OCR Issues Guidance on HIPAA in Emergencies
Nov09

The outbreak of Ebola has raised numerous issues of personal privacy and the information that should be disclosed in situations when there is a public health concern. Under HIPAA regulations, protected health information such as the diagnosis of a disease should remain private, and the disclosure of this information with the name of the patient can be a potential HIPAA violation. The issue of sharing private information in an emergency situation is not addressed in the HIPAA Privacy Rule, although the Privacy Rule does cover what information can be shared. In cases where the sharing of patient information can aid treatment of the patient or other patients, medical information can be disclosed without authorization. The OCR explained that “Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.” If an entity is covered by HIPAA it is permitted to submit medical information about a patient to public health authorities in cases where...

Connecticut Supreme Court to Allow HIPAA Negligence Claim
Nov07

A recent ruling by the Connecticut Supreme Court could potentially pave the way for a wave of lawsuits from victims of theft and fraud who have had their protected health information disclosed and have suffered losses or harm as a result. The case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology was heard by the court after a patient’s medical records were provided to a third party when explicit instructions were provided to the contrary. While this is just one individual case, legal experts are now considering how this ruling will apply to data breaches involving millions of potential victims. HIPAA violations are investigated by the Office for Civil Rights of the Department of Health and Human Services and financial penalties are issued to organizations that breach regulations. HIPAA makes no provision for a private right of action to sue for loss and damage caused by non-compliance issues or data breaches, although a small number of cases have been heard by the courts where HIPAA has been allowed as the standard of care in negligence claims. It was not possible...

Connecticut Court Allows Claim for a Breach of HIPAA to Proceed
Nov06

The Connecticut Supreme Court has ruled that a plaintiff can proceed with a claim for a breach of HIPAA after her private health details were released without her consent. Emily Byrne brought her claim for a breach of HIPAA after advising her doctor at the Avery Center for Obstetrics and Gynecology in Westport not to provide her protected health information to Andro Mendoza, the father of the child she was pregnant with, as their relationship had broken up. However, after Mendoza had obtained a subpoena to support a paternity suit, the health center released Emily’s protected health information without telling Emily or fighting the subpoena in court. Emily’s former partner then used the information to launch “a campaign of harm, ridicule, embarrassment and extortion”. Emily took her claim for a breach of HIPAA to the Appellate Court – claiming that the Avery Center had been negligent in releasing her protected health information to Mendoza. The court decided that HIPAA preempted the negligence suit, which meant that the health center could admit to a breach of HIPAA...

How Safe are your Medical Records?
Nov05

We would like to believe that our confidential medical records are kept under digital lock and key; however, this is not always the case. The safety of patient data depends on the diligence of health care organizations and the cyber-security measures they have implemented. Simple oversights and errors can result in private and confidential patient medical data being made available in the public domain, as recently happened for 7,000 patients of a diagnostic clinical laboratory in Huntsville, AL. The company, Diatherix Laboratories, was forced to notify its 7,016 patients that a HIPAA breach led to their data being made available in the public domain for a period of three years, and during that time outsiders had accessed that information. The problem occurred because the patient data was stored on a third-party server which had not been secured. The breach occurred in September of 2011, yet the issue was not noticed until July 2014. This is far from an isolated incident. A Temple University doctor’s office recently reported a laptop theft from the premises with data of 3,780...

HIPAA Health Plan Identifiers Delayed Until Further Notice
Nov03

The CMS introduced the rule that a national health plan identifier must be used for transactions, yet it appears to have had second thoughts on the issue and its HPID plans have now been “delayed until further notice”. The Office of E-Health Standards and Services of the CMS previously ruled in 2012 that it would require health plans to have a numerical identifier, while other covered entities would also be required to use them and would be covered in future mandates. The Health Insurance Portability and Accountability Act of 1996 uses HPIDs along with other identifiers to simplify administration. HIPAA provider IDs were first introduced in 2007, although plans for the introduction of a national patient identifier have been on hold since 2000 due to privacy and security concerns. The use of health plan identification numbers has not been met with praise by all in the healthcare industry, and concern has been voiced that the use of these identifiers would just add granularity, over-complicating transactions unnecessarily. The purpose of HPIDs has also been questioned, in particular...

Data Breach Report Demonstrates Why Healthcare Data Encryption is Essential
Nov01

The California State Attorney General has released a damning report on the state of data security in the healthcare industry, and in doing so has highlighted an essential need for the healthcare industry to encrypt patient data across all mobile devices such as laptops and smartphones. 70% of data breaches which have affected the healthcare industry in California involved the loss or theft of portable hardware on which protected health information was stored. In other industries, breaches of this nature only accounted for 19% of reported breaches. The healthcare industry is particularly vulnerable due to the nature of the data stored and its value to thieves. The wide range of portable devices used in the healthcare industry also makes it an easy target for cyber criminals. According to the report, between 2012 and 2013 there were 25 data breaches affecting the healthcare industry, which accounted for 15% of the total number of data breaches reported for the year and involved 1.5 million potentially compromised records. The retail industry was hit particularly hard with 43...

FTC to Address Gaps in HIPAA Regulations to Better Protect Consumers
Nov01

Privacy and security are two areas of grave concern in healthcare today due to the high volume of highly personal and sensitive patient data being stored and transferred. With apps now collecting personal information directly from consumers, the Federal Trade Commission (FTC) is likely to become more involved in the security and protection of data, a role usually given to the Department of Health and Human Services. The Health Insurance Portability and Accountability Act (HIPAA) covers health tech companies and health care providers that have business relationships with each other. Many companies, software developers and tech companies are not part of the health care system and are therefore not covered under the regulations. Wearables, health apps and a host of other tech collect personal information on patients, and the volume of data being collected and stored has raised serious concerns about privacy and security issues. FTC commissioner Julie Brill has recently voiced her concern on the issue. She believes that appropriate security controls and privacy protection must be enforced...

High-Tech Healthcare on the Way
Oct31

And You Thought We Already Lived in a High-Tech Age?

Enter any modern medical facility and you will be immediately surrounded by an assortment of high-tech gadgetry designed to make our lives easier, healthier and more secure. Much of the technological wizardry would not have been conceived a decade ago, and yet now we rely on it every day to care for our young, our elderly and our sick. For many people, even when they leave a medical facility, high-tech healthcare still follows them around. It has been estimated that – by 2015 – 500 million people around the world will be using smartphone apps to monitor weight, blood pressure, cholesterol levels, heart rate and sleep quality; some even claim that apps are able to detect cancer. However, not everybody is so keen to adapt to healthcare by phone and, in the same way as the Government had to “incentivize” the healthcare industry to start using EHRs, patients are now being bribed to engage in remote monitoring programs which could not only save their lives – but win them a cash prize too!

Not Had a Heart...

40,000-Record Healthcare Database Stolen from Storage Shed in New Jersey
Oct23

A bizarre report has been released this week on the theft of confidential patient records from a physician in New Jersey. The theft has potentially exposed the medical records of approximately 40,000 patients to unknown individuals. The patient records belonged to Dr. Nisar A. Quraishi, an internal medicine specialist and assistant professor of medicine at the NYU Langone Trinity Center in New York, who was storing the PHI in a shed at his office storage facility. The theft was noticed on Tuesday October 21, although the actual date of the theft remains unknown. Dr. Quraishi last visited his storage facility in August this year, and after leaving ensured that the shed was secured with two padlocks. This week, on his return to the shed, he discovered that both latches had been cut and on entering the shed he noticed that all of his patient records had been stolen. Dr. Quraishi was unable to provide the authorities with any details of the persons affected, only that the documents related to patients treated between 1982 and 2009, some of whom were possibly still being treated by the...

November 5th Deadline to Obtain Health Plan Identifier for Group Health Plans
Oct21

The Department of Health and Human Services (HHS) has now issued the final version of its regulations following the passing of the Affordable Care Act (ACA), which will require all group health plans to use a health plan identification number (HPID) to conduct standard transactions. Do you need to take immediate action? If you are responsible for a large group health plan – with over $5M in receipts per annum – you must obtain a HPID before November 5, 2014. Small group health plans will also require a HPID, although not for another 12 months. The deadline for small health plans to obtain a HPID is November 5, 2015. The HPID will be required on standard transactions involving the electronic transfer of health data under Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. Claims, authorizations, payments and enrollments will all require a HPID, and while group health care plans will not be required to use the identity number until November 7, 2016, a deadline has been imposed on obtaining a HPID number.

CHPs and SHPs

Controlling Health Plans (CHPs) and Sub...

Breakthrough in HIPAA-Compliant Remote Diabetes Care
Oct20

The FDA-cleared Remote Patient Monitoring system from ALR Technologies (ALRT) has been hailed as a potential breakthrough in remote diabetes care. The system provides doctors and health care professionals with a method of being reimbursed for time spent providing remote treatment to long-term diabetes sufferers and of receiving recompense for the chronic care management services provided. The system – termed Health e-Connect – is an off-the-shelf software system that helps to connect diabetes patients with care providers, no matter where the team members are based in the country. Members of the care team are able to log on through a secure web portal, enter data and communicate with the entire team. Based on the payment system and schedule due to be decided on Nov 1, 2014, the Centers for Medicare and Medicaid Services (CMS) would issue doctors a monthly payment of $41.92 for the provision of up to 20 minutes of remote care per patient. Once the system is implemented and ALRT begins invoicing for its services, the system could generate up to $2.3 million in monthly revenue...

Cybercriminals Target Health Care Organizations for Patient Medical Data
Oct20

The value of patients’ confidential medical data has risen to ten times that of credit card numbers on the black market, according to recent Reuters reports. Medical data can be used by cyber criminals to fraudulently obtain products and services – as with credit cards – although medical data theft has the advantage of being harder to detect than other cyber crime activities such as credit card phishing. Hackers are now targeting health organizations in an attempt to obtain confidential patient data and other personally identifiable information from their websites, databases and internal computer systems. The threat of attack has prompted the FBI to issue warnings to a wide range of organizations in the health care sector alerting them to the risk of cyber theft of data. The warning was issued following the theft of 4.5 million patients’ data by a group of hackers in an attack on Community Health Systems. The theft ranks as the biggest HIPAA data breach by hackers and the second largest data breach in history. In this case the data obtained was non-medical in nature,...

Pennsylvania Hospital Advises of Data Breach
Oct16

Penn Highlands Brookville has issued a public notice confirming a recent “data security incident”, which the Pennsylvania hospital says involved the data of 4,500 patients under the care of Barry J. Snyder, M.D. The statement was issued as a PHIprivacy press release. Penn Highlands Brookville is part of a quartet of Dubois, PA hospitals comprising Penn Highlands Healthcare, although this incident only affected one doctor’s patient database. On August 14, 2014 a server containing Barry J. Snyder’s patient database was found to have been compromised. A third party had gained access to the server on which the data was stored and potentially had access to the protected health data of all of the doctor’s patients. It could not be determined whether the intruder had actually accessed any of the patient data. The data was held on a server belonging to an Ohio third-party vendor under contract to maintain Dr. Snyder’s records. The data stored on the server included names, addresses, social security numbers, medical and insurance information, driver’s license numbers, telephone numbers and the...

