$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark
Oct16

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals. Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation. The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino. Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted...

Read More
Aetna Settles HIPAA Violation Case with State AGs
Oct15

Aetna Settles HIPAA Violation Case with State AGs

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses. A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches. The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing. In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the...

Read More
UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations
Sep24

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information. In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names. It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security...

Read More
August 2018 Healthcare Data Breach Report
Sep21

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches. There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached. Causes of Healthcare Data Breaches in August 2018 Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks. Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt
Sep19

California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt

In June 2018, the legislature in California passed the California Consumer Privacy Act (CCPA) which introduced major changes to state law to protect the privacy of consumers. CCPA introduced new privacy protections and rights for consumers, several of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR). The CCPA does not go as far as GDPR and only applies to for-profit companies that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted and to prevent personal data from being sold. The CCPA has been heavily criticized, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to lawmakers in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law...

Read More
Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information
Sep13

Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information

On Wednesday, September 12, 2018, President Trump approved a request for a federal emergency declaration in the state of Virginia and made FEMA resources available for the state. The Secretary of the U.S. Department of Health and Human Services, Alex Azar, has also declared a Public Health Emergency in Virginia, North Carolina, and South Carolina. The Secretarial declaration eases certain HIPAA restrictions and helps Centers for Medicare & Medicaid Services’ (CMS) beneficiaries and their healthcare providers prepare for the possible impact of Hurricane Florence and provides greater flexibility to meet emergency health needs. During severe disasters and public emergencies healthcare providers face increased challenges and may struggle to continue to meet all requirements of the HIPAA Privacy Rule. In emergency situations, such as during hurricanes, the HIPAA Privacy Rule still applies; however, Alex Azar’s declaration of a Public Health Emergency means certain provisions of the Privacy Rule have been relaxed under the Project Bioshield Act of 2004 (PL 108-276) and section...

Read More
HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules
Jul30

HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules

At a July 27 address at The Heritage Foundation, Secretary of the Department of Health and Human Services (HHS), Alex Azar, explained that the HHS will be undertaking several updates to health privacy regulations over the coming months, including updates to the Health Insurance Portability and Accountability Act (HIPAA) and 45 CFR Part 2 (Part 2) regulations. The process is expected to commence in the next couple of months. Requests for information on HIPAA and Part 2 will be issued, following which action will be taken to reform both sets of rules to remove obstacles to value-based care and support efforts to combat the opioid crisis. Rule changes are also going to be made to remove some of the barriers to data sharing which are currently hampering efforts by healthcare providers to expand the use of electronic health technology. These requests for information are part of a comprehensive review of current regulations that are hampering the ability of doctors, hospitals, and payers to improve the quality healthcare services and coordination of care while helping to reduce...

Read More
Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center
Jul19

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Certain employees of a Canandaigua, NY nursing home have been using their smartphones to take photographs and videos of at least one resident and have shared those images and videos with others on Snapchat – a violation of HIPAA and serious violation of patient privacy. The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations. The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.” Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the...

Read More
Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist
Jun26

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems. Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri. Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software. In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages...

Read More
Overdose Prevention and Patient Safety Act Passed by House
Jun22

Overdose Prevention and Patient Safety Act Passed by House

The Overdose Prevention and Patient Safety Act – H.R. 6082 – aims to ease restrictions on the sharing of health records of patients with addictions, aligning 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records – with HIPAA. Currently, 42 CFR Part 2 only permits the disclosure of health records of patients with substance abuse disorder without written consent to medical staff in emergency situations, to specified individuals for research and program evaluations, or if required to do so by means of a court order. Under current regulations, a special release form must be signed by a patient authorizing the inclusion of substance abuse disorder information in their medical record. Preventing doctors from having access to a patient’s entire medical history means decisions could be taken without full understanding of their potential consequences. If details of substance abuse disorder can be accessed, doctors will be able to make more informed decisions which will help them to safely and effectively treat patients. The Overdose Prevention and Patient Safety...

Read More
OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center
Jun19

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013. MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules. The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals....

Read More
OCR Encourages Healthcare Organizations to Conduct a Gap Analysis
May01

OCR Encourages Healthcare Organizations to Conduct a Gap Analysis

In its April 2018 cybersecurity newsletter, OCR draws attention to the benefits of performing a gap analysis in addition to a risk analysis. The latter is required to identify risks and vulnerabilities that could potentially be exploited to gain access to ePHI, while a gap analysis helps healthcare organizations and their business associates determine the extent to which they are compliant with specific elements of the HIPAA Security Rule. The Risk Analysis HIPAA requires covered entities and their business associates to perform a comprehensive, organization-wide risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI – 45 CFR § 164.308(a)(1)(ii)(A). If a risk analysis is not performed, healthcare organizations cannot be certain that all potential vulnerabilities have been identified. Vulnerabilities would likely remain that could be exploited by threat actors to gain access to ePHI. While HIPAA does not specify the methodology that should be used when conducting risk analyses, OCR explained in its newsletter that risk...

Read More
Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft
Apr17

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution. Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014. Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information. Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents. On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016. She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were...

Read More
Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law
Apr05

Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Virtua Medical Group – A network of physicians affiliated to over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication. The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes. Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport. The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient...

Read More
Patient Guidebook on Health Record Access Published by ONC
Apr05

Patient Guidebook on Health Record Access Published by ONC

A new patient guidebook on health record access has been published by the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC). The guidebook explains how patients can access their health data, offers tips for checking health records and correcting mistakes, and explains how patients can use their health records and share their health data. The HIPAA Privacy Rule gave patients the right to obtain copies of health information held by their providers, yet even though the Privacy Rule became effective on April 14, 2001, many Americans are still not aware of their right to access their health data or how they can do so. Improving patient access to health data is a top priority for the HHS and ONC. In 2016, ONC released a series of videos for patients in which their right to access their own health data was explained. The latest guidebook takes that guidance a step further and serves as a practical guide to obtaining copies of electronic heath data to make the process as easy as possible. The ONC Guide to Getting and Using your Health Data is...

Read More
Legislation Changes and New HIPAA Regulations in 2018
Mar29

Legislation Changes and New HIPAA Regulations in 2018

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration. OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders. As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made. The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia. Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR. Since...

Read More
HIPAA Rules on Contingency Planning
Mar27

HIPAA Rules on Contingency Planning

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame. A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order. Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters. Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
2018 HIPAA Changes and Enforcement Outlook
Mar13

2018 HIPAA Changes and Enforcement Outlook

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slowdown. Are Major 2018 HIPAA Changes Likely? The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.” While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference who confirmed the HSS understands deregulation in some areas is required before further regulations can be introduced. Therefore, there are...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
Alabama Data Breach Notification Act Passed by State Senate
Mar08

Alabama Data Breach Notification Act Passed by State Senate

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week. Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents. The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm. Entities that would be required to comply with the Alabama Data Breach Notification Act are persons, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive...

Read More
EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

Read More
Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days
Feb22

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data. Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration. The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just...

Read More
$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes
Feb14

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses close the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading. FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations. An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork. That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In...

Read More
Trump Administration Budget Proposal Slashes HHS, ONC, and OCR Funding
Feb13

Trump Administration Budget Proposal Slashes HHS, ONC, and OCR Funding

On Monday, the Trump Administration released its 2019 fiscal budget which includes major cuts to funding for the Department of Health and Human Services (HHS), Office of the National Coordinator for Health IT (ONC), and the Office for Civil Rights (OCR). The HHS has had a 21% cut to its budget from 2017 levels which means the Medicare and Medicaid programs will lose billions of dollars in funding. The ONC will lose a third of its funding and will be forced to cut its staff by 22. OCR will have 20% less to fund its extensive activities and will be forced to lose 5 members of staff. While HHS funding is being cut, additional funding has made available for the HHS to tackle the opioid crisis and improve services for individuals suffering from severe mental illness. $10 billion has been made available in discretionary funding for tackling the opioid crisis and to help individuals with serious mental illness. The HHS is required to expand existing activities to combat the opioid crisis and new initiatives should be launched to help individuals addicted to opioids have better access to...

Read More
Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters
Feb12

Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters

After just 4 months in the position of deputy director for health information privacy at the Department of Health and Human Services’ Office for Civil Rights, Iliana Peters has departed for the private sector. Peters took over as deputy director following the departure of acting deputy director Deven McGraw in November, only to leave the post on February 2 to join the healthcare team at law firm Polsinelli. This is the third major change of staff at the Department of Health and Human Services in a little over four months. First, there was the departure of HHS Secretary Tom Price in late September, McGraw left in October to join health tech startup Citizen, and now Iliana Peters has similarly quit for the private sector. Peters has been working at the Office for Civil Rights for the past 12 years, including 5 years as a senior advisor. During her time at OCR Peters has worked closely with regional offices helping them enforce HIPAA Rules and has been instrumental in building up OCR’s HIPAA enforcement program. Peters has trained regional OCR staff on HIPAA enforcement and the...

Read More
How Many HIPAA Violations in 2017 Resulted in Financial Penalties?
Feb11

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?

We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017. How Many HIPAA Violations Occurred in 2017? The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”. To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes if for a patch not to be applied immediately or an employee to...

Read More
Nebraska Personal Information Bill Advances After 34-0 First Round Vote
Feb05

Nebraska Personal Information Bill Advances After 34-0 First Round Vote

On January 3, 2018, Senator Adam Morfield introduced a bill that aims to improve protections for Nebraska residents whose personal information is exposed as a result of a data breach. The first round of voting has seen the bill unanimously passed by Nebraska lawmakers. The bill was introduced in the wake of the massive data breach at Equifax in 2017 that saw the personal information of more than 145 Americans – and almost 700,000 Nebraskans – compromised as a result of a cyberattack. The bill – Legislative Bill 757 – seeks to make changes to the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 to improve protections for state residents, both by helping to prevent data breaches and ensuring appropriate action is taken by the breached entity when a breach is experienced. According to Sen. Morfield, his bill “ensures that the hard-earned dollars and credit of every Nebraskan is put before crediting reporting agencies like Equifax.” Sen. Morfield has made the bill his number one priority. It...

Read More
$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches
Feb01

$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches

The first HIPAA settlement of 2018 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Fresenius Medical Care North America (FMCNA) has agreed to pay OCR $3.5 million to resolve multiple potential HIPAA violations that contributed to five separate data breaches in 2012. The breaches were experienced at five separate covered entities, each of which was owned by FMCNA. Those breached entities were: Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval) Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove) Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin) Fresenius Vascular Care Augusta, LLC (FVC Augusta) WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island) Breaches Experienced by FMCNA HIPAA Covered Entities The five security breaches were experienced by the FMCNA covered entities over a period of four months...

Read More
Alex Azar Confirmed as New HHS Secretary
Jan25

Alex Azar Confirmed as New HHS Secretary

The Department of Health and Human Services has a new permanent leader. The Senate has confirmed Alex M. Azar II as the replacement for Tom Price, who resigned from the position in September over his use of private jets paid for out of government funds. Azar has experience working in the HHS, having previously served as deputy secretary for two years during the George W. Bush administration. Azar was also president of Eli Lilly and Co., for 5 years and served as a senior executive for a further five. Azar is the first HHS Secretary to be appointed that has a background in the pharmaceutical industry, something many Democrats had a problem with, hence the close vote of 55-43 in favor of his appointment. One of the main tasks Azar has been charged with, and what he says is his main priority, is to reduce the prices drug companies are charging for medications. President Trump has previously stated drug firms are “getting away with murder” by charging exorbitant prices and Azar is expected to oversee changes that will make prescription medications more affordable. Azar has recently...

