Pros and Cons of HIPAA

HIPAA compliance offers benefits such as safeguarding sensitive data, empowering patients with rights, ensuring data security and confidentiality, fostering standardized healthcare transactions, and maintaining insurance coverage portability, but its implementation involves administrative burdens, costs, potential hindrance to innovation and research, complexities in patient communication, legal consequences for violations,...


Benefits of HIPAA Compliance

HIPAA compliance yields benefits including enhanced patient data security, privacy protection, improved trust through transparent handling of personal health information, standardized and efficient healthcare transactions, patient empowerment through control over their data, and the preservation of health insurance coverage portability during job transitions or life events. HIPAA compliance has brought about a series of significant...

Is Microsoft OneDrive HIPAA Compliant?
Jun 13

Many organizations in the healthcare industry take advantage of cloud storage services because of their convenience and cost-effectiveness. Microsoft OneDrive is one of the most popular cloud storage services as it is included in all Microsoft business subscriptions; but is OneDrive HIPAA compliant and suitable for storing Protected Health Information in the cloud? The answer to the question “is OneDrive HIPAA compliant?” is that no...


Who Created HIPAA?

HIPAA was created by the United States Congress and signed into law by President Bill Clinton on August 21, 1996. The primary objective of HIPAA is to protect individuals’ health information privacy and enhance the security of electronic healthcare transactions. The creation of HIPAA (Health Insurance Portability and Accountability Act) involves some debate regarding its origins and the individuals credited with its development....

Is WhatsApp HIPAA Compliant?
May 29

WhatsApp is widely used in healthcare organizations to accelerate workflows and improve patient outcomes, but is WhatsApp HIPAA compliant and can the messaging platform be used to send and receive Protected Health Information? In 2016, WhatsApp announced the implementation of end-to-end encryption across all web and mobile apps. Not only are chat messages encrypted, but also images, attachments, and voice calls. In theory, this would...

HIPAA Compliance for Home Health Care
May 11

HIPAA compliance for home health care workers can be especially challenging due to working in multiple – and sometimes unfamiliar – environments and often encountering scenarios that do not occur in purpose-built healthcare facilities. Home health care workers provide a valuable service to patients in the community. As well as visiting patients unable to go to a healthcare facility and providing feedback to physicians, home health...

What Does it Take to Make Microsoft Teams HIPAA Compliant?
May 05

To make Microsoft Teams HIPAA compliant, it is necessary to select a plan with the capabilities to support compliance, configure the platform to meet the requirements of the Security Rule, and train members of the workforce how to use Microsoft Teams in compliance with HIPAA. It is also necessary to accept the terms of Microsoft’s Business Associate Agreement. Many businesses in the healthcare industry take advantage of Microsoft...

HIPAA Changes 2023
May 04

HIPAA changes – and changes to other Rules that impact HIPAA compliance – happen more frequently than many people appreciate. This article looks at some of the most recent changes to HIPAA and HIPAA compliance, and looks ahead to potential HIPAA changes in 2023. Since the publication of the HIPAA Omnibus Final Rule in 2013, there have only been two minor changes to Part 164 of the HIPAA Administration Simplification Regulations – the...

How to Make Google Forms HIPAA Compliant
May 02

HIPAA Covered Entities and Business Associates need to know how to make Google Forms HIPAA compliant before using the Workspace service to collect, store, or share Protected Health Information (PHI). Google Forms is a web-based service that is part of the Google Workspace suite of productivity and collaboration tools. The service can be used by healthcare organizations to create surveys and obtain feedback from employees and patients...

4 Out of 10 Medical Devices Have Unpatched Critical Vulnerabilities
Apr 27

A new report from the cybersecurity firm Armis has identified the riskiest connected medical devices used by hospitals in the United States. Connected medical devices are a security weak point, and each year many new vulnerabilities are detected. One of the main problems for healthcare organizations is keeping on top of patching, which can be a challenge for connected medical devices as they are constantly in use. One of the biggest...


HHS Publishes New Resources for Improving Healthcare Cybersecurity

The Health Sector Coordinating Council Cybersecurity Working Group and the HHS 405(d) Program have published three additional resources for the healthcare sector to help them manage cybersecurity risks. Hacking incidents at healthcare organizations have increased sharply in recent years and data breaches are being reported at extremely high levels. For the past two years, around 700 large data breaches have been reported by...

Healthcare Providers, Google Meet and HIPAA Compliance
Apr 12

For the past few years, the good faith use of Google Meet and HIPAA compliance has not been an issue for healthcare providers due to OCR’s Notice of Enforcement Discretion for telehealth during the COVID-19 pandemic. However, with the COVID-19 public health emergency about to expire, healthcare providers will have to start using Google Meet in compliance with HIPAA. During the COVID-19 pandemic, the use of chat, phone, and video...

What Makes an Electronic Signature HIPAA Compliant?
Mar 10

The Department of Health and Human Services has not issued specific guidance about what makes an electronic signature HIPAA compliant other than stipulating “any electronic signature used will result in a legally binding contract under applicable State or other law”. However, this may soon be about to change. In the original text of the Health Insurance Portability and Accountability Act (HIPAA), the Secretary for Health and Human...

