Two Thirds of Healthcare Organizations Lack Confidence in Data Sharing
Dec 12

A recent survey conducted by Privacy Analytics, a Canadian technology firm specializing in data masking and data de-identification technology, indicates that two out of three healthcare organizations do not have complete confidence in their ability to share patient health information without placing patient privacy at risk.

HIPAA and Data Sharing

Under the HIPAA Privacy Rule, covered entities are not permitted to share Protected Health Information unless prior authorization has been obtained from the patient, or unless those data have first been de-identified – 45 CFR §164.502(d). When de-identifying data, covered entities must ensure the risk of re-identification of patients is kept to an acceptable level: the use of Expert Determination and the Safe Harbor model are suggested – 45 CFR §164.514(a)-(b). When sharing data, many HIPAA-covered entities opt for the Safe Harbor model, which requires the removal of 18 identifiers from the data prior to those data being disclosed to a third party for research studies, policy assessment, etc. Unfortunately, removing this...

Record Breaking Healthcare Data Breaches in 2015 May be Eclipsed in 2016
Dec 10

2014 was widely considered to be “The Year of the Data Breach.” Then came 2015, the year of the mega healthcare data breach. Now that the year is coming to an end, it is time to look to the next 12 months and what could possibly be in store. If the upward trend continues, 2016 could really be an annus horribilis. According to a recent white paper issued by Experian, the next twelve months are likely to see more of the same. We can expect the large-scale healthcare data breaches to continue as the industry is targeted by cybercriminals seeking the highly valuable data stored by HIPAA-covered entities. The high value of healthcare data, combined with relatively weak defenses and the continued digitization of medical records, will see even more attacks launched by cybercriminals on healthcare organizations, according to the Experian Data Breach Resolution White Paper.

Large Healthcare Data Breaches Will Occur, But Small Breaches Are Likely to Cause the Most Damage

This year has seen some mega data breaches suffered by health insurers, and those organizations will continue to be targeted in...

NY Attorney General HIPAA Fine for URMC
Dec 08

An attorney general HIPAA fine of $15,000 has been issued to University of Rochester Medical Center for a breach of patient privacy that occurred in March 2015.

An OCR and Attorney General HIPAA Fine May Be Issued for a Breach of HIPAA Rules

It is not only the Office for Civil Rights that is permitted to issue financial penalties for violations of HIPAA Rules. State attorneys general can also enforce the HIPAA Privacy, Security, and Breach Notification Rules. State attorneys general were given the power to assist OCR with the enforcement of Health Insurance Portability and Accountability Act Rules following the introduction of the HITECH Act in 2009, although few state AGs have chosen to do so. Action is sometimes taken against healthcare organizations that have exposed the data of patients, but the decision is taken to prosecute under state consumer protection laws rather than HIPAA. The first attorney general HIPAA fine was issued by the Connecticut AG’s office on July 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million individuals....

Another HIPAA Breach Courtesy of a Printing Error
Dec 08

Over the course of the last three months, HIPAA-covered entities have reported 54 data breaches to the Office for Civil Rights. The majority of those data breaches can be attributed to human error. 15% of the breaches have resulted from errors made when printing and mailing letters to patients and health plan members. While these privacy breaches do not affect anywhere near as many patients/plan members as hacking incidents (which have resulted in 10,134,208 records being stolen since September 9, 2015), they still require a breach response and result in considerable costs to the covered entity. The breach victims can be adversely affected, and the incidents tarnish the organizations’ reputations. They are also some of the easiest data breaches to prevent. On Friday last week, another covered entity, BlueCross Blue Shield of Nebraska, reported that a printing error had been made during a patient mailing, and each month in its report to Congress, the Department of Veterans Affairs lists numerous examples of errors made when sending letters/prescription information to veterans. Efforts...

Cyberattack Simulation Exercise Tests Incident Response Readiness
Dec 07

It is no longer a case of whether a data breach will be suffered; it is now just a matter of when it will occur. It is therefore essential that covered entities have a data breach response plan that can be put into action as soon as a cybersecurity incident is discovered. If cyberattack simulation exercises are conducted before a breach is suffered, the ability of an organization to respond appropriately, and to conduct an efficient breach response, will be greatly improved.

Breach Response Plan Testing Must Include Rigorous Cyberattack Simulation Exercises

It is essential that HIPAA-covered entities are able to respond quickly after discovering that a cybersecurity incident has been suffered. The first few hours after an attack are critical. Key decisions must be made, personnel mobilized and third parties involved. Under HIPAA Rules, HIPAA-covered entities must conduct a breach investigation, which can be complex and long-winded. A full risk assessment must also be conducted, notices must be issued to victims, breach reports issued to the OCR, the media must be alerted,...

Guidance on Patient Rights Under HIPAA Due this Month
Dec 04

This December, OCR expects to issue a new document clarifying patient rights under HIPAA to access their own healthcare data, as part of the White House Precision Medicine Initiative.

Clarification Due on Patient Rights Under HIPAA to Access their Own PHI

The Health Insurance Portability and Accountability Act’s Privacy Rule introduced a number of new rules aimed at protecting the privacy of healthcare patients and health insurance subscribers. The Privacy Rule dictates when HIPAA-covered entities are permitted to disclose Protected Health Information (PHI) to third parties, and also makes provision for patients to access their own medical data. While most covered entities have now got to grips with the intricacies of the HIPAA Privacy Rule, not all appear to be certain about when medical records can be supplied to patients, and the extent of the data that must be disclosed upon request. Consumers are similarly unsure about their data access rights under HIPAA. The Office for Civil Rights (OCR) intends to clarify the situation, and will be issuing new guidance on patient rights under...

HIPAA Violation Fine of $3.5 Million for Triple-S
Dec 02

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. This is the second HIPAA violation fine to be announced in the space of a week, with the latest financial penalty closely following the $850,000 settlement between OCR and Lahey Hospital and Medical Center. The latest fine highlights just how costly non-compliance can be. This does not need to be explained to Triple S Management Corporation. Last year, the company was already hit with a HIPAA violation fine of $6.8 million by the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule, although the HIPAA violation fine was reduced to $1.5 million on appeal. The PRHIA fine was issued following the mailing of a pamphlet that displayed the Medicare Health Insurance Claim Numbers of subscribers. The HIPAA violation fine corresponded to $500 for each of the 13,336 members of the insurer’s Medicare...

Major Mobile Health Application Growth Predicted
Nov 29

Mobile technology has the potential to revolutionize the provision of healthcare, and it is already having a major impact on the industry. According to PwC, one of the few limiting factors is how the technology can be implemented to allow healthcare providers to obtain its full benefits. This does not appear to have hindered growth in the sector. PwC has predicted that growth will increase six-fold over the course of the next two years. Growth in the sector will mostly come from the development of new mHealth applications and from monitoring services. A new report published by healthcare market research firm Kalorama Information suggests that the growth of mobile health applications will outstrip all other mobile application areas over the next four years. The Kalorama report highlights the substantial growth already seen in the mHealth market so far in 2015. Manufacturers of devices, software developers, and providers of wireless services are capitalizing on growing demand. By the end of the year, the industry is expected to have generated close to $34 billion....

OCR Settlement Reached with Lahey Hospital
Nov 25

The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights (OCR) over alleged HIPAA violations following a data breach that occurred back in October 2011. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt the OCR’s corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. The settlement covers six ‘potential’ violations of HIPAA Rules, specifically the failure to implement appropriate administrative and physical controls to prevent the accidental disclosure of ePHI.

Failure to Safeguard ePHI Results in $850,000 Settlement

The incident which led to the OCR investigation involved the theft of an unencrypted laptop computer that had been left in an unlocked treatment room at the hospital. The laptop contained data recorded from one of the medical center’s CT scanners, including the electronic Protected Health Information of 599 patients. A financial penalty was...

PHI Data Breaches Occur in Most Industry Sectors
Nov 23

Healthcare organizations and other HIPAA-covered entities are required to report PHI data breaches to the Department of Health and Human Services’ Office for Civil Rights, so it is easy to track the security breaches suffered over the past few years. However, PHI breaches are not specific to the healthcare industry. Protected Health Information is stored by all manner of organizations, and all are at risk of suffering PHI data breaches. According to a recent study conducted by Verizon Enterprise Solutions, PHI data breaches have been suffered by 90% of companies, including non-healthcare organizations. PHI is not just stored by healthcare providers and insurers. PHI is contained in HR files, in addition to employee program data and workers’ compensation schemes. Verizon completed an analysis of PHI data breaches that have occurred over the course of the past 20 years. 1,931 individual PHI data breaches were analyzed as part of the study. Those data security incidents exposed the PHI of 392 million patients and employees. The HHS’ Office for Civil Rights and the Department of...

FTC Data Breach Case Against LabMD Dismissed
Nov 22

The Federal Trade Commission’s case against healthcare service provider LabMD has been dismissed by a Chief Administrative Law Judge due to a lack of evidence that patients were exposed to a significant risk of suffering a substantial injury as a result of their personal information being exposed. This is the first time a decision has gone against the FTC after a data breach case has been challenged. The initial decision on November 13 went against the FTC, although the FTC can lodge an appeal in the next 30 days. The FTC is currently considering the matter and deciding whether to appeal and send the case against LabMD to federal court to be decided. Judge Michael Chappell ruled that the FTC “failed to prove its case” that affected individuals were placed at a considerable risk of suffering harm or losses as a result of the incidents. Consequently, they were unlikely to constitute unfair trade practices. The case was originally filed against LabMD in August 2013. The security breaches cited in the case occurred in 2008 and 2012. In 2008, a document containing...

Even HHS Involvement Did Not Stop Months of Patient Privacy Breaches
Nov 18

A simple mistake can lead to the exposure of hundreds of private and confidential medical records, as discovered by Brooklyn marketing firm APS Marketing Group. The company started receiving faxes containing the medical information of patients of an unnamed medical clinic in April 2015. Despite efforts to contact the sender, the intended recipient, and the Department of Health and Human Services, the faxes kept on arriving. APS ended up receiving faxed medical documents for months on end, and hundreds of patients had their medical records exposed. The information contained in the documents included patient names, contact information, the medical test that had been requested, and in some cases, also Social Security numbers. The error was caused by a member of staff entering a fax number incorrectly. That simple mistake resulted in documents being sent to the wrong company, exposing the data of hundreds of patients. However, it is not the error that is worrying in this case, but how long it took for the HIPAA breaches to stop, even after the HHS got involved. The faxes...

Senators Demand Answers from CMS and OCR About Medical Identity Theft and Fraud
Nov 13

Four senators have put their names to a letter sent to Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), and Centers for Medicare and Medicaid Services (CMS) Acting Administrator Andy Slavitt, requesting answers about the growing issue of medical identity theft. Sen. Lamar Alexander, R-Tenn.; Sen. Patty Murray, D-Wash.; Sen. Orrin Hatch, R-Utah; and Sen. Ron Wyden, D-Ore., have signed the letter, which demands answers to nine questions relating to the role the HHS, OCR and CMS play in monitoring and addressing medical fraud and identity theft stemming from healthcare data breaches. Healthcare data breaches have exposed the Protected Health Information of over 105,000,000 individuals so far this year, and there are still over six weeks of 2015 to go. That figure is certain to rise. The problem is a growing concern. The total number of breach victims created over the past six years stands at 154 million, which equates to close to half the population of the United States. The senators point out that the situation is only likely to get...

Healthcare Provider Not Liable for Social Media HIPAA Violation
Nov 12

On Monday this week, a case against University of Cincinnati Medical Center (UCMC) was heard by Judge Jody Luebbers in the Hamilton County Common Pleas Court regarding the posting of a patient’s Protected Health Information on social media. The incident that triggered the lawsuit concerned the posting of a patient’s medical records by a woman employed in the financial services department at UCMC. The employee had accessed the medical records of the patient, taken a screenshot of them and uploaded the image to her Facebook account. The image was then shared with members of a Facebook group, and the same image was also emailed to the same individuals. The group in question had been named “Team No Hoes.” The patient had contracted syphilis and was pregnant at the time. The naming and shaming of the patient on social media was investigated by the hospital as soon as the privacy violation was discovered, and the employee lost her job as a result. Cases involving vicarious liability are often filed by co-workers who have suffered sexual harassment in the...

Conn. OIG Reaches $90K Settlement with Hartford Hospital and BA Over 2012 Laptop Theft
Nov 10

Hartford Hospital and one of its Business Associates, EMC Corporation (EMC), have agreed to a settlement with the Connecticut Office of the Inspector General over the 2012 theft of a laptop computer containing the unencrypted data of 8,883 Connecticut residents. Hartford Hospital and EMC have agreed to a settlement of $90,000 to resolve the incident. The agreement was reached voluntarily, and no admission of liability has been made by either party. EMC was contracted by Hartford Hospital in late December 2011 to assist with the completion of a quality improvement project. The ultimate aim of the project was to reduce avoidable hospital admissions of patients suffering from congestive heart failure. The project required EMC to conduct an analysis of patient data, and EMC was provided with the Protected Health Information of patients for this purpose. However, on June 25, 2012, an unencrypted laptop computer containing patient data was stolen from the home of an EMC employee. According to Hartford Hospital, the data does not appear to have been used inappropriately. After...

OIG Releases 2016 Work Plan: Expect Greater Oversight of OCR, Medical Devices and Emergency Planning
Nov 06

Over the course of the next year, OIG is expecting to increase oversight of the Department of Health and Human Services’ Office for Civil Rights. OIG will also be looking closely at a specific area of HIPAA compliance: how hospitals are complying with the HIPAA Security Rule requirement for contingency planning for emergencies.

HIPAA Requirements for Coping in Emergencies

The administrative safeguards of the HIPAA Security Rule (45 CFR, Part 164 § 308(7)(i)) require all covered entities to be able to continue to function during emergency situations. Access to Protected Health Information (PHI) must be maintained at all times. Should access be lost, it must be restored as a priority. In order for covered entities to be able to do this, proactive steps must be taken. It is essential that policies and procedures are developed that can be implemented in case of disaster. Rapid action is required, and every individual must be aware of his or her responsibilities in case of emergency. This applies to emergency situations such as natural disasters, as well as to times when EHR systems...

Healthcare Fraud and HIPAA Violations: Warner Chilcott to Pay $125 Million
Nov 05

A unit of pharmaceutical company Warner Chilcott has agreed to plead guilty to healthcare fraud, and will be required to pay $125 million to resolve civil and criminal liability, according to the Boston US Attorney’s Office. The case against the pharmaceutical company concerns the illegal promotion of seven drugs. Payments were made to physicians to prescribe those pharmaceuticals to patients over other drugs. This is of course not the first time such allegations have been made against drug firms, nor is it the first time that pharmaceutical companies have been found to be liable. What makes this case different is the fact that charges have been filed against employees of Warner Chilcott and Warner Chilcott U.S. Sales LLC under HIPAA Rules. The case was possible under the False Claims Act, which permits private individuals to sue companies on behalf of the government under the Act’s whistleblower provisions. Two whistleblowers brought the case against the company and are being represented by law firms MoloLamken, Seeger Weiss, and the Simmer Law Group. The criminal charges...

Privacy and Security of Personal Wellness Data: CEA Releases New Private Sector Guidelines
Nov 03

Wearable technology has proved popular with consumers, yet numerous questions have been raised about the privacy and security of personal wellness data collected, stored and transmitted by the devices. The Consumer Electronics Association (CEA) is well aware of the potential benefits of the devices, and also of the risk that the privacy of their users will be violated. Currently the metrics recorded by the devices are limited, although there is considerable potential for devices to be developed that record a huge volume of data collected from consumers: data that is actively recorded by the devices or entered by users. Currently there are few controls covering data privacy and security, and consequently considerable variation in those implemented by device manufacturers. As the volume of data recorded grows, so too will the privacy risk. Now is therefore the time to start building security and privacy controls into the devices, yet many manufacturers of wearable technology are unsure about how best to secure data and protect the privacy of users....

Unencrypted Device Theft Continues to Plague HIPAA CEs
Oct 21

Device theft continues to expose the PHI of healthcare patients, and the past three months have seen a high volume of security incidents reported to the Office for Civil Rights involving the loss and theft of portable devices used to store the confidential Protected Health Information (PHI) of patients. The latest case involves Johns Hopkins Medicine, where the theft of an unencrypted laptop computer has exposed the PHI of 571 patients and 267 research subjects.

Johns Hopkins Hospital Data Breach

A physician from Johns Hopkins Medicine is reported to have had a suitcase stolen at an airport on August 10, 2015. In that suitcase was the physician’s laptop computer, which contained a limited amount of data relating to patients and research subjects. The laptop was unencrypted, so the theft potentially exposed the PHI of a number of individuals, although it is probable that the theft was an opportunistic crime rather than the physician being targeted by a thief seeking medical data and Social Security numbers. In this case, the laptop did not contain highly...

CMS Finalizes Meaningful Use Rules
Oct 08

The Centers for Medicare & Medicaid Services (CMS) has released the final rule modifying Meaningful Use Program requirements (2015-2017), in addition to postponing mandatory adoption of Meaningful Use Stage 3 requirements. The changes simplify the Meaningful Use requirements for eligible hospitals and healthcare professionals. The changes have taken some time to be finalized. Following on from the interim rule, comments were requested from the general public. Over 2,500 comments were received and reviewed, many of which highlighted the considerable reporting burden placed on healthcare professionals and hospitals participating in the Meaningful Use program. After considering the comments, modifications were made to simplify Stage 3 requirements and add more flexibility to the program, which should ease the reporting burden. Changes were also made to support interoperability and improve outcomes. Dr. Patrick Conway, M.D., M.Sc., CMS deputy administrator for innovation and quality and chief medical officer, said “We have a shared goal of electronic health records helping...

OCR Confirms Phase 2 HIPAA Compliance Audits to Commence Early 2016
Oct 02

The Director of the Department of Health and Human Services’ Office for Civil Rights, Jocelyn Samuels, has confirmed that the second phase of the HIPAA compliance audits will be commencing in early 2016. No more delays are expected. HIPAA-covered entities will soon have their compliance efforts put to the test, and Business Associates will not escape either: they too will be assessed on compliance with the HIPAA Privacy, Security and Breach Notification Rules. Samuels recently wrote to the HHS Inspector General following strong criticism of the OCR’s enforcement activities and of inconsistencies in enforcing HIPAA Rules. At present, the OCR relies heavily on reports of privacy violations from the general public and on self-reporting of data breaches to identify HIPAA violations and to choose which entities to investigate. The agency has yet to develop a permanent HIPAA-compliance audit program, even though such a program was much talked about early in Leon Rodriguez’s tenure as head of the OCR. According to a recent OIG report, released on Tuesday, “Without fully implementing...

OIG Criticizes OCR for Lax Enforcement Standards and Poor Oversight of Covered Entities
Oct 02

Take a look at the Department of Health and Human Services’ Office for Civil Rights website and you will discover that relatively few financial penalties have been issued for HIPAA Privacy violations. Even apparently serious violations of HIPAA Rules have not always resulted in financial penalties being issued. Out of the thousands of data breaches listed on the website, only a tiny percentage have resulted in financial penalties, with the OCR often favoring other enforcement actions. This has not gone unnoticed by the Office of the Inspector General (OIG). The OIG has just published the findings from two studies conducted on the OCR to assess how well the agency is enforcing HIPAA Rules.

Poor Oversight of HIPAA Covered Entities

The first study was conducted to assess the OCR’s oversight of covered entities’ compliance with the Privacy Rule. OIG investigators took a sample of Medicare Part B providers that had reported data breaches to the OCR between September 2009 and March 2011. The OIG then assessed the extent to which those organizations had addressed five privacy...

New Rules for Electronic HIPAA Transactions Approved by CAQH CORE
Sep 28

Last week, the CAQH® Committee on Operating Rules for Information Exchange (CORE®) approved a new set of national rules for electronic HIPAA transactions, as part of Phase IV of the CAQH® CORE® Operating Rules. The new rules for electronic HIPAA transactions cover four groups of healthcare business transactions – prior authorizations, employee premium payment, enrollment/disenrollment in health plans, and healthcare claims. The aim of the new rules is to facilitate the exchange of healthcare information, as mandated by the Affordable Care Act (ACA). The new rules will augment existing HIPAA administrative standards to ensure uniform transmission of electronic healthcare data. Phase IV of the CAQH® CORE® Operating Rules addresses infrastructure requirements such as connectivity, system availability and response times. Rules covering the data content of transactions are due to be added to the Operating Rules at a later date. The approval process involves a vote on the new rules by the subgroups and work groups responsible for preparing the draft version of the Operating Rules. If the new...

Flowers Hospital Urges Federal Judge to Dismiss Class Action Data Breach Lawsuit
Sep 19

Lawyers representing Flowers Hospital in Dothan, AL, have urged a federal judge to dismiss a proposed class action data breach lawsuit filed against the hospital, against the recommendation of a magistrate judge. The lawsuit was first filed in May 2014, after a former employee of the hospital – Kamarian Millender, 29, of Headland, AL – was discovered to have stolen the Protected Health Information (PHI) of patients with the intent of using the data to file false tax returns. Patient names, dates of birth, Social Security numbers and health plan information were stolen from the hospital between June 2013 and February 2014. The hospital discovered the theft on February 26, and Millender’s employment contract was terminated. Millender was subsequently charged with trafficking in stolen identities, and admitted to filing at least 73 fraudulent tax returns in the names of the victims. Flowers Hospital issued breach notification letters to the victims shortly after the discovery of the privacy violation, and offered the affected patients a year of credit monitoring services...

OCR HIPAA Compliance Audits to Commence in 2016
Sep 09

The new Deputy Director for Information Privacy at the Department of Health and Human Services’ Office for Civil Rights has been adjusting to life at the OCR since her appointment earlier this year, but until now she has not given an interview to the news media. However, she recently gave an exclusive interview to the Security Media Group, in which she cast some light on planned OCR activities, including the upcoming HIPAA compliance audits.

Deven McGraw Gives First News Media Interview

McGraw spoke with HealthcareInfoSecurity.com’s Executive Editor, Marianne Kolbasuk McGee, was quizzed on OCR enforcement activities and on current and future OCR initiatives, and was asked the question that is on everyone’s lips at the moment: When will the HIPAA compliance audits take place?

A Shortage of Resources has been McGraw’s Biggest Challenge

The program of random HIPAA audits was penciled in for 2014; however, the sheer scale of the job has caused problems. Audits take a considerable amount of time and resources, something which the OCR lacks. McGraw confirmed that the current problem...

Jocelyn Samuels Gives Update on OCR Compliance Audits
Sep 04

Since the announcement that the second phase of compliance audits would be delayed, the Department of Health and Human Services’ Office for Civil Rights has remained tight-lipped over timescales. Now, a year on from the original proposed start date, many expected OCR Director Jocelyn Samuels to give a timescale for the HIPAA audit program at the Safeguarding Health Information: Building Assurance through HIPAA Security conference in Washington this month. Samuels gave a keynote address at the conference, which was hosted by the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR), and while she did not provide a date or a timeline for the compliance audits, she did indicate that the audits are now very close to becoming a reality. She explained that the OCR has many roles, with compliance audits a part of its enforcement activities. “Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and our...

New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000
Sep02

A new OCR HIPAA penalty has been issued for a breach of HIPAA regulations. Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach. Back in August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients. The stolen device contained highly sensitive data, which included the Social Security numbers of patients: exactly the data needed by identity thieves to rack up tens of thousands of dollars of debt in the names of the breach victims. The data on the drives was not encrypted. HIPAA Does Not Demand Data Encryption   Under the HIPAA Security Rule, data encryption is only an addressable issue. This means that a HIPAA-covered entity must consider data encryption for all PHI stored, transmitted, or backed up. A HIPAA-covered entity can make an informed...

4 out of 5 Healthcare Providers Have Been Hacked, Say KPMG
Aug30

The healthcare industry is under attack. Hackers are targeting healthcare providers, insurers and other HIPAA-covered entities for the precious data they hold, yet health firms are still unprepared to deal with the threat. The seriousness of the situation has been illustrated in a recent cybersecurity report from KPMG. The company commissioned a survey (conducted by Forbes Insights) which shows that 81% of health firms have suffered a cyberattack in the past two years, but only 53% of providers and 66% of payers consider themselves ready to defend against a cyberattack. The survey was conducted on CIOs, CTOs and Chief Compliance Officers in healthcare organizations with revenues in excess of $500 million per annum. Healthcare providers’ and insurers’ cybersecurity measures were assessed via the questionnaire. The report shows that in spite of the increased threat to data security, healthcare organizations are ill prepared for an attack. A quarter of respondents said their organizations were not able to detect cyberattacks in real time, as they lack the necessary software systems to do so....

VisionWorks Agrees to $100K Data Breach Settlement with Maryland AG
Aug21

Visionworks LLC has agreed to settle with the Maryland Attorney General for exposing the Protected Health Information (PHI) of approximately 72,000 Marylanders. The company will pay a fine of $100,000 to the state for data security failures that led to the breach. Two Data Breaches Reported in Quick Succession   The company discovered two separate data breaches – reported in November and December of last year – that exposed the PHI of 122,627 individuals. The first incident was classified as a lost server, which contained 74,944 records, with the second reported as a network server theft, exposing 47,683 records. The servers are most likely now in landfill; however, the incident did potentially expose names, addresses, dates of birth and purchasing histories. The company was reportedly in the process of upgrading to encrypted servers; however, old servers were left unsecured in the company’s stores, a breach of the HIPAA Security Rule, which requires physical safeguards to be put in place to keep PHI secured. It is believed that the servers were mistakenly disposed of, and that...

Class-Action for Advanced Data Processing Breach Denied
Aug17

An Advanced Data Processing breach lawsuit was recently filed in a Florida court, with the case taking just 24 hours to be tossed by the judge. In this case, the judge ruled that the move to certify the class was premature, and the case was denied, even though the plaintiff alleges to have suffered identity theft as a direct result of the data breach. In the lawsuit, the plaintiffs allege that in 2012, the healthcare clearinghouse suffered a data breach that exposed the Protected Health Information (PHI) for several months. The data stolen is alleged to have been used to steal identities and fraudulently obtain funds from the IRS. The suit also claims there was a delay in issuing breach notification letters to victims, some of whom were not notified of the theft of their data for three years. The data breach affected 27 agencies in 17 states, and in total 10,000 individuals had their data stolen and potentially sold to an identity theft ring. One plaintiff, Yehonatan Weinberg, claimed to have visited a Californian hospital in 2012, yet received a breach notification letter in April...

HIPAA Data Breach Report July 2015
Aug14

HIPAA Data Breach Report July 2015   The HIPAA Journal Healthcare Data Breach Report July 2015 has been compiled from breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. The breach reports give an indication of the current state of healthcare data security, and how well HIPAA-covered entities are applying HIPAA rules to keep patient data secured. Scroll down for our July 2015 healthcare data breach infographic summary. A Bad Month for Patient Privacy   Hackers struck again in July, causing two large scale data breaches that exposed the records of millions of patients; two of the most serious healthcare data breaches ever reported. Hackers were discovered to have compromised the systems of four more healthcare providers, and stole highly confidential medical data and millions of Social Security numbers.   Risk of Hacking Greater than Ever   Hackers may have only accounted for four of the 21 data breaches reported in July, but those attacks proved highly damaging. 8,464,637 new breach victims were confirmed by the July breach reports,...

New Basic Guide to HIPAA Compliance Released By HHS
Aug05

The Department of Health and Human Services’ Office for Civil Rights has recently issued a basic guide to HIPAA compliance; a summary of HIPAA Rules for covered entities. A Basic Guide to HIPAA Compliance   The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA covered entities, to safeguard data, protect the privacy of patients, and notify them of incidents that expose their Protected Health Information (PHI). HIPAA legislation is complicated, and many covered entities, especially smaller healthcare providers, struggle to understand the HIPAA Privacy, Security, and Breach Notification Rules, and to turn those rules into policies and procedures. The Department of Health and Human Services’ Office for Civil Rights is the enforcer of HIPAA Rules, and while the agency investigates data breaches, it is also charged with improving understanding of data privacy and security legislation. One way it achieves this objective is by issuing guidance to help...

North East Medical Services HIPAA Breach Reported: 69,246 Affected
Aug03

A HIPAA breach has been reported by North East Medical Services. The Protected Health Information of almost 70,000 patients has potentially been exposed after an unencrypted laptop was stolen from a NEMS employee’s car. According to a breach notice sent to the California Department of Public Health, the incident occurred on July 11, 2015. The laptop was left in the locked trunk of a vehicle, from where it was subsequently stolen. The healthcare provider was alerted to the equipment theft on July 13. North East Medical Services HIPAA Breach Exposed “Limited Personal Information”   The investigation launched following the crime revealed that the laptop contained data relating to 69,246 patients, which according to the breach notice, consisted of one or more of the following data elements: Patient name, gender, date of birth, address, phone numbers, and pay/insurer information. No medical records were stored on the laptop, although some patients’ diagnoses, test results, medications, treatments and appointment times were listed in spreadsheets stored on the computer. No...

Indiana Attorney General Advises Hoosiers to Exercise Extreme Caution after MIE Data Breach
Jul31

As further details of the MIE data breach emerge, the Indiana State Attorney General, Greg Zoeller, has urged all state residents to exercise extreme caution and put credit freezes on their accounts to protect against identity theft and fraud. The MIE data breach exposed a significant amount of personal and highly sensitive data, and is understood to have affected more than 1.5 million individuals in the state of Indiana. In total approximately 4 million records were exposed. High Risk of Fraud and Identity Theft from MIE Data Breach   The data breach at Anthem may have exposed about 20 times as many records as the MIE data breach; but what is particularly worrying in this instance is that Social Security numbers and health data have been exposed, placing breach victims at a much higher risk of suffering financial losses. Zoeller said, “These are very significant medical records, lab reports, people’s charts essentially online.” Zoeller pointed out that the incident has not just increased the risk of fraud; the information has already been used for fraudulent purposes. He said, “We’re...

American Hospital Association Opposes HIPAA HPID Use
Jul24

Earlier this week, the Vice President and Deputy Director of the American Hospital Association (AHA) sent a letter to the Centers for Medicare & Medicaid Services (CMMS) expressing concern over the implementation of Health Plan Identification numbers (HPIDs) and Other Entity Identifiers (OEIDs). HPID Use and HIPAA   When HIPAA was introduced, it required national identification numbers to be used by healthcare providers, health plans and individuals. A national ID number was introduced in 2004, although the IDs were only for providers, not individuals. In September 2012, the HPID proposed rule was published, although it took until November 2014 before the rule was finalized. HPIDs and OEIDs will now be required to be used for HIPAA transactions from Nov 7, 2016. It is not a requirement for health plans to be identified in HIPAA transactions, but if they are, from Nov 7 next year a HPID must be used. AHA States Opposition to HPID Use in HIPAA Transactions   The letter, sent from Ashley Thompson to Andy Slavitt, the acting administrator for CMMS, stated the AHA’s opposition to...

Class Action Filed Against UCLA for 4.5 Million-Record Data Breach
Jul23

It has been less than a week since the announcement that the patient database at UCLA Health Systems was hacked, and already a class action lawsuit has been filed by one patient, Michael Allen of Casper, Wyoming, on behalf of “several million individuals”. Allen, represented by Kevin Mahoney of Long Beach, claims UCLA Health Systems’ failure to encrypt data constitutes unlawful business practices, breach of contract, unjust enrichment and negligence. He is seeking class certification and as yet unspecified damages for fraud, violation of medical confidentiality, an invasion of privacy and the costs of filing the lawsuit. UCLA hospitals and the University of California Board of Regents were named in the lawsuit, which was filed on Monday of this week. The breach was announced on July 17, barely one business day before the lawsuit was filed. In the lawsuit, Allen claims the lack of data protection, specifically the lack of data encryption, amounted to negligence. “Due to defendants’ failure to take the basic steps of encrypting patients’ data, it was much easier...

Class Action Filed Against Charleston Area Medical Center for 2013 Data Breach
Jul21

A class action lawsuit has been filed in the Kanawha Circuit Court against Charleston Area Medical Center, for a data breach that occurred between August 2013 and February 2014. The lawsuit has been filed by two plaintiffs who were patients of the medical center at the time of the data breach and had their data exposed. Tiffany Mallion and Nickole Pullen claim they entered into an agreement with the hospital to receive treatment, and that agreement also included securing their health information. They claim their Protected Health Information (PHI) was exposed as a result of a number of security failures at the medical center. It is alleged that the protections put in place to secure data were insufficient, and left highly sensitive information “unprotected, unguarded and unsecured.” A catalog of security failings has been cited, such as the failure to train staff on privacy and data security matters, a failure to protect data, as well as there being a lack of physical protections to secure the equipment on which the data was stored. As a result, the plaintiffs claim “their...

Plea Deal Taken by Hospital ID Thief after Filing $489,000 in False Tax Claims
Jul19

Two former healthcare workers who took part in a hospital identity theft scheme are currently negotiating plea deals to avoid trial. They stand accused of accessing and stealing hospital medical records, and using the information to file fraudulent tax returns. Six charges have been filed against Martez Lear, 29, of Farmington Hills, while his partner in crime, Markitta Washington, a former Farmington Hills resident, has also been charged. The crimes were committed between 2011 and 2014. Washington is accused of using her privileges while employed at Detroit’s Henry Ford West Bloomfield and DMC Harper Hospitals to access and steal patient medical records. Patient names, dates of birth, Social Security numbers, financial information and credit card details were viewed, copied and passed to Lear, who used the information to file fraudulent tax returns. The matter was brought to the attention of law enforcement officers and an investigation was conducted by the Southeast Michigan Financial and Cyber Crimes Task Force, the IRS, local law enforcement agencies and the West Bloomfield...

UCLA Health System Hacked: 4.5 Million Patient Records Exposed
Jul18

The University of California, Los Angeles Health System (UCLA) has reported it has been targeted by hackers who potentially accessed and copied a database containing the Protected Health Information (PHI) of up to 4.5 million patients and hospital staff members. The UCLA Health network consists of four hospitals: The Ronald Reagan UCLA Medical Center, UCLA Medical Center, Santa Monica, Mattel Children’s Hospital & Resnick Neuropsychiatric Hospital. It also has approximately 150 offices in Southern California. Any person who has previously received medical services from UCLA Health in the past 25 years could potentially be affected. Some of the exposed records dated back to 1990. UCLA employees are also believed to have had their data exposed. The data compromised in the incident included patient names, dates of birth and home addresses along with Social Security numbers, Medicare numbers, health plan/health insurance identification numbers and health information. No financial data appears to have been exposed to the hackers. If the data has been copied, it would allow the...

URMC Takes Action to Prevent Future Patient Privacy Violations
Jul17

In May, the University of Rochester Medical Center suffered a data breach after an employee took the Protected Health Information (PHI) of patients to a new employer, all in the name of continuity of patient care. The employee in question, a nurse practitioner in the Department of Neurology, was concerned about patient continuity of care after she left her employment. She was provided with a printed list of patients’ information by the medical center for the purposes of adding notes and information that would ensure that patients did not suffer any fall in care standards as a result of her departure. The list was not collected prior to the employee leaving her employment, and the information was subsequently disclosed to her new employer (full story here). With the benefit of hindsight, it was perhaps ill-advised to have provided printed PHI to a member of staff about to take employment with another local healthcare provider. However, all that can be done now is notify the patients concerned and make changes to policies and procedures to ensure a similar incident cannot happen...

2015 Biannual Healthcare Data Breach Report Released
Jul15

The healthcare industry had a particularly torrid time last month with 18 data breaches reported to the OCR, exposing 1,455,863 records, the bulk of which came from the CareFirst data breach. This month the number of data breaches reported has increased to 21, although the number of new victims created was much lower, with 159,231 individuals affected. An analysis of the data breach reports for the past three years shows that little has changed since 2014, “the year of the data breach,” at least not for the better. Fewer data breaches have been reported in 2015 than in 2014, 122 compared to 131, up until the end of June. However, measure the year in the number of victims created and 2015 is on an entirely different scale. 89,439,761 new data breach victims have been created so far this year, compared to 12,503,190 last year and 851,433 in 2013. Many of this year’s victims are now data breach veterans, having had their data exposed by their insurer and their healthcare provider. Biannual Data Breach Report   2014 saw a big rise in the number of reported data breaches, and this year...

BCBSA Offers Identity Theft Protection Services to All 106 Million Members
Jul15

Yesterday, the Blue Cross Blue Shield Association (BCBSA) made a surprising announcement. It will be offering identity theft protection services to all 106 million of its members, in an effort to address the rapidly increasing risk of data theft and fraud. The Blue Cross and Blue Shield Association consists of 36 independent, community-based and locally-operated companies, which service the entire United States. One in three Americans has a health insurance policy run by BCBSA. The unprecedented move comes after BCBSA health plan members have suffered numerous data breaches, including the massive data breaches at Anthem, CareFirst and Premera Blue Cross. Identity theft protection services do not come cheap, especially when the unit cost must be multiplied by 106 million. This move carries a significant cost, even with a bulk discount, and shows a strong commitment to its plan members. This was a very positive, proactive step to take, and is one likely to win back the faith of many members. The new service will provide “heightened safeguards for plan members.” BCBSA may not be able...

UPMC Health Plan Data Breach Affects 722 Subscribers
Jul15

UPMC Health Plan has reported a data breach that affected 722 insurance subscribers. This is the second data breach to affect the health plan this year. In May UPMC reported 2,000 patient records had been compromised. The latest data breach appears to have resulted from an internal error. Yesterday, UPMC spokeswoman, Gina Pferdehirt, said patient information was compromised when an email containing PHI was sent to an unauthorized person. The statement released by UPMC says the email was sent by accident, suggesting there was no malicious intent behind the data breach. According to UPMC, “The email meant for a physician’s office in Lawrence County was sent instead to an incorrect address, revealing patient names, insurance membership numbers, birth dates and phone numbers.” According to a response provided to the Pittsburgh Post Gazette, Pferdehirt said, “while we take this seriously, in context the breach is very minor.” The email did not contain financial information, health data or Social Security numbers, although member names, dates of birth, ID numbers and phone...

Healthcare Data Breach Report: June 2015
Jul14

This month’s healthcare data breach report looks a lot healthier than May; a particularly bad month for data breaches, with over 1.1 million records exposed in 18 security incidents. June could be considered a relatively good month for the healthcare industry in terms of records exposed, although more security incidents were reported in June than May, and numbers have not changed much year on year. 21 breaches were reported in June compared to 23 last year. In total, 159,231 records were reported as being exposed during the month. In June 2014 the figure stood at 252,873, and in June 2013, only 46,713 records were compromised.   Quarterly Figures Show Little Has Changed Since 2014   Data breach figures for the second quarter of 2015 differ only by one incident from this time last year. Data breaches continue to be experienced at the same rate, in spite of improved protections being put in place by healthcare providers. It would appear it is only possible to maintain pace with malicious insiders and outsiders. Figures for the quarter indicate 750,000 more data breach victims have...

HIPAA-Altering Cures Bill Passed by House of Representatives
Jul11

The controversial 21st Century Cures Bill was unanimously passed by the House Energy and Commerce Committee in May, and on Friday July 10, 2015, the U.S. House of Representatives passed the Bill with a count of 344 to 77. 21st Century Cures Bill to Remove Obstacles in the Way of Medical Research   Medical research and innovation is being hampered by HIPAA, according to proponents of the 21st Century Cures Bill. The new Act aims to remove these and other barriers, to help advance America’s search for new ways to tackle the advance of superbugs, antibiotic-resistant bacteria and the deadly viruses now threatening the health of U.S. citizens. The Cures Bill has received some criticism in its short history. Privacy advocates object to the wide range of data that can potentially be shared; information currently under the protection of HIPAA. It is feared that the bill could weaken HIPAA protections if it becomes law. If that happens, HIPAA Rules would certainly need to be changed. HIPAA Changes Necessary as a Result of the Cures Bill   At present, the HIPAA Privacy Rule restricts the use and...

New OCR HIPAA Settlement: St. Elizabeth Medical Center to Pay $218,400 for Violations
Jul11

Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a HIPAA settlement has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security and Breach Notification Rules. The settlement for HIPAA violations was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing unencrypted data of 595 patients. The number of records exposed was relatively low compared to some of the recent “mega data breaches”, but the OCR deemed the offenses leading to the security incidents to be serious enough to warrant a financial penalty. This OCR HIPAA settlement shows how important it is to make HIPAA compliance a priority. Data breaches may not always be preventable; but HIPAA violation penalties are. Privacy, Security and Breach Notification Rule Violations Uncovered   The initial HIPAA violation was uncovered in November 2012, when a complaint was received by the OCR alerting it to potential non-compliance...

Los Angeles County Government Has Been Putting Patient PHI at Risk for 7 Years
Jul10

The Los Angeles County government has failed to safeguard the Protected Health Information (PHI) of state residents for up to seven years, according to a recent audit. Three departmental audits have been conducted since December 2014 and a catalog of data security failures has been uncovered that potentially put PHI in the hands of thieves. Data including Social Security numbers and health information could be accessed by former workers, and the information could already be in the hands of criminals. It is simply not known. Computer equipment has vanished – having been misplaced or stolen – devices were not encrypted, and equipment was simply not tracked. Serious Administrative Failures Lasting up to 7 Years   Serious administrative failures in several L.A. County government departments were discovered by auditors, the most serious being a failure to terminate access to computer systems when employees changed employment. An audit conducted by the Probation Department revealed 695 former employees still had access to computer systems containing the protected health data of...

Jason Pierre-Paul Finger Amputation Disclosure Violates HIPAA Rules
Jul09

to a news report on ESPN. Surgeons treated the football player after the accident, but were unable to save his right index finger. A tragedy such as this would naturally make the news; however, it is making headlines for another reason. Information about Pierre-Paul’s medical condition appears to have been leaked to the media from a source within the hospital; breaching the Health Insurance Portability and Accountability Act (HIPAA) and violating Pierre-Paul’s right to privacy. The circumstances surrounding the disclosure strongly suggest there was no prior consent obtained from Pierre-Paul before the information was disclosed; even the New York Giants were unaware their defensive end had a digit removed until they heard the report on ESPN. ESPN Reports on Pierre-Paul’s Medical Status   The news broke on Sunday after a healthcare worker at the hospital disclosed the news about the celebrity patient to a friend; violating Pierre-Paul’s privacy and breaching HIPAA Rules. That friend then posted the information online via his Twitter account, and from there rumors started spreading....

State Data Breach Laws Should Preempt Federal Laws, Says NAAG
Jul08

Yesterday, the National Association of Attorneys General (NAAG) sent a letter addressed to congressional leaders urging them to consider the state laws that have been put in place to protect consumers, and not to diminish the role that state Attorneys General play in enforcing data security and protection laws. The letter urges Congress not to make changes to federal data breach notification and data security laws that would lessen the protections that have been put in place by the states. The letter calls for Congress to refrain from introducing data security and data breach notification laws that pre-empt those introduced in each state. There are a number of bills pending which include data security and breach notification requirements that would pre-empt state laws.   A Similar Request Was Made a Decade Ago   This is not the first time the NAAG has written to Congress on state security breach notification laws; a similar request was made in 2005. In that letter it was argued that “Pre-emption interferes with state legislatures’ democratic role as laboratories of innovation.”...

FBI Alert Suggests OPM/Anthem Malware Link
Jul05

The recently discovered data breach at the Office of Personnel Management (OPM) appears to have sparked an FBI alert (FBI memo: A-000061, issued June 5, 2015, according to CSO) over a particularly nasty strain of malware called Sakula. Healthcare Organizations under Threat from Sakula Malware   The Sakula malware strain is a RAT, or Remote Access Trojan, which once installed on a host’s computer, will allow hackers to make changes to the system, download other files or do what they want. The malware is often unwittingly downloaded via infected websites and popups or installed via infected email attachments. The FBI Memo warns that: “Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions.”   Sakula Linked to Anthem and OPM Data Breaches   The timing of the FBI high confidence alert may be a coincidence, although given recent events this appears unlikely. The FBI memo details...

Trust can be Regained with Prompt Data Breach Notices
Jul01

Disgruntled patients will be lost to other healthcare providers/insurers after a data breach; however there will not necessarily be a mass exodus provided the breach is managed properly. Get the breach response right and it can go a long way towards rebuilding patients’ trust in an organization. Survey Indicates Americans Want the Truth about Data Breaches   A new survey conducted by Qualtrics, a company specializing in email data protection, indicates the general public is aware that data breaches are now a part of life; however trust in a retailer or healthcare provider is being lost after personal data is exposed. Trust in a HIPAA-covered entity may be lost, but it can be regained. The survey results suggest the best way to do this is with openness, honesty and the issuing of prompt data breach notices. The study was conducted on a sample of 500 Americans aged between 18 and 75, with respondents asked their thoughts about data breaches and how their behavior has changed since the threat of a data breach has risen. The data shows Americans want to be told the truth about data...

Healthcare Thieves and Fraudsters Brought to Justice
Jun28

The past two weeks have seen hundreds of criminals arrested for healthcare fraud and a number of indictments filed against the perpetrators of Medicare and tax fraud rings. The FBI was responsible for bringing in most of the criminals following a major Medicare fraud takedown. The perpetrators and players in the Medicare fraud ring were able to obtain hundreds of millions of dollars in Medicare payments before being caught. FBI Makes 243 Arrests for Healthcare Fraud   On June 18, the FBI announced it had arrested 243 individuals in a nationwide operation targeting individuals responsible for obtaining over $712 million from fraudulent Medicare claims. The operation was the largest ever conducted, resulted in more arrests than any previous operation and involved the highest fraud value of any past Medicare fraud takedown. A number of doctors, nurses and medical professionals were also arrested for supplying data to the fraudsters. According to FBI Director James B. Comey, “There is a lot of money there, so there are a lot of criminals,” and he went on to say, “In these cases, we followed...

FBI Malware Warning Issued over CryptoWall Ransomware
Jun26

The FBI has issued a warning to all U.S. companies and individuals over the growing threat of ransomware, with a version called CryptoWall singled out as representing the biggest threat. The malware is not just a problem in the United States: the infection has spread globally. Once infected, victims are often left with little choice but to pay up or lose everything. The warning came via the Internet Crime Complaint Center (IC3). IC3 is a joint initiative operated by the FBI and the National White Collar Crime Center, and since April of last year it has received 992 complaints about CryptoWall infections. The total cost of the infections is estimated to have exceeded $18 million. The malware may be complex, but its mode of operation is simple. When a PC becomes infected with the malware, the device is locked and its data encrypted. No data can be obtained from the device, it cannot be used, and everything on it will be permanently erased – or remain permanently locked – unless a ransom is paid. Since the data is encrypted, there is no way to retrieve any...

What are the Penalties for HIPAA Violations?
Jun24

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and by state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations...

July 28 Deadline for HIPAA HPID Comments
Jun24

A request has been submitted to the Federal Register by the Department of Health and Human Services (HHS) inviting comments from the public on the HPID Final Rule, to determine whether changes are required to make the ID scheme more workable. The deadline for those comments has been set for July 28. Any covered entity – or individual – must submit comments before this date for them to be considered. It is the last opportunity to have a say in how the scheme will operate.

Background to the HIPAA HPIDs

The Health Insurance Portability and Accountability Act (HIPAA) – Section 262, Public Law 104–191 – amended the Social Security Act, requiring HHS to introduce a new national identification scheme for health plans, with each needing to be issued a unique Health Plan ID number (HPID). Under the Patient Protection and Affordable Care Act, HHS was required to release a final rule on the use of HPIDs by health plans, which was initially scheduled for October 1, 2012. However, in September 2012 an Administrative Simplification was released along with a...

27 Year Sentence Issued for PHI Theft and Fraud
Jun23

Violations of the HIPAA Privacy Rule carry stiff sentences, with up to 10 years in jail possible for theft of PHI for personal gain; however, using stolen data to commit fraud can carry a far stiffer penalty, as James Lee Cobb, III, recently discovered. Florida Middle District Judge Charlene Honeywell recently passed a sentence of 27 years for the use of stolen healthcare data. Cobb, along with his co-conspirators, obtained Protected Health Information stolen from healthcare providers and used the data to obtain pre-paid debit cards and file false tax returns in the names of the victims. Medical data carries a high value on the black market as the information can be used to steal identities, with criminals then able to run up thousands, if not millions, in debts. Often the victims are unaware of the theft and do not discover their data has been used inappropriately until many months after the information was stolen. It is not clear how Cobb actually obtained patient data, but information stolen from hospitals and healthcare providers can be purchased online through hidden dark net sites....

MDL Established for Anthem Data Breach Class Action Lawsuits
Jun18

In February of this year, the largest ever healthcare data breach was reported. Anthem Inc., one of the nation’s largest health insurers, was targeted by hackers who used a phishing campaign to break through its security defenses and steal approximately 78.8 million member records. The data breach launched a myriad of class-action lawsuits, with breach victims seeking punitive damages for the exposure of their private and confidential information. The sheer number of cases threatens to swamp District Courts over the coming months. There are more than 100 class actions pending in the state of California alone.

Single MDL for 17 Anthem Class-Action Lawsuits

This week the U.S. Judicial Panel on Multidistrict Litigation decided to consolidate many of these class actions into one, and 17 separate actions will now be grouped together into a single Multi-District Litigation. It is probable that this number will grow substantially with such a high volume of suits still pending. After each case was assessed individually, the panel of seven decided to transfer the...

Virginia Senator Calls for Easing of HIPAA Privacy Rules
Jun17

On Tuesday, a House panel heard Virginia state senator Creigh Deeds testify ahead of a meeting to discuss the re-introduced Helping Families in Mental Health Crisis Act. Rep. Tim Murphy and Rep. Eddie Bernice Johnson have re-introduced the bill which, in part, calls for the easing of HIPAA privacy protections under certain circumstances. The representatives’ cause has received backing from Deeds, who is also calling for exceptions to be made to the HIPAA Privacy Rules. The Health Insurance Portability and Accountability Act (HIPAA) severely restricts the disclosure of Protected Health Information (PHI). The Privacy Rules act in the interests of the patient, but it is argued that for mental health issues there must be more exceptions. Current restrictions on the disclosure of information can prevent patients from receiving the care they need. Proponents of the new bill argue that mental health issues such as bipolar disorder and schizophrenia do not fit the norm, and privacy rules must be applied differently. In some cases, withholding important medical information – such as...

HIPAA and the New Helping Families in Mental Health Crisis Act
Jun10

The Helping Families in Mental Health Crisis Act (H.R. 2646) of December 2013 has been reintroduced by Tim Murphy (R-PA) – Subcommittee Chairman for the House Energy & Commerce Oversight and Investigations – and Rep. Eddie Bernice Johnson (D-TX) with a double purpose. First, it is hoped that the new bill will help to improve the standard of mental health care provided to patients, and secondly a number of new provisions will be introduced to ensure patient privacy is protected. According to Tim Murphy, the new bill “marks a new dawn for mental health care in America.” He went on to say that the new bill “breaks down federal barriers to care, clarifies privacy standards for families and caregivers; reforms outdated programs, expands parity accountability, and invests in services for the most difficult to treat cases while driving evidence-based care.” The bill has been praised by many, but the legislative change has not been universally welcomed. The bill has received criticism from some quarters, in particular for the potential for HIPAA violations to occur. One area...

Stolen Data Found on Dark Web by New Security Startup
Jun07

You have been attacked by hackers and they have stolen your data, but how can you tell? According to a new security start-up, discovering a breach of healthcare data can be a very quick process: Terbium Labs has developed a method of identifying stolen data within minutes of it being posted online. Terbium CEO Danny Rogers and CTO Michael Moore believe they have developed a system that takes “a large scale, computational approach to finding pilfered data,” and allows stolen data to be identified faster and more securely than was previously possible.

Reducing the Risk of a HIPAA Data Breach

In order for a company to identify stolen data, it must first be provided with the confidential records that it needs to search for. This naturally involves some risk. As the past few weeks have shown, passing data to Business Associates increases the risk of a data breach; Medical Management LLC is a good example. Terbium’s new product, called Matchlight, uses an innovative method of identifying data, while ensuring the data the company stores on a HIPAA-covered entity is...

UPMC Data Breach Not Grounds for Class Action Says Judge
Jun06

A data breach suffered by the University of Pittsburgh Medical Center in 2014 does not give the victims grounds for a class action claim, even though there have been 817 reported cases of tax fraud as a direct result of the data breach. Civil lawsuits filed against healthcare providers often fail because of a lack of evidence that the stolen data has been used inappropriately. Without any actual harm suffered, a claim is very unlikely to succeed. In this case, there were provable losses suffered by some of the victims, but they were not deemed to warrant a class action claim, at least not under the circumstances. The data breach did not involve any patient data, although all 62,000 employees were affected. The initial data breach report stated only 27,000 individuals had been affected; however, that figure has since been revised upward and the data breach is now believed to affect all 62,000 employees. The breach affected the company’s payroll database and exposed highly sensitive information about the employees, including names, addresses, Social Security numbers, salary details and in some...

Jocelyn Samuels Questioned on OCR HIPAA Audits
Jun05

The Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing HIPAA Rules on data privacy, security and breach notifications. As part of this duty it is required to conduct compliance audits on HIPAA-Covered Entities (CEs) to ensure the legislation is being followed and the Privacy and Security Rules are put into practice. The task is a difficult one. It is hugely labor intensive, and involves the collection and collation of mountains of paperwork and an army of staff to assess compliance. The job requires highly trained personnel, which the OCR has; unfortunately, it just does not have enough of them. The role of the OCR is considerable, with the department required to ensure compliance with a number of legislative acts in addition to HIPAA. The huge workload, which also includes the issuing of guidance as well as taking enforcement actions and conducting audits, places a considerable strain on the agency’s 650-strong workforce of attorneys, auditors and staff. Budgetary constraints are a long-running problem for the department, and while an increase...

Ohio Woman Sentenced for Medical Center Fraud
Jun05

The state of Ohio is relatively quiet when it comes to HIPAA violations, but the past few days have seen the Buckeye State make the headlines twice, after two employees from separate institutions were disciplined for improperly accessing protected records. Dr. Aimee Hawley was disciplined by the State Medical Board last week, and this week Teresa Lewis of South Point, Ohio was sentenced to a year and a day behind bars for two counts of access device fraud against the Huntington Retina Center in West Virginia, although no patient records are understood to have been viewed. Huntington Retina Center provides primary care for eye injuries and treats disorders of vision and eye diseases. The healthcare provider employed Lewis, 60, as a billing assistant. During this time – between 2012 and 2014 – Lewis used her position and access privileges to improperly view records and obtain the credit card numbers of the center and one of its doctors. With the financial information she obtained, she ran up debts of $52,317 over the course of the two years, obtaining goods in the name...

OPM 4M-Record Data Theft Linked to Recent HIPAA Data Breaches
Jun05

Yesterday, the Office of Personnel Management announced it had suffered a data breach in which hackers were able to obtain the confidential records of some 4,000,000 employees. Worse still, the OPM provides security clearances, and the data stored on individuals is extensive, including personal information and highly sensitive information provided by friends and family. Such detailed data can be used to commit fraud in the hands of criminals, but if the hack originated from government-backed individuals, the threat is more serious and may not be financial in nature. The major worry is that such highly detailed information could be used to blackmail and bribe government workers. The perpetrators potentially have 4 million individuals to choose from. Furthermore, the records stolen do not appear to be limited to OPM workers: other government workers have also potentially been affected. According to the Associated Press, “A U.S. official, who declined to be named because he was not authorized to publicly discuss the data breach, said it could potentially affect every federal agency.” In...

2015 Healthcare Data Breaches Pass 100-Incident Milestone
Jun04

HIPAA data breach reports passed the 100-incident milestone in May, with the current total of healthcare data breaches for the year standing at 110. Under HIPAA Rules, all Covered Entities (CEs) are required to report data breaches involving more than 500 individuals to the Department of Health and Human Services’ Office for Civil Rights (OCR), issue a media notice and send breach notification letters to all affected individuals. The Breach Notification Rule places a time limit of 60 days on doing this, although reporting should not be unnecessarily delayed. The OCR lists data breach summaries on its website, which gives an indication of the state of play of healthcare cybersecurity and compliance, and of how well CEs’ risk mitigation strategies have performed. The month’s breach reports have been summarized in the infographic below. Data is also shown for the year to date, and for the corresponding period in 2014.

Over 100 Healthcare Data Breaches Recorded in the First 5 Months of 2015

The healthcare industry is under attack from hackers; healthcare workers are taking data and giving it...

Who do Boards Blame for HIPAA Breaches and Cybersecurity Incidents?
Jun03

When a HIPAA data breach occurs, questions are asked about the technical, physical and administrative controls that were put in place to secure the data. Companies are put in the spotlight and everyone feels the heat, but new data indicates that the finger of blame is now pointing in a different direction, certainly as far as directors are concerned. According to a new report by NYSE Governance Services, entitled Cybersecurity in the Boardroom, there has been a shift of blame for data breaches in recent years. It is no longer just the Chief Information Security Officer (CISO) that boards hold responsible for a data breach. The report shows that the entire C-suite is in for a torrid time. Some directors still pick out one individual in the cross-hairs, while others appear to fire indiscriminately.

Blame for Data Breaches Spread More Widely

According to the report, the Chief Executive Officer (CEO) is most often blamed, with the Chief Information Officer (CIO) also taking a considerable amount of heat. Both are clearly in the firing line. However, everyone in the executive team came in...

Department of Veterans Affairs Reports 158% Hike in Data Breaches
Jun02

The Department of Veterans Affairs has issued its monthly data breach report to Congress. Over the past few months the number of breach victims has been falling; however, the latest figures show a marked increase in the number of data breach victims. There was also a noticeable decrease in the number of security incidents the DVA was able to prevent. In March, 383 veterans were reported to have been affected by data breaches. The number of breach victims reported for April was 987, an increase of almost 158%. Of those, 738 incidents involved the exposure of Protected Health Information (PHI), almost 75%.

What Caused the Increase in PHI Breaches in April?

There was a slight increase in the number of mishandling incidents in April, but the biggest cause of the increase, by far, was mis-mailing incidents, which rose by 19 percent. Errors made by pharmacies increased substantially, although there was a slight drop in lost/stolen devices and PIV cards.

Information Security – Monthly Activity Report – April 2015

Lost and stolen device incidents: 47
Lost PIV...

65 Boxes of Improperly Dumped Medical Records Discovered
Jun02

A resident of Madison County, Richmond, Ky. recently discovered a dumpster full of medical records, with the boxes of paper files understood to contain highly sensitive Protected Health Information (PHI) covered under the Health Insurance Portability and Accountability Act (HIPAA). According to a news report on WTVQ, Carl Swanger discovered the files on Saturday, May 31. After a quick inspection he “immediately knew something wasn’t right,” and took the boxes to Baptist Health as he thought there must have been an error. However, the records did not belong to that healthcare provider; instead they were from a company called Richmond Radiology, which had closed for business many years previously. The dumpster was located at AAA Rent-A-Space in Richmond and contained 65 boxes of medical records. The files had been cleared out of the storage facility by the manager as he needed the space for a new customer. The manager was unaware of the contents of the boxes, as an employee was told to clear out the storage unit. According to the manager of the facility, that employee can’t have...

Alaskan Drug Kingpin and Aide Jailed for HIPAA Violations
Jun02

The land of the midnight sun may not be a hot spot of HIPAA violations, although one incident has recently made the news. The story involves an Anchorage drug kingpin, two hospitalized victims, a financial counselor and the first felony convictions for HIPAA violations in Alaska.

HIPAA Rules Regarding Accessing PHI

The Health Insurance Portability and Accountability Act introduced a number of changes to protect the privacy of patients, and the legislation has gone a long way towards ensuring that Protected Health Information (PHI) remains private and confidential. Access to patient health information is restricted on a need-to-know basis. Information can only be accessed for the treatment and care of the patient, or for billing and other essential administrative purposes. Medical professionals cannot simply look at the medical records of any patient; there must be a justifiable reason for doing so.

Friend of Anchorage Drug Kingpin Violates HIPAA Rules

Anchorage resident Stacy Laulu, 33, was arrested, charged and convicted of two violations of the Health Insurance Portability and...

Phishing, Spear Phishing and Malware: How Hackers Gain Access to PHI
May31

Criminals looking to break through the cybersecurity defenses put in place by health insurers and healthcare providers to safeguard Protected Health Information (PHI) can choose an easy or a hard way to gain access to the data. Unsurprisingly, many choose the easy route in and exploit one of the largest security vulnerabilities, one that many healthcare providers have failed to address: the end users sitting at a terminal, PC or laptop with access to the network, email and EHRs. IT staff can build multi-layered defenses and lock servers in impenetrable vaults, yet the army of healthcare workers with full access to EHRs gives hackers an easy way to slip through sophisticated defenses undetected. If end users can be convinced to divulge their login credentials, or, even easier, to click on a malicious link or download and double-click a malware-infected attachment, the thieves can be in and out of a system almost as quickly as it takes to copy a database full of patient health records. Fortunately, many tech-savvy healthcare workers will be able to spot a phishing...

Patients’ Patience Pays Off: Class Action Payout for InSync HIPAA Breach
May30

Two years ago a class-action lawsuit was filed against Cottage Health System after the healthcare provider – via its Business Associate (BA) InSync – suffered a serious data breach. It has been a victory for the victims – and the legal team – as Cottage Health agreed to settle the case. Rather than fight the case in court, Cottage Health System agreed to settle and pay damages to the individuals affected by the data breach, without any finding of legal liability.

50,918 Individuals Affected by CHS/InSync Data Breach

The HIPAA security breach was discovered in December 2013, with the data of up to 32,500 individuals believed to have been exposed. The patients were those who had visited Santa Barbara Cottage Hospital, Goleta Valley Cottage Hospital or Santa Ynez Valley Hospital between September 29, 2009 and December 2, 2013. However, the number of affected individuals was later found to be higher, and 50,918 are understood to have been affected. The data breach was discovered when the company received a voicemail message alerting it to a file containing the PHI of patients...

Spate of Data Breaches Highlights Need for HIPAA Privacy Training
May29

The past few weeks have highlighted the dangers of HIPAA violations from within, with employees and healthcare professionals responsible for causing a number of HIPAA data breaches. Since April 27, the records of 132,432 individuals have been exposed due to breaches caused by human error, and potentially many more: HIPAA-covered entities are not obliged to report breaches until 60 days after the incident is discovered.

A Spate of Employee HIPAA Breaches Reported in the Past 5 Weeks

The last week in April saw a number of data breaches added to the Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal. Consolidated Tribal Health Project reported that an employee had inappropriately accessed the PHI of 4,885 patients, while an email sent by a New York City Health and Hospitals Corporation (HHC) worker resulted in 3,334 patients’ records being compromised. In the latter incident, the Bellevue hospital employee sent a spreadsheet containing PHI outside the hospital network to get some technical help manipulating the spreadsheet. Clinical Reference...

Class Action Lawsuit Prepared for 20K-Record MML Data Breach
May29

The dust has barely settled after the 20,000-record HIPAA data breach at Medical Management LLC (MML), but at least one attorney is poised for action and intends to sign up data breach victims to a new class action lawsuit even though it is too early to tell whether any of the victims have suffered identity fraud or any other damage or harm as a result of the breach. Claims for data breaches tend to only succeed when the plaintiffs can demonstrate that they have suffered harm, damage or loss as a direct result of a breach. The courts are quick to throw out any speculative claims for unsubstantiated damages. At this stage, no hospital – nor MML – has reported that the stolen information has been used inappropriately. Joseph Santoli, a class-action lawyer from Ridgewood, announced this week that he will be filing a suit naming six residents of Bergen County whose personally identifiable information and Social Security numbers were stolen and disclosed to a third party. This information was obtained without patient consent or the employer’s authorization: A clear breach of...

Judge Approves HIPAA Protective Order for Auto Accident
May28

St. Clair County Associate Judge Heinz Rudolf has approved a HIPAA Protective Order to allow the defendants in a wrongful death lawsuit access to the two victims’ medical information. The lawsuit was filed against Access Courier, Inc., Contractor Solutions, LLC – Senad Hodzic and Alfredo McGee – by the plaintiff, Debra Dyer-Webster, over an accident which occurred on Oct. 25, 2013 and resulted in fatal injuries to two minors. Damages of $1.5 million are being sought. In the complaint, it is alleged that the two victims of the fatal automobile accident – Alicea McGee and Anastashia McGee – were killed as a result of Senad Hodzic failing to keep his vehicle under control, not paying sufficient attention, failing to keep a sufficient lookout and failing to “pull a vehicle off the traveled portion of the highway.” At the time of the accident, Hodzic was employed by Access Courier and Contractor Solutions. Alicea and Anastashia McGee were traveling in a 2000 Chevrolet Impala in the northbound lane of Interstate 55 in Macoupin County when the vehicle...

Ponemon: Data Breach Cost Increases to $154 per Record
May27

The Ponemon Institute has released a new IBM-sponsored report on the financial implications for organizations suffering data breaches. The Cost of Data Breach Study: Global Analysis involved 350 companies from 12 countries: Australia, Brazil, Canada, France, Germany, India, Italy, Japan, Saudi Arabia, United Arab Emirates, United Kingdom and the United States, although Saudi Arabia and the United Arab Emirates were grouped together under “Arabian Region.” One of the main findings is a 23% increase in the average cost of a data breach since 2013. The average cost is now $3.8 million per data breach, with an average cost per record of $154.

Stark Contrast with Verizon Data Breach Cost Estimates

Estimating the cost of a data breach is a highly complicated business. Last month Verizon released a study that included a data breach cost calculation which estimated the cost per record to be 58 cents, although Verizon researchers were quick to admit that their methodology had flaws. Since the cost was estimated to be lower than that of printing and mailing a breach notification letter,...

OCR Confirms HIPAA Compliance Audit Surveys Sent
May23

There has been much speculation over the past week, since the sending of the letters was first reported, about whether the OCR pre-screening surveys have actually been dispatched. Now the Department of Health and Human Services’ Office for Civil Rights has confirmed – to Fierce Health IT – that its preliminary HIPAA surveys have been dispatched, marking the start of the 2015 HIPAA compliance audits. In an article in the National Law Review on Monday, McDermott Will & Emery announced that phase 2 of the HIPAA compliance audits was no longer being delayed, after the firm had been notified by some of its clients that an OCR HIPAA audit screening survey had been received. The purpose of the screening surveys is to ensure that all contact and organization information is correct. The OCR auditors can then select the organizations most appropriate for audit. From the responses, the OCR is expected to select 350 covered entities and 50 Business Associates for an audit on the Security Rule, Privacy Rule, Breach Notification Rule or a combination audit comprising 2 or 3 audit...

Unanimous Yes Vote Sees 21st Century Cures Bill March Forward
May21

The 21st Century Cures bill was unanimously passed by the House Energy and Commerce Committee today with a vote of 51-0. This is the first major legislative bill to be passed without a single no vote in a very long time. The bill has been some time in the making, with work starting in April of last year. The discussion draft of the bill was released early last week, with the markup version following a week before the vote. During the full committee markup period a number of changes were made to the bill, in particular the inclusion of mandatory funding for the FDA, although the figure of $550 million is much lower than the agency was seeking. However, since the bill has such strong support it looks likely to sail through the full House vote. The popularity of the bill is understandable. The goal is to remove some of the major obstacles that are holding back medical research, and ultimately slowing down the rate at which new cures can be developed, especially for diseases that are currently untreatable. The recent Ebola epidemic highlighted the health dangers currently...

Quantifying the Effect of a Data Breach on Brand Image
May21

The fallout from a healthcare data breach can be considerable. Organizations that have experienced large-scale data breaches, in particular when they have resulted from HIPAA violations, are forced to cover a substantial cost. This may exceed insurance cover or even violate the insurer’s terms and conditions, potentially resulting in no insurance payout.

Calculating the Costs of a Data Breach

Many of these costs are fairly easy to quantify. For breach notifications it is the cost of first-class post, printing and stationery multiplied by the number of individuals affected, while a year or two of credit monitoring services for breach victims is easy to calculate. Other costs are harder to predict – and the financial damage they cause harder to quantify – until some time after a data breach has occurred, and that can be many years. Class action lawsuits may be filed quickly, but they can take a number of years to resolve. Financial penalties from the Department of Health and Human Services’ Office for Civil Rights may be issued, but this will not be known for a number of months. One of...

CareFirst BCBS Reveals 1.1 Million-Record Cyberattack
May21

CareFirst BCBS Reveals 1.1 Million-Record Cyberattack

CareFirst BCBS Security Audit Reveals 1.1 Million-Record Cyberattack CareFirst BlueCross BlueShield has discovered a cybercriminal infiltrated its computer network last year on what appears to be a single occasion. Protected data of approximately 1.1 million individuals has potentially been disclosed in the incident. Following the two mega data breaches to hit health insurers this year – Anthem’s hack exposed 78.8 million-records and Premera’s 11 million – and the Community Health Systems 4.5 million record-breach last year, CareFirst BCBS decided to take a closer look at its own systems and check for suspicious activity. The insurer used an external IT security company, Mandient, to conduct a thorough inspection of its computer network and database. That internal review uncovered a cyberattack had occurred in which the insurer’s cybersecurity defenses were shown to have been breached on June, 20, 2014. No Healthcare Data or Social Security Numbers Exposed The information accessed was contained in a single database, according to a breach notice posted on a website set up to...

Consolidated Tribal Health Project Learns of Employee HIPAA Breach
May 20

The Consolidated Tribal Health Project, Inc. (CTHP) has discovered that a former employee accessed Protected Health Information (PHI) and Personally Identifiable Information (PII) stored on its computer network that the individual had no legitimate reason for viewing. In accordance with the HIPAA Breach Notification Rule, a breach notice has been issued to the media, and CTHP said it started mailing notification letters to affected individuals on May 12. No mention was made of when CTHP learned of the data breach or for how long it had continued before it was detected. The press release did confirm that an investigation is underway to determine the nature and scope of the incident, and that law enforcement officers have been notified and are conducting a criminal investigation. CTHP enlisted the help of external computer forensics experts to analyze login and access attempts and to ascertain exactly what data were exposed and how many individuals were affected.
Social Security Numbers and Financial Information of Patients and Employees Compromised
The total number of victims...

Thomas Boyd Hospital: Potential HIPAA Violations; Theft Allegations; No Exposed PHI
May 19

Boyd Hospital in Carrollton, Ill. has potentially violated the HIPAA Security Rule after it failed to remove medical records from an old property before it was sold. A resident of Jerseyville, Edward Crone, purchased an old property – an ambulance shed on Main Street – from the county on March 19, after it had been sitting dormant on the market for over a year. The shed had been used by the hospital as an off-site storage facility. The property was used to store office equipment such as desks, chairs and filing cabinets, and it was also home to a number of boxes of medical records. A breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights – dated May 21 – announcing that 8,300 records were in the boxes. Boyd Hospital had made the transition to Electronic Health Records some time ago, and the data on the paper files had been scanned into digital documents which were stored on the hospital network. The paper files appear to have been something of an issue, as they could not be disposed of and the hospital was...

HHS Launches Redesigned Responsive Website
May 18

The Department of Health and Human Services has completed the revamp of its website, and its visitors are now presented with a clearer, crisper and more user-friendly interface thanks to a design that was developed to work on all devices and screen sizes. The change has been long overdue, as any regular visitor to the HHS website could attest; the information was always there, but finding that information was a slow process and searching was especially difficult on a handheld device.
Designed with Current and Future Visitors in Mind
Before the site was developed, the HHS conducted market research surveys, web analytics, workshops and usability testing with the public, and took the initiative from companies such as WIRED and NPR, both of which have recently redesigned, reorganized and re-purposed their own web content. “Out with the old and in with the new” has been taken to heart, with the HHS clearing out 154,000 files that were obsolete, removing all of the unnecessary files to speed up site searches. With fewer files to search with every query, search speed has been greatly...

Cybersecurity Firm Accused of PHI Theft and Mafia Style Extortion
May 18

According to a recent report on CNN, cybersecurity firm Tiversa has been staging break-ins, stealing PHI and extorting its clients in an attempt to get them to pay for additional services provided by the firm. The accusation is firmly denied by Tiversa. The story of Tiversa is likely to become well known over the coming weeks, as a whistle-blower has come forward with tales of extortion, theft, scare tactics and fraud closer to what would be expected of the mafia, not a cybersecurity company. The company may not be particularly well known, but some of its board members are. According to the CNN report, “board members include several highly-decorated experts in the security and privacy fields, including the retired four-star U.S. Army General Wesley K. Clark (formerly NATO’s Supreme Allied Commander in Europe) and Larry Ponemon (founder of the Ponemon Institute, a pro-privacy think tank).”
Whistle-Blower Reveals Details of Mafia-Style Extortion
An ex-employee of the company, Richard Wallace, has testified in a Washington, D.C. court claiming, as one of the company’s former...

No Insurance Cover for Cottage Health HIPAA Breach?
May 17

Columbia Casualty Co – a unit of Chicago-based CNA Financial Corp. – is seeking a ruling from a judge in an attempt to avoid paying a $4.1 million settlement for the HIPAA breach suffered by the Cottage Health System, a not-for-profit network of hospitals in Southern California. The data breach in question took place between October 8, 2013, and December 2, 2013, not at the Cottage Health System but at a Business Associate (BA). The breach occurred when data was placed on an unencrypted network server, allowing the information to be indexed by Google and made freely available on the internet. The data breach resulted in approximately 32,500 medical records being exposed along with Personally Identifiable Information (PII) and Social Security numbers. A class action lawsuit was filed against Cottage Health System for the disclosure of information, with a $4.1 million settlement being sought. That settlement received preliminary court approval in December 2014, and Columbia Casualty is trying to avoid paying.
Breach of Policy Could Mean No Payout
Since the Cottage Health...

NLRB Judge Rules HIPAA Violation not Grounds for Employment Termination
May 14

A National Labor Relations Board (NLRB) judge has ruled that the termination of an employee’s contract on the grounds of a clear HIPAA violation was not justified under the circumstances. The International Union of Operating Engineers (Charging Party or Union) alleged that Rocky Mountain Eye Center, P.C. had violated the National Labor Relations Act (NLRA) by terminating the employment of a worker, Britta Brown, on the grounds of a HIPAA violation. The employee had accessed protected records of co-workers to obtain contact information for a union-organizing campaign. In this case, the violation occurred because the organization in question was a medical practice and its patients included employees. The records needed to be accessed legitimately, but the employee used Centricity – Rocky Mountain Eye Center’s healthcare IT system – to obtain the information. When employee contact information is accessed in this way, it is also possible for authorized users to access the Protected Health Information of those individuals. The National Labor Relations Act offers protections to employees, the...

21st Century Cures Bill Could Weaken HIPAA Protections
May 12

Under current HIPAA legislation, Covered Entities (CEs) and their Business Associates (BAs) are not permitted to disclose the Protected Health Information (PHI) of patients without permission, except when PHI is to be used for treatment, payment or CE operations. However, a new bill has now been drafted which changes the permissible uses of PHI to include research. The new bill is intended to remove some of the roadblocks that are preventing U.S. healthcare providers from developing new cures. HIPAA is perceived by many researchers to be detrimental to the healthcare industry, slowing down research, innovation and the development of new drugs and medical treatments. The aim of the 21st Century Cures Bill is to alter the HIPAA Privacy Rule to allow healthcare providers to use PHI for research – or supply it to their BAs – without express permission being obtained from patients. Should the Cures Bill be passed, the Secretary of the Department of Health and Human Services would be required to update the HIPAA Privacy Rule within 12 months. The discussion draft of the bill – released on...

HIPAA Compliance Audits: OCR Transmits Pre-Screening Surveys
May 08

According to a recent article in Lexology, the Department of Health and Human Services’ Office for Civil Rights has started transmitting pre-screening surveys to HIPAA-covered entities, signaling the start of the long-awaited second round of HIPAA compliance audits. However, the OCR has yet to post a notice on its website to that effect.
OCR Prepares for the Second Phase of Compliance Audits
The OCR previously placed a notice in the Federal Register stating its intention to send out pre-audit screening questionnaires to up to 1,200 covered entities and their Business Associates last year, allowing organizations to be contacted to assess their suitability for audit. The OCR must ensure that a representative sample of covered entities is audited, including both large and small healthcare providers, healthcare clearinghouses, insurers and health plans, as well as Business Associates of covered entities. The audits must also be geographically representative, covering the whole of the United States. According to the OCR’s Susan McAndrew, the screening questionnaires are to “assess the size,...

Almost Three Quarters of Companies Unprepared for Data Breaches
May 06

A day after the Department of Justice released new guidelines for responding to data breaches, the results of a survey conducted by EiQ Networks, a provider of security, risk and compliance solutions, confirm the need for assistance. Nearly three quarters (72%) of respondents claimed they were not prepared for a data breach. The survey polled 168 IT decision makers, with the sample including respondents from a range of industries. The data suggest IT staff do not have much confidence in either the defenses they have deployed or in how their organizations will deal with a data breach when it occurs. Numerous problems were highlighted by the survey, with a general lack of resources cited as one of the main issues. IT departments simply do not have the staffing levels required to safeguard systems and prevent data breaches, but 62% of respondents said their main concern was a lack of process – or only a partial process – to protect their company. There were inadequate checks being conducted to determine whether a security incident had actually...

Calculating the Cost of a HIPAA Data Breach
Apr 30

Calculating the cost of a HIPAA data breach is not a straightforward process, at least not until a number of years after a data breach has occurred. Actions must be taken following a breach, and the cost of notification and damage mitigation can spiral. Financial penalties are also being issued with increasing frequency to healthcare organizations that fail to implement the appropriate privacy and security measures to protect patient healthcare data.
HIPAA and Breaches of Protected Health Information
The Health Insurance Portability and Accountability Act places a requirement on covered entities to employ the appropriate administrative, physical and technical safeguards to prevent the unauthorized disclosure of Protected Health Information (PHI). Patients must also be allowed access to their healthcare information on request, privacy must be respected, and policies must be developed to de-identify data before it is used for research and marketing purposes. Business Associates – any vendor required to come into contact with PHI – must also be vetted to make sure they comply with HIPAA Rules. When...

Study Suggests HIPAA Data De-identification Improvements Required
Apr 28

Under HIPAA Rules, healthcare providers and other covered entities (CEs) are permitted to use the Protected Health Information (PHI) of patients – and share this information with others – provided that the data has been de-identified. It must not be possible for PHI data to be tied to any individual. CEs are permitted to share the data if it can be demonstrated that the risk of that data being associated with a particular patient is small, and they have two options for de-identifying healthcare data prior to sharing that information with a Business Associate: they can de-identify data using a model such as k-anonymity, or they can apply a rule-based policy – the Safe Harbor model – that changes data values; for example, changing dates of birth to the following or preceding year, or stripping out days and dates to provide only a patient’s age. However, while the latter method is often used, it is far from perfect. According to a recent study published in the Journal of the American Medical Informatics Association (JAMIA), this procedure does not tailor protections to the...

Utah Students Get Around HIPAA Rules and See Medical Operations
Apr 24

Under the Health Insurance Portability and Accountability Act of 1996, students have been prevented from visiting operating rooms to view surgical procedures being performed. This was not an intentional privacy and security measure implemented as part of HIPAA, rather an unfortunate consequence. Many moons ago, students were permitted to visit hospitals and see medicine in action, which had the dual purpose of giving an in-depth knowledge of surgical procedures which cannot – or could not – be gained in the classroom. It also “sorted the men out from the boys” and had the capability to both inspire and repulse. Both reactions are equally valuable, as both can help to ensure that valuable career preparation time is not wasted in high school. This was the thinking of the Utah State Office of Education, which together with Intermountain Healthcare started up a “Virtual Healthcare Interactive” partnership. The main aim was to keep interest in medicine high for teens, to improve understanding and to help students decide whether it was the right career choice for them. The program allows...

EEOC Releases New Rules for Wellness Programs
Apr 18

The Equal Employment Opportunity Commission (the EEOC) has proposed some long-awaited rules for wellness programs, which in many cases fall outside of current regulations with regard to data privacy and security. The new regulations are intended to work alongside those already laid down in the Health Insurance Portability and Accountability Act (HIPAA) and the Americans with Disabilities Act (ADA). The Rules will help to make sure appropriate security measures are implemented to protect any medical data that is collected on employees, and also ensure that privacy safeguards are put in place to restrict access to that data.
Regulations for HIPAA-Covered and Non-HIPAA-Covered Wellness Programs
The new rules proposed by the EEOC apply to wellness programs that involve medical examinations being conducted, in addition to any that make inquiries about disabilities. Wellness programs that are offered to employees as part of a group health plan are already covered under HIPAA regulations, and any data collected on the employees would be classed as Protected Health Information (PHI). That...

Faster Delivery of Lab Test Results Achieved by Pathology, Inc.
Apr 15

Privately owned pharmacies and laboratories are covered by HIPAA Rules, and they must therefore ensure that all Protected Health Information (PHI) stored and transmitted is appropriately secured, with the security measures used dictated by the standards laid down in the HIPAA Security Rule. The privacy of patients must be assured at all times. Highly sensitive health information, such as medical test results, could cause patients to come to harm if accidentally disclosed to the wrong individuals. Efforts should therefore be made to ensure any transmission of data cannot be intercepted and read. To reduce the risk of HIPAA breaches, many laboratories stick to tried and tested delivery methods, and accept there will be a delay in data reaching physicians. Some companies have risen to the challenge, and now ensure faster delivery of lab test results by utilizing new technology. They have leveraged smartphones to coordinate patient care more efficiently and ensure treatment is provided to patients more rapidly. This smart use of technology has allowed HIPAA-covered entities to improve...

You Ain’t Seen Nothing Yet – OCR Indicates Major Hike in HIPAA Audits
Apr 15

HIPAA compliance audits were last seen in 2012, and the second round has yet to commence, but it is apparently coming back this year with plans in place for the audits to be bigger and bolder than ever before. The Department of Health and Human Services’ Office for Civil Rights (OCR) indicated to Washington lawyer and HIPAA expert Adam Greene – partner at Davis Wright Tremaine – that compliance enforcement is set to significantly increase.
OCR Has Already Increased Its Enforcement Actions
In a presentation at HIMSS15 in Chicago on Tuesday, Greene pointed out that there had been an increase in enforcement actions involving financial penalties in recent years. Greene said there “was one or three fines levied in 2008-2011, five in 2012 and 2013 and seven last year in 2014”. The OCR has had to deal with more than 100,000 claims since it started enforcing HIPAA legislation, and in the majority of cases these claims have been resolved without any investigation being necessary. In almost a quarter of cases (24%) the Covered Entity (CE) took voluntary corrective action...

Class Action Lawsuit Filed Against Anthem with Evidence of Harm
Apr 15

Three insurance agencies have been accused of failing to secure HIPAA-covered data and have been cited in a class action claim as a result of the Anthem data breach in February. Now the lawsuit has allegedly attracted three new plaintiffs, each of whom claims to have suffered identity theft as a result of the security breach. There has been a slew of lawsuits filed in recent months since the Connecticut Supreme Court ruling that individuals can sue for data breaches that exposed their PHI. However, many of these class action claims against insurance companies and healthcare providers have been thrown out by judges, as plaintiffs have been unable to substantiate the claims for damages with evidence of actual loss or harm suffered. The Missouri class action against the insurers was filed in February in St. Louis County by one female breach victim, shortly after the data breach was announced. Each of the three new plaintiffs that have been signed up for the suit alleges that they suffered actual losses as a result of the breach. In December and January each of the three plaintiffs had...

Horizon Class Action Claim for HIPAA Breach Tossed
Apr 06

According to a report in the New Jersey Law Journal, a class-action claim for a HIPAA breach has been thrown out by a NJ judge. The claim was filed by four plaintiffs against New Jersey’s largest health insurer, Horizon Blue Cross Blue Shield (HBCBS). The incident that triggered the lawsuit was a breach of HIPAA data caused by the theft of two unencrypted laptop computers from the Newark office of the HBCBS back in November 2013. The breach exposed the data of approximately 840,000 of the insurer’s members in one of the largest data breaches to be reported that year. The quartet alleged that as a result of the breach they – and more than 830,000 other members – were placed at an elevated risk of suffering identity fraud because PHI had been obtained by thieves along with their Social Security numbers. There is no private right of action under HIPAA; however, the Connecticut Supreme Court made the decision to allow individuals affected by data breaches to sue the organizations after data breaches, provided there is evidence of negligence. A class action lawsuit for a breach of...

Data Breach Bill Rejected by New Mexico Senate
Mar 27

The New Mexico Data Breach Notification Act (HB 217) may have been unanimously passed by the House, but the Senate has rejected the Act, which would have required businesses to notify customers in the case of a breach of Personally Identifiable Information (PII). The New Mexico description of PII includes Social Security numbers, government ID numbers, driver’s license numbers, credit/debit card numbers, bank accounts and information giving access to financial accounts, in cases where that is combined with the person’s full name or last name and initial; data covered by the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 are exempted. The decision not to pass the Act is peculiar. It went before the Senate and was unanimously passed by the Corporations Committee; however, the Act did not get past the Judiciary Committee, even though no one voiced concern over the bill. Rep. The rejection now means that in New Mexico, any individual affected by a data breach involving PII will not be required by law to be notified...

No Fees for Health Exchange Say Patients
Mar 23

The Society of Participatory Medicine – in conjunction with ORC International – has released survey data that indicates that three quarters of patients believe that Protected Health Information (PHI) should be easily and freely shared between hospital workers, physicians and other healthcare providers. The lack of sharing and poor interoperability is believed to have a serious impact on the medical care that patients receive. According to the poll, a fifth of patients had previously experienced difficulty receiving medical care because their healthcare data was not shared between providers. A PwC survey indicated that it is not only the sharing of data that is a problem. When data is shared, in 60% of cases providers face significant delays accessing the required information. In addition to full sharing of information between authorized individuals, 87% of patients said that they believed that access to their PHI should be free of charge. One of the issues that doctors have to face is that providing access to PHI incurs a significant cost: healthcare providers are required...

Delegates Prepare for the 23rd National HIPAA Summit
Mar 09

Next week, government department heads and industry leaders will meet at the 23rd National HIPAA Summit to give updates on the progress that has been made over the past 12 months and to provide information on new laws and regulations. The summit also offers an opportunity for compliance officers and other healthcare professionals to receive training on a wide range of healthcare IT and HIPAA-compliance issues. The threat of cyberattacks on healthcare providers has risen to an all-time high and healthcare costs are spiraling out of control. The industry may be in critical condition, yet healthcare providers, health plans and other covered entities must find the funding to improve data security and protect the privacy of patients and health plan members. Since the introduction of HIPAA this has been a major challenge, but with the introduction of HITECH, the Affordable Care Act (Obamacare), the move to ICD-10 coding and the passing of the HIPAA Omnibus Rule the challenge has grown. HIPAA-covered entities now face a huge financial and administrative burden to comply with these...

Possible HIPAA Violations in Medical College of Wisconsin Breach
Mar 03

The Medical College of Wisconsin has issued a statement announcing a data breach that has affected approximately 400 of its patients. WDJT Milwaukee, an affiliate of CBS, was contacted on Feb 28, 2015 by a spokesperson for the Medical College of Wisconsin detailing a data breach which exposed some confidential information of its patients. The breach occurred on February 15, 2015, when a document and a laptop computer were stolen from a physician’s car. The document contained information relating to approximately 400 patients. The laptop is understood to have contained the information of only one patient. It is not clear at this stage exactly what information was stored on the laptop computer or in the document, although MCW has confirmed that no Social Security numbers or patient addresses were stolen. In spite of legislation that requires data encryption to be addressed, the healthcare industry has been slow to respond and use data encryption on its desktop computers, laptop computers and other portable storage devices. Data encryption ensures that if a device is stolen, no...

HIPAA Breach or Not? When the OCR Must be Informed?
Feb 21

The Health Insurance Portability and Accountability Act lays down the procedures which must be followed after covered entities (CEs) discover that hackers have gained access to networks, that laptops containing unencrypted PHI have been lost or stolen, or that members of staff have accessed patient health records without authorization. But how can you tell if your incident is a HIPAA breach or not?
When the OCR must be informed of a Data Breach
Not all data breaches are HIPAA breaches and not all HIPAA breaches involve data breaches. So, when should the OCR be informed and how should a data breach be classified? The Omnibus Rule made a number of amendments to terminology and definitions in HIPAA. The Breach Notification Rules were not amended, so the response to breaches remains the same as before, but additional elements were changed, most importantly relating to how a breach is reviewed. The change places a requirement on the CE to determine the level of risk that exists after a breach has occurred, and to conduct a thorough risk assessment to determine if PHI has...

300,000 Records Exposed in University of Maryland Security Breach
Feb 19

309,079 staff and students at the University of Maryland have been affected by a security breach that exposed Social Security numbers, names, dates of birth and university ID numbers. The victims are from the Shady Grove and College Park campuses, and their information was stored in an old database containing the records of people who had previously been issued with University identity cards. The records date back to 1998. Hackers were able to gain access to the database via a server, in spite of several layers of security being in place. They located the database and essentially “made a Xerox of it and took off” according to Brian Voss, the University of Maryland’s Vice President and Chief Information Officer. Once inside the network, the hackers were able to make a copy of the data, but what is concerning in this incident is how the hackers got past the several layers of security that U-Md had put in place. A recent data breach report in the Washington Post reported Voss as saying “what most concerns him is the sophistication of the attack.” He went on to say that the hacker or...

AIS Network Announces Launch of HIPAA Compliant Secure Cloud Services
Feb 16

AIS Network has announced the launch of a range of managed High Security Private Cloud services which are fully HIPAA-compliant and have been developed to offer the highest levels of security as required by the healthcare sector. The company’s new range of services is fully compliant with HIPAA, HITECH, PCI and FISMA, and has been developed specifically for highly regulated industries. Many healthcare providers are reluctant to outsource their IT services, in particular if they require contact with highly sensitive data. Outsourcing payment and patient portals and data storage can increase the risk of committing HIPAA violations. In order for healthcare providers to make the switch to managed cloud services they must be confident that the service provider they choose understands healthcare regulations and can guarantee 100% HIPAA compliance. Few providers are prepared to give such a guarantee. AIS Network provides a solution with a suite of compliant High Security Cloud Services built on the Microsoft Cloud Platform. This ensures easy integration with existing healthcare...

Details Emerge of Anthem HIPAA Breach
Feb 11

The colossal security breach at Anthem Inc, which exposed the Social Security numbers and personal details of 78.8 million plan members, is understood to have involved data from as early as 2004. The investigations are ongoing and it is currently not known exactly how many of its members have been affected. A recent U.S. News and World Report article indicates that hackers previously attempted to access the system as early as December 10, 2014. Anthem’s announcement of the breach indicated that January 27, 2015 was the first occasion on which access had been gained. Anthem spokeswoman Kristin Binns did not confirm the exact date of the breach, but later announced that “The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27”. Forensic investigators have discovered a number of network access attempts that all carry the same hallmarks, and it would appear that numerous unauthorized data access queries were made during this period using the login credentials of five Anthem technical workers. The company’s security system appears to...

Read More
Federal Officials to Explore HIPAA Rules on Data Encryption
Feb10

Federal Officials to Explore HIPAA Rules on Data Encryption

On Friday last week, a day after Anthem Inc. announced the largest ever reported HIPAA breach, the Senate Health, Education, Labor and Pensions Committee announced that healthcare IT security is to be addressed and that it will “take up the matter as part of a bipartisan review of health information security”. The AP reports Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn., as saying “We will consider whether there are ways to strengthen current protections.” Last year saw major data breaches at Sony Pictures and Target which exposed highly sensitive information about employees and customers, while the healthcare industry was hit with a number of breaches including the hacking of Community Health Systems in April and June, in which 4.5 million patient records were exposed. The latest incident is on an unprecedented scale for healthcare, having affected up to 80 million individuals, and it bears out the FBI’s warning of increased attacks on healthcare organizations. Hackers are targeting organizations for the data they hold and the...

Read More
HHS Updates HIPAA Data Breach Reporting Portal
Feb05

HHS Updates HIPAA Data Breach Reporting Portal

A new OCR HIPAA web portal has been launched on the HHS website, streamlining data collection on potential HIPAA violations and the reporting of HIPAA Privacy and Security breaches. The second round of HIPAA compliance audits, originally penciled in for October 2014, was delayed by the implementation of the new web portal. The update signals that the Office for Civil Rights is making good progress and will soon be in a position to send out pre-audit surveys and commence Phase 2 of its HIPAA compliance audit program. HIPAA Breach Report Portal Changes The previous web portal consisted of a single page for filing reports, while the new Java-based wizard takes the user through a multi-step complaint/breach reporting process. Each step must be completed before progressing to the next. The new wizard makes it more straightforward to file reports, although initially it may prove more time-consuming for users. When filing breach reports or making HIPAA Privacy complaints, the user is routed through a series of specific questions with the...

Read More
2016 Budget Increases Funding for HIPAA Audit Program
Feb04

2016 Budget Increases Funding for HIPAA Audit Program

The 2016 budget proposed by President Obama’s administration on Monday this week includes a 4.8% increase in funding for the Department of Health and Human Services, while its Office for Civil Rights would see a budget increase of 10% over the 2015 fiscal year, if Congress approves the appropriations bills that provide the funding. OCR also had a proposed budget increase for the 2015 fiscal year, but did not receive the additional funding; instead it received a flat budget following the signing of the Consolidated and Further Continuing Appropriations Act, 2015 on December 16, 2014. The proposed 2016 budget raises funding for the Office for Civil Rights to $42.7 million, an increase of $3.9 million, which is intended to help it set up a permanent HIPAA audit program and will allow OCR to employ a further four permanent members of staff. The HIPAA compliance audit program commenced in 2011 with a series of pilot audits which highlighted numerous failures by the healthcare industry to keep policies and procedures up to date (the audit protocol has since had to be revised for the HIPAA Omnibus Rule of 2013), but also...

Read More
Anthem Inc. Reeling After Behemoth 80M-Record HIPAA Breach
Feb02

Anthem Inc. Reeling After Behemoth 80M-Record HIPAA Breach

The nation’s second-largest health insurer, Anthem Inc., has been the target of a highly sophisticated cyberattack which has resulted in the theft of 78.8 million records, making this the largest ever data breach to affect the healthcare industry. The breach is on a par with the Target data breaches of 2013 and 2014, which exposed a total of 110 million confidential customer records, and eclipses the TRICARE Management Activity data breach of 4.9 million records in 2011 and the 1.9 million-record breach of Health Net Inc. in 2011. The attack has reportedly exposed personal information including names, dates of birth, addresses and email addresses, along with Social Security numbers, medical IDs, some income data and employment information, although no clinical data is believed to have been exposed and no credit card numbers were stored with the compromised data. Both employees and health plan members have been affected. The insurer discovered the data breach last week and notified the FBI of the attack. The agency is currently conducting an investigation, while Anthem is...

Read More

Timeline of Important Events in the History of HIPAA

The Health Insurance Portability and Accountability Act of 1996 is widely accepted as one of the most important pieces of healthcare legislation ever introduced in the United States. Next year will mark the 20th anniversary of the act, and in that time there have been some major updates to the legislation. The act was introduced during Bill Clinton’s tenure as president and was originally intended to improve the portability and accountability of health insurance coverage. It promoted the use of medical savings accounts by introducing tax breaks, ensured coverage for employees with pre-existing medical conditions and ensured that coverage continued when individuals changed employer. Since the act was introduced, its scope has grown considerably and it has become a vehicle to encourage healthcare providers and other covered entities to move from paper files to electronic health records and, along with that change, to introduce a number of measures to ensure patient healthcare data is kept secure. When...

Read More
NAAC Announces HIPAA Compliance Program for Ambulance Privacy Officers
Jan19

NAAC Announces HIPAA Compliance Program for Ambulance Privacy Officers

NAAC, the National Academy of Ambulance Compliance, has announced that it will be launching the nation’s first Certified Ambulance Privacy Officer (CAPO) program to help ambulance professionals comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its subsequent amendments. “The Certified Ambulance Privacy Officer program is a ground-breaking opportunity for an industry that often struggles with the difficult challenges that HIPAA presents,” according to national EMS attorney Steve Wirth, one of the developers of the compliance program. The healthcare industry has been hit with a number of high-profile breaches in recent years and millions of individuals have had their protected health information exposed. The industry faces an increased threat of targeted attacks by cybercriminals looking to steal data to commit identity and medical fraud, and the penalties for HIPAA violations are considerable. OCR has been enforcing HIPAA more aggressively since the introduction of the HITECH Act and substantial financial penalties are being issued...

Read More
No Timetable for HIPAA Audits Provided by OCR Director
Jan14

No Timetable for HIPAA Audits Provided by OCR Director

OCR Director Jocelyn Samuels has indicated that the expected round of HIPAA audits could still be some time off. In a Jan 13 media briefing she declined to commit to a timescale for the next round of audits, which were originally expected to take place in the fall of 2014. The delay had previously been attributed to problems implementing new technology for collecting and processing audit documents. No reason was given for the continued delay, other than that OCR still has plenty of work to do before the audit program can be launched. The pilot audits took place in 2011 and 2012, with an initial 115 organizations assessed for compliance. KPMG conducted the audits, and the procedures and protocols have since needed revision to accommodate the changes introduced by the Omnibus Final Rule in 2013. The delay gives healthcare organizations more time to conduct risk assessments, review and revise business associate agreements and make sure all HIPAA regulations are being followed. Samuels confirmed that...

Read More
Top 10 Technology Trends for Healthcare in 2015
Jan12

Top 10 Technology Trends for Healthcare in 2015

The latest technology offers healthcare providers an incredible opportunity to improve the standard of care they provide to their patients, and C-suiters appear keen to implement the new tech; however, any technological advance must be assessed for its cost-effectiveness as well as its benefit to patients. This week the ECRI Institute published a list of the top ten technologies that could revolutionize the healthcare industry, with the potential to improve the level of care provided to patients and to reduce operational costs. The Top 10 Hospital C-Suite Watch List highlights the most promising new technologies and suggests that top-level management keep a close eye on developments over the coming 18 months. ECRI is a not-for-profit organization dedicated to researching new technologies, medications, processes and approaches with the aim of improving the level of care provided to patients, and has over 45 years’ experience providing technical assistance to the healthcare industry and...

Read More
HIPAA-Compliant Custom App Development Services Now Provided by Caspio
Jan06

HIPAA-Compliant Custom App Development Services Now Provided by Caspio

Caspio has announced that it is now offering HIPAA-compliant professional services for app development, following on from the success of its HIPAA Enterprise platform-as-a-service. Caspio is a leading cloud platform provider and offers its platform-as-a-service to businesses and organizations in the public and private sectors, allowing them to develop web and mobile applications to improve efficiency, usability and integration between colleagues and customers. Its cloud platform has been adopted by hundreds of businesses including some of the biggest names in retail, insurance, manufacturing, logistics and online media, as well as by numerous non-profit organizations, educational establishments and government agencies. The platform allows web and mobile applications to be created quickly that streamline administrative processes and provide a greater level of automation and secure data management. Applications can be developed to track inventory, schedule resources, log registrations and training, create online customer portals, automate billing...

Read More
Fewer First Baby of the Year Announcements due to HIPAA
Jan01

Fewer First Baby of the Year Announcements due to HIPAA

The first of January traditionally sees a flurry of announcements from hospitals around the country telling the public about the first babies born in the New Year; however, 2015 has seen fewer hospitals making the announcements. Many healthcare providers have decided not to reveal details of New Year’s babies, treating birth announcements as disclosures governed by the Health Insurance Portability and Accountability Act. While the announcements may not have been made public, many hospitals have still celebrated the tradition internally, avoiding any privacy risk from disclosing personal information. Community Health Systems, which suffered a major HIPAA security breach last year exposing 4.5 million patient records, operates 207 hospitals across the country. It is exercising extreme caution and has directed its hospital administrators to refrain from making public announcements of the first baby of 2015, citing security concerns. CHS spokesperson Tomi Galin told the Associated Press “We know the birth...

Read More
Certificates of Creditable Coverage No Longer Required Under HIPAA
Dec29

Certificates of Creditable Coverage No Longer Required Under HIPAA

Certificates of Creditable Coverage were required of health plan providers and issuers under the Health Insurance Portability and Accountability Act (HIPAA); however, a final rule issued under the Affordable Care Act (ACA) changes the requirements of other healthcare regulations such as HIPAA. As a result, Certificates of Creditable Coverage are no longer required for new health plans or any issued since January 1, 2014. HIPAA guarantees continuous coverage for retirees taking advantage of the Consolidated Omnibus Budget Reconciliation Act (COBRA) as well as for individuals who change employer or health plan. To offset a pre-existing condition exclusion under a new health plan, administrators were required to issue a Certificate of Creditable Coverage 30 days before the end of coverage or 30 days before employment ended. From January 1, 2014 until December 31, 2014, health plan providers have not been able to impose pre-existing condition exclusions on enrollees, and as of January 1, 2015, Certificates of Creditable...

Read More
Countdown to the HIPAA Compliance Audits
Dec22

Countdown to the HIPAA Compliance Audits

The countdown to the HIPAA compliance audits has begun. The HHS’ Office for Civil Rights has now implemented its new breach reporting portal, which means planning of the second round of audits can begin in earnest. The long-awaited compliance audits look set to take place in 2015 and all covered entities need to be prepared. Background to the HIPAA Compliance Audits The Department of Health and Human Services gave its Office for Civil Rights the role of enforcing the Health Insurance Portability and Accountability Act, with the Enforcement Rule giving the legislation teeth in 2006. Organizations failing to comply with HIPAA Rules have since faced financial consequences if privacy and data security policies are not brought up to the standards demanded by the legislation. Part of OCR’s role in enforcing HIPAA is to conduct compliance audits; these were conducted between 2011 and 2012 and 115 organizations were audited. The Omnibus Rule and Business Associates The introduction of the HIPAA Omnibus Rule extended the coverage of HIPAA to include business associates...

Read More
Employee Snooping Results in Exposure of 200K HIPAA Covered Records
Dec05

Employee Snooping Results in Exposure of 200K HIPAA Covered Records

The Early Learning Coalition of Palm Beach County has announced that a former employee inappropriately accessed a database containing the medical records of up to 230,000 patients. The database contained personal information of parents and children who have attended centers or received services from the coalition. According to a statement made by the ELC, the affected individuals are believed to be those who received school readiness services or participated in the Voluntary Prekindergarten Education Program. The unauthorized access occurred at the Belle Glade office of Family Central Inc. and has so far been confirmed as affecting 37 patients, although the matter is still under investigation and the final number of victims is not yet known. Data potentially accessed included personal information such as names and contact details, and almost half of the records in the database contained Social Security numbers. The former employee, who was not named in the statement, “accessed the database in an unauthorized manner in order to obtain the personal information, including social...

Read More
Sony Pictures Hack Exposes Sensitive Employee Health Information
Dec05

Sony Pictures Hack Exposes Sensitive Employee Health Information

This week saw Sony Pictures attacked by a group of hackers calling themselves “Guardians of Peace”. The hackers gained access to a number of Sony Pictures employees’ computers and obtained files containing highly sensitive information. The group then published some of the stolen documents and spreadsheets online as evidence of their successful hack. Included in the posts was what appeared to be a list of passwords to three machines the hackers claimed to control, and the group claims to have gained access to hundreds of Sony Pictures computers. According to Fusion.net, the files obtained include a spreadsheet containing the names, birth dates and Social Security numbers of 3,803 Sony Pictures employees. The list also includes the details of the company’s top executives, with payroll data also available. Details of employee pay raises and other financial information are in the unprotected data. One document details the staff whose contracts were terminated in 2014, with the reasons why their employment was terminated. The data is not limited to...

Read More
Extended Data Breach Notification Deadline for California Healthcare Providers
Nov20

Extended Data Breach Notification Deadline for California Healthcare Providers

A recent change to California legislation will extend the time limit for issuing data breach notifications, with certain healthcare providers allowed up to 15 days to notify affected persons under Assembly Bill 1755. The current deadline is 5 days. Under AB 1755, healthcare providers covered by California Health and Safety Code Section 1280.15 must issue notice of a breach of medical data to the California Department of Public Health and to any individual affected, or their representative. The change affects clinics, health care facilities, hospices and home health agencies. In addition to the 10-day extension to the notification deadline, AB 1755 introduces some flexibility regarding the method of contacting any patient affected by a data breach. The law currently requires that the patient (or his/her representative) is notified by mail at their last known address. The change accommodates HIPAA regulations on confidential communications (45 CFR 164.522(b)) under which a covered healthcare provider may “accommodate reasonable...

Read More
Court Dismisses CMIA Claim for $4 Billion in Damages for HIPAA Breach
Nov20

Court Dismisses CMIA Claim for $4 Billion in Damages for HIPAA Breach

Under the California Confidentiality of Medical Information Act (CMIA), companies can face statutory damages running to billions of dollars for security breaches leading to the loss of patient medical data. A California health care organization has recently avoided a $4 billion judgment after it lost the medical records of over 4 million of its patients. The case saw plaintiffs claiming $1,000 each in damages for the loss of data that occurred when a device holding the unencrypted patient database was stolen from a health care center. The company avoided paying damages because, while the device and the data were clearly stolen, it was not possible to show that the data had actually been viewed. Without proof that the data had been accessed by an unauthorized individual, it was not possible to establish on the balance of probabilities that an “injury” had been sustained for which the defendant could be held liable. Because statutory damages of $1,000 can be claimed under the CMIA, any data theft or loss often results in legal action on the grounds of professional negligence,...

Read More
Indiana Court Upholds $1.44M HIPAA Privacy Breach Award
Nov14

Indiana Court Upholds $1.44M HIPAA Privacy Breach Award

Walgreen Co. has lost its appeal against the $1.44 million damages award it was ordered to pay after a HIPAA Privacy Rule breach resulted in confidential patient PHI being shared with an unauthorized individual. This is the first time that an employee’s actions have resulted in a healthcare provider being held liable in a negligence suit for a violation of the Health Insurance Portability and Accountability Act. The Indiana appellate court decision could well set a legal precedent in cases where employees have violated HIPAA regulations and sensitive patient data has been shared with third parties. Walgreen Co. v. Abigail E. Hinchy In July 2013, a Marion Superior Court jury awarded $1.44M in damages to Abigail Hinchy after a Walgreen pharmacist shared PHI about a customer who had dated her husband. The pharmacist, at the Walgreens at 6269 W. 38th St. in Indianapolis, improperly accessed Hinchy’s prescription history. Hinchy had once dated the pharmacist’s husband and had his child, and the pharmacist knowingly accessed her prescription history and personal information and divulged it. The...

Read More
Importance of Encryption for HIPAA Compliant Organizations
Nov11

Importance of Encryption for HIPAA Compliant Organizations

Recent cyberattacks on big corporations have demonstrated that no company is safe from cybercriminals. Individuals and groups of hackers will take advantage of easy targets, and even well-known companies with considerable resources to allocate to cybersecurity have suffered highly damaging attacks. The security breach at Target in November 2013 cost the company $148 million. Investment in data encryption and other cybersecurity measures can therefore be considered money exceptionally well spent. Private and confidential data must be kept secure, and one of the most straightforward methods is data encryption. Encrypted data is scrambled and indecipherable to anyone without the key. The theft of a device containing a properly encrypted database means the loss of equipment, not the loss of data, and not the fines and lawsuits that a data loss entails; the caveat is that this only holds if the decryption key is not stored on or with the device, since under the HHS breach notification guidance PHI counts as “unusable, unreadable, or indecipherable” only where the key has not also been compromised. Data Encryption Options It is possible to encrypt data stored on servers, hard drives, PCs and other devices, but it is also of vital importance to secure data in transit between devices and over the internet to prevent interception. Encryption can be used for...
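The at-rest encryption the passage describes, as an added example written for this page (not the article’s, AIS Network’s or any vendor’s code): a Go program using only the standard library’s AES-256-GCM to seal a patient record so that a stolen copy is unreadable without the key and any modification is detected on read. The sample record, the MRN used as associated data and the assumption that the key is held in a separate key store are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is the on-disk form of one encrypted record: a fresh random nonce
// plus the AES-GCM ciphertext, which already carries its 16-byte
// authentication tag. The key is deliberately not part of this struct.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// GenerateKey returns a fresh 256-bit key from the OS CSPRNG. In a real
// deployment the key lives in a KMS, HSM or TPM-backed store, never on the
// same disk as the ciphertext (hypothetical deployment detail, not from the article).
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. recordID is passed as associated data: it is
// authenticated but not encrypted, so a ciphertext copied from one patient's
// row into another's fails verification when decrypted.
func Seal(key, recordID, plaintext []byte) (*Sealed, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// GCM nonces must never repeat under one key; a random 96-bit nonce per
	// record is the standard choice when a key covers a bounded number of records.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Sealed{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, recordID)}, nil
}

// Open decrypts and verifies a record. A wrong key, a modified ciphertext,
// a swapped nonce or a mismatched recordID all fail the tag check and return
// an error instead of garbage plaintext.
func Open(key, recordID []byte, s *Sealed) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, recordID)
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	id := []byte("MRN-000123")
	record := []byte("name=J. Doe; dob=1970-01-01; dx=hypertension")

	sealed, err := Seal(key, id, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on disk: nonce=%x ct=%x\n", sealed.Nonce, sealed.Ciphertext)

	// A thief holding the disk but not the key gets an error, not the record.
	thiefKey, _ := GenerateKey()
	if _, err := Open(thiefKey, id, sealed); err != nil {
		fmt.Println("wrong key:", err)
	}
	// Flipping a single bit of the stored ciphertext is detected.
	sealed.Ciphertext[0] ^= 0x01
	if _, err := Open(key, id, sealed); err != nil {
		fmt.Println("tampered ciphertext:", err)
	}
}
```

The design point is the one the passage’s caveat turns on: the key never appears in the Sealed structure or on the device. If it did, the ciphertext would be no more protected than the plaintext and the breach safe harbor for encrypted PHI would not apply.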

Read More
OCR Issues Guidance on HIPAA in Emergencies
Nov09

OCR Issues Guidance on HIPAA in Emergencies

The outbreak of Ebola has raised numerous questions of personal privacy and of what information should be disclosed when there is a public health concern. Under HIPAA regulations, protected health information such as a diagnosis should remain private, and disclosing it together with the patient’s name can be a HIPAA violation. The Privacy Rule has no emergency exception that suspends its requirements, but it does set out what information can be shared, and with whom, without the patient’s authorization. Where sharing patient information can aid the treatment of the patient or of other patients, medical information can be disclosed without authorization. OCR explained that “Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.” An entity covered by HIPAA is also permitted to submit medical information about a patient to public health authorities in cases where...

Read More
Connecticut Supreme Court to Allow HIPAA Negligence Claim
Nov07

Connecticut Supreme Court to Allow HIPAA Negligence Claim

A recent ruling by the Connecticut Supreme Court could pave the way for a wave of lawsuits from victims of theft and fraud who have had their protected health information disclosed and have suffered losses or harm as a result. The case of Emily Byrne v. Avery Center for Obstetrics and Gynecology came before the court after a patient’s medical records were provided to a third party despite her explicit instructions to the contrary. While this is a single case, legal experts are now considering how the ruling will apply to data breaches involving millions of potential victims. HIPAA violations are investigated by the Office for Civil Rights of the Department of Health and Human Services, which issues financial penalties to organizations that breach the regulations. HIPAA provides no private right of action to sue for loss and damage caused by non-compliance or data breaches, although a small number of cases have been heard in which HIPAA has been allowed as the standard of care in negligence claims. It was not possible...

Read More
Connecticut Court Allows Claim for a Breach of HIPAA to Proceed
Nov06

Connecticut Court Allows Claim for a Breach of HIPAA to Proceed

The Connecticut Supreme Court has ruled that a plaintiff can proceed with a claim arising from a breach of HIPAA after her private health details were released without her consent. Emily Byrne brought her claim after instructing her doctor at the Avery Center for Obstetrics and Gynecology in Westport not to provide her protected health information to Andro Mendoza, the father of her unborn child, as their relationship had broken up. However, after Mendoza obtained a subpoena to support a paternity suit, the health center released Emily’s protected health information without telling her or contesting the subpoena in court. Her former partner then used the information to launch “a campaign of harm, ridicule, embarrassment and extortion”. Emily took her claim to the Appellate Court, arguing that the Avery Center had been negligent in releasing her protected health information to Mendoza. The court decided that HIPAA preempted the negligence suit, which meant that the health center could admit to a breach of HIPAA...

Read More
How Safe are your Medical Records?
Nov05

How Safe are your Medical Records?

We would like to believe that our confidential medical records are kept under digital lock and key; however, this is not always the case. The safety of patient data depends on the diligence of healthcare organizations and the cybersecurity measures they implement. Simple oversights and errors can leave private and confidential patient medical data exposed in the public domain, as recently happened to 7,000 patients of a diagnostic clinical laboratory in Huntsville, AL. The company, Diatherix Laboratories, was forced to notify its 7,016 patients that a HIPAA breach had left their data publicly accessible for a period of three years, during which time outsiders had accessed that information. The problem occurred because the patient data was stored on a third-party server that had not been secured. The exposure began in September 2011, yet the issue was not noticed until July 2014. This is far from an isolated incident. A Temple University doctor’s office recently reported a laptop theft from its premises with data of 3,780...

Read More
HIPAA Health Plan Identifiers Delayed Until Further Notice
Nov03

HIPAA Health Plan Identifiers Delayed Until Further Notice

CMS introduced a rule that a national health plan identifier must be used for standard transactions, yet it appears to have had second thoughts and its HPID plans have now been “delayed until further notice”. The Office of E-Health Standards and Services at CMS ruled in 2012 that health plans would be required to obtain a numerical identifier, and that other covered entities would also be required to use them and would be covered by future mandates. The Health Insurance Portability and Accountability Act of 1996 provides for HPIDs along with other standard identifiers to simplify administration. HIPAA provider IDs were first introduced in 2007, although plans for a national patient identifier have been on hold since 2000 due to privacy and security concerns. The use of health plan identification numbers has not been welcomed by everyone in the healthcare industry, and concern has been voiced that the identifiers would simply add granularity, over-complicating transactions unnecessarily. The purpose of HPIDs has also been questioned, in particular...

Read More
Data Breach Report Demonstrates Why Healthcare Data Encryption is Essential
Nov01

Data Breach Report Demonstrates Why Healthcare Data Encryption is Essential

The California State Attorney General has released a damning report on the state of data security in the healthcare industry, and in doing so has highlighted the essential need for the healthcare industry to encrypt patient data on all mobile devices such as laptops and smartphones. 70% of data breaches affecting the healthcare industry in California involved the loss or theft of portable hardware on which protected health information was stored; in other industries, breaches of this kind accounted for only 19% of reported breaches. The healthcare industry is particularly vulnerable due to the nature of the data stored and its value to thieves, and the wide range of portable devices used in healthcare also makes it an easy target for cybercriminals. According to the report, between 2012 and 2013 there were 25 data breaches affecting the healthcare industry, which accounted for 15% of the total number of data breaches reported for the year and involved 1.5 million potentially compromised records. The retail industry was hit particularly hard with 43...

Read More
FTC to Address Gaps in HIPAA Regulations to Better Protect Consumers
Nov01

FTC to Address Gaps in HIPAA Regulations to Better Protect Consumers

Privacy and security are two areas of grave concern in healthcare today due to the high volume of highly personal and sensitive patient data being stored and transferred. With apps now collecting personal information directly from consumers, the Federal Trade Commission (FTC) is likely to become more involved in the security and protection of health data, a role usually associated with the Department of Health and Human Services. The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health plans and clearinghouses, together with the technology companies that act as their business associates. Many app developers and tech companies have no such relationship with the healthcare system and are therefore not covered by the regulations. Wearables, health apps and a host of other technologies collect personal information on patients, and the volume of data being collected and stored has raised serious concerns about privacy and security. FTC Commissioner Julie Brill has recently voiced her concern on the issue. She believes that appropriate security controls and privacy protections must be enforced...

Read More
High-Tech Healthcare on the Way
Oct31

High-Tech Healthcare on the Way

And You Thought We Already Lived in a High-Tech Age? Enter any modern medical facility and you will be immediately surrounded by an assortment of high-tech gadgetry designed to make our lives easier, healthier and more secure. Much of this technological wizardry would not have been conceived of a decade ago, and yet now we rely on it every day to care for our young, our elderly and our sick. For many people, high-tech healthcare follows them even after they leave a medical facility. It has been estimated that by 2015, 500 million people around the world will be using smartphone apps to monitor weight, blood pressure, cholesterol levels, heart rate and sleep quality; some even claim their apps can detect cancer. However, not everybody is so keen to adapt to healthcare by phone and, in the same way as the government had to “incentivize” the healthcare industry to start using EHRs, patients are now being offered cash incentives to engage in remote monitoring programs which could not only save their lives but win them a cash prize too! Not Had a Heart...

Read More
40,000-Record Healthcare Database Stolen from Storage Shed in New Jersey
Oct23

40,000-Record Healthcare Database Stolen from Storage Shed in New Jersey

A bizarre report has been released this week on the theft of confidential patient records from a physician in New Jersey. The theft has potentially exposed the medical records of approximately 40,000 patients to unknown individuals. The patient records belonged to Dr. Nisar A. Quraishi, an internal medicine specialist and assistant professor of medicine at the NYU Langone Trinity Center in New York, who was storing the PHI in a shed at his office storage facility. The theft was noticed on Tuesday October 21, although the actual date of the theft remains unknown. Dr. Quraishi last visited his storage facility in August this year, and after leaving ensured that the shed was secured with two padlocks. This week, on his return to the shed, he discovered that both latches had been cut and on entering the shed he noticed that all of his patient records had been stolen. Dr. Quraishi was unable to provide the authorities with any details of the persons affected, only that the documents related to patients treated between 1982 and 2009, some of whom were possibly still being treated by the...

November 5th Deadline to Obtain Health Plan Identifier for Group Health Plans
Oct 21

The Department of Health and Human Services (HHS) has now issued the final version of its regulations following the passing of the Affordable Care Act (ACA), which will require all group health plans to use a health plan identification number (HPID) to conduct standard transactions. Do you need to take immediate action? If you are responsible for a large group health plan – with over $5M in receipts per annum – you must obtain a HPID before November 5, 2014. Small group health plans will also require a HPID, although not for another 12 months. The deadline for small health plans to obtain a HPID is November 5, 2015. The HPID will be required on standard transactions involving the electronic transfer of health data under Health Insurance Portability & Accountability Act of 1996 (HIPAA) regulations. Claims, authorizations, payments and enrollments will all require a HPID, and while group health care plans will not be required to use the identity number until November 7, 2016, a deadline has been imposed on obtaining a HPID number. CHPs and SHPs Controlling Health Plans (CHPs) and Sub...

Breakthrough in HIPAA-Compliant Remote Diabetes Care
Oct 20

The FDA-cleared Remote Patient Monitoring system from ALR Technologies (ALRT) has been hailed as a potential breakthrough in remote diabetes care. The system provides doctors and health care professionals with a method of being reimbursed for time spent providing remote treatment to long-term diabetes sufferers and for the chronic care management services provided. The system – termed Health e-Connect – is an off-the-shelf software system that helps to connect diabetes patients with care providers, no matter where the team members are based in the country. Members of the care team are able to log on through a secure web portal, enter data and communicate with the entire team. Based on the payment system and schedule due to be decided on Nov 1, 2014, the Centers for Medicare and Medicaid Services (CMS) would issue doctors a monthly payment of $41.92 for the provision of up to 20 minutes of remote care per patient. Once the system is implemented and ALRT begins invoicing for its services, the system could generate up to $2.3 million in monthly revenue...

Cybercriminals Target Health Care Organizations for Patient Medical Data
Oct 20

The value of patients’ confidential medical data has risen to ten times that of credit card numbers on the black market, according to recent Reuters reports. Medical data can be used by cybercriminals to fraudulently obtain products and services – as with credit cards – although medical data theft has the advantage of being harder to detect than other cybercrime activities such as credit card phishing. Hackers are now targeting health organizations in an attempt to obtain confidential patient data and other personally identifiable information from their websites, databases and internal computer systems. The threat of attack has prompted the FBI to issue warnings to a wide range of organizations in the health care sector, alerting them to the risk of cyber theft of data. The warning was issued following the theft of 4.5 million patients’ data by a group of hackers in an attack on Community Health Systems. The theft ranks as the biggest HIPAA data breach by hackers and the second largest data breach in history. In this case the data obtained was non-medical in nature,...

Pennsylvania Hospital Advises of Data Breach
Oct 16

Penn Highlands Brookville has issued a public notice confirming a recent “data security incident”, which the Pennsylvania Hospital says involved the data of 4,500 patients under the care of Barry J. Snyder, M.D. The statement was issued as a PHIprivacy press release. Penn Highlands Brookville is part of a quartet of Dubois, PA hospitals comprising Penn Highlands Healthcare, although this incident only affected one doctor’s patient database. On August 14, 2014 a server containing Barry J. Snyder’s patient database was found to have been compromised. A third party had gained access to the server on which the data was stored and potentially had access to protected health data of all of the doctor’s patients. It could not be determined whether the intruder had actually accessed any of the patient data. The data was held on a server belonging to an Ohio third party vendor under contract to maintain Dr. Snyder’s records. The data stored on the server included names, addresses, social security numbers, medical and insurance information, driver’s license numbers, telephone numbers and the...

Colorado Behavioral Health Patients Advised of HIPAA Breach
Oct 14

A recent postcard mailing by the Colorado Department of Health Care Policy and Financing has, albeit accidentally, disclosed protected health information on patients and is in breach of HIPAA regulations. The breach has now been made public and the patients concerned have been notified by mail. The HIPAA breach was due to a survey being mailed to approximately 15,000 patients, each of whom had received treatment through Medicaid or the Office of Behavioral Health belonging to the Department of Human Services. The HIPAA violation was not due to social security numbers, addresses or any other information which could potentially be used by thieves or fraudsters being listed in the communication. The HIPAA violation was for using a postcard rather than a sealed envelope for the survey. By using a postcard, the name and address of the recipient were clearly visible, while the survey identified them as being behavioral services patients. The survey contained questions about the behavioral health care services they had received, and someone other than the intended recipient could...

Data Breaches Prompt Change in Florida Law
Oct 14

A new state law has been passed to give Florida residents greater protection by ensuring both private companies and government agencies store electronic data securely. The recent spate of cyber attacks and HIPAA breaches has highlighted the fact that consumers now face a very real threat that their personal and confidential data could fall into the hands of criminals. The elevated risk prompted Florida to draft new legislation to better protect its residents, and in July of this year the Florida Information Protection Act of 2014 (FIPA) came into force. FIPA is similar to the Health Insurance Portability and Accountability Act of 1996. The legislation has been introduced to protect the privacy of consumers and to hold offenders accountable for data breaches. The Attorney General’s Office also wants rapid action following a data breach to limit the harm, damage and loss caused. By sending notifications to victims promptly, they are able to take action to protect their identities and prevent further loss or damage. Under FIPA, organizations must take...

Leading Texas Hospice Embraces Secure Messaging
Oct 08

The Solaris Hospice is one of the largest palliative care providers in the Southwest – operating from sixteen locations to provide care and support for more than four hundred patients each day. The hospice’s 150 physicians and nurses work in a vast rural area in which effective communication is a must in order to maintain the organization’s reputation as a healthcare leader among the communities it serves. One of the biggest issues experienced by the organization was maintaining the integrity of its clients’ protected health information (PHI) while its workforce was distributed throughout the community. Following the enactment of new regulations within the Health Insurance Portability and Accountability Act (HIPAA), all PHI now has to be encrypted and monitored when it is at rest or in transit. The new regulations mean that “traditional” methods of communicating patient data – such as SMS and email – are effectively outlawed, and this created an issue for community nurses who wanted to escalate patient concerns to the organization’s medical team or send images...

HIPAA Audits to Recommence in 2015
Oct 06

Following on from a series of pilot HIPAA audits, the HHS Office for Civil Rights (OCR) is planning a second round of random audits to ensure healthcare organizations are fully compliant with current HIPAA regulations. The next round of audits will also carry severe financial penalties for any violations uncovered. The next round of HIPAA audits was planned to start in October 2014, although the date has now been pushed back until 2015. It was announced at the San Diego American Health Information Management Association (AHIMA) annual convention that a round of 350 audits would be conducted on healthcare organizations, with a further 50 audits to be conducted on business associates to ensure compliance. Insurers and clearinghouses will also be subjected to audits in 2015. The healthcare organizations due to be audited have already been selected, although entities have also been selected to ensure better coverage across the whole of the United States and to ensure that a good diversity of entities are assessed for HIPAA compliance. This only gives healthcare organizations a few...

FDA Finalizes Guidelines on CyberSecurity and the Usage of Medical Devices
Oct 05

This month the Food and Drug Administration (FDA) has finalized its guidelines on the development of management strategies covering cybersecurity, the use of medical devices and requirements for premarket submissions. The document is titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and is available on the FDA website. The document is essential reading for any medical device manufacturer to ensure future premarket submissions are accepted, and that steps are taken to ensure current medical devices being produced adhere to the new guidelines. The guidelines were prepared to force manufacturers to take the potential risk of cyber attacks into consideration and to incorporate appropriate security measures and safeguards to reduce susceptibility to attack and the risk of device failure. The FDA identified potential vulnerabilities which could lead to the loss or theft of private data, although the agency has so far not released any information on specific injuries caused by cyber attacks. The presence of spyware/malware on doctors or...

FDA to Address Security Issues and HIPAA Compliance of Older Medical Devices
Oct 04

The FDA is to take action to address problems relating to the cybersecurity of medical devices following complaints from hospitals and healthcare providers that manufacturers of the devices are not being proactive in providing protection against cyber attacks. There has also been criticism of the makers of medical equipment for failing to upgrade older models, meaning threats remain or new equipment must be purchased. The FDA has already commenced a drive to build a more strategic and comprehensive cybersecurity program and has been running workshops to hear about security risks and concerns. The Agency is determined to get manufacturers to build in security controls rather than bolt them on afterwards and is in the process of finalizing its guidelines on pre-market approval procedures, which were first issued in the summer of 2013. The FDA director of Emergency Preparedness/Operations and Medical Countermeasures, Suzanne Schwartz, has stated that new guidance will be released imminently. Debunking Myths There is a common misconception that makers of medical devices have to obtain...

Privacy Protection Strengthened in California
Oct 01

On Tuesday, September 30, California Governor Edmund Brown introduced new legislation to improve the level of privacy protection for California residents. The new set of bills introduced a number of changes to the legislation, which included clearer posting of privacy policies on government department websites, together with a requirement for private companies to offer victims of a data security breach services to prevent identity theft and financial loss as a result of the PHI exposure. According to the new legislation, “If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.” The new legislation also clarifies the procedures organizations must follow when issuing breach...

Important Information on HIPAA Business Associate Agreements
Sep 30

The Omnibus Rule has now been in effect for a week and is an amendment to HIPAA regulations which requires all Business Associate Agreements to be HIPAA-compliant. Any new BAAs issued – or those issued after Sept 23, 2014 – must comply with the HIPAA Omnibus Rule; however, the same applies to any business agreements already in place. Existing agreements must also be updated to take the new Omnibus Rule into account. If any agreements have not been updated, the HHS’ OCR will consider this a HIPAA violation and would be within its rights to issue a financial penalty for each agreement that does not comply with the new rule. It is therefore essential that healthcare organizations perform a full review of all BAAs currently active and address any non-compliance issues. Issuing HIPAA Compliant Business Associate Agreements A HIPAA-compliant BAA must be issued and signed by a Business Associate (BA) to ensure that PHI is properly protected. A Business Associate is classed as any individual, company, organization or other entity that performs a function, offers a service or conducts...

Oct 6 Deadline for Laboratories to Comply with HIPAA Privacy Rule Changes
Sep 29

The deadline for compliance following the introduction of the new HIPAA Privacy Rule is October 6, 2014. Hospitals with on-site laboratories subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) as well as laboratories covered by HIPAA must adapt policies and procedures to take the new legislation changes into account. The change provides patients with improved access to their medical data. The changes have now been finalized by the HHS Office for Civil Rights, the Centers for Disease Control and Prevention and the Centers for Medicare & Medicaid Services, which amended CLIA regulations earlier this year. Laboratories are currently permitted to provide medical test results directly to patients, provided that it can be established that the results of the tests belong to the patient in question. Results can also be released to patients’ nominated representatives. The change to HIPAA privacy laws from October 6 means that laboratories are now required to provide PHI to patients upon request and that patients have full access rights. Any non-HIPAA covered entity is...

Government Conference Highlights Importance of HIPAA Compliance
Sep 25

This September the Government held the 7th annual conference, Safeguarding Health Information: Building Assurance Through HIPAA Security, in Washington, D.C. The conference was co-hosted by the National Institute of Standards and Technology (NIST), the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS). One of the main aims of the conference was to highlight the current state of health information management and to explore the use of information technology in healthcare while ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance. Practical advice and strategies were also provided to streamline implementation of the HIPAA Security Rule. The HIPAA Security Rule was introduced to set a standard to protect the privacy and confidentiality of patients’ health information. Healthcare organizations and other HIPAA covered entities are required to implement appropriate safeguards to protect electronic health information during storage and transit. Appropriate technical, administrative and physical safeguards must be employed to prevent...

WEDI Announces HIPAA Health Plan Identifier (HPID) Usage Survey Results
Sep 22

The nation’s leading non-profit authority on Information Technology usage in the U.S. healthcare industry has announced the results of a recent survey conducted on the use of the Health Plan Identifier (HPID) in electronic transactions under the Health Insurance Portability and Accountability Act (HIPAA). The Workgroup for Electronic Data Interchange (WEDI) has now processed the responses from 262 participants in its recent survey, which was conducted between Aug 20 and Sept 5 of this year. Respondents included software vendors, providers, clearinghouses, administrators and multiple stakeholders. The findings have been posted online and sent to the Department of Health and Human Services (HHS). Key findings of the survey:
• The value of HPID use was only recognized by 15% of stakeholders
• Almost a quarter (24%) of respondents had no issues with the implementation of HPID alongside other mandates
• 39% of respondents are not able to predict the likely impact, while 51% believe they will be impacted by an increase in granularity
• 55% of respondents agreed that HPID use within...


New OCR Director Makes First Speech on OCR HIPAA Enforcement

New OCR Director, Jocelyn Samuels, has chosen National Health IT Week to make her first major speech as head of the government’s HIPAA enforcement team. Samuels took over from Director Leon Rodriguez earlier this year at a time when the second round of compliance audits was in the process of being finalized. The audits are scheduled to take place this fall, and the healthcare industry is keen to discover the new director’s plans for enforcing HIPAA. Samuels has a wealth of experience in federal law enforcement, having previously served as acting assistant attorney general for civil rights at the U.S. Department of Justice, where she was tasked with enforcing the government’s regulations on discrimination. She also served as senior policy attorney at the Equal Employment Opportunity Commission, although she has not previously worked in the healthcare sector. In her 10-minute speech at the ONC’s 2014 Consumer Health Summit in Washington, Samuels announced that the OCR will be enforcing privacy provisions to ensure patients are given access to their health records. She believes it...

Jury Still Out on the Medicare Experiment
Sep 14

The introduction of President Barack Obama’s healthcare reform was met with much debate and has resulted in many heated exchanges between proponents and critics. Now that the law has been passed, experts have been analyzing all aspects of the system to determine how effective and efficient the healthcare program has been. So far, early analyses have produced highly mixed results. The theory is that Accountable Care Organizations (ACOs) – groups of doctors, hospitals and health care providers that give their time to Medicare voluntarily – will be able to offer coordinated care for patients and, by doing so, make savings in operating costs, prevent unnecessary treatments from being performed and ensure that patients do not experience a fall in the standard of care provided. It has not all been plain sailing, as some medical institutions refused to join the Center for Medicare & Medicaid Services’ Pioneer ACO program and many who did agree have already pulled out. There are just 19 of the 32 participants still in the program. The Mayo Clinic and Cleveland...

Data of 31K Patients Exposed by Potential HIPAA Breach at Utah Clinic
Sep 11

The Central Utah Clinic is the latest healthcare facility to announce it has suffered a potential HIPAA breach after an unknown group or individual was identified as having had unauthorized access to a server. The server was accessed in June, although it cannot be determined whether the intruders viewed any protected health information. No evidence has so far been found to suggest that material was copied from the server or was indeed viewed. The clinic confirmed that only one server was affected and that other hardware used by the clinic remained secure and was unaffected by the security incident. The data breach potentially affects 31,677 patients of the Central Utah Clinic, according to a press release issued by the clinic. The victims are being contacted by mail to advise them of the potential data breach and that the problem has been resolved and the data secured. In accordance with HIPAA regulations, the appropriate authorities were advised of the intrusion and alerted to the potential compromise of some protected health information. Data stored on the server included names and addresses of...

Behavioral Health Treatment Requires Change to be HIPAA Compliant
Sep 11

Behavioral health disorders are the main cause of disability in the United States. 25% of the population suffers from behavioral health issues at some point in their lives, with conditions such as anxiety disorder more common than highly publicized diseases such as diabetes. Fortunately, excellent training means today’s health care providers are now much better at diagnosing these disorders, and advances in treatment mean behavioral health disorders can be effectively managed. It is essential that sufferers are given access to healthcare and that patients are encouraged to come in for treatment. There are many sufferers who are not yet receiving treatment, while those who have been diagnosed face an inefficient health care system. Addiction and other behavioral health problems can deeply affect communities and cause a great deal of stress to family members who have to deal with individuals and their actions. It is therefore essential that the system is improved to help both communities and individual sufferers; in particular, getting rid of the stigma attached to behavioral health...