Read More
Analysis of Healthcare Data Breaches in 2017
Jan24

Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been? There Were at Least 477 Healthcare Data Breaches in 2017 In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day. There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches. There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was...

Read More
Deadline for Reporting 2017 HIPAA Data Breaches Approaches
Jan17

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching. HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year. The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018. A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,”...

Read More
Amazon Seeks HIPAA Expert for New Healthcare Venture
Jan17

Amazon Seeks HIPAA Expert for New Healthcare Venture

Amazon has posted a new job vacancy for a HIPAA Compliance Lead, confirming the retail giant is making a move into the healthcare sector. The HIPAA Compliance Lead will be responsible for creating a HIPAA compliance program to ensure its technology and business processes meet the terms of its BAA and the management of all aspects of that compliance program. The new recruit should have at least 5 years of HIPAA experience in an enterprise, experience with the FDA and 510(k) process, 7+ years’ experience in an information technology setting including exposure to software development/auditing, a thorough understanding of HIPAA/HITECH and OIG compliance standards, and experience with business intelligence and analytics tools. Applicants must also have an understanding of HIPAA privacy and security requirements, and how those standards map to ISO 27001, SOC 1/2/3, NIST 800-53. Amazon already offers its cloud platform – Amazon Web Services (AWS) – to healthcare organizations, with AWS supporting HIPAA compliance and Amazon prepared to sign a business associate agreement with...

Read More
Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations
Jan16

Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations

There is no private cause of action in the Health Insurance Portability and Accountability Act, so patients are not permitted to sue healthcare providers for privacy violations. However, there have been rulings in several states, including New York, Missouri, and Massachusetts, allowing patients to file lawsuits against healthcare providers over unauthorized and negligent disclosures of medical records. Following a ruling by the Connecticut Supreme Court last week, Connecticut residents will be permitted to file lawsuits for damages following negligent disclosures of medical records that have resulted in harm. The legal precedent was set by the Supreme Court in the case Byrne v. Avery Center for Obstetrics & Gynecology. Emily Byrne filed a lawsuit against Avery Center for Obstetrics and Gynecology (ACOG) after her medical records were disclosed to a man seeking custody of her child in a paternity suit. ACOG was issued with a subpoena to appear before an attorney and supply Byrne’s medical records. ACOG did not challenge the subpoena, made no attempt to limit disclosure, and...

Read More
Largest Healthcare Data Breaches of 2017
Jan04

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

Read More
HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records
Jan03

HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records

The Department of Health and Human Services has published its final rule on the Confidentiality of Substance Use Disorder Patient Records, altering Substance Abuse and Mental Health Services Administration (SAMHSA) regulations. The aim of the update is to better align regulations with advances in healthcare delivery in the United States, while ensuring patient’s privacy is protected when treatment for substance abuse disorders is sought. The final rule addresses the permitted uses and disclosures of patient identifying information for healthcare operations, payment, audits and evaluations. The last substantial changes to the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2) regulations were in 1987. In 2016, SAMHSA submitted a Notice of Proposed Rulemaking in the Federal Register proposing updates to 42 CFR part 2. The proposed updates reflected the development of integrated health care models and the use of electronic exchange of patient information, while still ensuring patient privacy was protected to prevent improper disclosures. After considering public...

Read More
2017 HIPAA Enforcement Summary
Dec28

2017 HIPAA Enforcement Summary

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. 2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017. In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints. Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases. Summary of 2017 HIPAA Enforcement by OCR Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates....

Read More
New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses
Dec27

New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses

A new bill (H.R. 4613) has been introduced to the U.S House of Representatives by Congresswoman Cathy McMorris Rodgers (R-Washington) that proposes changes to the Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA Rules for healthcare clearinghouses. The Ensuring Patient Access to Healthcare Records Act of 2017 is intended to modernize the role of healthcare clearinghouses in healthcare, promote access to and the leveraging of health information, and enhance treatment, quality improvement, research, public health and other functions. Healthcare clearinghouses are entities that transform data from one format to another, converting non-standard data to standard data elements or vice versa. Healthcare clearinghouses are considered HIPAA-covered entities, although in some cases they can be business associates. The bill – Ensuring Patient Access to Healthcare Records Act of 2017 – would see all healthcare clearinghouses treated as covered entities. Healthcare clearinghouses gather health data from a wide range of sources, therefore they...

Read More
$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR
Dec15

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI. The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases. 21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals. As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That...

Read More
Email Top Attack Vector in Healthcare Cyberattacks
Dec12

Email Top Attack Vector in Healthcare Cyberattacks

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months. Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year. While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector. When asked to rank attack vectors, Email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations. 59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations. Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe...

Read More
Cottage Health Fined $2 Million By California Attorney General’s Office
Nov28

Cottage Health Fined $2 Million By California Attorney General’s Office

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws. Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google. The sensitive information of more than 50,000 patients was available online, without any need for authentication such as a password and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was...

Read More
October 2017 Healthcare Data Breaches
Nov16

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed. October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities. October 2017 Healthcare Data Breaches by Covered Entity Type Main Causes of October 2017 Healthcare Data Breaches Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

Read More
HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy
Oct31

HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy

Deven McGraw, the Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) has stepped down and left OCR. McGraw vacated the position on October 19, 2017. McGraw has served as Deputy Director for Health Information Privacy since July 2015, replacing Susan McAndrew. McGraw joined OCR from Manatt, Phelps & Phillips, LLP where she co-chaired the company’s privacy and data security practice. McGraw also served as Acting Chief Privacy Officer at the Office of the National Coordinator for Health IT (ONC) since the departure of Lucia Savage earlier this year. In July, ONC National Coordinator Donald Rucker announced that following cuts to the ONC budget, the Office of the Chief Privacy Officer would be closed out, with the Chief Privacy Officer receiving only limited support. It therefore seems an opportune moment for Deven McGraw to move onto pastures new. OCR’s Iliana Peters has stepped in to replace McGraw in the interim and will serve as Acting Deputy Director until a suitable replacement for McGraw can be found....

Read More
Q3, 2017 Healthcare Data Breach Report
Oct16

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches. Q3 Data Breaches by Covered Entity Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228. The Ten Largest Healthcare Data Breaches in Q3, 2017 The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...

Read More
Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS
Oct10

Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS

In January 2014, the HHS proposed a new rule for certification of compliance for health plans. The rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with electronic transaction standards set by the HHS under HIPAA Rules. The main aim of the proposed rule – Administrative Simplification: Certification of Compliance for Health Plans – was to promote more consistent testing processes for CHPs. The HHS has now announced that the proposed rule has now been withdrawn. Had the proposed rule made it to the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administration simplification standards for three electronic transactions: Eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The failure to comply with the new rule would have resulted in financial penalties for CHPs. Most employers’ health plans were handled by their insurance carriers, so the proposed rule would not have affected them...

Read More
HHS Secretary Tom Price Resigns
Sep30

HHS Secretary Tom Price Resigns

It has been a short stint as Secretary of the U.S. Department of Health and Human Services for Tom Price, who resigned from the post on September 29, 2017, two days shy of 8 months in the position. Spending only 231 days as Secretary, Price is the shortest serving HHS Secretary in U.S. history. Price was nominated for the position of HHS Secretary by President Trump on November 29, 2016. The nomination was approved by the Senate Health, Education, Labor, and Pensions Committee on February 1, 2017. However, Price resigned under pressure following revelations about his extensive use of charter jets and military aircraft to travel across the United States for government work. Rather than use commercial airlines for travel, Price had spent more than $400,000 on private jets, even though commercial airline flights were available. Price had vowed not refrain from using private charter flights for travel in the future and offered to pay back part of the costs incurred, reportedly $51,887, to cover the cost of seats. President Trump said that would be “unacceptable,” leaving him little...

Read More
The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit
Sep20

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018. Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules. In addition to the audit program, any HIPAA-covered entities that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website. The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the...

Read More
Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone
Sep12

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma. OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act. In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived: 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care 45 CFR 164.510(a) – Honor requests to opt out of the facility directory. 45 CFR 164.520 – Distribute a notice of...

Read More
HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone
Aug31

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts. In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need. The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)). In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed. However, disasters often call for a...

Read More
U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses
Aug09

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jesse’s law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addition for seven years, but prior to surgery had been clean for 6 months. Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use. The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed...

Read More
How Often Should Healthcare Employees Receive Security Awareness Training?
Aug01

How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training? Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often ransom, healthcare employees are also being targeted with spear phishing emails. In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%. In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised....

Read More
47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years
Jul31

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years. The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue. 47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years. Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred. Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach...

Read More
Only One Third of Patients Use Patient Portals to View Health Data
Jul27

Only One Third of Patients Use Patient Portals to View Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, according to a recent U.S. Government Accountability Office (GAO) report, at least through patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information. GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource. Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information...

Read More
Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms
Jul25

Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians. The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database. Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images. Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems...

Read More
Model HIPAA-Compliant PHI Access Request Form Released by AHIMA
Jul21

Model HIPAA-Compliant PHI Access Request Form Released by AHIMA

The American Healthcare Information Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data. The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization. AHIMA claims that until now, a model PHI access request form was not available to healthcare providers. HIPAA-covered entities have had to develop their own forms and there is considerable variation in the forms used by different healthcare organizations. Patients with multiple healthcare providers often find the process of obtaining their health data confusing. AHIMA has listened to feedback from its members and industry stakeholders who explained that the process of accessing medical records was often confusing for patients. Even some healthcare organizations are confused about what is permitted and not permitted under HIPAA Rules when it comes to providing access to health data....

Read More
Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018
Jul18

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought. One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could...

Read More
ONC Offers Help for Covered Entities on Medical Record Access for Patients
Jul13

ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case. Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other...

Read More
AMIA Urges HHS to Provide More Information on Common Rule Updates
Jul07

AMIA Urges HHS to Provide More Information on Common Rule Updates

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated. The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use. The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified. Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented. The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication...

Read More
Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun19

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc., until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details. The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual. However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of...

Read More
OCR’s Wall of Shame Under Review by HHS
Jun16

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected. The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches. Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list. Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently...

Read More
OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements
Jun01

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

The ransomware attacks and healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules on security breaches. In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, preparing for such an incident and how to respond when perimeters are breached. HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time. Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to...

Read More
OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements
Apr21

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH); a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois. On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI. The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules. CCDH had provided paper records relating...

Read More
$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr13

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...

Read More
AMIA Suggests it’s Time for a HIPAA Update
Apr11

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world. The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology. HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are. The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access. Healthcare...

Read More
Roger Severino Named New Director of HHS’ Office for Civil Rights
Mar27

Roger Severino Named New Director of HHS’ Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights has a new leader. The Trump Administration has chosen former civil rights trial attorney Roger Severino to lead the HIPAA enforcement efforts of the Office for Civil Rights. Severino joins OCR from the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he served as Director since May 2015. A formal announcement about the appointment of the new OCR Director has yet to be issued; however, the Heritage Foundation has confirmed that Severino is no longer on the staff and his name has been added to the HHS website. A spokesperson for OCR has also confirmed that Severino will be the new director and Severino’s LinkedIn profile has also been updated to include his new position as OCR chief. Severino has a background in civil rights litigation, having worked as a trial attorney for the Department of Justice for seven years in the Housing and Civil Enforcement division. During his time at the DOJ, Severino enforced the Fair Housing Act, Title II...