HIPAA Security Rule Failures Land Banner Health with $1.25M Financial Penalty
Feb 07

Banner Health has agreed to settle alleged violations of the HIPAA Security Rule with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and will pay a $1.25 million financial penalty. Banner Health will also adopt a corrective action plan to ensure full compliance with the HIPAA Security Rule and will be monitored by OCR for two years. The OCR investigation into HIPAA Security Rule compliance was...

Does HIPAA Apply to Employers?
Jan 26

The answer to the question “does HIPAA apply to employers?” is complicated because, although the Health Insurance Portability and Accountability Act impacts around half of employers, only a small percentage of employers are required to comply with the Privacy, Security, and Breach Notification standards of the Administrative Simplification provisions. According to a September 2022 report compiled by the Bureau of Labor Statistics, 70% of...

Does HIPAA Apply to Schools?
Jan 20

In most cases, HIPAA compliance is not applicable to education institutions as they are not deemed HIPAA covered entities, but in some instances a school can be classified as a covered entity if healthcare services are given to students. At such times, HIPAA may still not apply because any student health information obtained would be included in the students’ education records and education records are not governed by the HIPAA...

What is HIPAA Email Archiving Compliance?
Jan 15

HIPAA email archiving compliance is an alternative way to describe HIPAA compliant email archiving. However, there is more than one way to archive emails; and different compliance requirements apply depending on whether emails are archived on-premises, in the cloud via an email service provider, or in the cloud via a third-party service provider. It is also important to be aware the requirements for HIPAA email archiving compliance...

HIPAA Waiver Form
Jan 11

A valid HIPAA waiver form is required whenever a Covered Entity wants to use or disclose Protected Health Information for a purpose not otherwise required by the General Provisions of the Administrative Requirements or permitted by the HIPAA Privacy Rule. Generally, Covered Entities are required to disclose Protected Health Information (PHI) when requested to do so by the Department of Health and Human Services (HHS) or by an...

How Often is HIPAA Training Required?
Dec 28

The text of the HIPAA Privacy Rule and Security Rule related to training doesn’t help answer the question “how often is HIPAA training required?” However, by reviewing other areas of HIPAA, it is possible to establish that the frequency of HIPAA training should be as often as it is required. Considering the importance of HIPAA and the severity of the penalties for noncompliance – fines of more than $1.9 million can be imposed per...

What are the HIPAA Password Requirements?
Dec 18

Before answering the question “what are the HIPAA password requirements?”, it is important to note that passwords are not a requirement of HIPAA if Covered Entities use an alternative authentication method to “verify that a person or entity seeking access to ePHI is the one claimed” (Security Rule Standard §164.312(d)). According to the Department of Human Services’ Guide to the Technical Security Standards there are three ways in which...

HIPAA and Pictures – The Challenge of Compliance
Dec 11

The relationship between HIPAA and pictures is a challenging area of compliance – especially for healthcare providers who may often receive unsolicited images that do not qualify as Protected Health Information, or who have to contend with patients and visitors taking photos and videos in healthcare environments that can reveal the identities of other patients. Pictures play an important role in the provision of healthcare. They can...

Criminal Prosecutions for HIPAA Violations by Ohio Hospital Employee
Dec 10

Criminal prosecutions for HIPAA violations made by hospital employees are a relatively uncommon occurrence; but the recent spate of HIPAA prosecutions over the past few years suggests that has now changed. Another case of improper accessing of PHI has resulted in criminal charges for HIPAA violations being brought against an employee, this time a healthcare provider that worked at the ProMedica Bay Park Hospital in Oregon, Ohio....

What Does Pharmacy HIPAA Compliance Consist Of?
Dec 03

Pharmacy HIPAA compliance consists of meeting the requirements of the HIPAA Administrative Requirements, the Privacy Rule, the Security Rule, and the Breach Notification Rule. However, some pharmacies may be subject to more stringent federal and state laws whose requirements pre-empt HIPAA, while some may not be HIPAA Covered Entities at all. Pharmacies qualify as healthcare providers under HIPAA when they “dispense drugs, devices,...

What are the HIPAA Rules for Medical Devices?
Nov 15

Following the introduction of the HITECH Act and the passing of the HIPAA Privacy and Security Rules, pharmaceutical companies and medical device manufacturers have had to navigate the HIPAA Rules for medical devices, and this has caused some of those companies a number of problems. For any company required to record, store or transmit electronic Protected Health Information (ePHI) there are a number of considerations, the most important...

Are Pagers HIPAA Compliant?
Oct 16

Many healthcare providers are asking the question “are pagers HIPAA-compliant?” The simple answer is no, pagers are not HIPAA-compliant, but they can be used without violating HIPAA Rules provided that electronic Protected Health Information (ePHI) is not transmitted via pagers, or that the data is encrypted. Unfortunately, just like unencrypted emails and SMS text messages, information sent via pager can be intercepted,...