Colorado Behavioral Health Patients Advised of HIPAA Breach
Oct14

A recent postcard mailing by the Colorado Department of Health Care Policy and Financing has, albeit accidentally, disclosed protected health information on patients and is in breach of HIPAA regulations. The breach has now been made public and the patients concerned have been notified by mail. The HIPAA breach was due to a survey being mailed to approximately 15,000 patients, each of whom had received treatment through Medicaid or the Office of Behavioral Health belonging to the Department of Human Services. The HIPAA violation was not due to social security numbers and addresses being listed in the communication or any other information which could potentially be used by thieves or fraudsters. The HIPAA violation was for using a postcard rather than a sealed envelope for the survey. By using a postcard the name and the address of the recipient was clearly visible, while the survey identified them as being behavioral services patients. The survey contained questions about the behavioral health care services they had received and someone other than the intended recipient could...

Data Breaches Prompt Change in Florida Law
Oct14

A new state law has been passed to give Florida residents greater protection by ensuring both private companies and government agencies store electronic data securely. The recent spate of cyber attacks and HIPAA breaches has highlighted the fact that consumers now face a very real threat that their personal and confidential data could fall into the hands of criminals. The elevated risk prompted Florida to draft new legislation to better protect its residents, and in July of this year the Florida Information Protection Act of 2014 (FIPA) came into force. FIPA is similar to the Health Insurance Portability and Accountability Act of 1996. The legislation has been introduced to protect the privacy of consumers and to hold offenders accountable for data breaches. The Attorney General’s Office also wants rapid action following a data breach to limit the harm, damage and loss caused. By sending notifications to victims promptly, they are able to take action to protect their identities and prevent further loss or damage. Under FIPA, organizations must take...

Leading Texas Hospice Embraces Secure Messaging
Oct08

The Solaris Hospice is one of the largest palliative care providers in the Southwest – operating from sixteen locations to provide care and support for more than four hundred patients each day. The hospice’s 150 physicians and nurses work in a vast rural area in which effective communication is a must in order to maintain the organization’s reputation as a healthcare leader among the communities it serves. One of the biggest issues experienced by the organization was maintaining the integrity of its clients’ protected healthcare information (PHI) while its workforce was distributed throughout the community. Following the enactment of new regulations within the Health Insurance Portability and Accountability Act (HIPAA), all PHI now has to be encrypted and monitored when it is at rest or in transit. The new regulations mean that “traditional” methods of communicating patient data – such as SMS and email – are effectively outlawed, and this created an issue for community nurses who wanted to escalate patient concerns to the organization’s medical team or send images...

HIPAA Audits to Recommence in 2015
Oct06

Following on from a series of pilot HIPAA audits, the HHS Office for Civil Rights (OCR) is planning a second round of random audits to ensure healthcare organizations are fully compliant with current HIPAA regulations. The next round of audits will also carry severe financial penalties for any violations uncovered. The next round of HIPAA audits was planned to start in October 2014, although the date has now been pushed back until 2015. It was announced at the San Diego American Health Information Management Association (AHIMA) annual convention that a round of 350 audits would be conducted on healthcare organizations, with a further 50 audits to be conducted on business associates to ensure compliance. Insurers and clearinghouses will also be subjected to audits in 2015. The healthcare organizations due to be audited have already been selected, with entities chosen to ensure coverage across the whole of the United States and a good diversity of entities assessed for HIPAA compliance. This only gives healthcare organizations a few...

FDA Finalizes Guidelines on CyberSecurity and the Usage of Medical Devices
Oct05

This month the Food and Drug Administration (FDA) has finalized its guidelines on the development of management strategies covering cybersecurity, the use of medical devices and requirements for premarket submissions. The document is titled: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and is available on the FDA website. The document is essential reading for any medical device manufacturer to ensure future premarket submissions are accepted, and that steps are taken to ensure current medical devices being produced adhere to the new guidelines. The guidelines were prepared to force manufacturers to take the potential risk of cyber attacks into consideration and to incorporate appropriate security measures and safeguards to reduce the risk of attack and of device failure. The FDA identified potential vulnerabilities which could lead to the loss or theft of private data, although the agency has so far not released any information on specific injuries caused by cyber attacks. The presence of spyware/malware on doctors or...

FDA to Address Security Issues and HIPAA Compliance of Older Medical Devices
Oct04

The FDA is to take action to address problems relating to the cybersecurity of medical devices following complaints from hospitals and healthcare providers that manufacturers of the devices are not being proactive in providing protection against cyber attacks. There has also been criticism of the makers of medical equipment for failing to upgrade older models, meaning threats remain or new equipment must be purchased. The FDA has already commenced a drive to build a more strategic and comprehensive cybersecurity program and has been running workshops to hear about security risks and concerns. The Agency is determined to get manufacturers to build in security controls rather than bolt them on afterwards, and is in the process of finalizing its guidelines on pre-market approval procedures, which were first issued in the summer of 2013. The FDA director of Emergency Preparedness/Operations and Medical Countermeasures, Suzanne Schwartz, has stated that new guidance will be released imminently.

Debunking Myths

There is a common misconception that makers of medical devices have to obtain...

Privacy Protection Strengthened in California
Oct01

On Tuesday 30th September, California Governor Edmund Brown introduced new legislation to improve the level of privacy protection for California residents. The new set of bills introduced a number of changes to the legislation, which included clearer posting of privacy policies on government department websites, together with a requirement for private companies to offer victims of a data security breach services to prevent identity theft and financial loss as a result of the PHI exposure. According to the new legislation, “If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information”. The new legislation also clarifies the procedures organizations must follow when issuing breach...

Important Information on HIPAA Business Associate Agreements
Sep30

The Omnibus Rule has now been in effect for a week and is an amendment to HIPAA regulations which requires all Business Associate Agreements to be HIPAA-compliant. Any new BAAs issued – or those issued after Sept 23, 2014 – must comply with the HIPAA Omnibus Rule; however, the same applies to any business agreements already in place. Existing agreements must also be updated to take the new Omnibus Rule into account. If any agreements have not been updated, the HHS’ OCR will consider this a HIPAA violation and would be within its rights to issue a financial penalty for each agreement that does not comply with the new rule. It is therefore essential that healthcare organizations perform a full review of all BAAs currently active and address any non-compliance issues.

Issuing HIPAA Compliant Business Associate Agreements

A HIPAA-compliant BAA must be issued and signed by a Business Associate (BA) to ensure that PHI is properly protected. A Business Associate is classed as any individual, company, organization or other entity that performs a function, offers a service or conducts...

Oct 6 Deadline for Laboratories to Comply with HIPAA Privacy Rule Changes
Sep29

The deadline for compliance following the introduction of the new HIPAA Privacy Rule is October 6, 2014. Hospitals with on-site laboratories subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) as well as laboratories covered by HIPAA must adapt policies and procedures to take the new legislation changes into account. The change provides patients with improved access to their medical data. The changes have now been finalized by the HHS Office for Civil Rights, the Centers for Disease Control and Prevention and the Centers for Medicare & Medicaid Services, which amended CLIA regulations earlier this year. Laboratories are currently permitted to provide medical test results directly to patients, provided that it can be established that the results of the tests belong to the patient in question. Results can also be released to patients’ nominated representatives. The change to HIPAA privacy laws from October 6 means that laboratories are now required to provide PHI to patients upon request and that patients have full access rights. Any non-HIPAA covered entity is...

Government Conference Highlights Importance of HIPAA Compliance
Sep25

This September the Government held the 7th annual conference, Safeguarding Health Information: Building Assurance Through HIPAA Security, in Washington, D.C. The conference was co-hosted by the National Institute of Standards and Technology (NIST), the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS). One of the main aims of the conference was to highlight the current state of health information management and to explore the use of information technology in healthcare while ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance. Practical advice and strategies were also provided to streamline implementation of the HIPAA Security Rule. The HIPAA Security Rule was introduced to set a standard to protect the privacy and confidentiality of patients’ health information. Healthcare organizations and other HIPAA covered entities are required to implement appropriate safeguards to protect electronic health information during storage and transit. Appropriate technical, administrative and physical safeguards must be employed to prevent...

WEDI Announces HIPAA Health Plan Identifier (HPID) Usage Survey Results
Sep22

The nation’s leading non-profit authority on Information Technology usage in the U.S. healthcare industry has announced the results of a recent survey conducted on the use of the Health Plan Identifier (HPID) in electronic transactions under the Health Insurance Portability and Accountability Act (HIPAA). The Workgroup for Electronic Data Interchange (WEDI) has now processed the responses from 262 participants in its recent survey, which was conducted between Aug 20 and Sept 5 of this year. Respondents included software vendors, providers, clearing houses, administrators and multiple stakeholders. The findings have been posted online and sent to the Department of Health and Human Services (HHS). Key findings of the survey:

• The value of HPID use was only recognized by 15% of stakeholders
• Almost a quarter (24%) of respondents had no issues with the implementation of HPID alongside other mandates
• 39% of respondents are not able to predict the likely impact, while 51% believe they will be impacted by an increase in granularity
• 55% of respondents agreed that HPID use within...


New OCR Director Makes First Speech on OCR HIPAA Enforcement

New OCR Director, Jocelyn Samuels, has chosen National Health IT Week to make her first major speech as head of the government’s HIPAA enforcement team. Samuels took over from Director Leon Rodriguez earlier this year at a time when the second round of compliance audits was in the process of being finalized. The audits are scheduled to take place this fall and the healthcare industry is keen to discover the new director’s plans for enforcing HIPAA. Samuels has a wealth of experience in federal law enforcement, having previously served as acting assistant attorney general for civil rights at the U.S. Department of Justice, where she was tasked with enforcing the government’s regulations on discrimination. She also served as senior policy attorney at the Equal Employment Opportunity Commission, although she has not previously worked in the healthcare sector. In her 10-minute speech at the ONC’s 2014 Consumer Health Summit in Washington, Samuels announced that the OCR will be enforcing privacy provisions to ensure patients are given access to their health records. She believes it...

Jury Still Out on the Medicare Experiment
Sep14

The introduction of President Barack Obama’s healthcare reform was met with much debate and has resulted in many heated exchanges between proponents and critics. Now that the law has been passed, experts have been analyzing the effectiveness of all aspects of the system to determine how effective and efficient the healthcare program has been. So far early analyses have produced highly mixed results. The theory is that Accountable Care Organizations (ACOs) – groups of doctors, hospitals and health care providers that give their time to Medicare voluntarily – will be able to offer coordinated care for patients and by doing so make savings in operating costs, prevent unnecessary treatments from being performed and ensure that patients do not experience a fall in the standard of care provided. It has not all been plain sailing, as some medical institutions refused to join the Center for Medicare & Medicaid Services’ Pioneer ACO program and many who did agree have already pulled out. There are just 19 of the 32 participants still in the program. The Mayo Clinic and Cleveland...

Data of 31K Patients Exposed by Potential HIPAA Breach at Utah Clinic
Sep11

The Central Utah Clinic is the latest healthcare facility to announce it has suffered a potential HIPAA breach after an unknown group or individual was identified as having had unauthorized access to a server. The server was accessed in June, although it cannot be determined whether the intruders viewed any protected health information. No evidence has so far been found to suggest that material was copied from the server or was indeed viewed. The clinic confirmed that only one server was affected and that the clinic’s other hardware remained secure and was unaffected by the security incident. The data breach potentially affects 31,677 patients of the Central Utah Clinic, according to a press release issued by the hospital. The victims are being contacted by mail to advise them of the potential data breach and that the problem has been resolved and the data is now secured. In accordance with HIPAA regulations, the appropriate authorities were advised of the intrusion and alerted to the potential compromise of some protected health information. Data stored on the server included names and addresses of...