Read More
AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA
Mar02

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data. Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI. AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data. AHIMA has explained to whom...

Read More
$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb02

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for OCR a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR. Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30,2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently,...

Read More
$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

$2.2 Million Settlement for Impermissible Disclosure of ePHI

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted. MAPFRE Life reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals. Multiple Areas of Noncompliance with HIPAA Rules Discovered During the course of the investigation,...

Read More
OCR Reminds CEs of HIPAA Audit Control Requirements
Jan17

OCR Reminds CEs of HIPAA Audit Control Requirements

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. Once case involved the viewing of a celebrity’s medical records by multiple staff members. Late last week, OCR released its January Cyber Awareness Newsletter which explained the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, system or users, while audit trails are audit logs of applications, system or users. Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on,...

Read More
Healthcare Industry Prepares for the HIPAA 2017 Audits
Jan10

Healthcare Industry Prepares for the HIPAA 2017 Audits

Given the number of HIPAA 2017 audits that OCR has planned, the probability of any healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax when it comes to HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared. Even if covered entities and business associates have not been selected for a desk audit, they may be selected for a full compliance audit later this year. Should a healthcare organization escape a 2017 HIPAA compliance audit, if a data breach is experienced, OCR will investigate. OCR follows up on all data breaches impacting more than 500 individuals. Covered entities that have experienced a data breach or security incident will be required to demonstrate that HIPAA Rules have not been violated and policies and procedures comply with the HIPAA Rules. The high number of healthcare data breaches reported in recent years shows healthcare organizations need to be prepared for a HIPAA investigation in the event that a security incident is...

Read More
$475,000 Settlement for Delayed HIPAA Breach Notification
Jan10

$475,000 Settlement for Delayed HIPAA Breach Notification

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily. Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to Office for Civil Rights within 60 days and the Breach Notification Rule also requires covered entities to issue a breach notice to...

Read More
New York Rule Change Allows Clinicians to Access Minors’ PHI via State HIE
Jan06

New York Rule Change Allows Clinicians to Access Minors’ PHI via State HIE

Healthcare providers that participate in the Western New York health information exchange – HEALTHeLINK – are now able to access the health information of minors aged between 10 and 17 after the passing of a new rule covering patient data access through qualified information exchanges. The new rule allows the information of minors to be accessed if prior consent has been obtained by from parents or legal guardians via signed consent forms. To date, more than 870,000 adults in Western New York have already signed consent forms allowing their children’s information to be shared. The rule change will ensure that treating pediatricians have access to the most up to date information, thus allowing them to make informed decisions about the best treatments to provide. The move will help to ensure that full access to the full range of health information can always be obtained, which has previously been an issue when minors have received medical services from multiple healthcare providers. The rule change will help to ensure safer and more efficient provision of clinical care....

Read More
Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec22

Joint Commission Ban on Secure Messaging for Orders Remains in Place

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk. The ban was originally put in place as SMS messages were not secure. It was also not possible to verify the sender of a message nor for original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies developed secure text messaging platforms that incorporated all of the necessary security features to ensure messages could not be intercepted. Those messaging platforms also allowed the identity of the sender to be verified, ensured that messages were retained for auditing purposes, and a slew of other privacy and security controls...

Read More
ONC Publishes Final 2017 Interoperability Standards Advisory
Dec21

ONC Publishes Final 2017 Interoperability Standards Advisory

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA). The ISA is a catalog of standards and implementation specifications that can be used by healthcare organizations to address specific interoperability needs. The purpose of the ISA is to serve as a single resource for the healthcare industry to obtain standards and implementation specifications to meet their specific interoperability needs. The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for a range of health IT that support interoperability needs. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used. The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online...

Read More
ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator
Dec15

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator. At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected, used, and protected. The purpose of the MPN is to improve transparency and clearly display information about an organization’s privacy practices to enable consumers to make an informed decision about whether to use a particular product. While the ONC, in conjunction with the Federal Trade Commission (FTC), developed a Model Privacy Notice in 2011, technology has moved on considerably in the past five years. The MPN was intended to be used for personal health records, but the range of products that collect health data is now considerable, and include wearable devices and mobile applications. The current MPN is therefore somewhat dated. ONC notes that...

Read More
National Governors Association Releases Roadmap for States to Improve Heath Data Sharing
Dec14

National Governors Association Releases Roadmap for States to Improve Heath Data Sharing

To support effective decision making, improve the care provided to patients, and cut the costs of healthcare provision, healthcare data must be readily available to all healthcare providers. While other industry sectors have taken great strides toward improving the flow of information to increase efficiency, the healthcare industry still lags behind other industries. There are still many barriers in place which are preventing the meaningful exchange of health information. There is currently considerable confusion about the restrictions imposed by the Health Insurance Portability and Accountability Act (HIPAA) and state laws on health information privacy. State governments in particular require assistance navigating these rules and regulations so they can play their part in improving the flow of healthcare data and can more effectively drive forward policies that support a fully interoperable nationwide healthcare system. The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) previously awarded a cooperative funding...

Read More
ONC Issues Fact Sheet Explaining Exchange of Health Information for Public Health Activities
Dec09

ONC Issues Fact Sheet Explaining Exchange of Health Information for Public Health Activities

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Office of Civil Rights (OCR) have published a new fact sheet explaining some of the circumstances under which the sharing of electronic healthcare information without patients’ written consent is permitted by Health Insurance Portability and Accountability Act (HIPAA) Rules. The HIPAA Privacy Rule came into effect in April 2003 and set new standards to protect individuals’ personal health information. The HIPAA Privacy Rule sets limits and conditions on when personal health information can be used or disclosed without prior consent being obtained from patients. For example, the HIPAA Privacy Rule allows HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities) to share the personal health information of patients for treatment purposes and healthcare operations. Health information many need to be shared between two healthcare providers involved in the treatment of a patient and...

Read More
OCR Warns Covered Entities of Risk of DDoS Attacks
Dec08

OCR Warns Covered Entities of Risk of DDoS Attacks

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DOS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems have crashed, and other computer equipment taken out of action. DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action. Not only do DDoS attacks prevent these systems from being accessed, they can also result in substantial hardware damage and the cost of repair can be considerable. The scale of the recent attacks has been astonishing. Whereas last year, DDoS attacks of the order of 300 Gbps something of a rarity, this year we have seen...

Read More
21st Century Cures Bill Sails Through Senate
Dec08

21st Century Cures Bill Sails Through Senate

Last week, the House of Representatives unanimously voted in favor of the 21st Century Cures Act. Yesterday, the bill sailed through the Senate with a vote of 94-5. All that remains is for President Obama to add his signature to the bill, which is expected to happen in the next few days. President Obama has already said he is happy to sign the new bill. The bill will provide funding for a number of initiatives that are intended to hasten the development of new cures and medical devices to treat cancer and other diseases. The bill makes more funds available for mental health treatment as well as for programs to tackle the growing problem of opioid abuse in the United States. $500 million per year will be made available for the latter to prevent new cases of opioid abuse and to fund treatment programs for addicts. The bill had originally called for changes to be made to the Health Insurance Portability and Accountability Act to improve data sharing for research purposes. By classifying research under healthcare operations, it would have been possible for the identifiable protected...

Read More
21st Century Cures Act Unanimously Passed by House
Dec01

21st Century Cures Act Unanimously Passed by House

The 21st Century Cures Act has been passed by the House of Representatives with a vote of 392-26. One Democrat and twenty Republicans voted against the bill. The legislation will now go to the Senate for the vote, which will take place early next week. The legislation was passed by the House last year, although the bill failed in the Senate in July 2015. Numerous revisions have been made since last summer and this time around the 21st Century Cures Act is expected to be passed by the Senate. However, not unanimously. Some senators are certain to vote against the legislation, including Senators Bernie Sanders (I-Vt.) and Elizabeth Warren (D-Mass.). Both strongly oppose the changes that have been made to the legislation to appease the pharmaceutical industry. The main purpose of the $6.3 billion bill is to advance medical innovation. A sizable chunk of cash will be given to a number of programs introduced by the Obama administration. NIH will receive $4.8 billion in funding over the next 10 years which will go towards programs such as the cancer moonshot research project, the...

Read More
Warner Chilcott District Managers Sentenced for HIPAA Violations and Healthcare Fraud
Oct31

Warner Chilcott District Managers Sentenced for HIPAA Violations and Healthcare Fraud

The United States Attorney’s Office for the District of Massachusetts has announced three former district managers of the pharmaceutical firm Warner Chilcott have been sentenced for violating the Health Insurance Portability and Accountability Act and committing healthcare fraud. The offenses date back to 2011, when Warner Chilcott launched the osteoporosis drug Atelvia®. The drug was not covered by many insurance companies due to a generic alternative being available. Coverage would only be provided if prior authorizations were filled out by physicians. In an effort to drive sales, Landon Eckles, a mid-Atlantic district manager in the osteoporosis division of Warner Chilcott, directed certain sales representatives to fill out prior authorizations for the drug, even if physicians refused to do so. Completing those prior authorizations required the representatives to access the protected health information of patients; a violation of HIPAA Rules. Patients diagnosed with osteoporosis also had Atelvia® brochures added to their medical charts to remind physicians to prescribe the drug....

Read More
Vindell Washington: HIPAA Not a Barrier to the Sharing of ePHI
Sep23

Vindell Washington: HIPAA Not a Barrier to the Sharing of ePHI

This Week, Vindell Washington – the recently appointed National Coordinator for Health Information Technology at the ONC – confirmed that one of his main priorities is to continue the work of Karen DeSalvo and implement the ONC’s Interoperability Roadmap. Washington believes the ONC’s Interoperability Framework is foundational for a number of the administration’s priorities, in particular the Precision Medicine Initiative and the Cancer Moonshot. In order for those initiatives to be successful, patients must be able to obtain copies of their health data and barriers that are currently preventing information exchange must be removed. Washington explained to reporters on Monday that the ONC is committed to laying the foundations that will enable patients to contribute their data to these initiatives. “The work that we have to do in the short term is increasing the flow of information and empowering patients in this space to have their information and be able to use it and send it forward for the purposes that they choose.” He also explained that many healthcare providers see...

Read More
OCR to Increase Investigations of Small PHI Breaches
Aug18

OCR to Increase Investigations of Small PHI Breaches

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it will be stepping up investigations of small PHI breaches with immediate effect. Breaches impacting fewer than 500 individuals will now be subjected to closer scrutiny, with the responsibility for investigating those breaches falling to the OCR’s Regional Offices. OCR currently investigates all PHI breaches that impact more than 500 individuals, although investigations of small PHI breaches – those that affect fewer than 500 individuals – have only been performed as resources permit. The responsibility for investigating small breaches has fallen to the OCRs Regional Offices, but due to limited resources, investigations of small breaches have been limited up until now. However, a new initiative has now been launched that will see Regional Offices investigate small PHI breaches much more widely, although OCR will continue to prioritize investigations of large-scale breaches of protected health information. According to a recent news release, each of the OCRs Regional Offices has been instructed...