Using a Business Password Manager to Share ePHI in Compliance with HIPAA
Sep 23

Using a business password manager to share ePHI in compliance with HIPAA is a viable alternative to other secure forms of communication if your organization implements a business password manager and the vendor is willing to sign a Business Associate Agreement. One of the most challenging requirements of HIPAA compliance is communicating ePHI in compliance with the Security Rule safeguards. Familiar channels of communication such as...

Meta Facing Class Action Lawsuit over Use of Health Data for Serving Targeted Advertisements
Aug 02

Another lawsuit has been filed against Meta by a patient who claims her private healthcare information was collected without consent and was used to serve targeted advertisements related to her medical condition. The plaintiff, Jane Doe, was a patient of UCSF Medical Center and the Dignity Health Medical Foundation, who have also been named in the lawsuit. The case stems from the inclusion of Meta Pixel on web pages behind a login on...

HIPAA Compliance for Dental Offices
Aug 01

HIPAA compliance for dental offices is not as straightforward as complying with the standards of the Privacy, Security, and Breach Notification Rules because there are instances when federal or state laws can pre-empt HIPAA, when exemptions can apply, or when dental offices do not qualify as HIPAA Covered Entities. Judging by the volume of news stories covered by this website relating to data breaches and HIPAA violations, HIPAA...

NIST Releases Updated HIPAA Security Rule Guidance
Jul 26

The National Institute of Standards and Technology (NIST) has refreshed its HIPAA Security Rule compliance guidance. The guidance was last updated in 2008 and a lot has changed in the past 14 years, including the release of the NIST Cybersecurity Framework. The new guidance serves as a practical guide for the healthcare industry to help with the implementation of the HIPAA Security Rule, to better protect healthcare data from...

HIPAA Compliance and Dropbox: What You Need to Know
Jul 16

Dropbox is one of the most popular and successful file hosting services available online, but does it comply with HIPAA? Dropbox claims it is now fully behind and supportive of HIPAA and HITECH Act compliance, but that does not mean Dropbox itself is HIPAA compliant. No software or file sharing platform can be HIPAA compliant on its own, as compliance depends on how the software or platform is used and on the individuals using it. However,...

Web Server Hacking Incident Results in $875,000 HIPAA Fine for Oklahoma State University
Jul 15

On January 5, 2018, Oklahoma State University – Center for Health Sciences (OSU-CHS) reported a web server hacking incident to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The subsequent OCR investigation determined multiple areas of noncompliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA). Yesterday, OCR...

Is Calendly HIPAA Compliant?
Jun 16

Is the scheduling service Calendly HIPAA compliant? The service streamlines how businesses can organize meetings – saving time and improving productivity by eliminating the confusion that results from lengthy email chains. This makes Calendly a popular service across a variety of sectors, but can it be used in the healthcare industry in a HIPAA-compliant manner? The Calendly platform integrates with a number of other...

Guidance on HIPAA and Telehealth for When the COVID-19 Public Health Emergency Ends
Jun 14

The U.S. Department of Health and Human Services has issued guidance on HIPAA and Telehealth to help healthcare organizations ensure compliance when the COVID-19 Public Health Emergency (PHE) comes to an end. The Health Insurance Portability and Accountability Act (HIPAA) does not prevent healthcare organizations from providing telehealth services, although it does place certain restrictions on the technologies that can be used, and...

Sharing Patient Information with Family Over the Phone
Jun 09

When sharing patient information with family over the phone, healthcare providers need to ensure they verify who they are speaking to, that the patient has not objected to their health information being shared, and that any details disclosed to family members comply with the HIPAA Minimum Necessary Standard. When a patient enters hospital, it is understandable that family members want to enquire about their wellbeing. One of the most...

Is SharePoint HIPAA Compliant?
Jun 09

It may be one of the most popular cloud services worldwide, but is SharePoint HIPAA compliant? Microsoft’s SharePoint Online service offers a collaborative cloud-based platform for the storage, management, and sharing of documents. It allows multiple users to view and edit a document simultaneously from various devices and can be integrated with other popular Microsoft applications in most Microsoft 365 and Office 365 enterprise...

Is Box HIPAA Compliant?
Jun 02

Is the cloud storage service Box HIPAA compliant? Box is a cloud data storage and management service that allows users to access data from different devices. However, before it can be utilized in a healthcare setting to manage and store protected health information (PHI), Covered Entities must ensure Box is HIPAA compliant. There are a number of features of Box that make it attractive for users. Once information is uploaded to its...

HIPAA Compliance Software
May 08

HIPAA compliance software is an application for overcoming the challenges of complying with HIPAA. Depending on the capabilities of the software, it can help compliance officers more easily identify gaps in compliance, more effectively eliminate gaps in compliance, and more accurately track compliance activities to ensure the organization is complying with HIPAA at all times. HIPAA compliance is a “100% task” inasmuch as if you comply...