Behavioral Health Treatment Requires Change to be HIPAA Compliant
Sep11

Behavioral health disorders are the main cause of disability in the United States. 25% of the population suffers from behavioral health issues at some point in their lives, with conditions such as anxiety disorder more common than highly publicized diseases such as diabetes. Fortunately, excellent training means today’s health care providers are now much better at diagnosing these disorders, and advances in treatment mean behavioral health disorders can be effectively managed. It is essential that sufferers are given access to healthcare and that patients are encouraged to come in for treatment. There are many sufferers who are not yet receiving treatment, while those who have been diagnosed face an inefficient health care system. Addiction and other behavioral health problems can deeply affect communities and cause a great deal of stress to family members who have to deal with individuals and their actions. It is therefore essential that the system is improved to help both communities and individual sufferers; in particular, getting rid of the stigma attached to behavioral health...

Your Name and Medical Condition in the Classified Ads
Sep09

Your medical data, name and contact information could be online and up for sale. Legions of data miners are trawling the internet to unearth patients’ medical data and contact information to sell on to interested parties. Even if you do not have any known diseases, that does not make your health records and contact information safe, as was recently highlighted by 42-year-old IT worker Dan Abate. His contact information was listed for sale alongside an entry stating he had registered an interest in diabetes, indicating he had, or at least suspected he may have, the condition. In reality he has not, and never has, shown “diabetes interest”, yet his name was included in a list sold by Acxiom (ACXM), one of the largest online data brokers operating in the U.S. The data was purchased and resold by Exact Data, and Dan’s name appeared online in the public domain in a sample of the data listed for sale. Medical databases are valuable to a broad range of companies and individuals, from blue chip companies for direct marketing purposes to cybercriminals hoping to exploit their victims. As the volume of...

Fines for Violations Issued for HIPAA Non-Compliance and Data Breaches
Sep03

Following on from high profile data breaches in recent months, in particular the breach of PHI across 209 hospitals operated by CHS, compliance with HIPAA regulations is now high on the agenda, especially considering the steep fines being issued by the OCR. Any data breach involving more than 500 individuals must be reported at both state and national levels, with the report launching an investigation by the OCR. The investigation will assess how the data breach occurred and the measures and safeguards put in place to protect data. Fines are issued for any breaches which have resulted from failures to adhere to HIPAA guidelines. However, data breaches alone are not the only reason for fines being issued. Compliance with HIPAA requires policies to be adopted and procedures to be followed to ensure security risks are effectively dealt with. When an organization is assessed, it is measured against a standard to determine whether there has been willful neglect and whether a violation has occurred. A failure to conduct a thorough risk analysis is a violation of HIPAA regulations. If the risk...

Iron Mountain X-Ray Theft Causes HIPAA Breach
Aug22

The Orthopaedic Specialty Institute Medical Group has recently reported that one of its Business Associates advised it of a theft from its facilities in the Inland Empire, in which thieves managed to obtain 742 boxes of X-ray prints of its patients. The X-rays were being stored by Iron Mountain Record Management and were from old patient files dating back 10-15 years. The medical data exposed is confined to any information shown in the X-ray, such as the body part and medical issue. Patient names, dates of birth and medical record numbers were also printed on the X-ray jackets, although there was no financial information or Social Security numbers present. Under the HIPAA Privacy and Security Rules, a data breach involving Protected Health Information along with personal identifiers that can tie that information to a particular patient must be reported to the Department of Health and Human Services’ Office for Civil Rights. The organization affected must also send out breach notification letters to any individual whose information was exposed in the incident if they perceive there to...

Plaintiffs’ HIPAA Privacy Case Against Advocate Health Dismissed
Aug05

An Illinois circuit court in Kane County has dismissed a class action lawsuit that arose from the massive HIPAA breach affecting the healthcare provider last August. The incident potentially exposed the data of approximately 4 million patients when four unencrypted computers were stolen from its Park Ridge facilities. The class action lawsuit was filed by two plaintiffs who alleged Advocate Health acted with negligence by failing to implement the appropriate safeguards to protect their data. The lawsuit also claimed Advocate Health violated both the Illinois Personal Information Protection Act and the Illinois Consumer Fraud Act, in addition to the incident causing an invasion of privacy. The court ruled in favor of Advocate Health & Hospitals because the case lacked standing. While there was no doubt that the PHI of the patients had been potentially exposed, the plaintiffs were unable to offer enough evidence to confirm that the data had actually been viewed by an unauthorized individual. Without this proof it was not possible to establish whether any harm or damage had actually...

Parkview Health System Receives $800K HIPAA Privacy Rule Fine
Aug04

The financial penalties for violations of HIPAA can be severe, as Indiana-based Parkview Healthcare System recently discovered when it was ordered to pay $800,000 in fines as a settlement for violation of the HIPAA Privacy Rule. The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. The doctor was retiring and was due to receive a delivery of 71 boxes of medical files containing up to 8,000 patient records; however, the delivery was made while he was out of the house and the boxes were left on the doctor’s driveway. The confidential patient records could have been accessed by any number of individuals, as the boxes were left unattended in a “highly trafficked” area for a considerable period of time. The complaint was made against Parkview Health as it was responsible for the paper records and should have taken greater care to protect the confidentiality of its patients. Acting Deputy Director of Health Information Privacy at OCR, Christina Heide, issued a statement regarding the incident and...

Federal Prosecutors Pursue Criminal Charges Against Hospital Worker for HIPAA Violations
Jul15

Under the Health Insurance Portability and Accountability Act of 1996, individuals and covered entities can face criminal charges for violations of the HIPAA Privacy and Security Rules, and federal prosecutors have now taken this somewhat uncommon step following a case of wrongful disclosure of PHI. Prosecutors in Texas filed an indictment in the Tyler District Court against Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas. The case was filed earlier this year but was sealed until July 3. Hippler faces one count of violating HIPAA Rules after he stole medical records from the hospital where he worked. According to a statement provided to Information Security Media Group, and reported on databreachtoday.com, a spokesperson for the Department of Justice said: “We cannot comment on how many patient records, his job, employer or the nature of the violation in detail as this is an ongoing investigation. The violation came to light when Hippler was arrested in Georgia and found to be in possession of patient records.” Although criminal HIPAA...

Record HIPAA Complaints Received about Healthcare Organizations
Jul08

Over the past 12 months the number of reported violations of Health Insurance Portability and Accountability Act (HIPAA) regulations has skyrocketed. The Department of Health and Human Services saw a substantial increase in late 2013, with the upward trend continuing in 2014 according to a recent data analysis. Year on year figures show HIPAA complaints have increased by 45.7%, with 6,701 complaints received up until May. Not all cases have resulted in action being taken against the organization concerned; a relatively low number – 14% – required no action. Of the cases which were investigated, however, 26% called for HHS action to be taken. The rise in HIPAA complaints can be attributed in part to increased public awareness of data security laws. High profile thefts and data breaches have been headline news in recent months and the reporting of compliance issues is being encouraged. The introduction of new legislation and regulatory changes has also played a part, and the widespread use of mobile devices in healthcare creates many...

Security Lapses Could See Majority of Health Practices Fined for HIPAA Non-Compliance
Jul08

Healthcare organizations face considerable data security risks, yet evidence suggests that while the importance of compliance may be understood, too little is being done to secure ePHI. A recent survey has highlighted that many healthcare organizations are not paying attention to the warnings being issued by the government. Physicians Practice conducted its annual Technology Survey and discovered that mobile devices are a particular area of concern, with only 31% of the respondents claiming to have implemented the policies and procedures covering the use of mobile devices in the workplace as demanded by HIPAA regulations. Mobile devices are a major security risk due to the ease of theft or loss, yet many healthcare organizations have not taken steps to ensure mobiles are HIPAA compliant. Mobile devices often contain unencrypted patient data, and personal mobiles are particularly high risk if used to access, transfer or view patient data. The survey revealed that almost 70% of healthcare organizations have so far failed to implement strategies to deal with the security threat...

OCR Tasks Jocelyn Samuels with HIPAA Enforcement
Jul01

A new director has been appointed to take over the helm of the Office for Civil Rights of the Department of Health and Human Services following the departure of its director, Leon Rodriguez. An email was recently sent to all staff at the agency confirming that the position has been accepted by Jocelyn Samuels. According to an OCR spokesperson, “Leon is in the process of planning his departure, and we look forward to Jocelyn joining us here at OCR in the near future.” A date has not yet been announced for when Samuels will take over at the OCR. Rodriguez has served as Director since September 2011 and has played an important role in the development of the OCR audit program. He was also committed to increasing the scope of the audits and policing HIPAA more rigorously. He was confirmed for the position of Director of U.S. Citizenship and Immigration Services at the Department of Homeland Security on June 24, after the Senate agreed to his appointment. Jocelyn Samuels is due to vacate her position as acting assistant attorney general in the civil rights department, where...

PriceWaterhouseCoopers Report on HIPAA Compliance
Jun30

The state of healthcare compliance in the US has been assessed by PriceWaterhouseCoopers, following a survey conducted this summer. A report on the survey findings has now been issued, with the results indicating that compliance is often not being given the importance it requires. Healthcare Chief Compliance Officer roles are often part-time positions, while 43% of respondents claimed they “are responsible for other functions and those other duties and responsibilities generally took precedence over compliance.” There was also a feeling that more could be done to improve compliance and to raise its perception and profile within organizations. Compliance clearly is not at the forefront of the minds of all senior leaders and board members when decisions are made relating to day to day operations or even strategic planning. Since compliance is not a profit making activity, it is essential for CCOs to convince board members of the value to be had from introducing and running a compliance program. One problem raised was the fact that budgetary constraints are hampering compliance efforts. Ten...

OCR Submits HIPAA PHI Breach Reports To Congress
Jun29

In accordance with HITECH, the Health and Human Services Office for Civil Rights has submitted its annual reports to Congress detailing the breaches of unsecured Protected Health Information it was notified of during 2011/2012. The report shows that 98% of victims of PHI data breaches involving over 500 individuals have come from 1% of recorded breaches. The large scale data breaches caused by these security lapses and targeted attacks are affecting millions of Americans. The total count of victims has now risen to 32 million, and the total number of recorded HIPAA data breaches is about to reach the 100 mark. The report highlighted the state of HIPAA compliance and clearly showed that healthcare organizations are failing to take the required actions to protect patient data and keep PHI private and confidential. Over the course of the past 12 months there have been record fines issued for security breaches and violations of HIPAA procedures, and HHS Chief Regional Civil Rights Counsel Jerome Meites has predicted “a huge spike in the fines from violations” over the coming months. In...

Online Thieves Steal 1.3 Million Patient Records
Jun25

The recent security breach at the Montana Department of Public Health and Human Services involving the ePHI of 1.3 million patients may not be the largest data theft to date, but it certainly ranks as one of the largest potential HIPAA security breaches reported so far, and is the biggest data breach caused by hackers at the time of writing. Not only was the data accessible in full to the hackers, but access was possible for almost 12 months before the security breach was identified and access blocked. Officials have determined that the data was first accessed in July 2013, with a second attempt to access the data also occurring on May 22 this year. The identities of the intruders have so far not been established. The data has now been transferred to a new secure server. Without a safeguard in place to alert the network operator to the unauthorized access in real time, the cyberattack allowed the perpetrators to gain full unmonitored access and take their time exploring the data held on the server. In spite of the long window of opportunity, no evidence has been found to...