Read More
Third of Hospitals Lack HIPAA-Compliant EHR Contingency Plans
Jul26

Third of Hospitals Lack HIPAA-Compliant EHR Contingency Plans

According to a recent report issued by the Department of Health and Human Services’ Office of Inspector General, a third of hospitals do not have HIPAA-compliant EHR contingency plans in place, although most are “largely addressing” HIPAA requirements for EHRs. In September 2014, OIG sent a survey to 400 hospitals that had applied for Medicare EHR incentive payments and asked questions to determine whether HIPAA-compliant EHR contingency plans had been developed and implemented. Respondents were also asked about the extent to which EHR systems had been disrupted in the past. In addition to the survey, six hospitals were also selected for in-depth investigations involving site visits, interviews with hospital staff, documentation checks, and reviews of EHR contingency plans. The purpose of the study was to assess the state of hospitals’ EHR contingency planning and to determine whether patient health information could still be accessed during natural disasters and other situations where EHR system downtime occurs. In light of the recent ransomware attacks on hospitals in recent...

Read More
Hospitals Saying No to Pokemon Go
Jul25

Hospitals Saying No to Pokemon Go

The Pokemon Go craze sweeping the globe is causing a number of problems for U.S. hospitals leading many to issue bans on playing the game anywhere on hospital premises. The location-based augmented reality mobile game requires players to get out and about and use their smartphone cameras and GPS to find and catch Pokemon – virtual reality critters that can be found in real world locations. The scavenger hunt requires players to go to “Pokestops” to pick up free items. The Pokestops are located in popular locations such as memorials, museums, public buildings, and in some cases, hospitals. Game players are visiting these locations to collect items and this can cause problems. Recently, the U.S. Holocaust Memorial Museum banned visitors from playing the game as it was deemed to be inappropriate on the premises. A number of hospitals have also implemented bans on visitors, staff, and patients from playing the game on the premises for a variety of reasons. Some hospitals have cited security concerns as players are entering hospital buildings searching for Pokemon to catch. Utah Valley...

Read More
2.75 Million Dollar HIPAA Settlement Reached with UMMC
Jul22

2.75 Million Dollar HIPAA Settlement Reached with UMMC

Hot on the heels of the 2.7 million HIPAA breach settlement with Oregon Health & Science University comes news of another multi-million-dollar settlement with another university. The Department of Health and Human Services’ Office for Civil Rights announced yesterday that University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA. UMMC Investigated After Theft of Unencrypted Laptop Computer The settlement stems from a breach of patients’ protected health information (PHI) in 2013. A laptop computer issued to UMMC’s Medical Intensive Care Unit (MICU) was discovered to be missing. The laptop computer contained the PHI of 500 patients. The data were not encrypted, although the laptop computer was password protected. The laptop is believed to have been stolen by a visitor who had asked about borrowing one of MICU’s laptops. OCR conducted an investigation into the...

Read More
How Does OCR Deal with HIPAA Complaints?
Jul21

How Does OCR Deal with HIPAA Complaints?

The Department of Health and Human Services’ Office for Civil Rights (OCR) encourages individuals to file complaints about HIPAA-covered entities, or their business associates, if they feel that their privacy has been violated. Individuals are also able to file complaints if they believe the privacy of other individuals have been violated. Complaints about potential HIPAA violations are investigated by OCR, and while many prove to be unsubstantiated, oftentimes a HIPAA covered entity or an employee of that organization, is discovered to have violated patient privacy or breached HIPAA Rules. OCR receives many complaints and the breach portal contains many hundreds of breach reports from covered entities that have experienced major breaches of PHI, yet only a tiny percentage result in civil monetary penalties being issued or financial settlements being agreed. What happens to all the other complaints that involve violations of HIPAA Rules? What action does OCR take against covered entities that violate the privacy of patients or failed to adhere to HIPAA Rules? In the vast majority...

Read More
House Passes Mental Health Reform Bill (Without the HIPAA Changes)
Jul14

House Passes Mental Health Reform Bill (Without the HIPAA Changes)

A mental health bill that aims to improve mental healthcare in the United States has been passed by the House. The bill – H.R. 2646 – which was first introduced three years ago, was intended to usher in sweeping changes to improve the treatment of mental illness in the United States. While the bill was passed with an overwhelming majority of 422-2 last Wednesday, a number of the more contentious issues needed to be removed from the bill. One of the sticking points that was dropped from the bill were the changes to the Health Insurance Portability and Accountability Act (HIPAA). The bill introduces a number of important changes that will improve mental health care; however, the proposed changes to HIPAA were opposed by a number of Democrats and Republicans. In order for the bill to be passed, the HIPAA changes had to be dropped. In its original form, the bill would have changed HIPAA Rules to permit healthcare providers to share mental health data about patients with their caregivers. Instead, the Department of Health and Human Services is now required to clarify the law...

Read More
OCR Phase 2 HIPAA Audits: Documentation Requests Issued
Jul13

OCR Phase 2 HIPAA Audits: Documentation Requests Issued

The Department of Health and Human Services’ Office for Civil Rights (OCR) has now selected covered entities from its pool of eligible organizations and has chosen 167 for a HIPAA compliance audit. Covered entities selected for a compliance audit have now been notified by email. Those organizations now have just 10 days to respond to the emails and submit the requested documentation to the OCR. The audits – which are desk based – have been split between healthcare providers, health plans, and healthcare clearinghouses. The audits are being conducted on a geographically representative sample that includes healthcare organizations of all sizes. Desk audits of HIPAA business associates will follow in the fall. The desk audits comprise of a documentation check to ensure compliance with the Health Insurance Portability and Accountability Act’s Privacy, Security, and Breach Notification Rules. Earlier this year the OCR published details of the new audit protocol. The protocol contains a long list of different aspects of HIPAA Rules that could potentially be assessed by OCR...

Read More
OCR Ransomware Guidance: Ransomware Attacks Are Reportable Breaches
Jul12

OCR Ransomware Guidance: Ransomware Attacks Are Reportable Breaches

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance on ransomware. A fact sheet on healthcare ransomware attacks has been published along with a 12-page document providing technical guidance for CIOs and CISOs on best practices to adopt to prevent ransomware infections, mitigation strategies to adopt when ransomware is installed on computers or healthcare networks, and detailed information on the correct ransomware response. The new guidance is essential reading for CISOs, CIOs, and all members of the senior leadership team. Ransomware and HIPAA The OCR has confirmed the proactive measures that covered entities should take to prevent ransomware infections: Perform a comprehensive, organization-wide risk analysis Establish a plan to remediate any identified risks to the confidentiality, integrity, or availability of ePHI Implement policies and procedures to safeguard ePHI against malicious software – including malware and ransomware Provide staff members with training on cybersecurity best practices Train authorized users to detect malicious...

Read More
CMS Finalizes New Rules for QEs on Sale and Sharing of Medicare Claims Data
Jul05

CMS Finalizes New Rules for QEs on Sale and Sharing of Medicare Claims Data

The Centers for Medicare and Medicaid Services (CMS) has finalized a new set of Rules for qualified entities that will allow the sharing or sale of Medicare claims data to healthcare providers, employers, and other entities. The rule changes will help to ensure that healthcare organizations, employers, and other organizations have access to the data they need to make informed decisions about the provision of care to patients. With access to all Medicare and private sector claims data, it is hoped that the quality of care provided to patients will be improved. The rule changes, which were required under the Medicare Access and CHIP Reauthorization Act (MACRA), will permit organizations classed as qualified entities to confidentially share analyses of Medicare and private sector claims with healthcare providers, employers, and other groups that are able to use the data to improve patient care. The sale of data is also permitted. Qualified entities will be permitted to sell data to healthcare providers such as doctors, nurses, and skilled nursing facilities. While data can be sold or...

Read More
Philadelphia Business Associate Agrees to $650,000 OCR Settlement
Jun30

Philadelphia Business Associate Agrees to $650,000 OCR Settlement

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement that was reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS).  CHCS has agreed to settle alleged HIPAA violations with the OCR and has agreed to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS is the sole corporate parent of six nursing facilities – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing facilities. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules. In February 2014, each of the six nursing facilities submitted a breach notice to the OCR regarding a breach of ePHI. On April 17, 2014, the OCR launched an investigation into the breach. A large number of OCR investigations into ePHI breaches have revealed failures to comply with HIPAA administrative safeguards – specifically 45...

Read More
Call Issued for Further Guidance on HIPAA Minimum Necessary Standard
Jun23

Call Issued for Further Guidance on HIPAA Minimum Necessary Standard

Melissa Martin, Board President for the American Health Information Management Association (AHIMA) gave a testimony at a National Committee on Vital and Health Statistics (NCVHS) hearing last week on the minimum necessary standard of the HIPAA Privacy Rule. The aim of the hearing was to determine whether the Department of Health and Human Services should issue an update to the standard to ensure it can continue to be met by healthcare organizations, and to assess whether there is a need for further guidance in light of the technology changes in the healthcare industry since its introduction. According to Martin’s testimony, there is still considerable confusion over the standard and what constitutes the “minimum necessary information”. Under the minimum necessary standard, HIPAA -covered entities are required to make reasonable efforts to ensure that access to PHI is limited to the minimum necessary information to accomplish the intended purpose of the use, disclosure or request. Organizations must identify individuals or groups of persons within the organization who are required...

Read More
ONC Releases Videos Explaining Patients’ HIPAA Rights
Jun03

ONC Releases Videos Explaining Patients’ HIPAA Rights

Earlier this year, the HHS’ Office for Civil Right (OCR) released guidance for healthcare organizations on patients’ HIPAA rights in an attempt to clear up confusion over access and ensure that covered entities were aware of their obligations under the HIPAA Privacy Rule. The guidance covered many of the questions commonly asked by healthcare organizations, including the models that can be adopted by healthcare organizations for charging for PHI copies. Now that covered entities are prepared, efforts have shifted to advising patients of their access rights under HIPAA. This week, the Office of the National Coordinator for Health Information Technology (ONC) -in conjunction with the OCR – released a series of educational videos to improve understanding of patients’ HIPAA rights. The ONC wants to improve patient engagement and get patients to take greater interest in their health. Encouraging patients to obtain copies of their ePHI can help in this regard. Having access to medical records allows patients to check for errors, provide their data to other healthcare providers or...

Read More
OCR Rules Townsend Violated the HIPAA Privacy Rule
Jun02

OCR Rules Townsend Violated the HIPAA Privacy Rule

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently ruled that a former town administrator of Townsend, MA., violated the HIPAA Privacy Rule in June last year when he posting an “information packet” online containing the protected health information of individuals who had used the town’s ambulance service. The information was intended to be viewed by Selectmen in order that a vote could be taken about whether or not to write off the unpaid bills. Rather than sharing the document securely, former town administrator Andrew Sheehan posted the information on the town website. The packet was only accessible for 18 hours before it was removed, but during that time it had been downloaded and shared on social media. The privacy breach was also reported to the OCR. The information packet contained the names of patients who had not yet paid their ambulance bills along with some sensitive medical information including medical conditions and whether patients were alive, dead, or were now living in a hospice. Prior to the uploading of the files, all...

Read More
Healthcare Providers Violate HIPAA Responding to Negative Yelp Reviews
Jun01

Healthcare Providers Violate HIPAA Responding to Negative Yelp Reviews

Some healthcare providers have violated patient privacy and HIPAA Rules when responding to negative comments on Yelp and similar review sites according to a recent ProPublica report. For the report, ProPublica was provided with access to around 1.7 million Yelp reviews of healthcare providers. The researchers used a tool to sift through the reviews and isolated approximately 3,500 one-star ratings of healthcare providers – the lowest possible rating on the review site – that mentioned “Privacy” or “HIPAA”. ProPublica researchers discovered “dozens” of instances where healthcare providers had breached HIPAA Rules when responding to comments. In some cases, the responses to the negative comments involved the disclosure of patients’ protected health Information. ProPublica cited one example of a Californian chiropractor that replied to a negative comment from a patient and included details of the procedures he had performed and information about her medical condition. Another example involved a dentist who responded to a comment about an alleged unnecessary tooth...