HHS Seeks Comment on HITECH Act Requirements Concerning HIPAA Enforcement
Apr 08

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has requested comments from the public on two outstanding requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 that relate to its enforcement of compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR is the main enforcer of HIPAA compliance and investigates complaints and data...

OCR Announces 4 Financial Penalties to Resolve HIPAA Violations
Mar 30

The Department of Health and Human Services’ Office for Civil Rights has imposed four financial penalties on healthcare providers to resolve violations of the Health Insurance Portability and Accountability Act (HIPAA). Three dental practices were hit with sizable fines, one for a violation of the HIPAA Right of Access and two for impermissible disclosures of patients’ protected health information (PHI). The HIPAA Right of Access is a...

Is the Use of Mandrill by Healthcare Organizations HIPAA Compliant?
Mar 10

The leading automated email marketing platform Mandrill is a transactional email service that MailChimp provides. This software allows companies to automatically broadcast emails to customers and people that interact with their web apps and links to MailChimp via an API. Transactional emails are the same as marketing emails in that they are programmed to be initiated by events including password resets, confirmation of placement of...

HHS’ Office for Civil Rights Director Urges HIPAA-Regulated Entities to Improve Cybersecurity
Mar 04

In the United States, healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities are required to comply with the standards of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. The HIPAA Security Rule calls for HIPAA-regulated entities to implement safeguards to ensure the confidentiality, integrity, and availability of...

Bipartisan Bill Proposes Creation of Commission to Investigate U.S. Health Data Privacy Laws
Feb 14

Bipartisan legislation has been introduced in the U.S. to create a commission to analyze federal and state health data privacy laws and make recommendations for closing regulatory privacy gaps. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) sets minimum standards for privacy and security of healthcare data, including placing restrictions on uses and disclosures of personally identifiable...

Healthcare Providers Fined $425,000 by New Jersey for HIPAA and Consumer Fraud Act Violations
Dec 17

The New Jersey Attorney General and the Division of Consumer Affairs have announced that a settlement has been agreed with three New Jersey healthcare providers to resolve an investigation into two data breaches that affected 105,200 individuals, including 80,333 New Jersey residents. The breaches occurred in 2019; the first was the result of a phishing attack and the second was a mailing error that occurred when sending notification...

HHS Imposes 5 Financial Penalties for HIPAA Right of Access Failures
Dec 03

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the closure of five investigations into potential violations of the Health Insurance Portability and Accountability Act (HIPAA), all of which have resulted in financial penalties. The enforcement actions are part of OCR’s HIPAA Right of Access enforcement initiative, which was launched in late 2019. The HIPAA Right of Access gives individuals the...

$130,000 Settlement Agreed with Two New Jersey Printing Companies to Resolve Alleged HIPAA Violations
Nov 16

An investigation conducted by the New Jersey Division of Consumer Affairs into an unauthorized disclosure of the protected health information (PHI) of almost 56,000 New Jersey residents has been settled by New Jersey Acting Attorney General, Andrew Bruck. The two firms will pay financial penalties totaling $130,000 and have agreed to a consent order that requires them to make changes to their policies and procedures to improve data...

New Jersey Fines Infertility Clinic $495,000 for Multiple Violations of the HIPAA Rules
Oct 19

An investigation conducted by the New Jersey Department of Law and Public Safety Division of Consumer Affairs into a HIPAA compliance data breach at an infertility clinic has been settled, with the clinic operator agreeing to pay a financial penalty of $495,000. Diamond Institute for Infertility and Menopause, LLC (Diamond) is based in Millburn, NJ, and operates two infertility clinics in the state and one in New York. The company...

Guidance on HIPAA and COVID-19 Vaccination Status Disclosures Issued by HHS
Oct 06

In the United States, HIPAA compliance rules restrict uses and disclosures of healthcare data, but there has been considerable confusion about HIPAA and COVID-19 vaccination status disclosures amongst the public, and even members of Congress. The U.S. Department of Health and Human Services’ Office for Civil Rights, the main enforcer of HIPAA, has now released guidance on HIPAA and COVID-19 vaccination status disclosures to help clear...

Pediatric Care Provider Fined $80,000 for HIPAA Right of Access Violation
Sep 10

A pediatric hospital in Omaha, NE has agreed to settle a Department of Health and Human Services’ Office for Civil Rights (OCR) HIPAA investigation and will pay a financial penalty of $80,000 to close the case. The investigation was launched in response to a complaint from a patient who was not provided with a copy of her late daughter’s medical records in a timely manner. HIPAA gives individuals the right to obtain a copy of their...

Mid-Year HIPAA Enforcement Update
Aug 25

The HHS’ Office for Civil Rights has imposed 8 financial penalties on HIPAA-covered entities and business associates in the first 6 months of 2021 to resolve investigations into noncompliance with the Health Insurance Portability and Accountability Act Rules. In the first 6 months of 2020, only 1 financial penalty was imposed; however, OCR ended the year with 19 financial penalties imposed. This year, OCR has continued with its drive...

