurers and other HIPAA-covered entities for the precious data they hold, yet health firms are still unprepared to deal with the threat. The seriousness of the situation has been illustrated in a recent cybersecurity report from KPMG. The company commissioned a survey (conducted by Forbes Insights) which shows that 81% of health firms have suffered a cyberattack in the past two years, but only 53% of providers and 66% of payers consider themselves ready to defend against a cyberattack. The survey was conducted on CIOs, CTOs and Chief Compliance Officers in healthcare organizations with revenues in excess of $500 million per annum. Healthcare providers’ and insurers’ cybersecurity measures were assessed via the questionnaire. The report shows that in spite of the increased threat to data security, healthcare organizations are ill prepared for an attack. A quarter of respondents said their organizations were not able to detect cyberattacks in real time, as they lack the necessary software systems to do so....

Read More
VisionWorks Agrees to $100K Data Breach Settlement with Maryland AG
Aug21

VisionWorks Agrees to $100K Data Breach Settlement with Maryland AG

Visionworks LLC has agreed to settle with the Maryland Attorney General for exposing the Protected Health Information (PHI) of approximately 72,000 Marylanders. The company will pay a fine of $100,000 to the state for data security failures that led to the breach. Two Data Breaches Reported in Quick Succession The company discovered two separate data breaches – reported in November and December of last year – that exposed the PHI of 122,627 individuals. The first incident was classified as a lost server, which contained 74,944 records, with the second reported as a network server theft, exposing 47,683 records. The servers are most likely now in landfill; however the incident did potentially expose names, addresses, dates of birth and purchasing histories. The company was reportedly in the process of upgrading to encrypted servers; however old servers were unsecured in the company’s stores; a breach of the HIPAA Security Rule, which requires physical safeguards to be put in place to keep PHI secured. It is believed that the servers were mistakenly disposed of, and...

Read More
Class-Action for Advanced Data Processing Breach Denied
Aug17

Class-Action for Advanced Data Processing Breach Denied

An Advanced Data Processing breach lawsuit was recently filed in a Florida court, with the case taking just 24 hours to be tossed by the judge. In this case, the judge ruled that the move to certify the class was premature, and the case was denied, even though the plaintiff alleges to have suffered identity theft as a direct result of the data breach. In the lawsuit, the plaintiffs allege that in 2012, the healthcare clearinghouse suffered a data breach that exposed the Protected Health Information (PHI) for several months. The data stolen is alleged to have been used to steal identities and fraudulently obtain funds from the IRS. The suit also claims there was a delay in issuing breach notification letters to victims, some of whom were not notified of the theft of their data for three years. The data breach affected 27 agencies in 17 states, and in total 10,000 individuals had their data stolen and potentially sold to an identity theft ring. One plaintiff, Yehonatan Weinberg, claimed to have visited a Californian hospital in 2012, yet received a breach notification letter in April...

Read More
HIPAA Data Breach Report July 2015
Aug14

HIPAA Data Breach Report July 2015

The HIPAA Journal Healthcare Data Breach Report July 2015 has been compiled from breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. The breach reports give an indication of the current state of healthcare data security, and how well HIPAA-covered entities are applying HIPAA rules to keep patient data secured. Scroll down for our July 2015 healthcare data breach infographic summary. A Bad Month for Patient Privacy Hackers struck again in July, causing two large scale data breaches that exposed the records of millions of patients; two of the most serious healthcare data breaches ever reported. Hackers were discovered to have compromised the systems of four more healthcare providers, and stole highly confidential medical data and millions of Social Security numbers. Risk of Hacking Greater than Ever Hackers may have only accounted for four of the 21 data breaches reported in July, but those attacks proved highly damaging. 8,464,637 new breach victims were confirmed by the July...

Read More
New Basic Guide to HIPAA Compliance Released By HHS
Aug05

New Basic Guide to HIPAA Compliance Released By HHS

The Department of Health and Human Services’ Office for Civil Rights has recently issued a basic guide to HIPAA compliance; a summary of HIPAA Rules for covered entities. A Basic Guide to HIPAA Compliance The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA covered entities, to safeguard data, protect the privacy of patients, and notify them of incidents that expose their Protected Health Information (PHI). HIPAA legislation is complicated, and many covered entities, especially smaller healthcare providers, struggle to understand the HIPAA Privacy, Security, and Breach Notification Rules, and turn those rules into policies and procedures. The Department of Health and Human Services’ Office for Civil Rights is the enforcer of HIPAA Rules, and while the agency investigates data breaches, it is also charged with improving understanding of data privacy and security legislation. One way it achieves this objective is by issuing guidance to...

Read More
North East Medical Services HIPAA Breach Reported: 69,246 Affected
Aug03

A HIPAA breach has been reported by North East Medical Services (NEMS). The Protected Health Information of almost 70,000 patients has potentially been exposed after an unencrypted laptop was stolen from a NEMS employee’s car. According to a breach notice sent to the California Department of Public Health, the incident occurred on July 11, 2015. The laptop was left in the locked trunk of a vehicle, from where it was subsequently stolen. The healthcare provider was alerted to the theft on July 13.

North East Medical Services HIPAA Breach Exposed “Limited Personal Information”

The investigation launched following the crime revealed that the laptop contained data relating to 69,246 patients, which according to the breach notice consisted of one or more of the following data elements: patient name, gender, date of birth, address, phone numbers, and payer/insurer information. No medical records were stored on the laptop, although some patients’ diagnoses, test results, medications, treatments and appointment times were listed in spreadsheets stored on the computer. No...

Read More
Indiana Attorney General Advises Hoosiers to Exercise Extreme Caution after MIE Data Breach
Jul31

As further details of the MIE data breach emerge, the Indiana State Attorney General, Greg Zoeller, has urged all state residents to exercise extreme caution and put credit freezes on their accounts to protect against identity theft and fraud. The MIE data breach exposed a significant amount of personal and highly sensitive data, and is understood to have affected more than 1.5 million individuals in the state of Indiana. In total, approximately 4 million records were exposed.

High Risk of Fraud and Identity Theft from MIE Data Breach

The data breach at Anthem may have exposed about 20 times as many records as the MIE data breach, but what is particularly worrying in this instance is that Social Security numbers and health data have been exposed, placing breach victims at a much higher risk of suffering financial losses. Zoeller said, “These are very significant medical records, lab reports, people’s charts essentially online.” Zoeller pointed out that the incident has not just increased the risk of fraud; the information has already been used for fraudulent purposes. He said, “We’re...

Read More
American Hospital Association Opposes HIPAA HPID Use
Jul24

Earlier this week, the Vice President and Deputy Director of the American Hospital Association (AHA) sent a letter to the Centers for Medicare & Medicaid Services (CMS) expressing concern over the implementation of Health Plan Identifiers (HPIDs) and Other Entity Identifiers (OEIDs).

HPID Use and HIPAA

When HIPAA was introduced, it called for national identification numbers to be used for healthcare providers, health plans and individuals. A national identifier was introduced in 2004, although the IDs were only for providers, not individuals. In September 2012, the HPID proposed rule was published, although it took until November 2014 before the rule was finalized. HPIDs and OEIDs will be required in HIPAA transactions from November 7, 2016. It is not a requirement for health plans to be identified in HIPAA transactions, but if they are, from November 7 next year an HPID must be used.

AHA States Opposition to HPID Use in HIPAA Transactions

The letter, sent from Ashley Thompson to Andy Slavitt, the acting administrator for CMS, stated the AHA’s opposition to...

Read More
Class Action Filed Against UCLA for 4.5 Million-Record Data Breach
Jul23

It has been less than a week since the announcement that the patient database at UCLA Health System was hacked, and already a class action lawsuit has been filed by one patient, Michael Allen of Casper, Wyoming, on behalf of “several million individuals”. Allen, represented by Kevin Mahoney of Long Beach, claims UCLA Health System’s failure to encrypt data constitutes unlawful business practices, breach of contract, unjust enrichment and negligence. He is seeking class certification and as yet unspecified damages for fraud, violation of medical confidentiality, invasion of privacy and the costs of filing the lawsuit. UCLA hospitals and the University of California Board of Regents were named in the lawsuit, which was filed on Monday of this week. The breach was announced on July 17, barely one business day before the lawsuit was filed. In the lawsuit, Allen claims the lack of data protection, specifically the lack of data encryption, amounted to negligence. “Due to defendants’ failure to take the basic steps of encrypting patients’ data, it was much easier...

Read More
Class Action Filed Against Charleston Area Medical Center for 2013 Data Breach
Jul21

A class action lawsuit has been filed in the Kanawha Circuit Court against Charleston Area Medical Center for a data breach that occurred between August 2013 and February 2014. The lawsuit has been filed by two plaintiffs, Tiffany Mallion and Nickole Pullen, who were patients of the medical center at the time of the data breach and had their data exposed. They claim they entered into an agreement with the hospital to receive treatment, and that the agreement also included securing their health information. They claim their Protected Health Information (PHI) was exposed as a result of a number of security failures at the medical center. It is alleged that the protections put in place to secure data were insufficient, and left highly sensitive information “unprotected, unguarded and unsecured.” A catalog of security failings has been cited, such as the failure to train staff on privacy and data security matters, a failure to protect data, and a lack of physical protections to secure the equipment on which the data was stored. As a result, the plaintiffs claim “their...

Read More
Plea Deal Taken by Hospital ID Thief after Filing $489,000 in False Tax Claims
Jul19

Two former healthcare workers who took part in a hospital identity theft scheme are currently negotiating plea deals to avoid trial. They stand accused of accessing and stealing hospital medical records, and using the information to file fraudulent tax returns. Six charges have been filed against Martez Lear, 29, of Farmington Hills, while his partner in crime, Markitta Washington, a former Farmington Hills resident, has also been charged. The crimes were committed between 2011 and 2014. Washington is accused of using her access privileges while employed at Detroit’s Henry Ford West Bloomfield and DMC Harper Hospitals to access and steal patient medical records. Patient names, dates of birth, Social Security numbers, financial information and credit card details were viewed, copied and passed to Lear, who used the information to file fraudulent tax returns. The matter was brought to the attention of law enforcement officers and an investigation was conducted by the Southeast Michigan Financial and Cyber Crimes Task Force, the IRS, local law enforcement agencies and the West Bloomfield...

Read More
UCLA Health System Hacked: 4.5 Million Patient Records Exposed
Jul18

The University of California, Los Angeles Health System (UCLA) has reported it has been targeted by hackers who potentially accessed and copied a database containing the Protected Health Information (PHI) of up to 4.5 million patients and hospital staff members. The UCLA Health network consists of four hospitals: The Ronald Reagan UCLA Medical Center, UCLA Medical Center, Santa Monica, Mattel Children’s Hospital & Resnick Neuropsychiatric Hospital. It also has approximately 150 offices in Southern California. Any person who has previously received medical services from UCLA Health in the past 25 years could potentially be affected. Some of the exposed records dated back to 1990. UCLA employees are also believed to have had their data exposed. The data compromised in the incident included patient names, dates of birth and home addresses along with Social Security numbers, Medicare numbers, health plan/health insurance identification numbers and health information. No financial data appears to have been exposed to the hackers. If the data has been copied, it would allow the...

Read More
URMC Takes Action to Prevent Future Patient Privacy Violations
Jul17

In May, the University of Rochester Medical Center suffered a data breach after an employee took the Protected Health Information (PHI) of patients to a new employer, all in the name of continuity of patient care. The employee in question, a nurse practitioner in the Department of Neurology, was concerned about patients’ continuity of care after she left her employment. She was provided with a printed list of patients’ information by the medical center for the purpose of adding notes and information that would ensure patients did not suffer any fall in care standards as a result of her departure. The list was not collected before the employee left her employment, and the information was subsequently disclosed to her new employer. With the benefit of hindsight, it was perhaps ill-advised to have provided printed PHI to a member of staff about to take employment with another local healthcare provider. However, all that can be done now is to notify the patients concerned and make changes to policies and procedures to ensure a similar incident cannot happen...

Read More
2015 Biannual Healthcare Data Breach Report Released
Jul15

The healthcare industry had a particularly torrid time last month, with 18 data breaches reported to the OCR exposing 1,455,863 records, the bulk of which came from the CareFirst data breach. This month the number of data breaches reported has increased to 21, although the number of new victims created was much lower, with 159,231 individuals affected. An analysis of the data breach reports for the past three years shows that little has changed since 2014, “the year of the data breach,” at least not for the better. Fewer data breaches have been reported in 2015 than in 2014, 122 compared to 131, up until the end of June. However, measure the year by the number of victims created and 2015 is on an entirely different scale. 89,439,761 new data breach victims have been created so far this year, compared to 12,503,190 last year and 851,433 in 2013. Many of this year’s victims are now data breach veterans, having had their data exposed by their insurer and their healthcare provider.

Biannual Data Breach Report

2014 saw a big rise in the number of reported data breaches, and this year...

Read More
BCBSA Offers Identity Theft Protection Services to All 106 Million Members
Jul15

Yesterday, the Blue Cross Blue Shield Association (BCBSA) made a surprising announcement: it will be offering identity theft protection services to all 106 million of its members, in an effort to address the rapidly increasing risk of data theft and fraud. The Blue Cross and Blue Shield Association consists of 36 independent, community-based and locally-operated companies, which together serve the entire United States. One in three Americans has a health insurance policy run by a BCBSA company. The unprecedented move comes after BCBSA health plan members have suffered numerous data breaches, including the massive data breaches at Anthem, CareFirst and Premera Blue Cross. Identity theft protection services do not come cheap, especially when the unit cost must be multiplied by 106 million. This move carries a significant cost, even with a bulk discount, and shows a strong commitment to plan members. This is a very positive, proactive step to take, and one likely to win back the faith of many members. The new service will provide “heightened safeguards for plan members.” BCBSA may not be able...

Read More
UPMC Health Plan Data Breach Affects 722 Subscribers
Jul15

UPMC Health Plan has reported a data breach that affected 722 insurance subscribers. This is the second data breach to affect the health plan this year. In May, UPMC reported 2,000 patient records had been compromised. The latest data breach appears to have resulted from an internal error. Yesterday, UPMC spokeswoman Gina Pferdehirt said patient information was compromised when an email containing PHI was sent to an unauthorized person. The statement released by UPMC says the email was sent by accident, suggesting there was no malicious intent behind the data breach. According to UPMC, “The email meant for a physician’s office in Lawrence County was sent instead to an incorrect address, revealing patient names, insurance membership numbers, birth dates and phone numbers.” In a response provided to the Pittsburgh Post-Gazette, Pferdehirt said, “while we take this seriously, in context the breach is very minor.” The email did not contain financial information, health data or Social Security numbers, although member names, dates of birth, ID numbers and phone...

Read More
Healthcare Data Breach Report: June 2015
Jul14

This month’s healthcare data breach report looks a lot healthier than May’s; May was a particularly bad month for data breaches, with over 1.1 million records exposed in 18 security incidents. June could be considered a relatively good month for the healthcare industry in terms of records exposed, although more security incidents were reported in June than in May, and numbers have not changed much year on year: 21 breaches were reported in June compared to 23 last year. In total, 159,231 records were reported as being exposed during the month. In June 2014 the figure stood at 252,873, and in June 2013 only 46,713 records were compromised.

Quarterly Figures Show Little Has Changed Since 2014

Data breach figures for the second quarter of 2015 differ by only one incident from this time last year. Data breaches continue to be experienced at the same rate, in spite of improved protections being put in place by healthcare providers. It would appear it is only possible to keep pace with malicious insiders and outsiders. Figures for the quarter indicate 750,000 more data breach...

Read More
HIPAA-Altering Cures Bill Passed by House of Representatives
Jul11

The controversial 21st Century Cures Bill was unanimously passed by the House Energy and Commerce Committee in May, and on Friday, July 10, 2015, the U.S. House of Representatives passed the Bill by a vote of 344 to 77.

21st Century Cures Bill to Remove Obstacles in the Way of Medical Research

Medical research and innovation are being hampered by HIPAA, according to proponents of the 21st Century Cures Bill. The Bill aims to remove these and other barriers to help advance America’s search for new ways to tackle superbugs, antibiotic-resistant bacteria and the deadly viruses now threatening the health of U.S. citizens. The Cures Bill has received some criticism in its short history. Privacy advocates object to the wide range of data that could potentially be shared: information currently under the protection of HIPAA. It is feared that the Bill could weaken HIPAA protections if it becomes law. If that happens, HIPAA Rules would certainly need to be changed.

HIPAA Changes Necessary as a Result of the Cures Bill

At present, the HIPAA Privacy Rule restricts the use and...

Read More
New OCR HIPAA Settlement: St. Elizabeth Medical Center to Pay $218,400 for Violations
Jul11

Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a HIPAA settlement has been reached with St. Elizabeth Medical Center (SEMC) for violations of the HIPAA Privacy, Security and Breach Notification Rules. The settlement was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing the unencrypted data of 595 patients. The number of records exposed was relatively low compared to some of the recent “mega data breaches”, but OCR deemed the failings leading to the security incidents serious enough to warrant a financial penalty. This OCR HIPAA settlement shows how important it is to make HIPAA compliance a priority. Data breaches may not always be preventable; HIPAA violation penalties are.

Privacy, Security and Breach Notification Rule Violations Uncovered

The initial HIPAA violation was uncovered in November 2012, when a complaint was received by OCR alerting it to potential...

Read More
Los Angeles County Government Has Been Putting Patient PHI at Risk for 7 Years
Jul10

The Los Angeles County government has failed to safeguard the Protected Health Information (PHI) of residents for up to seven years, according to a recent audit. Three departmental audits have been conducted since December 2014, and a catalog of data security failures has been uncovered that potentially put PHI in the hands of thieves. Data including Social Security numbers and health information could be accessed by former workers, and the information could already be in the hands of criminals. It is simply not known. Computer equipment has vanished, having been misplaced or stolen; devices were not encrypted; and equipment was simply not tracked.

Serious Administrative Failures Lasting up to 7 Years

Serious administrative failures in several L.A. County government departments were discovered by auditors, the most serious being a failure to terminate access to computer systems when employees changed employment. An audit of the Probation Department revealed 695 former employees still had access to computer systems containing the protected health data...
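The access-termination failure described above is the kind of thing that can be caught mechanically by reconciling the HR separation roster against each system’s account list on a schedule. What follows is an added example, not code from the audit or from L.A. County: a Python check over a constructed HR roster and a constructed account export from a system holding PHI. It flags enabled accounts whose owner separated more than a grace window ago, escalates those that were actually logged into after the separation date, and also reports accounts with no HR owner at all. The sample data, the AS_OF date, the one-day grace window and the field layout are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample HR separation roster (hypothetical, not the audit's
# records): employee ID -> separation date, or None if still employed.
HR_ROSTER: dict[str, Optional[date]] = {
    "e100": None,
    "e101": date(2015, 1, 9),
    "e102": date(2014, 11, 20),
    "e103": date(2015, 6, 30),
}

# Constructed sample account export from a system that holds PHI:
# (employee_id, account_name, enabled, last_login or None).
ACCOUNTS: list[tuple[str, str, bool, Optional[date]]] = [
    ("e100", "jdoe", True, date(2015, 7, 1)),          # current employee
    ("e101", "asmith", True, date(2015, 3, 2)),        # logged in after separation
    ("e102", "bjones", True, None),                    # enabled long after separation
    ("e103", "clee", True, date(2015, 6, 29)),         # separated yesterday, in grace
    ("e104", "svc_backup", True, date(2015, 7, 1)),    # no HR record at all
    ("e102", "bjones_adm", False, date(2014, 11, 1)),  # already disabled: fine
]

AS_OF = date(2015, 7, 1)  # assumed date on which the reconciliation is run


@dataclass(frozen=True)
class Finding:
    account: str
    employee_id: str
    severity: str  # "high" if the account was used after the owner separated
    reason: str


def find_orphaned_access(roster, accounts, as_of=AS_OF, grace_days=1):
    """Return enabled accounts whose owner has left (beyond the grace window)
    or cannot be matched to an HR record, most serious first."""
    findings = []
    for emp_id, account, enabled, last_login in accounts:
        if not enabled:
            continue  # already revoked; nothing to report
        if emp_id not in roster:
            findings.append(Finding(account, emp_id, "medium",
                                    "no HR record for account owner"))
            continue
        separated = roster[emp_id]
        if separated is None:
            continue  # owner is still employed
        days_since = (as_of - separated).days
        if days_since <= grace_days:
            continue  # deprovisioning still within the agreed window
        if last_login is not None and last_login > separated:
            findings.append(Finding(account, emp_id, "high",
                                    f"logged in on {last_login} after separation on {separated}"))
        else:
            findings.append(Finding(account, emp_id, "medium",
                                    f"still enabled {days_since} days after separation"))
    # High-severity findings first, then alphabetical by account name.
    findings.sort(key=lambda f: (f.severity != "high", f.account))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_access(HR_ROSTER, ACCOUNTS):
        print(f"[{f.severity.upper():6}] {f.account:12} ({f.employee_id}): {f.reason}")
```

Run as-is it reports asmith (high: used after separation), then bjones and svc_backup (medium). The account with no HR owner is reported deliberately: a service or shared account nobody is accountable for is the other way access survives a departure, and it will never show up in a roster-driven termination workflow.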

Read More
Jason Pierre-Paul Finger Amputation Disclosure Violates HIPAA Rules
Jul09

to a news report on ESPN. Surgeons treated the football player after the accident, but were unable to save his right index finger. A tragedy such as this would naturally make the news; however, it is making headlines for another reason. Information about Pierre-Paul’s medical condition appears to have been leaked to the media from a source within the hospital, breaching the Health Insurance Portability and Accountability Act (HIPAA) and violating Pierre-Paul’s right to privacy. The circumstances surrounding the disclosure strongly suggest no prior consent was obtained from Pierre-Paul before the information was disclosed; even the New York Giants were unaware their defensive end had had a digit removed until they heard the report on ESPN.

ESPN Reports on Pierre-Paul’s Medical Status

The news broke on Sunday after a healthcare worker at the hospital disclosed the news about the celebrity patient to a friend, violating Pierre-Paul’s privacy and breaching HIPAA Rules. That friend then posted the information online via his Twitter account, and from there rumors started...

Read More
State Data Breach Laws Should Preempt Federal Laws, Says NAAG
Jul08

Yesterday, the National Association of Attorneys General (NAAG) sent a letter to congressional leaders urging them to consider the state laws that have been put in place to protect consumers, and not to diminish the role that state Attorneys General play in enforcing data security and protection laws. The letter urges Congress not to make changes to federal data breach notification and data security laws that would lessen the protections put in place by the states, and to refrain from introducing data security and data breach notification laws that pre-empt those introduced in each state. There are a number of bills pending which include data security and breach notification requirements that would pre-empt state laws.

A Similar Request Was Made a Decade Ago

This is not the first time the NAAG has written to Congress on state security breach notification laws; a similar request was made in 2005. In that letter it was argued that “Pre-emption interferes with state legislatures’ democratic role as laboratories of...

Read More
FBI Alert Suggests OPM/Anthem Malware Link
Jul05

The recently discovered data breach at the Office of Personnel Management (OPM) appears to have sparked an FBI alert (FBI memo A-000061, issued June 5, 2015, according to CSO) over a particularly nasty strain of malware called Sakula.

Healthcare Organizations under Threat from Sakula Malware

Sakula is a RAT, or Remote Access Trojan: once installed on a victim’s computer it gives the attackers remote control of the host, allowing them to modify the system, download additional files and tools, and carry out whatever further actions they choose. The malware is typically delivered via compromised websites and pop-ups, or installed via malicious email attachments. The FBI memo warns that: “Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions.”

Sakula Linked to Anthem and OPM Data Breaches

The timing of the FBI’s high-confidence alert may be a coincidence, although given recent events this appears unlikely. The...

Read More
Trust can be Regained with Prompt Data Breach Notices
Jul01

Disgruntled patients will be lost to other healthcare providers and insurers after a data breach; however, there will not necessarily be a mass exodus provided the breach is managed properly. Get the breach response right and it can go a long way towards rebuilding patients’ trust in an organization.

Survey Indicates Americans Want the Truth about Data Breaches

A new survey conducted by Qualtrics, a company specializing in email data protection, indicates the general public is aware that data breaches are now a part of life; however, trust in a retailer or healthcare provider is lost after personal data is exposed. Trust in a HIPAA-covered entity may be lost, but it can be regained. The survey results suggest the best way to do this is with openness, honesty and the issuing of prompt data breach notices. The study was conducted on a sample of 500 Americans aged between 18 and 75, with respondents asked their thoughts about data breaches and how their behavior has changed as the threat of a data breach has risen. The data shows Americans want to be told the truth about...

Read More
Healthcare Thieves and Fraudsters Brought to Justice
Jun28

The past two weeks have seen hundreds of criminals arrested for healthcare fraud and a number of indictments filed against the perpetrators of Medicare and tax fraud rings. The FBI was responsible for bringing in most of the criminals following a major Medicare fraud takedown. The players in the Medicare fraud ring were able to obtain hundreds of millions of dollars in Medicare payments before being caught.

FBI Makes 243 Arrests for Healthcare Fraud

On June 18, the FBI announced it had arrested 243 individuals in a nationwide operation targeting those responsible for obtaining over $712 million through fraudulent Medicare claims. The operation was the largest ever conducted, resulting in more arrests and a higher fraud value than any previous Medicare fraud takedown. A number of doctors, nurses and other medical professionals were also arrested for supplying data to the fraudsters. According to FBI Director James B. Comey, “There is a lot of money there, so there are a lot of criminals.” He went on to say, “In these cases, we...

Read More