Study Highlights Mobile Data Security Concerns
Jun24

A recent comparative study conducted on mobile phone users on both sides of the Atlantic has highlighted the differences and similarities in attitudes about the security of mobile phones and the data they contain. The survey, conducted by iReach Insights on behalf of Inhance Technologies, set out to investigate attitudes to mobile phone security and whether there is interest in enhanced product warranties which include coverage of the data contained on mobile devices. The data from the survey showed that in both the UK and the USA, mobile phone users are concerned about the security of the data stored on their phones and in the cloud. While today’s smartphones are expensive, the majority of users rate the data stored on their mobiles as being at least of equal value to the phone itself. Three quarters of U.S. respondents believed the data to be of equal value to the phone, with the figure rising to 80% in the 18-54 age range. Fear of losing a phone has increased, with over a quarter (27%) of U.S. respondents more worried about the loss of their device than 12 months previously,...

L. A. County to Increase Data Encryption as 3.5K More HIPAA Breach Victims are Identified
May28

L.A. County has recently announced that the Sutherland Healthcare HIPAA breach has also affected patients who had previously received Medi-Cal services. This is the second time the number of potential victims has been increased since the February 5th data breach at Sutherland Healthcare’s Torrance facilities was first reported. In March this year, Los Angeles County announced that the theft of 8 computers had resulted in the exposure of the medical records and personal information of 168,500 patients. Less than a month later the number of potential victims doubled, when the forensic investigation determined that the medical records of a further 170,200 patients were stored on the computers. The latest announcement adds a further 3,497 patient records, bringing the total number of potential victims to 342,197 and making it one of the largest HIPAA data breaches to occur this year. The data breach was reported to the Office for Civil Rights of the Department of Health and Human Services, which will be conducting an investigation into the data breach to determine whether it could have been...

Security Metrics Wins State Award for HIPAA Compliance Services
Apr17

SecurityMetrics’ Guided HIPAA Compliance has earned the company a Best of State Award for HIPAA Compliance Services, bringing to two the number of recognition awards collected by the firm this year for its program. The “Best of State” Award is Utah’s most respected recognition and awards program. The awards aim to recognize the efforts made by companies in the state that have shown excellence in their field. Each nomination is assessed by a panel of expert judges who decide on the winners based on the usefulness of the product or service, how it benefits state residents and the level of innovation in its development. SecurityMetrics was nominated in the Business Category for its Guided HIPAA Compliance program, a simplified risk-based approach that can help healthcare organizations improve security and comply with HIPAA regulations. The program is aimed at smaller organizations, which typically find it harder to achieve compliance. The program of pilot compliance audits conducted by the Office for Civil Rights in 2011/2012 showed that smaller healthcare providers struggled...

First Anniversary of the HIPAA Omnibus Rule
Apr16

Just over 12 months ago the HIPAA Omnibus Rule was introduced to plug a number of gaps in the legislation and bring Business Associates more comprehensively under HIPAA Rules. The new Rule also brought financial penalties in line with the HITECH Act. The amendment to HIPAA has been effective for a year now and has been enforceable for 6 months. Not long is left before the Department of Health and Human Services’ Office for Civil Rights (OCR) starts conducting compliance audits again. It is currently preparing the second round of HIPAA compliance audits, in addition to investigating organizations reporting breaches of Protected Health Information (PHI). The anniversary of the introduction of the rule will probably not feel like something worth celebrating for many organizations, especially those that have struggled under the new requirements. For those that have already made the necessary updates to policies and procedures, standards must not be allowed to slip. Now is a good time to take stock and assess compliance before the audits commence. HIPAA Compliance Audits are Coming...

New HHS Tool Released to Assist with HIPAA Risk Assessments
Apr09

Conducting a thorough risk assessment is a requirement under the HIPAA Security Rule; however, it can be a complex process requiring all potential security risks to be identified. The process can be a daunting task for any organization, especially when the risks of non-compliance are so severe. Under the Security Rule, HIPAA-covered entities are required to conduct a risk assessment to determine any potential vulnerabilities and take the appropriate actions to reduce and, as far as is possible, eliminate data security risks. Incorporating the necessary safeguards, software systems and data encryption services is essential under HIPAA regulations in order to keep electronic health records private and confidential. The HHS understands the issues faced by healthcare organizations and has developed a tool to help organizations conduct thorough risk analyses and ensure they are fully HIPAA-compliant. Any organization about to conduct a risk analysis under HIPAA should use the new tool provided by the HHS on its website. The tool takes the user through a series of questions which need to...

Nurses Find a Replacement for Hospital Pagers
Apr08

A survey recently conducted by Spyglass Consulting Group indicates that nurses are violating HIPAA regulations by using personal smartphones in hospitals. The survey indicated that 67% of nurses were taking their iPhones and Android phones to work and using them, even though 89% of hospitals do not permit the devices to be used at work. The Spyglass survey indicates that nurses are not being given a pager alternative, as only 4% of hospitals reported currently having a smartphone system installed for nurses. Furthermore, of the 53% of hospitals that did have a Bring Your Own Device (BYOD) scheme in place, only 11% included nurses in that scheme. The situation does appear to be improving, as more than half of the organizations taking part in the survey claimed to be about to extend coverage to nurses. The use of mobile phones for hospital communications is forbidden, as the devices are insecure and lack the necessary controls to keep confidential data secure. The sending of any PHI via text message is an immediate HIPAA violation, unless the text is sent via a secure...

$2 Million Budget Increase for OCR to Police HIPAA
Mar10

The Fiscal Year 2015 Budget in Brief has been prepared by the Obama administration, and there is some bad news for the Department of Health and Human Services’ Office for Civil Rights. The Privacy and Security Budget for 2015 has been increased to $41 million for the coming year, but this represents an increase of only $2 million year on year. The Office for Civil Rights has many roles: it is required to ensure equal, nondiscriminatory access to HHS services and to make sure they are received; it must ensure health information is properly protected and that patient privacy is protected; and it must also police the HIPAA Rules and conduct compliance audits. Its budget is stretched and has to go a long way, and this year the OCR has a number of costly tasks ahead of it, in particular the upcoming second round of compliance audits. It is going to need every cent of that money. The increase will be welcomed, even though it may not be enough. The money is intended to “support OCR’s centralized case management operations and online complaint system. Further, the budget supports continued HIPAA...

Study Shows Healthcare IT Security is in a Shocking State
Mar04

Two recent studies confirm that the healthcare industry has not invested sufficiently in IT and that the general state of healthcare cybersecurity is dire. There has been a marked rise in reported data breaches in recent years, and while the increase has been attributed in part to increased reporting of security breaches – as required by HIPAA and HITECH – there are two areas of healthcare IT security that must be immediately addressed, certainly if HIPAA violations and penalties are to be avoided. The first is training. Data breaches have many causes, although a substantial percentage result from carelessness. Doctors and nurses unaware of the rules covering the disclosure of PHI are also inadvertently causing HIPAA breaches. Hospital administrators are improperly disposing of paper records and failing to securely delete electronic health records. Physicians are still leaving laptops containing unencrypted PHI in plain sight in unattended vehicles. Tackling these issues will prevent the majority of data breaches reported to the OCR each year. The Future of Healthcare Data Security...

OCR to Commence Round 2 HIPAA Compliance Audits
Feb28

The Office for Civil Rights of the Department of Health and Human Services is a step closer to commencing the second round of HIPAA compliance audits, having issued a notice in the Federal Register announcing its intention to start a series of 1,200 pre-audit surveys. The OCR is authorized to conduct compliance audits under Section 13411 of the HITECH Act and intends to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The notice states that the OCR intends to survey 800 healthcare providers, clearinghouses and health plans, in addition to 400 of their business associates, as part of the next round of compliance audits. Since the introduction of the Omnibus Rule, Business Associates can be held liable for HIPAA non-compliance issues and data breaches, and the OCR wants to ensure that the new legislation is being followed. OCR Deputy Director Susan McAndrew announced at the 2014 HIMSS Annual Conference on February 24 that the aim of the survey is to assess suitability for audit. Since the sample was taken at random, the OCR must first weed out organizations in its...

Pre-Audit HIPAA Compliance Survey Finalized by OCR
Feb25

The Office for Civil Rights has set the wheels in motion for its upcoming HIPAA compliance auditing program by filing an information collection request in the Federal Register; post-Omnibus Rule, the program now includes Business Associates as well as entities previously covered by HIPAA. No schedule for the audits has been announced, nor was an announcement expected. The collection request is just the first step in the process, and the audits are not expected to take place until the fall this year. The request is to allow it to conduct a pre-screening survey which will permit it to contact up to 1,200 covered entities and Business Associates, in part to gain an understanding of each organization’s readiness for audit and also to “assess the size, complexity, and fitness of a respondent for an audit.” The information the OCR plans to collect relates to recent activities in relation to the HIPAA regulations laid down by the Omnibus Rule and the Privacy Rule in particular. It will require information to be provided on the use of electronic patient health records, which are to be the major focus of the...

138 Percent Annual Increase in Reported HIPAA Data Breaches
Feb05

A new data security report released by healthcare IT security company Redspin suggests the number of data breaches reported to the U.S. Department of Health and Human Services has increased by 138% over the course of the past 12 months. The figures are likely to be higher still, as the report only details data breaches reported by HIPAA-covered organizations that affected more than 500 individuals (incidents in which data was compromised but fewer than 500 individuals were affected do not need to be a matter of public record and are therefore not included in the report). Even with the strict reporting requirements under the HIPAA Security Rule, many incidents involving data breaches go unreported, according to industry officials. The total number of people affected by data breaches is currently estimated to be approximately 29.3 million, although it is highly probable that the actual number of victims is far higher. The Director of Privacy and Security at HIMSS calculated the actual number of victims to be in the region of 40 to 45 million back in 2012. Even...

Patients’ Rights to Medical Test Data Improved under HIPAA
Feb03

Access to personal healthcare information empowers patients to take charge of their health and work alongside their care providers. Gaining access to information has now become easier following the issuing of the final rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA). The new change, which was announced today, allows a patient or his or her nominated representative to access the complete laboratory reports following medical testing. Previously, a restriction existed under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule preventing access to the data in certain circumstances. As before, patients will be able to obtain their test results from their doctor, although now they are also able to request the information directly from the laboratory that conducted the tests. The new law ensures patient data is kept private, with strong protections in place to prevent unauthorized access, while ensuring the patient is provided with timely information they can use to improve their health. Three agencies within the HHS are responsible...

Read More
March 1st Deadline for 2013 HIPAA Breach Reports
Feb03

The U.S. Department of Health and Human Services requires all HIPAA-covered entities to submit annual reports of HIPAA breaches, and the deadline for submitting 2013 breaches is fast approaching. While there is a requirement under the Breach Notification Rule for healthcare institutions and their business associates to notify the HHS of any breaches involving more than 500 individuals without delay, smaller breaches affecting fewer than 500 individuals only need to be included in an annual report. HIPAA-covered entities now only have a few weeks to submit the reports, which must be received by the HHS no later than March 1st, 2014. A PHI breach involving fewer than 500 individuals must be reported to the HHS within 60 days of the end of the calendar year during which the breach was discovered. Therefore any data breaches identified during 2013 must now be included in the report to the HHS. In many security breaches it is not immediately clear how many individuals have been affected. If an investigation is still ongoing, the entity in question should provide an estimate of the number...