Password Recommendations from NCSC
Aug 15

The UK’s NCSC password recommendations have been refreshed recently and a new strategy is being shared that improves usability while also adhering to password strength requirements. There are many different schools of thought in relation to the creation of passwords, but all are based on the idea that passwords need to be complex enough so that they cannot be simply guessed, not only by humans, but also the algorithms used by hackers...

HIPAA Violation Results in Former Scripps Health Worker Being Charged for COVID-19 Unemployment Benefit Fraud
Aug 01

In a case being heard in San Diego, former Scripps Health employee Matthew Lombardo has been charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. This is part of a Department of Justice investigation where nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the...

US Court of Appeals Ruling Suggests Legal Action Possible for Privacy Breaches Under 14th Amendment
Jun 30

A ruling by the U.S. Court of Appeals for the Fourth Circuit suggests individuals whose privacy has been violated could potentially take legal action under the 14th amendment, but has confirmed that there is no private cause of action under the Health Insurance Portability and Accountability Act (HIPAA) when an individual’s privacy is violated as a result of an improper disclosure of their protected health information. The case...

HIPAA Right of Access Case Settled for $5,000 by Diabetes, Endocrinology & Lipidology Center
Jun 08

According to the HHS’ Office for Civil Rights (OCR), a settlement agreement has been negotiated with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) in relation to a possible HIPAA Right of Access breach. DELC is a West Virginia-based healthcare supplier that focuses on treating endocrine disorders. In August 2019, a complaint was submitted to OCR which claimed that DELC had breached HIPAA when it didn’t respond...

HIPAA Security Rule Violations Lead to $25,000 Settlement between Clinical Laboratory & OCR
May 27

The Department of Health and Human Services’ Office for Civil Rights (OCR) says a $25,000 HIPAA settlement has been agreed with Peachstate Health Management, LLC, dba AEON Clinical Laboratories, that resolves a HIPAA case involving several HIPAA Security Rule violations. Peachstate, a CLIA-certified laboratory, supplies a variety of different services to HIPAA-covered entities, including clinical and genetic testing services through its...

HB 300 Training Requirements
Apr 21

Information on the HB 300 training requirements for companies, organizations, and individuals that do business with Texas residents that involves access to protected health information and/or sensitive personal information. What is Texas HB 300? HB 300 – Texas House Bill 300 – was passed and signed into law by Texas Governor Rick Perry in June 2011 and took effect on September 1, 2012. The bill amended existing state laws such...

HIPAA Right of Access Case Involving Massachusetts Mental Health Clinic Settled for $65,000
Mar 26

Following a HIPAA Right of Access investigation by the HHS’ Office for Civil Rights (OCR), Arbour Hospital, a mental health clinic in Boston, MA, has agreed to pay a $65,000 HIPAA fine. OCR was made aware of a possible breach of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital claimed he had asked for a copy of his medical records from the hospital on May 7, 2019 but had not been given those records within...

Six-month Prison Term for Whistleblower Who Falsely Claimed Nurse Violated HIPAA
Mar 07

A six-month prison term and a $1,200 fine have been handed down to a Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA compliance rules. Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower in October 2019 and reported HIPAA violations by an employee to the authorities. He claimed that there had been significant privacy breaches by a nurse at a Savannah, GA...

U.S. Healthcare Data Breach Report for January 2021
Feb24

January witnessed a 48% month-over-month drop in the number of large healthcare data breaches, down from 62 breach incidents in December to 32 in January, according to an analysis by HIPAA Journal. While this is well beneath the 38 data breaches that are reported on average each month, it is still more than 1 data breach every day. There would have been a major drop in the amount of breached records were it not for a major data breach...

Ransomware Fact Sheet Issued by the National Cyber Investigative Joint Task Force
Feb08

The National Cyber Investigative Joint Task Force (NCIJTF) has published a ransomware factsheet in order to increase awareness of the threat of ransomware attacks and provide more information which can be used to address and prevent ransomware attacks. The fact sheet was created by an interagency group of over fifteen government bodies and is primarily intended to be implemented by police and fire departments, state, local, tribal and...

Blackbaud Ransomware Attack Leads to Rady Children’s Hospital Class Action Lawsuit
Jan27

In May 2020, the cloud software group Blackbaud was targeted and attacked with ransomware. As is typical in human-operated ransomware attacks, data was stolen before file encryption took place. A portion of the stolen data included the fundraising databases of its healthcare customers. One of the impacted healthcare clients was Rady Children’s Hospital-San Diego, the biggest children’s hospital in California. A class action lawsuit has...

More Stringent Application of HIPAA Right of Access Rules by OCR Results in $200,000 Penalty
Jan15

There is further evidence of the increasingly stringent application of the HIPAA Right of Access Rules by the HHS’ Office for Civil Rights (OCR) to healthcare providers that fail to give patients timely access to their medical records: OCR has announced a $200,000 settlement with Banner Health that brings a HIPAA Right of Access investigation to a conclusion. Under the HIPAA Privacy Rule...