Read More
Apple to Recruit HIPAA Expert as Privacy Counsel
May25

Apple to Recruit HIPAA Expert as Privacy Counsel

Apple is seeking a Privacy Counsel with extensive experience in healthcare privacy and a thorough understanding of HIPAA regulations. The new position confirms that Apple is planning on developing its products to be more valuable to healthcare professionals and patients, and that the company is intent on making more of a mark in the healthcare sector. The new recruit will be required to work on cutting edge projects, providing essential input on privacy and security, working on privacy by design reviews, supporting compliance and auditing frameworks, drafting policies and procedures to ensure compliance with privacy laws, and assisting with privacy complaints and breaches. The individual will also play a major part in designing privacy solutions for Apple products. The new position could indicate Apple is intent on developing HIPAA-compliant apps or may be working on a HIPAA-compliant backend for its frameworks to enable patient data to be stored and transmitted securely, in accordance with HIPAA Rules. Apple has already developed products and frameworks for monitoring patient...

Read More
OCR Clears Up Confusion About the Charging of Flat Fees for Copies of PHI
May24

OCR Clears Up Confusion About the Charging of Flat Fees for Copies of PHI

Earlier this year the Office for Civil Rights issued guidance for healthcare providers and health plans on the general right of patients to obtain copies of their protected health information on request. The HIPAA Privacy Rule allows patients to obtain one or more designated record sets which a covered entity holds and maintains. By obtaining copies of their PHI, patients can take control of their own healthcare and wellbeing. Providing copies of PHI to patients involves a cost to the covered entity, such as the time taken to obtain and copy records and prepare summaries, the cost of paper and printing if record sets are supplied in physical form, the cost of media devices for electronic copies of PHI, and the cost of mailing records to patients if they are not collected in person. Covered entities are permitted to charge patients for providing copies of their PHI, which was explained in the OCR guidance; however, based on the questions submitted by covered entities there appeared to be some confusion over allowable charges, in particular regarding the charging of flat rate fees to...

Read More
Deven McGraw Offers Advice on the Upcoming HIPAA Compliance Audits
May20

Deven McGraw Offers Advice on the Upcoming HIPAA Compliance Audits

Deven McGraw – deputy director of health information privacy at the Office for Civil Rights (OCR) – has offered some advice to covered entities ahead of the HIPAA-compliance audits which are scheduled to take place later this year. The second round of HIPAA-compliance audits will be conducted on covered entities first, followed by business associates. OCR contacted covered entities earlier this year to verify contact information. That process is almost complete and a pool of healthcare providers, health plans, and healthcare clearinghouses will soon be finalized. OCR will select approximately 200 organizations from that pool for a desk audit. Covered entities selected for audit will be notified and given 10 days to submit the requested documentation to the OCR. This does not give covered entities much time so it is important that preparations are made early. In an interview with the Information Security Media Group, McGraw suggested that covered entities should start preparing now in case they are selected for a desk audit. Last month, OCR released the updated audit protocol which...

Read More
Illinois Data Breach Notification Law Updated
May20

Illinois Data Breach Notification Law Updated

Illinois data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches. A breach notification will need to be issued if a person’s full name or last name and initial is exposed in combination with any of the following data elements: Driver’s license number Social Security number Credit or debit card number Biometric data Usernames and email addresses (along with passwords or other data that would allow access to accounts to be gained) Medical information Health insurance information Notifications will not be required if a breach occurs and data are encrypted, or if exposed data are publicly available. The new law specifically mentions health insurance information which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history, is also included in the new definition. The exposure of information relating...

Read More
Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA
Apr20

Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. OCR launched an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to provide a potential business associate (BA) with X-Ray films in order to have images transferred to a digital format. The company was allowed to recycle the original films to recover the silver after the images had been transferred to an electronic format. However, the agreement was reached over the telephone and no BAA was obtained. Prior to providing the company with the X-Rays Raleigh Orthopaedic should have issued a BAA and obtained a signed copy. The BAA should have detailed the responsibilities the company had to ensure...

Read More
Compliance Assistance Provided to Mobile Health App Developers by FTC
Apr07

Compliance Assistance Provided to Mobile Health App Developers by FTC

A new interactive tool has been released by the Federal Trade Commission (FTC) to help mobile health app developers determine whether their apps need to comply with federal regulations. The new web-based tool was developed with assistance from the U.S Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA). By answering a series of 10 questions, mobile app developers can determine whether their health care products are covered under the Health Insurance Portability and Accountability Act (HIPAA), Federal Food, Drug, and Cosmetic Act (FD&C Act), Federal Trade Commission Act (FTC Act) or need to comply with the FTC’s Health Breach Notification Rule. In many cases, app developers will be required to comply with more than one set of federal laws. According to Jessica Rich, FTC Bureau of Consumer Protection director, “Mobile app developers need clear information about the laws that apply to their health-related products.” The tool aims to...

Read More
OCR Publishes New HIPAA Audit Protocol
Apr05

OCR Publishes New HIPAA Audit Protocol

The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits. The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments. The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization. If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of...

Read More
Transition to HIPAA Electronic Administrative Transactions Could Save Industry $8 Billion, says CAQH
Mar31

Transition to HIPAA Electronic Administrative Transactions Could Save Industry $8 Billion, says CAQH

On Wednesday this week, the 2015 CAQH Index was released. The data show that many healthcare organizations are continuing to rely on manual administrative processes for basic transactions such as verifying patient coverage, submitting claims, prior authorization, and referral certification, even though these tasks can easily be performed electronically. The CAQH Index is released once a year and is a measure of the adoption of electronic transactions for routine business processes in the healthcare industry. The aim of the report is to raise awareness of the potential cost savings that can be made by switching to electronic HIPAA transactions. The data used for the CAQH Index in 2015 represents some 440 million transactions relating to 92 million patients. The reliance on manual processes rather than HIPAA electronic administrative transactions is costing the healthcare industry dearly. CAQH believes the continued reliance on resource-intensive manual processes is costing the healthcare industry $8 billion each year. Each time health plans and healthcare providers perform a manual...

Read More
Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws
Mar29

Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws

A new report published by the Government Accountability Office has highlighted a number of security weaknesses with the HealthCare.gov website “that could place sensitive information at risk of unauthorized disclosure, modification or loss.” Under the Patient Protection and Affordable Care Act, the Centers for Medicare and Medicaid Services is responsible for overseeing state-based marketplaces that allow consumers to compare and purchase health insurance and for securing federal systems to which marketplaces connect, which include its data hub. GAO was requested to conduct a review of security issues relating to the data hub, in addition to assessing CMS oversight of state-based marketplaces. The review included describing security incidents reported by CMS, assessing incident data, analyzing security controls, and reviewing its policies and procedures. The report indicates there were 316 security incidents involving the HealthCare.gov web portal between October 2013 and March 2015. In one instance a hacker was able to break through security defenses and succeeded in...

Read More
Phase 2 HIPAA Compliance Audits Commence
Mar21

Phase 2 HIPAA Compliance Audits Commence

The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA compliance audits have officially started. According to the recent OCR announcement, “Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.” The announcement goes on to explain that the process of auditing covered entities allows OCR to “proactively uncover and address risks and vulnerabilities to protected health information.” Start Date for the Second Phase of HIPAA Compliance Audits While the audit process has now officially started, covered entities still have some time to get their policies and procedures in order. It will still be some time before the document checks for the 2016 compliance audits actually begin. The OCR announcement does not give a start date for the 2016 HIPAA compliance audits, but indicates that the first stage of desk audits will be completed by December 2016. The date when the first desk audits will actually be conducted was not detailed in the...

Read More
OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Research
Mar17

OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Research

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second largest settlement amount agreed with OCR, behind the $4.8 million settlement with New York and Presbyterian Hospital and Columbia University in 2014. However, this is the largest amount paid by a single covered entity, beating last year’s 3.5 million settlement with Triple S Management Corporation. The news comes a day after OCR announced another large settlement – The $1.55 million paid by North Memorial Health Care. Feinstein Institute for Medical Research is a not-for-profit biomedical research institute based in New York. Feinstein is sponsored by Northwell Health, Inc., the new name for North Shore Long Island Jewish Health System, a large 21-hospital and 450 practice health system based in Manhasset, NY. The settlement stems from an investigation into a breach of 13,000 research participants’ data in 2012. As was the case with North Memorial Health Care, the breach...

Read More
$1.55 Million HIPAA Settlement for Lack of BAA and Risk Analysis Failures
Mar17

$1.55 Million HIPAA Settlement for Lack of BAA and Risk Analysis Failures

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Following a PHI breach reported on September 27, 2011, OCR conducted an investigation and discovered HIPAA violations that contributed to the cause of a breach of 9,497 patient health records. The investigation revealed that North Memorial had overlooked “Two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels. The data breach involved the theft of a laptop computer from a business associate of North Memorial. The laptop was stolen from the employee’s vehicle, and while the device was password-protected, the ePHI stored on the device had not been encrypted. The business associate, Accretive Health, Inc., had been contracted to perform a number of payment and healthcare operations on behalf of North Memorial. Those operations required Accretive Health to be...

Read More
Deven McGraw Gives Update on OCR HIPAA Compliance Audits
Mar03

Deven McGraw Gives Update on OCR HIPAA Compliance Audits

Office for Civil Rights deputy director of health information privacy, Deven McGraw, has provided an update on the OCR’s planned HIPAA compliance audits, saying the revised protocol for the long awaited second round of compliance audits will be published next month. Late last year, OCR Director Jocelyn Samuels announced that the next round of audits would be taking place in early 2016. With the announcement of the planned publishing of the audit protocol in April, the next round of audits could start in Q2, although this seems unlikely. Once the audit protocol has been published there will be a period allowed for public comments. Those comments will need to be assessed, and may require changes to be made to the audit protocol. According to McGraw, the new protocol will be based on that used for the 2011/2012 round of audits, with amendments made to account for the changes to HIPAA following the introduction of the Omnibus Rule in 2013. Previously, OCR indicated the next round of compliance audits would be conducted in modules. A module would be developed to assess Privacy Rule...

Read More
OCR Clarifies Patients’ Access Rights to PHI and Allowable Charges
Mar02

OCR Clarifies Patients’ Access Rights to PHI and Allowable Charges

The Health Insurance Portability and Accountability Act’s Privacy Rule gives healthcare patients the right to obtain a copy of their personal health information from their healthcare providers. (45 CFR § 164.524) While HIPAA-covered entities should be aware of this aspect of the Privacy Rule, many patients have experienced difficulty obtaining a copy of their records. In some cases, patients have obtained a copy of their records but felt that they have not been provided with all information contained in their records. Some feel they have been unfairly charged for exercising their access rights. To address these and other issues, the Department of Health and Human Services’ Office for Civil Rights produced a fact sheet in January to clarify the responsibilities of HIPAA covered entities to comply with this aspect of the Privacy Rule. The new guidance explained the general right of patients to obtain a copy of their health records, to inspect their records, or have a copy of those records sent to a nominated individual of their choosing. Provided that the healthcare provider...