Windows XP No Longer HIPAA Compliant
Jan15

If your organization has not yet upgraded its IT operating systems and is still using Windows XP on some or all workstations, it has only until April 8, 2014 to migrate to a new OS, as Windows XP will no longer be HIPAA or meaningful use compliant in six weeks. Any organization found to be using the outdated software will be in violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996. Windows XP is now old and out of date; the software was first introduced in 2001. Microsoft has now made the decision to stop issuing patches and security updates for XP, rendering it obsolete. Since software updates are a requirement under the Security Rule, companies will be forced to upgrade computer software. The cost of upgrading computer systems can be considerable, but the financial penalties organizations now face for HIPAA non-compliance are likely to be substantially higher. Since the deadline for upgrading software is just 12 weeks away, it does not give institutions very long to effect the appropriate changes. Healthcare organizations, government...

OCR HIPAA Enforcer to Leave OCR for Pastures New
Jan09

Leon Rodriguez, Director of the Office for Civil Rights and the man charged with enforcing the Health Insurance Portability and Accountability Act, has been nominated by President Obama for the position of Director of United States Citizenship and Immigration Services at the Department of Homeland Security. The position has been vacated by Alejandro N. Mayorkas, who will be taking up a new role as Deputy Secretary at the Department of Health and Human Services. Rodriguez does not yet have the job – his appointment will have to be authorized by the Senate – but he is looking increasingly likely to leave the OCR, where he has served as Director since September 2011. Rodriguez also held the positions of chief of staff and deputy assistant attorney general for civil rights at the Department of Justice prior to taking up the role of enforcer at the OCR. Should Rodriguez depart, it will leave a void at the OCR which will be difficult to fill. Rodriguez has been instrumental in developing the audit protocols and policing HIPAA, and internally there are few suitable candidates for...

HIPAA Update Proposed to Allow National Instant Criminal Background Checks
Jan04

President Obama is stepping up efforts to reduce gun violence; however, some legal barriers remain, and the HIPAA Privacy Rule is currently preventing the reporting of important information to the National Criminal Background Check System. The NCBC allows gun vendors to conduct security checks to find out if a prospective gun owner is legally entitled to own a firearm. While everyone has a right to bear arms, federal law restricts gun ownership, and certain individuals – convicted felons and individuals who have previously been involuntarily committed to a mental health institution, for example – are not permitted to own weapons. The system allows rapid checks to be conducted, and while the database is updated with details of criminal convictions, important health information is often not provided due to the restrictions of the HIPAA Privacy Rule. The system has proved successful so far and has prevented the sale of over 2 million weapons; however, it is only as good as the data it contains, and there appears to be a lack of information relating to mental health, according to...

Healthcare Technology Trends to Keep Track of in 2014
Jan04

Over the past year a host of new technologies has been introduced, and the progress made in healthcare IT systems continues at an extraordinary pace. It is therefore difficult to single out the technologies which promise to have the greatest impact on healthcare over the coming year, although there are a number of key areas which are likely to see substantial advances during 2014 and promise to have a major impact on healthcare providers and patients alike.

A Strong Focus on Data Security

One of the major problems faced by healthcare organizations today is the need to develop computer systems to manage Electronic Health Records (EHRs). Electronic devices make record keeping easier and less labor intensive; however, keeping EHRs secure and restricting access to PHI does present a serious challenge. Patient data can be entered into EMRs from hand-held devices, laptops and PCs, and that data can be quickly and easily accessed, although these devices pose a major security risk. The healthcare industry has been hit by a number of major data breaches over the past 12 months and it is...

Office of Civil Rights Responds to OIG HIPAA Enforcement Criticisms
Dec31

The Office of the Inspector General of the Department of Health and Human Services has recently issued a report stating that the Office for Civil Rights failed to meet all the federal requirements that it was set, and specifically criticized it for not having overseen and enforced the HIPAA Security Rule to the required degree. According to the OIG, there were two key requirements under the Security Rule that the OCR had not met. First, OCR had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. Second, OCR’s Security Rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation. The OIG recommended that immediate action be taken to address these failures, including conducting periodic audits of covered entities to ensure that the amendments to HIPAA due to the HITECH Act are assessed. It...

Massachusetts Dermatology Clinic Settles for $150K over HIPAA Breach
Dec27

The Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts following the accidental disclosure of the data of approximately 2,200 patients after a memory stick was stolen from the car of one of the center’s employees. The stolen thumb drive contained patient data and was not encrypted, meaning anyone in possession of the storage device had full access to the data it contained. The missing thumb drive has so far not been located. Although the HIPAA breach involved a relatively small number of patients, the OCR has fined the dermatology clinic $150,000 for violating HIPAA regulations and failing to ensure the PHI of its patients was properly secured. The OCR has also ordered the clinic to conduct a full risk analysis to identify any remaining privacy and security issues and to develop a risk management plan to deal with any future security breaches. The investigation conducted by the OCR highlighted a number of HIPAA privacy and security problems which should have been identified and...

10 HIPAA Myths Busted by ONC
Oct22

The Office of the National Coordinator for Health Information Technology (ONC) has many roles, although one of the most important is advising healthcare organizations on data privacy and security legislation and on the best practices that should be adopted to comply with regulations and keep patient and other sensitive data secure. At the HIMSS Privacy and Security Forum last month, Joy Pritts, Chief Privacy Officer of the ONC, spoke about the efforts the ONC has made to assist healthcare organizations in achieving compliance and how it has adapted to make it easier to comply. Pritts said, “We were drafting materials that were meant for IT professionals and learned within a year that the content was too technical. We realized that we had to draft materials in plain language that could be distributed in small offices.” The feedback the ONC has gained over recent months suggests that many smaller healthcare organizations are struggling with HIPAA compliance. The problem has been compounded by the number of myths and incorrect assumptions that are circulating within the healthcare...

Bizarre HIPAA Breach Results in Doctor Having Medical License Suspended
Oct20

A psychologist in Washington State has recently had his medical license suspended after his personal laptop, containing unencrypted data on his patients, was stolen. Laptop thefts often result in healthcare data being exposed, although what makes this case peculiar is that the laptop was stolen by a prostitute the doctor had just visited. Having failed to take sufficient cash, the doctor had to visit an ATM and returned to find no laptop or prostitute. The incident occurred on February 4th, but the theft of the laptop was not reported to the police until February 14th. The Department of Health and Human Services was notified of the incident three days after the laptop had been stolen, according to a Statement of Charges by the Washington State Department of Health. A total of 652 patients were reported to have potentially been affected by the breach. However, the psychologist was not truthful with the police and failed to inform them of the facts, and a false report was also made to the HHS. Eventually the police were informed that a prostitute had stolen the laptop and they were...

HIPAA Omnibus Final Rule Improves Patient Rights
Oct06

Healthcare organizations and their business associates are facing fines for non-compliance following the introduction of new regulations which protect the privacy of patients and the security of their data. The Omnibus Final Rule came into effect this year, and covered organizations were required to update procedures and policies and comply with the new regulations by September 23, 2013. The new changes have been criticized by some members of the healthcare community; however, the changes expand patient rights and allow them to have much greater autonomy and make decisions about how and what is communicated to them and the channels that can be used. If a patient is comfortable receiving information via E-mail, they are allowed to continue to use that medium to communicate with their healthcare providers or care team, and information can be sent by healthcare professionals to patients provided that they have been made aware of the risks. If it is explained that the medium is not totally secure and there is a chance that their data could be viewed by other people and they accept the...

Google to Sign BAA to Make its Apps HIPAA Compliant

Many healthcare organizations were unwilling to use Google Apps because under the new HIPAA regulations, Google would be required to sign a Business Associate agreement; something the internet giant has so far failed to do. Google has now agreed to remove this barrier and sign a BAA for the very first time, ensuring its Apps are fully HIPAA-compliant. This is expected to see more healthcare organizations take advantage of the services it offers. The Health Insurance Portability and Accountability Act of 1996 requires healthcare organizations to restrict access to electronic health records and identifiable information. Healthcare organizations are accountable for any data breaches, accidental or deliberate, and the disclosure of individually identifiable health information (IIHI) and protected health information (PHI) to any unauthorized individual. Protected information includes the names and contact details of patients, their health information, financial details relating to services received and medical insurance information. Under HIPAA regulations, if any of this data needs to...

HHS Publishes Guidance on how the HIPAA Privacy Rule Applies to Refill Reminders
Sep30

The Privacy Rule amended the Health Insurance Portability and Accountability Act of 1996 to give individuals greater controls over how their medical data can be used and disclosed to third parties. The Rule now prohibits the disclosure or use of patient PHI for the purposes of marketing. Before health information can be used to market products, services or pharmaceuticals to a patient, a written authorization must be provided stating that the patient opted in for this service. The purpose of the Privacy Rule is to offer patients better protection; however the legislation should not interfere with patients receiving the care they need. Oftentimes, communications must be sent to patients advising them of medical matters, services and even products. While there may be some overlap between marketing and general communications, provisions have been included in the legislation to take these into account. The HHS has now published further clarification on how the Privacy Rule applies to sending refill reminders and other communications which involve the provision of products and services,...

Omnibus Final Rule Now Enforceable
Sep23

The HIPAA Omnibus Rule came into force in March this year, although the OCR gave covered entities a grace period in which to bring their organizations’ policies and procedures up to date with the new regulations. The Omnibus Rule expanded HIPAA to cover Business Associates of covered entities – and their subcontractors – with the 6-month grace period intended to give these newly covered organizations time to become compliant. That grace period expired today and the Omnibus Rule is now enforceable, with the OCR able to issue fines for any non-compliance issues it now discovers. The Omnibus Rule adds a number of security measures to ensure that private medical records are properly protected, including new restrictions on who is able to access those records. Breach Notification Rules have been updated and now presume that any unauthorized access of PHI is a reportable breach, and not just those which pose a significant risk of harm. Potential victims – as well as the OCR – must be notified of the breach within 60 days of its discovery. Any security breach must now be assessed to...

HHS Makes Final Updates to HIPAA Privacy and Security Rules
Sep23

The HIPAA Omnibus Rule becomes enforceable this coming Monday, although the Department of Health and Human Services’ Office for Civil Rights has just announced that there will be an enforcement delay for certain covered entities to give them more time to update their Notices of Privacy Practices. The introduction of the Omnibus Rule requires laboratories covered under HIPAA to update NPPs, although entities certified or exempt under the Clinical Laboratory Improvement Amendments (CLIA) will be given more time to update their NPPs, in addition to those organizations which have been relieved from the HIPAA Privacy Rule requirement to provide patients with access to their laboratory test results. The delay will not apply to laboratories which are part of larger healthcare organizations that do not have their own laboratory-specific NPPs. The delay was deemed necessary due to the requirement to update NPPs as part of both the Omnibus Rule and CLIA, because of the proximity of the two rules. The Omnibus Ruling comes into force today, September 23, and CLIA, which amends § 164.524 of the...

Results of 2013 Medical Identity Theft Survey Released
Sep23

The Ponemon Institute has published the results of its 2013 Survey on Medical Identity Theft. The survey, sponsored by the Medical Identity Fraud Alliance (MIFA), aims to discover the extent of medical identity theft in the U.S. and its impact on the healthcare industry and consumers. The annual survey can be used as an indicator of the prevalence of medical identity theft in the United States and also to identify trends and gauge how effective HIPAA regulations have been. Medical identity theft is a growing problem which has grave implications for both healthcare organizations and consumers. Data breaches carry heavy penalties for healthcare organizations if appropriate measures to protect the electronic health records of both employees and patients have not been employed. Analysis of the survey data suggests up to 1.84 million U.S. citizens have now become victims of medical identity theft and have had to cover $12 billion in costs and expenses as a result of the theft or inappropriate use of their medical data. The problem is not limited to finances, as medical identity theft can...