OCR Confirms HIPAA Rules on Disclosures of PHI to Health Information Exchanges
Dec21

The Department of Health and Human Services’ Office for Civil Rights has published guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules related to disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA). HIEs are organizations that facilitate the sharing of electronic PHI (ePHI) between more than two...

Researchers Find More than 45 Million Medical Images Stored on Unprotected Servers
Dec17

More than 45 million medical images are currently exposed on unprotected servers and can be accessed freely over the internet without usernames or passwords. The medical images include metadata that includes personal and protected health information, which could be used for a variety of nefarious purposes. The unprotected images, which include MRIs, CT scans, and X-Rays were found by researchers at the CyberAngel Analyst Team, who...

Bill Passed by House Calling for HHS to Recognize Implementation of Cybersecurity Best Practices
Dec16

The House Energy and Commerce Committee has passed a new bill (HR 7898) which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been implemented by HIPAA-covered groups and business associates when making specific determinations, such as fines following security breaches or for other regulatory aims. The HIPAA Safe Harbor Bill, if passed into...

University of Cincinnati Medical Center HIPAA Right of Access Failure Results in $65,000 Fine
Nov22

The 18th HIPAA financial penalty of 2020, the 12th fine under its HIPAA Right of Access enforcement initiative, has been revealed by HHS’ Office for Civil Rights. The most recent HIPAA compliance fine of $65,000 was sanctioned against the University of Cincinnati Medical Center, LLC (UCMC) and grew out of a complaint submitted to OCR on May 30, 2019 by a patient who had issued a request to UCMC on February 22, 2019 seeking an...

10th HIPAA Fine Under Right of Access Initiative Revealed by Office for Civil Rights
Nov08

The 10th financial penalty under its HIPAA Right of Access enforcement initiative has been revealed by the U.S. Department of Health and Human Services’ Office for Civil Rights. California-based Riverside Psychiatric Medical Group has committed to paying a financial penalty of $25,000 to settle a possible HIPAA Right of Access breach and will implement a corrective action plan to see to it that compliance with this provision of the...

Three Data Breaches Result in $1m HIPAA Penalty for Aetna
Oct29

Aetna Life Insurance Company and the affiliated covered entity (Aetna) have settled a HIPAA compliance violation case with the Department of Health and Human Services’ Office for Civil Rights (OCR) and have agreed to pay a financial penalty of $1 million. OCR investigated Aetna after receiving three breach reports in 6 months in 2017 from the health insurer. The initial data breach was made known to OCR in June 2017 and was due to the...

OCR HIPAA Right of Access Initiative Results in 9th Financial Penalty
Oct20

The HHS’ Office for Civil Rights (OCR) is maintaining the pace in its crackdown on healthcare groups that are not adhering to the HIPAA Right of Access. Recently, OCR revealed that it is sanctioning its ninth enforcement action against a HIPAA-covered group in relation to the failure to provide patients with timely access to their medical records at a reasonable price. HIPAA gives patients the right to view or receive a copy of...

Updated Security Risk Assessment Tool Released by HHS
Sep12

An updated version of the Department of Health and Human Services’ Office for Civil Rights (OCR) Security Risk Assessment (SRA) Tool has now been released. The Office of the National Coordinator for Health Information Technology (ONC) developed the tool with the assistance of OCR in order to help small- to medium-sized healthcare suppliers comply with the security risk assessment requirements of the HIPAA Security Rule and the Centers...

MHealth App Developers and Cloud Services Providers New Resources made Available by OCR
Sep08

New resources for mobile health app developers have been made available by the Department of Health and Human Services’ Office for Civil Rights (OCR). This comes with a planned update and rebranding of its Health App Developer Portal. The portal – Resources for Mobile Health Apps Developers – supplies information for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they are relevant...

Citrix Endpoint Management/XenMobile Server Patches Released
Aug20

Patches have been released to address two critical vulnerabilities in Citrix Endpoint Management (CEM) / XenMobile Server. The flaws could be exploited by an unauthenticated individual to access domain account credentials, take complete control of a XenMobile Server, view VPN, email, and web applications, and obtain sensitive corporate information. One of the flaws was discovered by Andrey Medov of Positive Technologies, who...

Ban on HHS Funding a National Patient Identifier System Removed by House of Representatives
Aug06

The House of Representatives has voted to remove the ban on the Department of Health and Human Services using federal funds to create a national patient identifier system. The Health Insurance Portability and Accountability Act (HIPAA) mandated the creation of a national patient identifier system. As the name indicates, a national patient identifier system would see each person in the United States issued with a permanent, unique...

Rhode Island Health System Hit with $1 Million Fine for Noncompliance with HIPAA Rules
Jul28

The Rhode Island non-profit health system, Lifespan Health System Affiliated Covered Entity (Lifespan), has been fined $1,040,000 by the Department of Health and Human Services’ Office for Civil Rights for violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. Had HIPAA Rules been followed, a data breach of 20,431 healthcare records would have been avoided. Lifespan was investigated by OCR following the...