Read More
Permitted Uses and Disclosures of PHI Clarified by OCR
Feb27

Permitted Uses and Disclosures of PHI Clarified by OCR

The Office for Civil Rights welcomes feedback from HIPAA-covered entities about aspects of HIPAA that are unclear or need further clarification. Some of the questions asked via the OCR website indicate some covered entities are struggling to understand the Health Insurance Portability and Accountably Act Rules covering the sharing of Protected Health Information (PHI). HIPAA permits the disclosure of PHI for healthcare operations and the provision of treatment. Health information can be used to help patients receive medical care, as well as for the evaluation of care provided to patients. It is necessary to use PHI to co-ordinate care between different healthcare providers, and PHI is needed for billing purposes. Patients must also be allowed access to their health information so they can take a more active role in their own healthcare. HIPAA allows patient health information to be shared for all of these reasons provided PHI is secured at all times. However, a number of restrictions to apply. Even though the HIPAA Privacy and Security Rules have been in effect for many years, and...

Read More
OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule
Feb26

OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule

The risk of cyberattack faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure. However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist and cybercriminals have taken advantage. Targeted attacks on covered entities had led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry. More than one in three Americans had their confidential medical data exposed or stolen in 2015. Over 113 million healthcare records were obtained by unauthorized individuals. Over the past 3 years, more that 40% of data breaches have affected the healthcare industry. USAToday reports that 91% of healthcare organizations have experienced a breach of electronic protected health information. Addressing Security Gaps and Improving Cybersecurity Posture In 2014, the Framework for Improving...

Read More
480,000 Patients Notified of Radiology Regional Center PHI Exposure
Feb19

480,000 Patients Notified of Radiology Regional Center PHI Exposure

In December, Radiology Regional Center, PA., was alerted to a privacy breach by Lee County Solid Waste Division following the accidental release of medical documents in the street. The privacy breach occurred on December 19, 2015. Medical documents were being transported by Lee County Solid Waste Division for secure disposal. The paper files were due to be incinerated in accordance with Health Insurance Portability and Accountability Act Rules, but were accidentally released during transportation. The failure to secure the records resulted in them falling off the vehicle used to transport them. The documents containing highly sensitive medical data were strewn across the street and found their way into doorways, driveways, canals, and were blown all over the sidewalk. Patients Have Now Been Notified of the Privacy Breach   Patients were notified of the breach of their private and confidential medical data on February 12, 2016, the same date that Office for Civil Rights received a HIPAA data breach report. Initially it was unclear exactly how many patients had been affected....

Read More
Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement
Feb18

Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement

OCR has announced it has arrived at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012. Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012 and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013. OCR found that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been obtained in writing from the patients before names and full-face photographs were uploaded to the website. OCR determined this to be a clear violation of the Privacy Rule, with CPT found to have violated HIPAA by failing to reasonably...

Read More
OCR Issues Further Guidance on Health App Use
Feb12

OCR Issues Further Guidance on Health App Use

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance to help mobile health application developers get to grips with HIPAA and determine whether they fall under the classification of a HIPAA Business Associate. Last fall, OCR launched a new developer portal to improve understanding of how the Health Insurance Portability and Accountability Act applied to mobile health app developers. The aim was to improve understanding of HIPAA rules among mhealth app developers. The portal was also used by OCR to anonymously gather information that it could use to direct its focus for future guidance and determine which aspects of HIPAA were proving problematic or confusing for app developers. The new guidance was deemed necessary after OCR assessed the comments and questions that had been submitted via the app developer portal. It is hoped that the new guidance, which has also been posted on OCR’s mHealth Developer Portal, will help app developers avoid falling afoul of HIPAA rules and will help answer some of the questions that are frequently asked. There...

Read More
OCR to Receive $4 Million Budget Increase to Support Audit Program
Feb10

OCR to Receive $4 Million Budget Increase to Support Audit Program

The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million. HIPAA Compliance Audit Program to Receive a Funding Boost   The second phase of compliance audits are penciled in to start “in early 2016,” although the start date has yet to be announced. OCR was mandated to conduct HIPAA compliance audits in the Health Information Technology for Economic and Clinical Health Act (HITECH), and while the pilot phase of audits took place in 2011/2012, the second phase has suffered delay after delay. Those delays have been attributed to a lack of funding. The additional $4 million is therefore much needed, especially after the budget freeze in 2016. The purpose of the audits is in part to ensure that covered entities (healthcare providers, healthcare clearinghouses, health insurers, and business associates of covered entities) are complying with HIPAA regulations. The audits will also give OCR insight into the...

Read More
Apple Health HIPAA Breach Affects 91K Medicaid Recipients
Feb10

Apple Health HIPAA Breach Affects 91K Medicaid Recipients

The protected health information of 91,000 Apple Health Medicaid program clients has been compromised by a Washington State Health Care Authority (HCA) employee over a period of almost 3 years, according to a statement issued by HCA risk manager, Steve Dotson. All affected individuals are in the process of being notified that their name, date of birth, Apple Health ID number, Social Security number, and private health information were improperly disclosed between early 2013 and late 2015. The repeated privacy breaches involved two state department employees who exchanged emails containing the highly sensitive data. A woman working as a medical assistance specialist for the HCA regularly sent spreadsheets containing patient health information and Social Security numbers to her brother, who worked as an Internet technician for the Department of Social and Health Services (DSHS). The unauthorized sharing of patient data is a breach of Health Insurance Portability and Accountability Act rules and warrants the sending of breach notification letters. Those letters were dispatched on...

Read More
Two Employees Fired for Jason Pierre-Paul HIPAA Breach
Feb09

Two Employees Fired for Jason Pierre-Paul HIPAA Breach

Back in July 2015, New York Giants football player Jason Pierre-Paul visited Miami’s Jackson Memorial Hospital for treatment after a fireworks accident. News reports emerged soon after confirming Pierre-Paul had suffered a major hand injury. At the time of the accident, the football player was negotiating a new $60 million contract with the Giants. ESPN’s Adam Schefter managed to get hold of Pierre-Paul’s medical records and posted details of the injury on Twitter, confirming Pierre-Paul had had the middle finger of his right hand amputated. There was much debate at the time about the legality of Schefter’s disclosure, with many claiming HIPAA had been violated. Of course, journalists and news reporters are not HIPAA-covered entities, and as such are not obliged to abide by HIPAA rules. While Schefter could not have violated HIPAA, the medical information could only have come from the hospital where Pierre-Paul was being treated. HIPAA Rules did appear to have been violated, just not by Schefter. Jackson Memorial Hospital conducted an internal investigation into the potential...

Read More
OIG Publishes Findings of Utah Department of Health Security Audit
Feb08

OIG Publishes Findings of Utah Department of Health Security Audit

The Department of Health and Human Services’ Office of Inspector General has published the findings of a security audit of the Utah Department of Health. OIG discovered 39 “high-impact” security vulnerabilities and “a pattern of inadequate security management.” The Utah Department of Health suffered two data breaches between 2012 and 2013, the first of which occurred in March 2012., and resulted in the protected health information (PHI) of 780,000 Medicaid recipients and Children’s Health Insurance Plan recipients being obtained by hackers. The data was stored on a server maintained by the Utah Department of Technology Services (DTS), which was accessed by Eastern European hackers. The second data breach occurred in January 2013., and was the result of the loss of an unencrypted USB drive by an employee of a business associate of the Dept. of Health. The USB drive contained the PHI of 6,000 individuals. The security breaches prompted OIG to conduct a review of information systems general controls at the Utah DOH, which took place in March 2013. The initial review was...

Read More
Deadline for Reporting 2015 Data Breaches
Feb04

Deadline for Reporting 2015 Data Breaches

The deadline for reporting 2015 data breaches is fast approaching. Covered entities must submit all 2015 data breach reports to OCR before the end of the month. The final date for submitting reports of security incidents that affected fewer than 500 individuals is February 29, 2016. Deadline for Reporting 2015 Data Breaches – Monday February 29, 2016   The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows covered entities up to 60 days after the discovery of a large-scale data breach to report the incident to the Department of Health and Human Services’ Office for Civil Rights. A large data breach is defined as one which affects more than 500 individuals. HIPAA also requires all covered organizations to report smaller data breaches, although they are considered lower priority. Small data breaches can be reported at any time during the calendar year in which they are discovered, although the maximum time limit for submission is 60 days from the end of the Calendar year in which they were first identified. Since 2016 is a leap year, the deadline...

Read More
Lincare Inc to Pay $239,800 CMP for HIPAA Violation
Feb03

Lincare Inc to Pay $239,800 CMP for HIPAA Violation

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc., is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge and the motion for summary judgement was granted and the decision to issue civil monetary penalties was sustained. HIPAA Privacy Rule Violation Uncovered by OCR Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities, and via medical services delivered in-home. A complaint was filed with OCR about an Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...

Read More
Survey Indicates Law Firms are not Complying with HIPAA Rules
Feb02

Survey Indicates Law Firms are not Complying with HIPAA Rules

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with HIPAA Privacy, Security, and Breach Notification Rules. HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or their software or systems are capable of touching PHI/PII, those entities are also required to comply with HIPAA Rules. Are Attorneys Classed as Business Associates of HIPAA-Covered Entities? According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules.  If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by...

Read More
98 Percent of Compromised Healthcare Records Due to Hacking
Jan29

98 Percent of Compromised Healthcare Records Due to Hacking

2015 was the worst ever year for healthcare data breaches. The top three largest data healthcare data breaches were all discovered in 2015, including the massive cyberattack on Anthem Inc., that exposed a staggering 78.8 million healthcare records. The mega data breach at Anthem made the breaches at Premera Blue Cross and Excellus look small by comparison, yet they too were larger than any healthcare data breach previously reported to Office for Civil Rights. Just those three data breaches alone exposed almost 100 million healthcare records. Add in the 4.5 million-record data breach at UCLA Health, the 3.9 million-record breach at Medical Informatics Engineering and the one suffered by CareFirst BlueCross BlueShield and the total number of breached records rises to 110 million. Something all the major healthcare data breaches of 2015 had in common was they were the result of the actions of hackers. Human error may have played a part in the exposure of data, and the majority of breaches reported to OCR last year involved errors of judgement or negligence (loss of devices, theft of...

Read More
CHIME Launches $1 Million Competition to Solve the National Patient Identifier Problem
Jan22

CHIME Launches $1 Million Competition to Solve the National Patient Identifier Problem

Matching patient records to the correct patient is a complicated business. In theory at least, with patient information recorded digitally, it should be possible to match records with the correct patient no matter where the patient information is accessed or where the data is located. In an ideal world this would happen 100% of the time. Unfortunately, this is not an ideal world and patients and records are frequently mismatched. This can naturally have serious consequences for patients. Records and Patients only Correctly Matched 90% of the Time Studies suggest that the probability of records and patients being paired correctly is around 90% on average. Provided of course, that the records are located within a single health system. Should some records be located in a different health system, the chance of those records being correctly matched is much lower. In fact, when records are shared across different health systems the figure falls to around 80%. If a patient is to receive the best possible level of care, this is a problem that must be resolved. Solving the Problem of...