Business Associates Responsible for 22 Percent of HIPAA Violations
Sep16

The introduction of the Omnibus Rule extended HIPAA’s reach to include business associates of HIPAA-covered entities and requires them to adhere to the same set of standards as the healthcare organizations with which they do business. Business Associates are classed as any organization or individual that is required to handle, view or come into contact with Protected Health Information. This means the providers of hosting or data storage services will now be covered under HIPAA and will be required to sign a business associate agreement that stipulates they will abide by HIPAA regulations. They will also be subject to financial penalties if the Department of Health and Human Services discovers any non-compliance issues. The new rule was introduced to ensure patient health data is protected, and in the case of business associates the change in legislation is long overdue. BAs are responsible for the exposure of a considerable amount of patient data and, since HIPAA was passed, BAs have been implicated in 22% of all security breaches according to an analysis of HHS breach reports conducted by...

How the HIPAA Omnibus Final Rule Applies to E-mail Communication with Patients
Sep06

The Omnibus Final Rule was introduced at the start of the year, and covered organizations – which now include business associates and their subcontractors – need to update procedures and policies to comply with the new regulations if they have not already done so. The deadline for compliance with the new rule is September 23, 2013, and any covered entity found not to have implemented the required changes after this date could incur a financial penalty of up to $1.5 million. The new changes have been criticized by some members of the healthcare community; however, the changes are necessary in order to improve the rights of patients to access their medical data. The Omnibus Rule now allows them to have much greater autonomy and make decisions about how their medical information is communicated to them. If a patient is comfortable receiving information via E-mail, this has previously presented a problem for healthcare companies. E-mails can be intercepted, the emails are often stored on unsecured servers – where they can remain indefinitely – and there is no guarantee that the...

53 Percent of Physicians Use a Smartphone, Tablet and Computer at Work
Aug14

Doctors are clearly embracing new technology, if the results of a recent survey are representative of the nation as a whole. Epocrates, a mobile reference material vendor, has recently conducted a survey of 1,063 mid-level practitioners and physicians, asking them about the use of mobile devices in the workplace. The survey results show a marked increase in the usage of all mobile devices, with a particularly telling statistic being the percentage of doctors who are using all three types of device categorized in the study: smartphones, tablets and desktops/laptops. These “digital omnivores”, as they are referred to in the study, have increased from 28% in 2012 to 53% this year. As more healthcare providers implement BYOD schemes, or provide the devices to healthcare professionals, the number of digital omnivores in healthcare is expected to increase, and significantly so according to Epocrates researchers. They predict the number will grow to 82% over the course of the coming year.

Oncologists Most Likely to Use Smartphones, Tablets and Desktops at Work

Oncologists were the most...

Wellpoint Agrees to $1.7 Million Settlement for HIPAA Violations
Jul10

Wellpoint is one of the largest providers of Affiliated Health Plans, with almost 36 million policy holders across the United States. Between October 23, 2009 and March 7, 2010, part of its database of policy holders was accessible to unauthorized individuals. The security breach was brought to the attention of Wellpoint in March 2010 when a lawsuit was filed in California by an applicant who discovered it was possible to access the electronic Protected Health Information of Wellpoint policy holders. Wellpoint took rapid action to restrict access and began an investigation into the data security breach. It determined that the personal health data was accessible to unauthorized third parties, although the exposure was limited to 31,700 individuals. Names, addresses and contact details were accessible along with health information and Social Security numbers. HIPAA demands that breach notifications are sent to all those affected by a security breach to enable them to take action to mitigate any damage caused. The company complied with these regulations and sent notifications informing all those...

Programming Error Responsible for Major Indiana HIPAA Breach
Jul03

A business associate of an Indiana healthcare organization has caused one of the largest HIPAA data breaches to date. The security breach has exposed the ePHI of 187,533 patients of the Indiana Family and Social Services Administration. Not only is this one of the largest data breaches to occur this year, it involves the disclosure of incredibly detailed personal, medical and financial information. Following an investigation into the incident, the Indiana Family and Social Services Administration was able to determine that 3,926 patient Social Security numbers had been disclosed, and the patients affected have been notified separately. In addition to names, addresses and other contact information, the records included demographic data, the benefits that clients received, total monthly benefit totals, monthly income and expenses, employment details, bank balances and details of other assets owned. Medical conditions were listed along with health insurance providers and some data relating to members of the patient’s household.

Programming Error Responsible for PHI Disclosure

The data...

Stanford University Suffers 5th Large HIPAA Security Breach
Jun13

Stanford University has now suffered its 5th large data breach in four years following the theft of a laptop from the Lucile Packard Children’s Hospital. The latest breach may not be the largest to date – or even the largest to affect the University – but it could potentially see the University having to pay a large settlement to the OCR for failing to secure its patients’ PHI. The latest security breach involved close to 13,000 patients, with the data that was exposed containing personal identifiers including patients’ names and contact information. The data stored on the stolen laptop also included medical diagnoses, medical record numbers, surgical procedures performed and the names of the treating physicians. No Social Security numbers were present in the data set, although the hospital is still required to notify each of the 13,000 patients affected. Victims of data breaches must be alerted to the possibility that their PHI may be used, to enable them to take action to mitigate any damage or losses caused. The laptop was stolen from a private area of the hospital...

Healthcare BYOD Schemes Here to Stay Says Ovum
Jun06

IT research firm Ovum has released details of a study conducted on full-time IT workers’ participation in Bring Your Own Device (BYOD) schemes, and for the second year running participation has remained steady at around 60%. Healthcare professionals are using smartphones and mobile devices at home, and they are the preferred mode of communication for many physicians. They offer speed, convenience, practicality and familiarity, as well as allowing the user to be in touch around the clock. However, being made to leave the devices at home or in lockers when coming to work, and instead being forced to use outdated modes of communication – such as pagers – is not something that all workers agree with. Many ignore company policies and bring their own devices to work anyway, even when BYOD schemes are not in place. The study showed that 15.4% of employees who owned their own smartphone took it to work and used it and did not report use of the device to their IT department, while 20.4% said their employers were anti-BYOD yet they still took their devices to work and used them. If a...

Using Windows XP will be a HIPAA Violation
May16

Microsoft Windows XP was one of the most liked and most used software platforms released by the software giant. The platform became the standard operating system in use around the world, and it was installed on the majority of PCs and laptops in the healthcare industry. Microsoft sold millions of copies of its software, yet when Vista and subsequent products were released, many healthcare organizations did not upgrade. Programs had been written to be compatible with Windows XP, issues would arise with hardware, and the sheer cost of upgrading software and buying new licenses for all laptops and PCs in use in an organization was deemed by many to be a cost to be put off indefinitely. Unfortunately the time has now come when the decision to upgrade computer operating systems can be put off no longer, as Microsoft is finally pulling the plug on Windows XP. It will stop writing software patches and issuing security updates in less than 12 months. Microsoft stopped selling Windows XP five years ago and it has been allowed to fade away; however, while Microsoft is willing to let that...

Hearing Clarifies Rules on Disclosure of PHI under HIPAA
May16

One of the main aims of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – and its five subsequent rule amendments – was to create a national standard to protect medical records and other Personal Health Information and keep the data private and confidential. The HIPAA Privacy Rule, one of the five amendments to the original legislation, was introduced specifically to address electronic PHI and ensure that healthcare organizations implemented the necessary technical, administrative and physical safeguards to maintain data security. All entities covered by HIPAA were required to comply with this rule by 2003, and since the rule came into effect, the OCR has been policing healthcare organizations and ensuring that the new rules are adhered to. The Privacy Rule defines and limits the circumstances under which an individual’s protected health information may be used or disclosed by covered entities. Although the rules introduced have tried to simplify HIPAA policies and help healthcare organizations to put them into action, there are circumstances under...

Lawsuit Alleges IRS Violated HIPAA with Seizure of 60M Patient Medical Records
May15

A class action lawsuit alleges the IRS violated HIPAA regulations when agents seized 60 million private and confidential health records relating to 10 million American individuals. The case is being filed by a healthcare provider – that wishes to remain anonymous – against the IRS and fifteen of its agents, who were not named. The complainant alleges the IRS breached HIPAA regulations and illegally seized 60 million personal medical records when the warrant allowed access only to the financial data of one individual. The incident occurred on March 11, 2011, when the IRS obtained a search warrant to access specific records relating to one individual who had previously worked for the company filing the suit. The IRS agents allegedly seized the data, which included financial and medical records, and made no attempt to abide by HIPAA regulations and take only the data relating to their investigation. Unrelated medical records of 10 million patients were included with the record they wanted to access. The data contains highly sensitive medical information such as...

Hospital X-Ray Scam Provides Thieves with PHI of 17K Patients
May08

When the Raleigh Orthopedic Clinic arranged for its X-ray films to be modernized and transferred to digital media, the healthcare organization naturally sought external assistance. A third-party vendor was located that could offer the service, and the X-ray films were sent for conversion. The contract was arranged in January of this year and the films were dispatched; however, when the clinic failed to receive the electronic copies of the data, suspicions were aroused. An investigation was conducted into the matter in the first week of March and it was determined that the clinic had been the victim of a scam. In contrast to other security breaches where thieves deliberately set out to steal ePHI to commit fraud, in this case the thieves wanted the X-ray film for the silver it contained. Raleigh Ortho discovered that its X-rays had been sold on to a recycling company based in Ohio which offers a service to recycle X-ray films. It is understood that the unspecified company used by the hospital obtained the X-rays fraudulently with a view to selling the silver. X-ray films contain...

HIPAA Omnibus Rule Places Further Restrictions on Marketing
May05

HIPAA Omnibus Rule Places Further Restrictions on Marketing

The introduction of the Omnibus Final Rule, also known as the HIPAA Mega Rule because of the extent to which it alters the existing legislation, tightens up many loose ends left by the HIPAA Privacy Rule with regard to marketing. The use of Protected Health Information (PHI) for marketing purposes was already restricted by the Privacy Rule, which required patients to provide written authorization before their health information could be used for marketing. Further restrictions were placed on the use of PHI by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, which ended marketing practices that could previously be carried out without prior consent. The Omnibus Final Rule, published in January this year, completes the changes concerning marketing, and all covered entities and their business associates are required to comply by September 23, 2013, the date from which the Final Rule will be enforced. Marketing has long been a target for the...

HIPAA Violations Result in Jail Time for New York Identity Thief
Apr11

A New York identity thief who stole the medical data of approximately 1,000 patients and committed $10.7 million in Medicare fraud has been convicted of HIPAA violations by a New York federal court and sentenced to 12 years in a federal penitentiary. Over a four-year period, Helene Michel, the owner of Hicksville, NY-based Medical Solutions Management Inc. (MSM), impersonated a doctor, using the name Dr. Elene Allonce, as well as nurses, wound care specialists and other healthcare professionals, in order to obtain patients' Social Security numbers and medical information and submit fraudulent medical claims that funded her extravagant lifestyle. Between April 2003 and March 2007 Michel gained access to nursing facilities in Nassau, Suffolk, Queens, Kings and Dutchess Counties, where she obtained the information needed to submit bogus Medicare claims for services supposedly provided by her company. The proceeds of her crimes were used to purchase a $2.2 million home in Old Brookville and to set up a personal pension plan as well as an investment brokerage...