Does Amazon Web Services Comply with HIPAA?
Jul16

Under the Health Insurance Portability and Accountability Act, all providers of a product or service that ‘touches’ PHI are deemed to be business associates and are required to comply with HIPAA Rules. That means appropriate safeguards must be implemented to ensure the confidentiality, integrity, and availability of any PHI that is available through their products or services. Any healthcare entity or vendor obligated to comply...

Lack of Encryption & Other HIPAA Breaches Leads to $1m HIPAA Penalty for Lifespan
Jul11

The HHS’ Office for Civil Rights has sanctioned a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) after identifying systemic noncompliance with the HIPAA Rules. Lifespan is a not-for-profit health system located in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was submitted to OCR by Lifespan Corporation, the parent company and...

Philips Ultrasound Systems Vulnerability Discovered
Jun30

An authentication bypass vulnerability affecting Philips Ultrasound Systems that could be targeted by a hacker to view or modify data has been discovered. The flaw is caused by the presence of an alternative path or channel that can be used to bypass authentication controls. The flaw is tracked as CVE-2020-14477. This is a low severity flaw which has been assigned a CVSS v3 base score of 3.6 out of 10. To target the vulnerability,...

Information on Contacting COVID-19 Patients to Request Blood & Plasma Donations
Jun18

Once patients contract an infectious respiratory disease like COVID-19, the immune system creates antibodies that supply protection if the pathogen appears again. The antibodies in the blood of patients who recover from an illness like this are key to fighting it. Those antibodies could also be used to treat other patients. Through the donation of blood and plasma two preparations can be created: Convalescent plasma and hyperimmune...

Safe Partner Inc. Confirmed as HIPAA Compliant
May22

Compliancy Group has revealed that Safe Partner Inc. has implemented an effective HIPAA compliance program and has successfully finished its proprietary 6-stage HIPAA risk analysis and remediation process. Safe Partner Inc. is a Belmont, CA-based boutique software development and consulting firm that supplies a full range of software services, from design to development, implementation, and ongoing customer support. The company was...

Improved Compliance Revealed in Ciitizen HIPAA Right of Access Study
May15

There has been a major improvement in compliance with the HIPAA Right of Access, according to the most recent Patient Record Scorecard Report from Ciitizen. To formulate the report, Ciitizen conducted a study of 820 healthcare suppliers to assess how well each responded to patient requests for copies of their healthcare data. A wide variety of healthcare suppliers were assessed for the study, from single physician practices to large,...

HIPAA Violations in Michigan and Illinois Lead to Healthcare Workers Being Fired
May08

A staff member at Ann & Robert H. Lurie Children’s Hospital of Chicago has been fired for accessing the medical records of patients without the appropriate authorization over a period of 15 months. The privacy violations were discovered when, after reviewing access logs, the hospital found that a staff member had viewed the medical records of 4,824 patients without authorization between November 2018 and February 2020. The range of...

Three Actively Exploited Flaws Patched by Microsoft
Apr15

On April 2020 Patch Tuesday, Microsoft made available updates to fix 113 flaws in its operating systems and software solutions, 19 of which have been rated critical. This month’s group of updates includes fixes for 3 zero-day flaws that are being actively exploited in real world attacks. Two of the actively exploited flaws were revealed by Microsoft in March and Microsoft suggested workarounds to limit the chance of exploitation. The...

Waiver of HIPAA Penalties for Good Faith Operation of COVID-19 Community-Based Testing Sites
Apr11

The HHS has issued an additional Notice of Enforcement Discretion covering healthcare providers and business associates that manage some aspect of COVID-19 community-based testing sites. Under the terms of the Notice of Enforcement Discretion, the HHS will not issue sanctions and penalties in relation to good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement Discretion is...

PHI Disclosures for Public Health and Health Oversight Activities Allowed in Notice of Enforcement Discretion for Business Associates
Apr04

On April 2, 2020, the Department of Health and Human Services revealed that with immediate effect, it will be applying enforcement discretion and will not impose sanctions or fines against healthcare providers or their business associates for good faith uses and sharing of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health...

Coronavirus Pandemic Guidance on Telehealth & HIPAA Released by OCR
Mar19

After the announcement made by the HHS’ Office for Civil Rights that enforcement of HIPAA compliance linked to the good faith provision of telehealth services for the duration of the COVID-19 pandemic has been relaxed, OCR has published guidance on telehealth and remote communications. Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications...

HIPAA Compliance Achieved at SAR Technology Group Thanks to Compliancy Group
Mar10

SAR Technology Group has been revealed as having achieved HIPAA compliance after completing Compliancy Group’s proprietary 6-Stage HIPAA Risk Analysis and remediation process. The regulatory standards of the Health Insurance Portability and Accountability Act ensure the confidentiality, integrity, and availability of healthcare data is safeguarded and the privacy of patients is protected. Vendors that supply healthcare clients must...

Google’s Response to Senators Questions About Ascension Partnership Deemed Incomplete
Mar03

After it became public that a massive amount of patient data had been shared with Google by the Catholic health system Ascension, the second biggest health system in the United States, a bipartisan group of Senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google asking for answers about the nature of the agreement and the data the company received. Ascension manages 150...