Read More
EHR Incentive Program to Come to an End in 2016
Jan19

EHR Incentive Program to Come to an End in 2016

Andy Slavitt, acting administrator for the Centers for Medicare & Medicaid Services, has announced the HITECH Act’s Meaningful Use incentive program is soon to be retired. 2016 will see the program finally come to an end now that the vast majority of healthcare providers have made the transition to electronic health records, although an end date for the incentive program has not yet been announced. The program has by and large been successful in encouraging healthcare providers to make the transition to EHRs, but it is now time to move to a new regime according to Slavitt. He recently announced at the J.P. Morgan Annual Health Care Conference that “The Meaningful Use program as it has existed, will now be effectively over and replaced with something better.” That ‘something better’ will be a new regime that rewards healthcare providers for the value they offer and the outcomes they manage to achieve with patients, marking a substantial shift of emphasis from Meaningful Use that provided incentives based on the use of technology. Slavitt pointed out the Meaningful Use has...

Read More
Upgrade Internet Explorer to Remain HIPAA Compliant
Jan11

Upgrade Internet Explorer to Remain HIPAA Compliant

On Wednesday January 12, 2016., Microsoft will be stopping support and security updates for Internet Explorer 8, 9 and 10. All users of Internet Explorer must therefore upgrade to Internet Explorer 11, or make the switch over to Microsoft Edge in order to continue receiving support, security updates, and patches. 18 months ago, Microsoft announced that its internet browser updates for IE8, IE9, and IE10 would be stopping. Any user who has not yet upgraded now has just two days left before their browser officially becomes obsolete. Whenever software is discontinued and support and security patches are stopped, that software becomes a security risk. Vulnerabilities are discovered that are not patched, and hackers are likely to be able to take advantage. Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave individuals “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.” Figures from Netmarketshare.com and Duo Security put the number of Internet Explorer users with IE10 and below installed at between...

Read More
A Year of HIPAA Enforcement: OCR HIPAA Penalties Issued in 2015
Jan10

A Year of HIPAA Enforcement: OCR HIPAA Penalties Issued in 2015

In its capacity as enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Rules, the Department of Health and Human Services’ Office for Civil Rights (OCR) can issue fines to HIPAA-covered entities that fail to implement sufficient safeguards to keep the Protected Health Information (PHI) of patients and health plan members secure. OCR has been criticized in recent years for an apparent lack of enforcement, specifically for failing to issue financial penalties for clear violations of the HIPAA Privacy, Security, and Breach Notification Rules by HIPAA-covered entities. Covered entities are required to self-report data breaches to OCR under the Breach Notification Rule of 2009, and all data breaches that expose the PHI of more than 500 patients are investigated. Sometimes, those data breaches occur even when covered entities have implemented all of the administrative, technical, and physical controls that are required by the HIPAA Security Rule. However, in many cases, data breaches are suffered as a result of HIPAA failures. In such cases, action is taken by OCR...

Read More
OCR Issues New Guidance on Patient Data Access
Jan10

OCR Issues New Guidance on Patient Data Access

Healthcare providers should be aware that patients are permitted access to their medical records under HIPAA rules; however, not all patients are aware of their legal rights. Not only are patient data access rights under HIPAA not well understood, many patients who have attempted to access their medical records have faced problems. There is also a misconception that HIPAA – specifically the HIPAA Privacy Rule – prevents healthcare providers from disclosing medical records. While it is true when it comes to disclosing Protected Health Information (PHI) of patients to individuals unauthorized to view that information, HIPAA does allow patients to access their own records. In fact, any healthcare provider who fails to allow patients to access their medical records could be fined. OCR Issues Guidance on Patient Data Access Rights Under HIPAA   The Department of Health and Human Services’ Office for Civil Rights has started the year with the launch of a brand new website interface, and has now followed up on previous promises by issuing new guidance on HIPAA. This is the first in...

Read More
OCR Website Receives Long Awaited Upgrade
Jan07

OCR Website Receives Long Awaited Upgrade

The Department of Health and Human Services’ Office for Civil Rights website has been redesigned and upgraded, and features a responsive design and a more user-friendly interface. The redesign was part of the Reimagined HHS.gov initiative. The aim was to create a website that is faster, easier to use, and makes content sharing and syndication much more straightforward. The HHS site-wide overhaul has taken well over a year so far, with the OCR the first HHS department to receive its site upgrade. The upgrade and redesign was conducted in phases, with phase 1 of the project completed in May, 2015. OCRs overhaul was finished on schedule and was made live this week in time for the January 6 launch. The new crisp, clean, and simplistic design presents information clearly, while a fast and powerful search function has been incorporated to ensure visitors can quickly and easily gain access to the information they need. Typing in a search term will offer numerous suggestions based on the most common searches of the site, ensuring the most relevant information can be quickly retrieved. In...

Read More
HIPAA Privacy Rule Updated to Permit NICS Reports
Jan05

HIPAA Privacy Rule Updated to Permit NICS Reports

The Department of Health and Human Services has issued a final rule permitting certain covered entities to disclose specific elements of Protected Health Information (PHI) to the National Instant Criminal Background Check System (NICS), changing the HIPAA Privacy Rule. At the time of writing, HIPAA prevents healthcare providers from disclosing PHI, except in a very limited number of circumstances, without first having obtained permission from a patient. The rule change, which will become effective 30 days after publication in the federal register, will allow certain information about individuals to be divulged and entered into NICS by some HIPAA-covered entities. NICS is maintained by the FBI and is used by Federal Firearms Licensees (FFLs) to determine whether an individual is permitted to purchase a firearm. When an FFL starts a NICS background check on an individual, the system will search three separate databases: The Interstate Identification Index (III), The National Crime Information Center (NCIC), and the NICS Index. NCIC and III contain information on individuals who have...

Read More
No Action Over Patient Privacy Violation Due to HIPAA Loophole
Jan03

No Action Over Patient Privacy Violation Due to HIPAA Loophole

Recently, a New Jersey lawyer discovered that confidential information classed as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) is not necessarily kept private by providers of healthcare services. Under certain circumstances, the holder of those data may disclose the information publicly without penalty, as recently happened in his case. The lawyer had received treatment for mental health issues at Short Hills Associates in Clinical Psychology between 2012 and 2014. Some of the meetings had not been paid for, and Short Hills Associates filed a lawsuit for non-payment of $4,400 last year. Short Hills Associates is within its rights to take legal action against individuals who do not pay for chargeable medical services; however, in the lawsuit the organization listed the lawyer’s diagnosis and services he had received. That information was detailed in publicly filed court documents. HIPAA does permit the disclosure of PHI under certain circumstances, but this should be limited to the minimum necessary information for a...

Read More
Online Medical Record Access Not Possible for the Majority of Patients
Dec31

Online Medical Record Access Not Possible for the Majority of Patients

A recent survey commissioned by personal clinical engagement platform vendor, HealthMine, indicates patients are still finding it difficult to gain online access to their healthcare data, even though the majority of healthcare providers store healthcare data in digital form. 2013 data suggest that 78% of healthcare providers use EHRs and could therefore conceivably provide online access patient medical data. The recent survey was conducted on 502 consumers that intended to enroll in a 2016 health plan. The survey took place between October and November, 2015. The results of that survey show that over half of consumers (53%) do not yet have online access to their medical records, and almost a third (32%) of Americans have difficulty accessing their medical records. 31% of respondents indicated they have trouble accessing biometric information, 29% said they struggled to gain access to lab records and insurance information. A quarter of respondents had trouble accessing their prescription history. 74% of Americans believe that having access to all of their clinical notes and medical...

Read More
Repeat HIPAA Violators Revealed: Database of Offenders Created
Dec30

Repeat HIPAA Violators Revealed: Database of Offenders Created

ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed. Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame” currently list 1425 data breaches dating from October 21, 2009. Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity. Not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal just one breach has been suffered, when in actual fact a great deal more have occurred. One good example of a bad example is CVS Health; a search for which would produce one result: A 12,914 record breach suffered this year. A search for CVS Caremark would...

Read More
HealthSouth Rehabilitation Hospital Announces 1,359-Record Data Breach
Dec23

HealthSouth Rehabilitation Hospital Announces 1,359-Record Data Breach

Only a few hours after the announcement of the theft of an unencrypted laptop computer from the vehicle of an employee of the New Mexico Department of Health comes news of another. The latest laptop theft affects 1,359 patients of the HealthSouth Rehabilitation Hospital in Round Rock, TX. An employee of the hospital left an unencrypted laptop computer in the trunk of a vehicle from where it was stolen. As with the NM Department of Health laptop theft, the incident occurred in October. Covered entities have up to two months to issue breach notification letters to patients and the Department of Health and Human Services’ Office for Civil Rights. The notification letters were sent on Tuesday 22, December and OCR has now been notified. The theft was discovered by HealthSouth on October 26, 2015, five days after the theft actually took place. Once the theft was discovered, the incident was reported to Austin law enforcement. It is not clear why it took five days for hospital staff and law enforcement officers to be notified. The laptop computer has not subsequently been recovered. The...

Read More
Nursing Home Snapchat Photo Sharing Scandal Uncovered
Dec22

Nursing Home Snapchat Photo Sharing Scandal Uncovered

An investigation by ProPublica has revealed widespread abuse of patient privacy, and dignity, by workers from nursing homes and assisted living facilities across the country. Nursing facility workers have taken embarrassing photographs of patients and have shared them on social media websites such as Snapchat. Some of the photographs and videos that have been shared by nursing facility workers show physical and mental abuse of patients suffering dementia. The ProPublica review uncovered 22 cases of HIPAA-violating photo and video sharing that had been reported since 2012, with 35 instances of inappropriate image and video sharing found in total. Some cases involved workers taking photos of naked or semi-naked patients and posting them on Snapchat, others involved humiliating and degrading videos of patients. Once case involved residents being coached to sing “I’m in love with the coco,” while one held a banner saying “Got these hoes trained.” Inhuman treatment and violations of patient privacy and dignity The cases show widespread abuses of patient privacy, with the victims...

Read More
Healthcare Cybersecurity Addressed in Omnibus Bill
Dec20

Healthcare Cybersecurity Addressed in Omnibus Bill

New cybersecurity provisions specifically for the healthcare industry have been added to the Omnibus bill passed by congress late last week. The aim of their inclusion is to assist healthcare organizations tackle the growing risk of cyberattacks, and provide them with the information and guidance necessary to let them to shore up their defenses, plug security gaps and make them less pregnable to cyberattacks. The new legislation is part of the Cybersecurity Information Sharing Act, passed by Congress on Friday. One of the ways that the new legislation will help healthcare organizations is with the formation of a new Cybersecurity Task Force. This is scheduled to take place during the first 90 days following the introduction of the new legislation. The purpose of the task force is to assess the current cyber threats faced by the healthcare industry. The methods used by cybercriminals to break through security defenses will be analyzed and vulnerabilities assessed. The task force will also study how other industries are managing to repel attacks. Healthcare organizations will then be...

Read More
OIG Audit Reveals High Risk Security Vulnerabilities at 3 Medi-Cal MCOs
Dec15

OIG Audit Reveals High Risk Security Vulnerabilities at 3 Medi-Cal MCOs

The Department of Health & Human Services Office of Inspector General has recently published the results of information system reviews conducted on three Californian Medicaid managed-care organizations (MCOs). OIG Audits Reveal 74 High Risk Security Vulnerabilities at 3 Medi-Cal MCOs The OIG audits revealed numerous, significant security vulnerabilities at the three Medi-Cal MCOs being assessed. In total, 74 high-risk security vulnerabilities were discovered across 14 separate security control areas. Many of the vulnerabilities existed at all three Medi-Cal MCOs suggesting similar security vulnerabilities may well exist at all Medi-Cal MCOs. Each of the vulnerabilities had potential to place patient data at risk of exposure. In some cases, the security vulnerabilities were extremely serious. The vulnerabilities were categorized into three broad areas: Access controls, security management and configuration management. Access Management Controls Access controls included password and login controls, database security controls, the use of backup storage media, and portable device...