HIPAA Omnibus Rule Comes into Force
Mar31

The HIPAA Omnibus Rule was published on January 25, 2013 by the Department of Health and Human Services (HHS) as an amendment to the Health Insurance Portability and Accountability Act (HIPAA). The new rule came into force on March 26, 2013 and modifies the existing HIPAA regulations to provide greater protection of patient data, extending the reach of HIPAA and bringing its regulations into line with the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Omnibus Rule contains many amendments, but it makes four principal changes to the HIPAA Privacy, Security and Enforcement regulations:
- Liability for HIPAA compliance is extended to business associates and their subcontractors.
- The sale of PHI is prohibited without authorization, and the use of PHI for marketing and fundraising is further restricted (marketing communications paid for by a third party now require the patient's authorization, and fundraising communications must offer an opt-out).
- Patients gain greater rights of access to their electronic medical and health data, and may restrict the disclosure of information to a health plan when they have paid for the treatment in full out of pocket.
- Notices of...

Triple S Salud Hit with Record $6.8 Million Fine for HIPAA Breach
Feb19

Violations of the Health Insurance Portability and Accountability Act (HIPAA) can carry heavy financial penalties, and the U.S. Department of Health and Human Services' Office for Civil Rights has already issued fines of up to $1.9 million for security breaches and HIPAA non-compliance. However, Puerto Rican insurer Triple S Salud revealed yesterday that it has been hit with a record $6.8 million fine for breaching HIPAA regulations and exposing the data of thousands of beneficiaries of its Dual Eligible Medicare plan. Triple S disclosed the penalty in an 8-K filing after the Puerto Rico Health Insurance Administration notified it earlier this month of its intention to impose a financial penalty for the HIPAA violation. Additional sanctions require the insurer to notify all individuals potentially affected by the breach, advise them of their right to leave the program, and suspend new enrollments to the Dual Eligible Medicare plan. HIPAA violations investigated by the OCR have resulted...

HIPAA Compliance: A Model for all Businesses
Feb01

The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to set minimum standards for healthcare insurance, and the legislation also covers the secure storage of patients' electronic healthcare data. All HIPAA-covered entities, and their business associates, must take appropriate measures to ensure that patients' Protected Health Information cannot be accessed by unauthorized individuals. To be HIPAA compliant, a healthcare organization must introduce a number of policies and procedures: all systems and servers must be assessed for security risks, data must be stored securely and backed up, and a disaster recovery plan must be documented so that data which is lost, corrupted or stolen can be recovered. A contingency plan must be devised and a set of documents created to demonstrate that the HIPAA requirements have been addressed. The documentation must cover the backup of data and include a detailed disaster recovery plan, and there must also be documented procedures for operating in...

Data Encryption Advisable but not Mandatory Under HIPAA
Feb01

Healthcare organizations must take steps to prevent confidential patient health data from being viewed, accessed or used by unauthorized individuals, but the current HIPAA regulations do not require healthcare organizations, or their business associates, to encrypt PHI. According to the Director of the Office for Civil Rights, Leon Rodriguez, it is nevertheless strongly advisable. Since the introduction of the HITECH Act in 2009, the HIPAA Breach Notification Rule has required healthcare organizations to report the loss of any laptop or mobile device containing patient data as a HIPAA breach; however, the loss is not reportable if the data on the device was encrypted in accordance with the guidance issued by the National Institute of Standards and Technology and the decryption key was not compromised along with the device, because such data is not considered unsecured PHI. According to Rodriguez, in every case of laptop or computer theft reported to date, the financial penalties would have been avoided if the data on the lost or stolen device had been encrypted. Following a data breach, HIPAA-covered entities are required to notify all individuals affected by the...

HIPAA Omnibus Rule Final Release Issued
Jan25

The HIPAA Omnibus Rule (Health Insurance Portability and Accountability Act of 1996 Omnibus Rule) was first drafted in July 2010; however, the final release was delayed until this month to address concerns raised by stakeholders about the latest HIPAA amendment. The final rule had been held by the Office of Management and Budget since March last year but has now been issued. All HIPAA-covered entities, and their business associates, must read the new rule, review their existing policies and procedures, and make the changes the amendments require. Covered entities have 180 days from the rule's effective date to make those changes, and compliance will be required from September 23, 2013. The new rule brings HIPAA into line with HITECH and was issued by the U.S. Department of Health and Human Services' Office for Civil Rights to cover the use of Health Information Technology (HIT) and ensure that patient health information is properly protected. The final rule represents a major change to the legislation and is the most extensive...

Penalties for Data Breaches Increased Under HIPAA Omnibus Rule
Jan23

Financial penalties for healthcare organizations found in violation of HIPAA regulations are to be increased substantially under the HIPAA Omnibus Rule, and will also apply to business associates and their subcontractors. The original fine structure was established by the American Recovery and Reinvestment Act of 2009 (ARRA), and no further increases had been made in the four years since. The new tiered financial penalties, introduced in line with the Health Information Technology for Economic and Clinical Health Act (HITECH), increase the maximum penalty for each non-compliance offense as well as the maximum penalty for repeated violations. A single violation still carries a maximum penalty of $50,000, but repeated violations of the same provision can now attract penalties of up to $1.5 million per calendar year, and that maximum now applies to every category of HIPAA violation. While willful neglect carries a $50,000 penalty for each violation, a lack of knowledge of HIPAA and its subsequent amendments is not a...

Omnicell HIPAA Breach More Extensive than First Feared
Jan03

On December 21 the University of Michigan Health System (UMHS) announced that the theft of an electronic device from an Omnicell employee's car had caused a HIPAA breach affecting 4,000 patients at three of its hospitals. Omnicell has now revealed that the breach also affected approximately 56,000 patients of Sentara Healthcare, and that the records of 8,500 patients of South Jersey Healthcare were also stored on the stolen device. The Sentara Healthcare data related to patients who had visited one of its outpatient clinics or hospitals; it has now been confirmed that the data is limited to patients of Sentara CarePlex, Sentara Leigh Hospital, Sentara Norfolk General Hospital, Sentara Obici Hospital, Sentara Princess Anne Hospital, Sentara Virginia Beach General Hospital, Sentara Williamsburg Regional Medical Center, Sentara BelleHarbour, Sentara Independence and Sentara Port Warwick. The records on the device related to visits between October 18 and November 9, 2012. Sentara Healthcare has issued breach notifications to all affected patients, advising them that their clinical and...

Massachusetts Healthcare Provider to pay $1.5M HIPAA Settlement to HHS
Dec17

The theft of a laptop computer from a healthcare center belonging to Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) has resulted in a $1.5 million settlement with the HHS Office for Civil Rights for HIPAA violations. The U.S. Department of Health and Human Services enforces compliance with the Health Insurance Portability and Accountability Act, and MEEI was deemed to have violated the Security Rule by failing to take adequate precautions to protect the health information of its patients and research subjects. The laptop held unencrypted data that could be read by anyone in possession of the device, including patient prescription details, clinical information and other protected data that could be used to commit medical and identity fraud. Under the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule, HHS must be notified of security breaches that expose patients' PHI, and MEEI's notification is what triggered the OCR investigation....

Pediatricians Risking HIPAA Violations Sending SMS Messages
Oct25

The pager has served doctors and medical professionals well since the 1940s, and an estimated 90% of hospitals still use the devices for communication between members of the care team. However, according to a recent survey conducted by the University of Kansas School of Medicine in Wichita, an increasing number of medical professionals are turning to smartphones to communicate, and the data suggests that text messaging is about to take over as the primary mode of communication in U.S. hospitals. Smartphones allow doctors to communicate quickly with other members of the healthcare team, but while modern mobile devices offer convenience, the use of SMS in hospitals could result in HIPAA Privacy and Security Rule violations. SMS messages are not encrypted end to end: they pass through and are stored on carrier systems, remain in plain text on the sending and receiving handsets, and offer no way to confirm that the person reading the message is the intended recipient, so any PHI sent by text could potentially be read by any number of people. Uptake of smartphones in healthcare has been slow because of the cost of purchasing the units and making them secure. However, since most medical professionals already have a personal phone, Bring Your Own Device (BYOD)...

HIPAA Audit Protocol Published by Office for Civil Rights
Jul24

The introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 updated HIPAA and required the Department of Health & Human Services' Office for Civil Rights (OCR) to conduct a program of compliance audits to ensure the new rules had been applied. Following a series of 20 preliminary pilot audits, the OCR has devised an audit protocol that will be used to assess compliance at a total of 115 HIPAA-covered entities, with the audits concluding in December 2012. Since any covered entity can be audited, not just large healthcare providers, all organizations should check their procedures and revise them as appropriate to take the Security Rule requirements into account. The OCR has now published the long-awaited details of the audit program on its website, setting out the specific aspects of the HIPAA Privacy Rule, Security Rule and Breach Notification Rule that will be assessed.

OCR Pilot Audit Protocol 2012

There are three main aspects of the legislation which are being specifically tested under the audit...

Alaska DHSS Reaches $1.7M Settlement with OCR for HIPAA Security Rule Violations
Jun26

The theft of a portable hard drive from an employee of the Alaska Department of Health and Social Services (DHSS) potentially exposed the ePHI of an estimated 2,000 individuals. Following an investigation by the HHS Office for Civil Rights (OCR), a settlement has been reached under which the DHSS must pay HHS $1.7 million for HIPAA Security Rule violations. OCR was alerted to the breach when the Alaska DHSS reported the hard drive theft. Under the Health Information Technology for Economic and Clinical Health (HITECH) regulations, all HIPAA-covered entities must report data breaches affecting more than 500 individuals to the HHS Secretary, Kathleen Sebelius, within 60 days of discovery (smaller breaches need only be reported annually), a media notice must be issued to alert potential victims, and the Breach Notification Rule requires every affected individual to be contacted and told of the breach so that they can take action to protect their identities and finances. The investigation unearthed a number of non-compliance...

Office for Civil Rights Releases HIPAA Audit Results
Jun14

The introduction of the Security Rule has warranted a round of compliance audits by the Department of Health and Human Services' Office for Civil Rights, and the results of the first round of preliminary audits, conducted in March this year, have now been announced. The OCR conducted 20 audits to assess organizations' compliance with the HIPAA regulations, in particular the Privacy and Security Rules. Although only a small number of audits were conducted, the results have given the OCR important insights into the general state of compliance in the healthcare industry, and some of the key findings were announced at the recent OCR and National Institute of Standards and Technology conference.

OCR Compliance Audit Findings (March 2012)

The results of the audits indicate that while large organizations have by and large made the appropriate updates to their data privacy and security policies, there is a gap between the government's high expectations for data privacy and security compliance and what the OCR has observed in practice. Healthcare organizations...

Attorney General's Office Confirms HIPAA Settlement Reached with South Shore Hospital
May27

The Office of the Massachusetts Attorney General has announced that a settlement has been reached with South Shore Hospital. The healthcare provider will pay $750,000 for violations of the state Consumer Protection Act (Massachusetts General Law Chapter 93A) and of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement covers the exposure of Protected Health Information and the failure to securely erase ePHI. The violation occurred when backup tapes containing unencrypted ePHI were shipped in three boxes to a data archiving company to be erased and resold, without that company being informed of the contents of the tapes; two of the boxes were subsequently lost and have not been recovered. The Attorney General's investigation revealed that the hospital had made a number of errors: it had failed to obtain a signed business associate agreement and had not determined whether the data company it chose complied with HIPAA regulations. The passing of the Health...