Manchester Ophthalmology & UnitedHealthcare Impacted by Data Breaches
Feb22

Manchester Ophthalmology in Connecticut has suffered a cyberattack in which the hackers may have gained access to patient data. The eye care supplier became aware of the cyberattack on November 25, 2019 when employees identified suspicious activity on the network. Assisted by an external technology firm, it was determined later that day that hackers had gained access to its systems and tried to deploy ransomware. Access was first...

2020 Healthcare Data Breach Report
Feb20

Protenus has released its 2020 healthcare data breach report which shows the past 12 months have been the worst ever in terms of the number of reported breaches. For its 2020 Breach Barometer report, Protenus, in conjunction with databreaches.net, identified more than 572 healthcare data breaches of 500 or more records in 2019, up 48.6% compared to 2018. The number of data breaches affecting the healthcare industry has increased...

Partially Completed Prescriptions of Schedule II Drugs Must be Tracked: HHS
Feb15

The Department of Health and Human Services has released a final rule changing the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard that obligates pharmacies to record partially completed prescriptions for Schedule II drugs. The modification is part of HHS efforts to manage opioid abuse in the United States and will supply a greater quantum of data that may help control impermissible refills...

HIPAA Compliance Confirmed for Center for Counseling & Family Relationships
Feb13

A large counseling private practice located in Fort Worth, Texas has revealed that it has demonstrated compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules after completing Compliancy Group’s 6-Stage HIPAA risk analysis and remediation process. The Center for Counseling & Family Relationships (CCFAM) used Compliancy Group’s proprietary HIPAA compliance tracking solution The Guard and, helped by its...

Novel Coronavirus Outbreak Prompts HHS Covered Entity HIPAA Data Sharing Warning
Feb03

In response to the 2019 Novel Coronavirus outbreak, the Department of Health and Human Services has released a bulletin to make HIPAA-covered entities aware of the allowable methods for sharing patient information during outbreaks of infectious disease and other emergency situations. In the news release, the HHS confirmed that at such times, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must...

Can Gmail be HIPAA Compliant?
Jan13

In order for Gmail to be deemed HIPAA compliant, Google would have to see to it that the email service is 100% safe and satisfies the basic standards for security as stated in the HIPAA Security Rule. A covered entity would also be obligated to obtain a signed business associate agreement from Google that incorporates Gmail, as Google would be deemed a business associate under the HIPAA Rules. While encryption for email is not an...

Survey: Cost of Healthcare Data Breaches Predicted to Reach $4 Billion in 2020
Jan04

Healthcare sector data breaches are taking place at an unprecedented level. The healthcare data breach figures for 2019 have yet to be drawn up, but so far 494 data breaches of more than 500 records have been made known to the HHS’ Office for Civil Rights and more than 41.11 million records were exposed, stolen, or impermissibly disclosed in 2019. That makes 2019 the worst year on record for healthcare data breaches and the second...

2019 HIPAA Enforcement
Jan02

2019 was another year in which stringent HIPAA compliance enforcement was evident. Action taken by the Department of Health and Human Services’ Office for Civil Rights (OCR) resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 witnessed two civil monetary penalties sanctioned and settlements were agreed with eight groups, one less than 2018. In 2019, the average fine...

Rep. Jayapal Questions Google & Alphabet Ascension Partnership
Dec20

Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, has written to Google and Alphabet in relation to their Ascension partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI. The partnership between Google and...

HIPAA Compliance for Amazon Lex
Dec09

Amazon has revealed that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare groups without breaching Health Insurance Portability and Accountability Act Rules. Amazon Lex is a service that permits customers to create conversational interfaces into applications using text and voice. It permits the creation of chatbots that use lifelike, natural language to engage with clients, submit questions,...

Privacy Protections for Consumer Health Data to be Enhanced by Smartwatch Data Act
Dec04

Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada) have introduced the Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act. This new legislation will ensure that health data gathered through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent. The Health Insurance Portability and Accountability Act (HIPAA) applies to health data...

Sentara Hospitals Agrees to $2.175M HIPAA Settlement for Breach Notification Rule and BAA Failures
Dec04

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued its eighth HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle possible breaches of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to remedy areas of noncompliance. Sentara runs 12 acute care hospitals in Virginia and North Carolina and has more than...

Timothy Noonan Revealed as New Deputy Director for Health Information Privacy at Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights (OCR) has appointed Timothy Noonan Deputy Director for Health Information Privacy. The position of the Deputy Director for Health Information Privacy is to lead the Health Information Privacy Division of the Office for Civil Rights, oversee OCR’s national health information privacy policy and outreach activities, and administer and police the HIPAA Privacy, Security,...

Range of HIPAA Breaches Result in $2.15 Million Civil Monetary Penalty for Jackson Health System
Oct25

The Department of Health and Human Services’ Office for Civil Rights has sanctioned a $2.15 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of breaches of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. In July 2015, OCR became aware of many media reports in which the PHI of a patient was impermissibly shared. The person was a...