Read More
$750,000 HIPAA Fine for University of Washington Medicine
Dec14

$750,000 HIPAA Fine for University of Washington Medicine

University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights, and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013 Flurry of HIPAA Enforcement Activity as 2015 Draws to a Close   There has been a flurry of HIPAA enforcement activity over the past few weeks. First came news of a $90,000 settlement between the Connecticut OIG and Hartford Hospital in late November, then news of a $850,000 settlement between OCR and Lahey Hospital and Medical Center. That was closely followed by the announcement of a $3.5 million settlement between OCR and Tripe-S of Puerto Rico, and now University of Washington Medicine has agreed to settle potential HIPAA violations with OCR. Spam Email Behind 90,000-Record Data Breach   On November 27, 2013, University of Washington Medicine alerted OCR to a data breach that exposed the Protected Health Information (PHI) of approximately 90,000 UWM patients. The data breach occurred as a result of an employee falling for an...

Read More
Study Shows Only 49% of Hospitals Use 2-Factor Authentication to Improve ePHI Security
Dec13

Study Shows Only 49% of Hospitals Use 2-Factor Authentication to Improve ePHI Security

Under HIPAA Rules, access to Protected Health Information must be strictly controlled. HIPAA-covered entities must therefore implement technical safeguards to ensure that only authorized individuals are able to gain access to data. EHRs and other software systems that are used to store or send ePHI must be protected by a minimum of a username and password, and any attempt to gain access to ePHI must be logged and periodically audited. Improving ePHI Security with Two-Factor Authentication Data security can be greatly enhanced by the use of two-factor authentication. Two factor authentication requires an additional identification factor (other than a username/password combo) to be entered prior to access to ePHI being granted. Under the HIPAA Security Rule – 45 CFR § 164 – this control is strongly advisable but not mandatory; however, under the DEA’s Electronic Prescription for Controlled Substances rules, it is mandatory for 2-factor authentication to be used by all entities that e-prescribe controlled substances. Typically, the additional factor is a security question,...

Read More
Two Thirds of Healthcare Organizations Lack Confidence in Data Sharing
Dec12

Two Thirds of Healthcare Organizations Lack Confidence in Data Sharing

A recent survey conducted by Privacy Analytics, a Canadian technology firm specializing in data masking and data de-identification technology, indicates two out of three healthcare organizations do not have complete confidence in their ability to share patient health information without placing patient privacy at risk. HIPAA and Data Sharing Under the HIPAA Privacy Rule, covered entities are not permitted to share the Protected Health Information unless prior authorization has been obtained from the patient, unless those data have first been de-identified – 45 CFR §164.502(d). When de-identifying data, covered entities must ensure the risk of re-identification of patients is kept to an acceptable level: the use of Expert Determination and the Safe Harbor model are suggested – 45 CFR §164.514(a)-(b). When sharing data, many HIPAA-covered entities opt for the Safe Harbor model, which requires the removal of 18 identifiers from the data prior to those data being disclosed to a third party for research studies, policy assessment, etc. Unfortunately, removing this...

Read More
Record Breaking Healthcare Data Breaches in 2015 May be Eclipsed in 2016
Dec10

Record Breaking Healthcare Data Breaches in 2015 May be Eclipsed in 2016

2014 was widely considered to be “The Year of the Data Breach.” Then came 2015. The year of the mega healthcare data breach. Now the year is coming to an end, it is time to look to the next 12 months and what could possibly be in store. If the upward trend continues, 2016 could really be an annus horribilis. According to a recent white paper issued by Experian, the next twelve months are likely to see more of the same. We can expect the large-scale healthcare data breaches to continue as the industry is targeted by cybercriminals seeking the highly valuable data stored by HIPAA-covered entities. The high value of healthcare data combined with relatively weak defenses and the continued digitization of medical records will see even more attacks launched by cybercriminals on healthcare organizations, according to the Experian Data Breach Resolution White Paper. Large Healthcare Data Breaches Will Occur, But Small Breaches Are Likely to Cause the Most Damage This year has seen some mega data breaches suffered by health insurers, and those organizations will continue to be targeted in...

Read More
NY Attorney General HIPAA Fine for URMC
Dec08

NY Attorney General HIPAA Fine for URMC

An attorney general HIPAA fine of $15,000 has been issued to University of Rochester Medical Center for a breach of patient privacy that occurred in March, 2015. An OCR and Attorney General HIPAA Fine May Be Issued for a Breach of HIPAA Rules It is not only Office for Civil Rights that is permitted to issue financial penalties for violations of HIPAA Rules. State attorneys general can also enforce HIPAA Privacy, Security, and Breach Notification Rules. State attorneys general were given the power to assist OCR with the enforcement of Health Insurance Portability and Accountability Act Rules following the introduction of the HITECH Act in 2009, although few state AGs have chosen to do so. Action is sometimes taken against healthcare organizations that have exposed the data of patients, but the decision is taken to prosecute under state consumer protection laws rather than HIPAA. The first attorney general HIPAA fine was issued by the Connecticut AGs office on July, 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million individuals....

Read More
Another HIPAA Breach Courtesy of a Printing Error
Dec08

Another HIPAA Breach Courtesy of a Printing Error

Over the course of the last three months, HIPAA covered entities have reported 54 data breaches to the Office for Civil Rights. The majority of those data breaches can be attributed to human error. 15% of the breaches have resulted from errors made when printing and mailing letters to patients and health plan members. While these privacy breaches do not affect anywhere near as many patients/plan members as hacking incidents (which have resulted in 10,134,208 records being stolen since September 9, 2015), they still require a breach response and result in considerable costs to the covered entity. The breach victims can be adversely affected, and the incidents tarnish the organizations’ reputations. They are also some of the easiest data breaches to prevent. On Friday last week, another covered entity, BlueCross Blue Shield of Nebraska, reported a printing error had been made during a patient mailing, and each month in its report to congress, the Department of Veteran Affairs lists numerous examples of errors made when sending letters/prescription information to veterans. Efforts...

Read More
Cyberattack Simulation Exercise Tests Incident Response Readiness
Dec07

Cyberattack Simulation Exercise Tests Incident Response Readiness

It is no longer a case of whether a data breach will be suffered, it is now just a matter of time as to when it will occur. It is therefore essential that covered entities have a data breach response plan that can be put into action as soon as a cybersecurity incident is discovered. If cyberattack simulation exercises are conducted prior to a breach being suffered, the ability of an organization to respond appropriately, and conduct an efficient breach response, will be greatly improved. Breach Response Plan Testing Must Include Rigorous Cyberattack Simulation Exercises It is essential that HIPAA-covered entities are able to respond quickly after discovering a cybersecurity incident has been suffered. The first few hours after an attack are critical. Key decisions must be made, personnel mobilized and third parties involved. Under HIPAA Rules, HIPAA-covered entities must conduct a breach investigation, which can be complex and longwinded. A full risk assessment must also be conducted, notices must be issued to victims, breach reports issued to the OCR, the media must be alerted,...

Read More
Guidance on Patient Rights Under HIPAA Due this Month
Dec04

Guidance on Patient Rights Under HIPAA Due this Month

This December, OCR expects to issue a new document clarifying patient rights under HIPAA to access their own healthcare data, as part of the White House Precision Medicine Initiative. Clarification Due on Patient Rights Under HIPAA to Access their Own PHI The Health Insurance Portability and Accountability Act’s Privacy Rule introduced a number of new rules aimed at protecting the privacy of healthcare patients and health insurance subscribers. The Privacy Rule dictates when HIPAA-covered entities are permitted to disclose Protected Health Information (PHI) to third parties, and also makes provision for patients to access their own medical data. While most covered entities have now got to grips with the intricacies of the HIPAA Privacy Rule, not all appear to be certain about when medical records can be supplied to patients, and the extent of data that must be disclosed upon request. Consumers are similarly unsure about their data access rights under HIPAA. Office for Civil Rights (OCR) intends to clarify the situation, and will be issuing new guidance on patient rights under...

Read More
HIPAA Violation Fine of $3.5 Million for Triple-S
Dec02

HIPAA Violation Fine of $3.5 Million for Triple-S

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. This is the second HIPAA violation fine to be announced in the space of a week, with the latest financial penalty closely following the $850,000 settlement between OCR and Lahey Hospital and Medical Center. The latest fine highlights just how costly non-compliance can be. This does not need to be explained to Triple S Management Corporation. The company was already hit with a HIPAA violation fine of $6.8 million by the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal. The PRHIA fine was issued following the mailing of a pamphlet that displayed the Medicare Health Insurance Claim Numbers of subscribers. The HIPAA violation fine corresponded to $500 for each of the 13,336 members of the insurer’s Medicare...

Read More
Major Mobile Health Application Growth Predicted
Nov29

Major Mobile Health Application Growth Predicted

Mobile technology has potential to revolutionize the provision of healthcare. Mobile technology is already having a major impact on the industry. According to PwC, one of the few limiting factors is how the technology can be implemented to allow healthcare providers to obtain the full benefits of the technology. This does not appear to have hindered growth in the sector. PwC has predicted growth to increase six-fold over the course of the next two years. Growth in the sector will mostly come from the development of new mHealth applications and from monitoring services. A new report published by healthcare market research firm Kalorama Information suggests that the growth of mobile health applications will outstrip all other mobile application areas over the next four years. The Kalorama report highlights the substantial growth already seen in the mHealth market so far in 2015. Manufacturers of devices, software developers, and providers of wireless services are capitalizing on growing demand. By the end of the year, the industry is expected to have generated close to $34 billion....

Read More
OCR Settlement Reached with Lahey Hospital
Nov25

OCR Settlement Reached with Lahey Hospital

The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights (OCR) over alleged HIPAA violations following a data breach that occurred back in October, 2011. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt the OCRs corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. The settlement covers six ‘potential’ violations of HIPAA Rules, specifically the failure to implement appropriate administrative and physical controls to prevent the accidental disclosure of ePHI. Failure to Safeguard ePHI Results in $850,000 Settlement The incident which led to the OCR investigation involved the theft of an unencrypted laptop computer that had been left in an unlocked treatment room at the hospital. The laptop contained data recorded from one of the medical center’s CT scanners.  The laptop contained electronic Protected Health Information of 599 patients. A financial penalty was...

Read More
PHI Data Breaches Occur in Most Industry Sectors
Nov23

PHI Data Breaches Occur in Most Industry Sectors

Healthcare organizations and other HIPAA-covered entities are required to report PHI data breaches to the Department of Health and Human Services’ Office for Civil Rights, so it is easy to track the security breaches suffered over the past few years. However, PHI breaches are not specific to the healthcare industry. Protected Health Information is stored by all manner of organizations, and all are at risk of suffering PHI data breaches. According to a recent study conducted by Verizon Enterprise Solutions, PHI data breaches have been suffered by 90% of companies, including non-healthcare organizations. PHI is not just stored by healthcare providers and insurers. PHI is contained in HR files, in addition to employee program data and workers’ compensation schemes. Verizon completed an analysis of PHI data breaches that have occurred over the course of the past 20 years. 1,931 individual PHI data breaches were analyzed as part of the study. Those data security incidents exposed the PHI of 392 million patients and employees. The HHS’ Office for Civil Rights and the Department of...

Read More