Santa Rosa Memorial Hospital Sued Over HIPAA Breach
Apr09

A class-action lawsuit has been filed in the Sonoma County Superior Court on behalf of two California residents affected by a data breach at six hospitals in the St. Joseph Health System in California. The breach exposed the records of 31,800 patients across the state. The lawsuit names two patients of Santa Rosa Memorial Hospital, where 6,235 individuals were affected; the breach also exposed the records of 4,263 patients of Queen of the Valley Hospital in Napa and of patients at four other hospitals. The suit is brought on behalf of all 31,800 affected patients and seeks damages of $1,000 per patient. The breach was discovered on January 24, when a patient, Deanna DeBaek, ran a Google search and found that her healthcare information, relating to treatment she had received through the St. Joseph hospital system in 2011, had been indexed by the search engine. The lawsuit alleges that the St. Joseph Health System acted negligently and unlawfully released medical information...

OCR Warns of the Impact of HIPAA Changes on Electronic Health Records
Mar30

The Department of Health and Human Services' Office for Civil Rights is preparing for the largest update of the HIPAA regulations since HIPAA's introduction in 1996. The changes are expected to have a major impact on electronic health records, how they are stored and who is allowed to access them. HHS has now sent its "Omnibus" Final Rule to the Office of Management and Budget for review, which should be completed over the next three months. Once the review is complete the rule will be officially released and healthcare organizations will see the full extent of what has been referred to as the "HIPAA Mega Rule" because of the substantial changes it introduces. At this week's 20th National HIPAA Summit in Washington, D.C., Susan McAndrew, Deputy Director for Health Information Privacy at OCR, called the update "one big mother of a final regulation" and indicated that extensive regulatory changes are on the way. Once the new rule comes into force, the OCR is expected to police compliance more rigorously. According to OCR Director, Leon...

Blue Cross HIPAA Violation Costs $18.5 Million
Mar16

A $1.5 million fine from the Office for Civil Rights is far from insubstantial; however, the total cost of correcting HIPAA issues and addressing all of the security problems identified can be considerably higher than the fine itself, as Blue Cross Blue Shield of Tennessee recently discovered. The insurer was the first to be penalized in an enforcement action arising from a breach reported under the HITECH Breach Notification Rule, and received the maximum penalty of $1.5 million for the colossal 2009 data breach that exposed the Protected Health Information of over a million of its policy holders. The breach occurred when 57 hard drives were stolen from its facilities, in one of the largest HIPAA data breaches reported to date. The fine was issued for breaches of the Privacy and Security Rules, but it formed only a small part of the total bill the insurer faced for addressing all of the issues identified by the OCR during its investigation. The cost of bringing the company's procedures, policies, hardware and software into line with HIPAA and the Privacy and Security Rules has been...

Blue Cross Blue Shield to Pay HHS $1.5M for HIPAA Breach
Mar13

The Office for Civil Rights has taken its first enforcement action stemming from the HITECH Breach Notification Rule, penalizing Blue Cross Blue Shield of Tennessee (BCBST) for violating the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (1996). BCBST has negotiated a settlement with HHS and will pay $1.5 million for the potential HIPAA violations behind the security breach. The data breach was one of the largest ever reported, involving the PHI of over 1 million individuals, and exposed Social Security numbers, dates of birth, health plan numbers, contact information and medical diagnosis codes. The data was stored on 57 unencrypted hard drives that were stolen from its facilities in Tennessee. Under the HIPAA Security Rule, healthcare organizations must ensure that appropriate physical, technical and administrative safeguards are in place to protect patients' ePHI, and when the OCR conducted its investigation it determined that BCBST had not taken sufficient precautions to protect...

Audax Launches First HIPAA-Compliant Social Network
Jan05

A new social network, Careverge, has been launched today which allows users to share highly personal information about their health and fitness while remaining anonymous. Accounts are created under pseudonyms, allowing personal information to be shared without revealing the user's identity. Grant Verstandig, CEO of Audax, claims: "Careverge is the first social network to receive HIPAA compliance, indicating a high level of security for users' personal health data." According to the company, personal identifiers are not provided to any other member or third party on the network. The idea behind the scheme is to develop an online community in which members interact with and motivate each other to achieve health and fitness goals; goals can be set online and progress towards them tracked. Audax Health is the company behind the new network. The startup was financed by investors who raised $16 million to develop and launch the project, with former Apple CEO John Sculley, TIAA-CREF CEO Roger Ferguson and former Aetna CEO Jack Rowe among the...

Dramatic Rise in HIPAA Compliance Issues in 2011
Jan03

A recent HIPAA compliance survey conducted by the Ponemon Institute paints a worrying picture of the state of healthcare compliance. Data breaches have risen sharply over the past 12 months and data security issues continue to plague healthcare organizations, with the problem appearing to get worse rather than better. The survey found that data breaches had increased by 32% over the past 12 months, while 92% of the healthcare institutions surveyed reported at least one security breach over the previous two years. Many of these breaches involve just a handful of records, but some have caused major exposures of Protected Health Information affecting millions of Americans. The Department of Health and Human Services is now cracking down on non-compliance and is already planning a new series of audits to ensure that healthcare providers, health plans and other covered entities are following the HIPAA regulations. The Joint Commission on Accreditation of Healthcare Organizations has also stepped in and is helping to tackle...

Doctor to Plead Guilty to HIPAA Privacy Violation
Dec01

A former physician at Fletcher Allen Health Care in Burlington, Vermont, is due to appear before a federal judge, where he is expected to plead guilty to violating patient privacy by using his position and access rights to view the medical information of a patient he was not treating. The incident occurred in September 2008, when the doctor, named as Joshua A. Welch, allegedly accessed the records of a female patient with whom he was having a "personal relationship", until the woman discovered that he had accessed her medical records. She filed a complaint with the hospital, an investigation was launched, and the case was referred to the State Medical Board. It was discovered that she was not the only woman whose records the doctor had looked up: the healthcare provider found that Welch had accessed the medical records of eight separate women without authorization and with no work-related reason for doing so. According to a statement issued by FAHC, "The board's investigation determined, and respondent admitted, that respondent over the course of two years accessed...

HIPAA Sees Meritus Medical Center Stop Media Announcements
Sep24

Meritus Medical Center is one of a number of hospitals that have stopped giving the media information about patients' conditions; the hospital announced on September 22 that this courtesy would end. The Health Insurance Portability and Accountability Act places restrictions on the disclosure of Protected Health Information to third parties, including the media. Until a few years ago, reporters could call a healthcare provider to enquire about a patient's health status, and if they asked about a patient by name, hospital staff would give general information about that patient's condition. The information disclosed was restricted to a one-word status, so reporters would be told, for instance, that a patient was in good, fair, stable or critical condition. Under the HIPAA rules this general condition information may still be disclosed to the media unless the patient has objected; however, a hospital or healthcare provider is not obliged to give out any information, except when it is in the public health interest to do so or when law enforcement officers require it to assist with an investigation....

Texas Expands HIPAA Privacy Laws to Bolster EHR Security
Aug04

Texas Governor Rick Perry has signed a new law that gives Texas residents greater protection than the Health Insurance Portability and Accountability Act requires and increases the penalties for healthcare organizations that fail to implement appropriate security measures to protect patients' health data. Under the Health Information Technology for Economic and Clinical Health Act (HITECH), covered entities have a number of responsibilities, including reporting data breaches to the Office for Civil Rights (OCR): breaches affecting 500 or more individuals must be reported within 60 days of discovery, while smaller breaches may be reported in an annual summary. HIPAA places a number of restrictions on how ePHI is used and stored, and all covered entities are required to conduct a full risk analysis to identify vulnerabilities in their systems so that the risks can be managed. It also lays down the procedures that must be followed after a data breach, such as notifying potential victims. Covered organizations are also required to conduct an investigation into how a...

Cignet Fined $4.3M for HIPAA Privacy Rule Violation
Feb23

Cignet Health of Prince George's County, Maryland, has been ordered to pay a $4.3 million civil money penalty after it was found that two hospitals run by Cignet Health had violated the HIPAA Privacy Rule on 41 separate occasions by refusing to provide patients with copies of their own medical records. The Privacy Rule violations took place between September 2008 and October 2009. Under the Privacy Rule patients are entitled to request a copy of their records and healthcare providers must supply it; requests must be dealt with within 30 days, or up to 60 days in limited circumstances, and while a provider may not refuse access, it may charge a reasonable, cost-based fee to cover the cost of copying the records. Cignet did not provide the records to any of those patients. When the patients were refused access, a number of them filed complaints with the Office for Civil Rights, the Department of Health and Human Services' HIPAA enforcer. The OCR investigates potential HIPAA violations, and if it strongly suspects that violations have occurred, the organization in question can be subjected to a full compliance...

Newark Beth Israel Medical Center Suffers Second HIPAA Breach
Dec13

A second data breach has occurred involving Newark Beth Israel Medical Center, with the latest incident potentially exposing the healthcare data of 1,744 patients; earlier this year the hospital learned of a breach affecting 956 of its patients. The latest breach also involved a business associate of the Saint Barnabas Health System, in this instance Professional Transcription Company, Inc. (PTC). According to a breach notification published on the hospital's website, the breach is understood to have occurred on or around New Year's Day, 2010. PTC is contracted to transcribe dictated physician reports and therefore requires access to certain Protected Health Information; however, the company inadvertently posted some clinical reports containing PHI on a website where they could have been accessed by unauthorized individuals. The reports contained patients' full names, dates of birth, medical record numbers, hospital account numbers, physicians' names, diagnoses, treatments received and...

HIPAA Reportedly Stopping Drunk Driver Convictions
Oct04

According to data collected and analyzed from a California healthcare provider, DUI convictions for drivers injured in road traffic accidents are relatively low, at just 59%. In these cases the drivers were over the legal alcohol limit and were in a hospital where blood tests were performed – the most reliable way to determine blood alcohol content – and yet 41% escaped without a conviction. The study was performed by Dr. James F. Holmes of Sacramento’s UC Davis School of Medicine. Data was collected from 241 cases where drivers had been tested in the hospital and were found to have blood alcohol levels in excess of 80 mm/dl, the legal limit for driving in California. The data suggested that the more severe the injury, the less likely it was that the driver would be convicted of driving under the influence, as was the case with individuals found to have alcohol levels under 200mm/dl in their blood. In spite of the police supposedly being able to easily identify drivers that had drunk too much, the study showed that their observations were not as accurate as...

Connecticut Attorney General First to Take Action for HIPAA Violations
Jul07

The Connecticut Attorney General, Richard Blumenthal, has announced that a settlement has been reached with healthcare provider Health Net over violations of the Health Insurance Portability and Accountability Act (HIPAA). The Connecticut AG is the first to exercise the right to enforce HIPAA since the power to do so was given to AGs following amendments to HIPAA brought about by the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). Health Net was fined £250,000 for failing to implement adequate controls to protect the health data of its patients and for violations of the Breach Notification Rules. Legal action was taken against Health Net following the loss of an unencrypted disk drive in May 2009 which exposed the data of 1.5 million Americans, 446,000 of whom were Connecticut residents. The incident exposed Social Security Numbers, financial information and personal identifiers, with the subsequent investigation concluding that the drive was most likely stolen. In addition to the fine, Health Net has been ordered to provide two...