Extortion Attempt on Sports Medicine Provider Exposes Private Data of 7,000 Individuals
Dec05

Sports Medicine & Rehabilitation Therapy (SMART), based in Massachusetts, has contacted 7,000 clients regarding a breach of their protected health information that occurred in September 2017. The breach potentially affected every client whose data was recorded during a visit to a SMART location prior to December 31, 2016. In an extortion attempt, hackers accessed SMART systems, allegedly stole private information, and demanded a ransom payment to prevent the information from being published online. The breach notification letters do not confirm whether the ransom was paid, although SMART has told its clients that there is “no reason to believe that the data has been or will be used for further nefarious purposes.” The matter has been reviewed by the FBI and Homeland...

Multiple Breaches Lead to $2m Fine for Cottage Health
Dec04

Cottage Health, the Santa Barbara-based healthcare provider, will pay $2 million to resolve multiple violations of state and federal laws under a settlement with the California attorney general’s office. The attorney general’s office investigated the organization in relation to a breach of private patient data in 2013. Cottage Health discovered that breach on December 2, 2013, when a caller left a message on its voicemail warning system alerting the health network that sensitive patient information had been indexed by search engines and was accessible to anyone via Google. Over 50,000 patients had their sensitive information exposed online without any authentication requirement such as a password, and the server on which the information was stored was not...

Rocky Mountain Health Care Services has Second Unencrypted Laptop Stolen
Nov30

An unencrypted laptop has been stolen from an employee of Rocky Mountain Health Care Services of Colorado Springs, the second such incident in just three months. The latest theft was discovered on September 28. The laptop was found to contain the protected health information of a small number of patients, including first and last names, addresses, dates of birth, health insurance details, Medicare numbers, and limited treatment details. The incident has been reported to law enforcement, and affected patients have been notified by mail. Rocky Mountain Health Care Services, which also does business as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long...

Clinic Worker Who Stole PHI Jailed for Five Years
Nov27

A clinic employee who stole the protected health information of mentally ill patients and sold it to identity thieves has failed in an appeal to have his five-year jail term reduced. Jean Baptiste Alvarez, aged 43, of Aldan, PA, obtained daily census sheets from the Kirkbride Center, a 267-bed behavioral health facility in Philadelphia. The census sheets contained everything needed to steal patients’ identities and file fraudulent tax returns in their names: names, Social Security numbers, dates of birth and other personally identifiable information. Alvarez was able to take the sheets undetected because the area where they were kept had no security cameras in operation. Alvarez was paid $1,000 per...

Suspected UPMC Susquehanna Phishing Attack Exposes 1,200 Patients’ PHI
Nov23

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro and Muncy, Pennsylvania, has revealed that the protected health information of 1,200 patients may have been accessed by unauthorized individuals. Access is believed to have been gained after an employee responded to a phishing email. While the date of the breach has not been published, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation revealed that unauthorized individuals had gained access to that employee’s computer. It has not been determined whether the attacker viewed, stole or misused any patient data, but the possibility of data access and misuse could not be ruled...

Blue Cross and Blue Shield of Florida Breach Impacts Almost 1,000 People
Nov22

Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced that the personally identifiable information of a small number of insurance applicants was exposed online. Florida Blue discovered the exposure in late August 2017 and immediately launched a review. Florida Blue reports that the review showed that 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agency, Real Time Health Quotes (RTHQ). The backup contained agency files and copies of some health, dental, and life insurance applications from 2009-2014. The files were exposed because the backup had been stored on an unsecured cloud server. As a direct result, those files could have been accessed by...

New Jersey Medical Practice has Boxes of Medical Records Stolen
Nov21

Otolaryngology Associates of Central Jersey is contacting patients to notify them of a breach of their protected health information following a theft at an off-site storage facility in East Brunswick, NJ. Thieves removed thirteen boxes of paper medical records from the facility, containing data such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the names of treating physicians. A small number of driver’s license numbers and Social Security numbers were also among the stolen records. The theft was quickly discovered and law enforcement was notified. An internal investigation was launched, and steps were taken to reduce the potential for similar breaches in the future. The medical records were being stored at the facility in...

Alex Azar Nominated for HHS Secretary by President Trump
Nov16

Alex Azar, a former Deputy Secretary of the Department of Health and Human Services, is now the favorite to take over from former Secretary Tom Price after being nominated for the role by President Trump. During the George W. Bush administration, Azar served as general counsel to the HHS and later as Deputy Secretary. President Trump confirmed via his Twitter account that he believes Azar is the best person for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!” The role of Secretary of the Department of Health and Human Services was vacated by Tom Price in September 2017, after revelations about his controversial use of military aircraft...

Cook County Health and Hospitals System Notifies Patients of Business Associate Breach
Nov15

Illinois-based Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County, has notified its patients of a possible breach of their protected health information. The breach occurred at Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is used to determine insurance eligibility, and limited patient information is provided to the business associate for this purpose. The breach occurred in March 2017 during an upgrade of Experian Health’s computer system, when the protected health information of 727 patients was sent to other healthcare systems by mistake. The PHI disclosed was limited and did not include the sort...

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
Nov14

The Risk Based Security (RBS) 2017 data breach report shows a 305% rise in the number of records exposed in data breaches over the last 12 months. For its latest breach report, RBS, a provider of real-time information and risk analysis tools, analyzed breach reports from the first three quarters of 2017. As RBS explained in a recently published blog post, this year has been “yet another record breaker for data breaches.” In Q3 2017, 1,465 data breaches were reported, bringing the total number of publicly reported data breaches for the year to date to 3,833 incidents. So far in 2017, more than 7 billion records have been illegally accessed or stolen. RBS reports a steady increase in publicly disclosed data breaches since the end of May, with...

NY AG Brings in Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
Nov08

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the New York legislature by Attorney General Eric T. Schneiderman to protect New Yorkers from breaches of their personal information. The Act is intended to ensure that those affected are notified when such breaches occur. Sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), the program bill aims to strengthen protections for New York residents without placing an unnecessary burden on companies. The introduction of the SHIELD Act comes in the aftermath of the Equifax data breach, which affected more than 8 million New Yorkers. In 2016, more than 1,300 breaches were reported to the New York attorney...

New Variant of WannaCry Ransomware Detected in FirstHealth CyberAttack
Nov03

A new variant of WannaCry ransomware has been detected in a cyberattack on FirstHealth of the Carolinas, a Pinehurst, NC-based not-for-profit health provider. WannaCry came to global attention in the cyberattacks of May 2017, when more than 230,000 computers were infected within a day of the attacks starting. The ransomware had worm-like features and spread rapidly to any vulnerable networked computer it could reach. The campaign was halted when a kill switch was discovered: the malware checked whether a particular unregistered domain resolved before encrypting files, and once that domain was registered, new infections that could reach it stopped encrypting. However, FirstHealth has identified the malware used in its attack and believes it is a new WannaCry variant. The FirstHealth ransomware attack began on October 17, 2017. The...

Dental Offices And HIPAA Compliance: What Needs to Be Addressed?
Oct31

Dr. Joseph Beck became the first dentist to receive a HIPAA violation fine in 2014, which alerted dental offices to the importance of HIPAA compliance. Until then, dental offices had not been fined for noncompliance with HIPAA Rules. The penalty was applied not by the Department of Health and Human Services’ Office for Civil Rights (OCR) but by the Office of the Indiana attorney general. The $12,000 fine was for the alleged mishandling of the protected health information of 5,600 people. Since then, many settlements have been agreed with covered entities for HIPAA violations. Dental offices have not been subjected to further penalties since then, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing...

Consolidated Inc. Data Breach Impacts 21,856 People
Oct29

Nebraska-based CBS Consolidated Inc., operating as Cornerstone Business & Management Solutions, completed a routine audit of system logs on July 10, 2017 and found an unfamiliar account on one of its servers. Closer inspection showed the account was being used to download sensitive data from the server, including the protected health information of patients who used its medical supplies. 21,856 people who received durable medical supplies from the company through their Medicare coverage have potentially been affected. The types of data taken by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was breached, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details...
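
A routine log audit of the kind that uncovered this breach, written as an added example (not CBS Consolidated’s own tooling): it flags any account that was never provisioned, any download by such an account, and over-threshold daily download volume by an ordinary account. The log format, the account allowlist, the daily byte threshold and the sample lines are all assumed and constructed for the example.

```python
"""Audit a server access log for unfamiliar accounts and bulk downloads.

Added example; the log format, account allowlist and threshold are assumed
and the sample lines are constructed, not real CBS Consolidated logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: <timestamp> <user> <action> <path> <bytes>
SAMPLE_LOG = """\
2017-07-09T01:12:03Z jsmith LOGIN / 0
2017-07-09T01:15:44Z jsmith DOWNLOAD /exports/claims_2017-06.csv 18422
2017-07-09T02:03:10Z svc-backup DOWNLOAD /exports/nightly.tar 90331120
2017-07-09T02:40:57Z tmp_admin LOGIN / 0
2017-07-09T02:41:30Z tmp_admin DOWNLOAD /exports/patients_full.csv 52034411
2017-07-09T02:44:02Z tmp_admin DOWNLOAD /exports/medicare_ids.csv 3318770
2017-07-10T08:00:11Z ajones DOWNLOAD /exports/claims_2017-06.csv 18422
garbage line that does not parse
"""

# Assumed allowlist: accounts provisioned through the normal joiner process,
# and the subset of service accounts permitted to move large volumes.
KNOWN_ACCOUNTS = {"jsmith", "ajones", "svc-backup"}
BULK_ALLOWED = {"svc-backup"}
BULK_THRESHOLD = 10_000_000  # bytes per account per day (assumed policy value)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:]+Z) (?P<user>\S+) (?P<action>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    detail: str


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["bytes"] = int(event["bytes"])
        events.append(event)
    return events


def audit(events, known=KNOWN_ACCOUNTS, bulk_allowed=BULK_ALLOWED, threshold=BULK_THRESHOLD):
    """Return findings: accounts not on the allowlist, any download by such an
    account, and over-threshold daily download volume by ordinary accounts."""
    findings = []
    flagged_unknown = set()
    daily = defaultdict(int)  # (user, day) -> bytes downloaded that day
    for e in events:
        if e["user"] not in known and e["user"] not in flagged_unknown:
            flagged_unknown.add(e["user"])
            findings.append(Finding(e["user"], "unknown-account", f"first seen {e['ts']}"))
        if e["action"] == "DOWNLOAD":
            daily[(e["user"], e["ts"][:10])] += e["bytes"]
    for (user, day), total in sorted(daily.items()):
        if user not in known:
            findings.append(Finding(user, "unknown-account-download", f"{total} bytes on {day}"))
        elif total > threshold and user not in bulk_allowed:
            findings.append(Finding(user, "bulk-download", f"{total} bytes on {day}"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"{f.reason:26} {f.user:12} {f.detail}")
```

On a real server the allowlist would come from the identity system and the threshold from policy; the useful signal is the combination of a never-provisioned account and an export-sized transfer, which is what this kind of audit is meant to surface.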

3,725 Veterans Have Their PHI Exposed Due to Missing Laptop
Oct27

A laptop computer no longer in use, owned by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has gone missing, potentially exposing sensitive patient data. The laptop was connected to a hematology analyzer and held data related to hematology tests. It was in use between April 2013 and May 2016, when it was taken out of service after becoming unusable. The laptop, which had been purchased from a vendor, was replaced, but an equipment inventory at the MGVAMC lab later found the device to be missing. The device should have been returned to the vendor it was purchased from, but the vendor has no record of it ever being recalled from MGVAMC. A complete search of the medical center...

Data Breaches Drop For Second Consecutive Month
Oct26

The latest Protenus/Databreaches.net Breach Barometer report shows that healthcare data breaches have dropped for the second consecutive month. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the drop in the number of breaches is encouraging, that is still more than one healthcare data breach per day. August was the second-best month of the year so far in terms of the number of reported incidents, but the third-worst in terms of the number of individuals affected. 575,142 people were affected by healthcare data breaches in July, rising to 673,934 individuals in August. That figure will rise further, as two incidents were not included in the total because it is not yet...

New Service Streamlines Process of Finding HIPAA Compliant Vendors
Oct25

Finding HIPAA compliant vendors can be difficult for healthcare providers, health plans and other HIPAA covered entities. Any prospective vendor that will handle PHI must comply with Health Insurance Portability and Accountability Act Rules: it must agree to implement robust security controls to safeguard any PHI supplied to it, comply with HIPAA Privacy Rule provisions, and agree to send notifications in the event of a PHI breach. Once a prospective vendor has been identified, its business associate agreement must be scrutinized, which often incurs legal fees. Only when the BAA has been confirmed as meeting HIPAA requirements, and reasonable assurances have been obtained that the business associate will follow HIPAA Rules, can a contract be signed and the service or product used....

OIG Identifies Multiple Security Weaknesses in Alabama’s Medicaid Management Information System
Oct24

The HHS’ Office of Inspector General (OIG) has completed an audit of Alabama’s Medicaid data and information systems to determine whether the state was in compliance with federal regulations. The review covered the Medicaid Management Information System (MMIS) and associated policies and processes. OIG also carried out vulnerability scans of networked devices, databases, websites, and servers to identify vulnerabilities that could be exploited to gain access to systems and sensitive information. The audit found that Alabama’s MMIS had multiple weaknesses that could be exploited by hackers to gain access to its systems and Medicaid data. Alabama had implemented a security program for its MMIS, but several weaknesses had been allowed to persist. OIG stated in its...

HHS Withdraws Proposed Rule for Health Plans Certification of Compliance
Oct20

In January 2014, the HHS proposed a new rule for certification of compliance for health plans, requiring all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate HIPAA compliance. The proposed rule, ‘Administrative Simplification: Certification of Compliance for Health Plans’, was drafted to promote more consistent testing procedures for CHPs. The HHS has now decided to withdraw the proposal. Had the rule been finalized, CHPs would have been required to demonstrate compliance with HIPAA administrative simplification standards for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. Failure to comply with the new rule could have led to...

Medical Device Cybersecurity Emphasis for New AEHIS/ MDISS Partnership
Oct17

A new partnership between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS) will focus on advancing medical device cybersecurity and improving patient data security. The two groups will cooperate to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating members about threats to device security, providing training, and promoting information sharing. For the past three years, AEHIS has been helping healthcare organizations improve their information security defenses. More than 700 CISOs and other healthcare IT security leaders have taken advantage of the education and networking...

Internet of Medical Things Resilience Partnership Act to Provide Direction on Devices
Oct13

The Internet of Medical Things Resilience Partnership Act, which would establish a public-private stakeholder partnership tasked with developing a cybersecurity framework to prevent data breaches, has been introduced in the U.S. House of Representatives. The hope is that the framework will be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resistant to cyberattacks. The range of medical devices now used in the healthcare industry is considerable and is only likely to keep growing. As more devices are developed, the risk of harm to patients grows. These devices are currently used in hospitals, worn by patients receiving treatment, surgically implanted, or used in the home. The devices...

HHS Withdraws Proposed Rule for Certification of Compliance for Health Plans
Oct11

Early in 2014, the HHS proposed a new rule for certification of compliance for health plans that would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with the electronic transaction standards set by the HHS under HIPAA Rules. The proposed rule was intended to support more consistent testing processes for CHPs. The HHS has now revealed that the proposed rule has been withdrawn from consideration. Had it reached the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administrative simplification standards for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The inability to...

Over Half of Cloud Storage Services are Misconfigured: Report
Oct10

A recent report by cloud threat defense firm RedLock claims that more than half of businesses have made errors that exposed sensitive data to the public via the cloud. The study shows many organizations are not following established security best practices, such as requiring multi-factor authentication for all privileged account users. Worse still, many organizations are failing to continuously monitor their cloud environments, which means data is being exposed without detection. The problem appears to be worsening: RedLock’s previous review, for Q2, found that 40% of businesses had misconfigured at least one of their cloud storage services, such as Amazon Simple Storage Service (Amazon S3). The new study, released in its latest Cloud Security Trends Report, shows that percentage has grown to 53%...
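
The S3 misconfiguration RedLock is counting is usually a bucket policy or ACL that grants access to any principal. The following checker is an added example, not from the RedLock report or from Amazon: it evaluates bucket policy and ACL documents of the shape returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` for such grants, so it runs offline. The bucket name, account ID, role name and all sample documents are constructed for the example.

```python
"""Flag S3 bucket policies and ACLs that grant access to the public.

Added example, not from the RedLock report. It evaluates documents of the
shape returned by `aws s3api get-bucket-policy` / `get-bucket-acl`, so it
runs offline; the sample documents below are constructed.
"""
import json

# Predefined S3 groups that mean "anyone" (AuthenticatedUsers = any AWS account).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside any principal list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_statements(policy):
    """Return the Sid (or index) of each Allow statement open to any principal.

    Statements carrying a Condition are returned separately as 'conditional':
    a condition such as aws:SourceIp may or may not narrow access enough, so
    they need review rather than an automatic verdict.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    open_, conditional = [], []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement[{i}]")
        (conditional if st.get("Condition") else open_).append(sid)
    return {"open": open_, "conditional": conditional}


def public_acl_grants(acl):
    """Return (group URI, permission) for every ACL grant to a public group."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def bucket_is_public(policy, acl):
    """Bucket is public if either the policy or the ACL opens it unconditionally."""
    return bool(public_policy_statements(policy)["open"]) or bool(public_acl_grants(acl))


# --- constructed sample documents (hypothetical bucket, account and role) ----
BUCKET_ARN = "arn:aws:s3:::example-agency-backups"

EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*",
    }],
}

# The corrected policy: access limited to one role, plus a Deny for plaintext
# transport. The Deny uses Principal "*" but is hardening, not an exposure.
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AgencyRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/agency-backup"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Any-principal grant narrowed by a Condition: flagged for review, not as open.
CONDITIONAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeRange", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print("exposed policy:", bucket_is_public(EXPOSED_POLICY, PRIVATE_ACL))  # True
    print("locked policy: ", bucket_is_public(LOCKED_POLICY, PRIVATE_ACL))   # False
    print("public ACL:    ", bucket_is_public(LOCKED_POLICY, EXPOSED_ACL))   # True
```

Conditional grants are reported for review rather than as open because a narrow aws:SourceIp range and a broad one look identical to a policy walker. The check covers the bucket policy and bucket ACL only; object-level ACLs can open individual keys and need to be checked separately.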

Hacking Group ‘The Dark Overlord’ Attacks Another Healthcare Organization
Oct09

After a seemingly prolonged period of inactivity, the hacking group TheDarkOverlord (TDO) has revealed another attack on a U.S. healthcare provider, Massachusetts-based SMART Physical Therapy (SMART PT). The hack reportedly happened on September 13, 2017, with TDO announcing the data theft on Twitter on Friday the 22nd. No details were given of how access to the data was gained, although TDO told databreaches.net that the attack exploited weak passwords. The entire patient database was reportedly obtained. Databreaches.net was provided with the patient database and was able to confirm that the attack was genuine. The database held a wide range of data on 16,428 patients, including contact information, dates of birth and Social Security...

What is the Definition of a HIPAA Covered Entity?
Oct09

The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and business associates, but what is the definition of a HIPAA covered entity, and what is a HIPAA business associate? Knowing the definitions is essential: if you are classed as either, you must comply with HIPAA Rules, there are severe financial penalties for noncompliance, and ignorance is not a valid defense. What is the definition of a HIPAA covered entity? A HIPAA covered entity is a healthcare provider, health plan or healthcare clearinghouse that electronically transmits protected health information in connection with transactions for which the Department of Health and Human Services has adopted standards. The above healthcare...

Catholic Charities of the Diocese of Albany Discovers Long-Term Malware Infection
Oct09

Catholic Charities of the Diocese of Albany (CCDA) discovered during a software upgrade in August 2017 that malware had been installed on one of the computer servers used by its Glens Falls office, which provides services in Saratoga, Warren and Washington Counties in New York. Access to the server was quickly blocked, and CCDA engaged a computer security firm to investigate the unauthorized access. The investigation, which took several weeks to complete, revealed that the server had potentially been accessible to the attacker as far back as 2015. While the server had been accessed and malware installed, the investigation found no evidence that the protected health information of patients had been accessed or stolen. A review of the server showed the...

OCR Issues Guidance on Responding to a Cyberattack
Oct05

The Department of Health and Human Services’ Office for Civil Rights has published new guidance for covered entities on how to respond to a cyberattack. The guidance includes a quick-response checklist and an accompanying infographic explaining the correct response to a cyberattack and the sequence of steps that should be taken. Preparation is key to a correct response: covered entities must have response and mitigation procedures in place, and contingency plans should be implemented immediately after a cyberattack, malware infection or ransomware attack is identified. The first step in a response is to act quickly to prevent any impermissible disclosure of electronic protected health information. If a network intrusion has occurred, unauthorized access to the...

128,000 Arkansas Patients Affected by Ransomware Attack
Oct05

128,000 patients of the Arkansas Oral Facial Surgery Center in Fayetteville have had their private information potentially compromised in a ransomware attack. The ransomware is believed to have been placed on the center’s network between July 25 and 26, 2017. The attack was identified quickly, although not before files, x-ray images, and documents had been encrypted. The ransomware did not encrypt the center’s patient database, except for a ‘relatively limited’ set of patients whose data relating to recent visits was encrypted. Those patients had visited the center for medical services in the three weeks before the attack. The attack is still under investigation, although no evidence of data theft has been found to date. Arkansas Oral Facial Surgery Center believes the...

Microsoft OneDrive: Does it adhere to HIPAA Compliance Rules?
Oct01

With cloud storage proliferating at the same time as HIPAA Rules have become increasingly strict about securing private data, organizations are asking whether Microsoft OneDrive is HIPAA compliant. Many healthcare organizations already use Microsoft Office 365 Business Essentials, including Microsoft Exchange Online for email. Office 365 Business Essentials includes OneDrive, a user-friendly platform for storing and sharing files. There is certainly no bar to HIPAA-covered entities using OneDrive: Microsoft supports HIPAA compliance, and many of its cloud services, including OneDrive, can be used without breaching HIPAA Rules. That said, before OneDrive – or any cloud service – can be implemented...

Cloud Computing Platforms and the Implications of HIPAA
Sep28

Before a healthcare provider uses a cloud computing service to store or process protected health information (PHI), or to build web-based applications that collect, store, maintain, or transmit PHI, the covered entity must ensure the service is secure. Even where a cloud platform provider claims to be HIPAA certified (there is no official HIPAA certification), or claims that its service is HIPAA compliant or supports HIPAA compliance, the platform cannot be used to store ePHI until a risk analysis – see 45 CFR § 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is a vital element of HIPAA compliance for cloud computing services. After completing the risk analysis, the covered entity must establish risk management policies for the service – 45 CFR §...

HITRUST/AMA Begin Project to Assist Small Healthcare Firms with HIPAA Compliance
Sep28

HITRUST has announced that it will be working with the American Medical Association (AMA) on a new project to assist small healthcare companies with HIPAA compliance, cybersecurity and cyber risk management. Small healthcare providers can be more exposed to cyberattacks, as they usually lack the resources to dedicate to cybersecurity and rarely have the budget to employ skilled cybersecurity staff. This week has highlighted the need for small practices to strengthen their cybersecurity defenses, with the hacking group TheDarkOverlord announcing two cyberattacks on small healthcare providers. Recent ransomware attacks have also shown that healthcare organizations of all sizes are likely to be attacked. Organizations, both big and...

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
Sep23

The U.S. Department of Health and Human Services has issued a partial waiver of HIPAA Privacy Rule sanctions and penalties in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands, the third such waiver of 2017, following the waivers issued for areas affected by hurricanes earlier this year. The previous waivers were issued in relation to Hurricane Harvey and Hurricane Irma, and as in those cases, the waiver applies only to covered entities in areas where a public health emergency has been declared, only for 72 hours following the activation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule: the requirement to obtain a patient’s agreement to speak with family members or friends involved...


Hurricane Maria Disaster Zone: Partial HIPAA Privacy Rule Waiver Issued by HHS

A third HIPAA waiver has been issued by the U.S. Department of Health and Human Services, following two earlier partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes earlier in 2017. On this occasion the waiver covers the Hurricane Maria disaster zone in Puerto Rico and the U.S. Virgin Islands. As with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver applies only to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster procedures, and only for specific provisions of the HIPAA Privacy Rule: the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s...

Imperial Valley Family Care Medical Group Passes HIPAA Audit
Sep20

The second phase of HIPAA compliance audits was launched in 2016 by the Department of Health and Human Services’ Office for Civil Rights. The audit program consists of desk audits of HIPAA-covered entities and business associates, followed by a round of more comprehensive audits incorporating site visits. The desk audits in this round have been completed; the site audits were delayed but are now due to start in early 2018. Only a small number of covered entities have been selected for audit in the second phase; however, covered entities that have avoided an audit may still be required to show they are in compliance with HIPAA Rules. In addition to the audit program, any HIPAA-covered organization that...

Read More
Imperial Valley Passes OCR HIPAA Audit With Help From The Compliancy Group
Sep19

Imperial Valley Passes OCR HIPAA Audit With Help From The Compliancy Group

The Department of Health and Human Services’ Office for Civil Rights (OCR) has investigated a California physician group following a reported breach of protected health information. Covered entities can implement policies and procedures to prevent data breaches, but security incidents are still likely to occur. Responding correctly to those breaches and ensuring HIPAA Rules are carefully followed will help to ensure financial penalties for HIPAA violations are avoided. As with all breaches that result in the protected health information of more than 500 individuals being exposed, OCR launched an investigation of Imperial Valley Family Care Medical Group (IVFCMG) when the breach summary was submitted through its breach portal. The breach in question was the theft of a laptop computer...

Read More
Hospitals in Irma Disaster Area Granted Limited HIPAA Waiver
Sep13

Hospitals in Irma Disaster Area Granted Limited HIPAA Waiver

A limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Hurricane Irma has been issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in the U.S. Virgin Islands, Puerto Rico, and Florida. OCR says that the HIPAA Privacy and Security Rules are still in place and covered entities must continue to obey HIPAA Rules; however, certain parts of the Privacy Rule have been temporarily waived in line with the Project Bioshield Act of 2004 and Section 1135(b) of the Social Security Act. Should a hospital in the disaster zone not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will not be applicable: 45 CFR 164.510(b) – Obtain a patient’s agreement to consult with family members or...

Read More
OCR Warns Covered Bodies to Prepare for Natural Disasters
Sep09

OCR Warns Covered Bodies to Prepare for Natural Disasters

Medical centers and hospitals were recently stretched before and after Hurricane Harvey, in Texas and Louisiana, as they sought to provide medical services without breaching HIPAA Rules. Concern arose regarding when it is allowable to share health information with patients’ friends and family, the media and the emergency services, and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights reacted by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in cases of emergency, to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document. Following quickly after Hurricane Harvey come hurricanes Irma and...

Read More
Finding ‘Big, Juicy, Egregious’ HIPAA Breach Priority for OCR Head
Sep07

Finding ‘Big, Juicy, Egregious’ HIPAA Breach Priority for OCR Head

The main enforcement priority for 2017 of Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), is to find a “big, juicy, egregious” HIPAA breach to use as an example for other healthcare groups on the risks of failing to follow HIPAA Rules. When choosing which cases to pursue, OCR considers the chance to use such a case as an educational tool to warn covered groups of the need to comply with specific aspects of HIPAA Rules. At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino said “I have to balance that law enforcement instinct with the educational component that we do.” Severino added, “I really want to make sure people come into compliance without us having to enforce. I want to underscore...

Read More
Hurricane Harvey Disaster Zone: HHS Issues Partial Waiver of HIPAA Sanctions
Sep01

Hurricane Harvey Disaster Zone: HHS Issues Partial Waiver of HIPAA Sanctions

HHS Secretary Tom Price announced that OCR is issuing a partial waiver of sanctions and financial penalties for specific Privacy Rule violations for hospitals in Texas and Louisiana in the Hurricane Harvey emergency zone. This partial waiver is only applicable to the provisions of the HIPAA Privacy Rule outlined below: The obligation to receive a patient’s agreement to talk with family members or friends involved in the patient’s treatment. See 45 CFR 164.510(b). The obligation to honor an opt-out request in relation to the facility directory. See 45 CFR 164.510(a). The requirement to issue a public notice of privacy practices. See 45 CFR 164.520. The patient’s right to request privacy restrictions. See 45 CFR 164.522(a). The patient’s right to request confidential...

Read More
HIPAA Privacy Rule Violation Penalties Waived in Wake of Hurricane Harvey
Aug28

HIPAA Privacy Rule Violation Penalties Waived in Wake of Hurricane Harvey

Secretary of the U.S. Department of Health and Human Services Tom Price has announced that certain HIPAA Privacy Rule violation penalties will be waived in the disaster area of Hurricane Harvey in Texas and Louisiana. Following any natural disaster, hospitals and health systems must operate in difficult circumstances. During such times, it can be a major challenge to provide treatment while complying with all aspects of HIPAA Rules. With resources stretched, HIPAA Privacy Rule violations can easily occur. In emergency situations, such as when healthcare organizations are required to assist in disaster relief efforts, HIPAA Rules must still be followed. The HIPAA Privacy Rule is not suspended in such situations, although the HHS Secretary can waive certain provisions of the HIPAA...

Read More
Getting Basics Correct Key to Avoiding Data Breaches
Aug16

Getting Basics Correct Key to Avoiding Data Breaches

Intrusion detection systems, next generation firewalls, insider threat management software and data encryption will all help healthcare organizations identify threats, prevent security breaches, and detect attacks quickly when they happen. Even with all of these measures in place, it is still vitally important to address the security basics. The Office for Civil Rights breach portal is filled with examples of HIPAA data breaches that were caused by the simplest of mistakes and basic security failures. Strong security begins with the fundamentals. This was recently highlighted in a number of blog posts by the FTC. The posts are aimed at helping businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically targeted at healthcare organizations, the...

Read More
Breach Notification Rule is Violated by Delaying Issuing of Breach Notifications
Aug12

Breach Notification Rule is Violated by Delaying Issuing of Breach Notifications

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities to notify the HHS’ Office for Civil Rights of any breach of protected health information and to issue notification letters to affected individuals without unreasonable delay and no later than 60 days after the discovery of the breach. July’s Breach Barometer report from Protenus indicated that many covered entities have had difficulty in complying with the HIPAA Breach Notification Rule and have reported their breaches to OCR after the deadline has expired. 2017 has seen a major reduction in average reporting times. The Protenus 2017 Breach Barometer Mid-Year Review outlines that between January and June, it took a mean time of 54.5 days from the identification of a breach to...

Read More
U.S. Senate Passes Jessie’s Law Allowing Drug Histories to be Shared with Doctors
Aug07

U.S. Senate Passes Jessie’s Law Allowing Drug Histories to be Shared with Doctors

Last week, the U.S. Senate passed new legislation – Jessie’s Law – that allows details of patients’ past drug abuse to be shared with physicians if patients give their consent. At present, drug abuse histories are prohibited from being shared to protect the privacy of patients. That information is kept separate from a patient’s medical record. Unfortunately, the law can have terrible consequences, as was highlighted by a tragic incident involving a recovering addict, Jessica Grubb. Jessica had been struggling with opioid addiction for several years, although after undergoing treatment, she had been sober for six months. Jessica had turned her life around and had taken up running, but suffered an injury that required surgery. Jessica was admitted to hospital. Her parents were at the...

Read More
2017 Healthcare Data Breach Trends Highlighted in Protenus Report
Aug04

2017 Healthcare Data Breach Trends Highlighted in Protenus Report

Protenus, working with Databreaches.net, has released its Breach Barometer mid-year review. The report includes all healthcare data breaches reported over the past six months and gives important insights into the latest data breach trends. The Breach Barometer is a detailed review of healthcare data breaches, including not only the data breaches made known to the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also public media reports of incidents and public findings. Prior to being included in the report, all breaches must be independently confirmed as genuine by databreaches.net. The Breach Barometer reports look into the main factors causing data breaches suffered by healthcare providers, health plans and their business associates. In a...

Read More
NotPetya Attack on Nuance Communications Not Reported to OCR
Aug03

NotPetya Attack on Nuance Communications Not Reported to OCR

The Department of Health and Human Services’ Office for Civil Rights has previously made it clear, in its ransomware guidance, that ransomware attacks which encrypt ePHI are usually HIPAA breaches and are presumed reportable. In that guidance OCR says that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” adding that the definition of a breach in HIPAA is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A ransomware attack is designated as a HIPAA breach because the actions of the attackers have led to the acquisition of PHI, in the sense that unauthorized people have taken control...

Read More
HIPAA Breaches Under Investigation Highlighted in OCR Data Breach Portal Update
Jul28

HIPAA Breaches Under Investigation Highlighted in OCR Data Breach Portal Update

In June 2017, the Department of Health and Human Services announced it was considering an update to its data breach portal, commonly called the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act states that OCR must maintain a public list of breaches of protected health information that have affected more than 500 individuals. All 500+ record data breaches submitted or made known to OCR since 2009 are listed on the breach portal. The data breach list contains a wide variety of breaches, many of which happened through no fault of the covered entity and involved no violation of HIPAA Rules. OCR has been criticized for its breach portal due to this, most recently by Rep. Michael Burgess (R-Texas), who said the breach portal was ‘unnecessarily punitive’ in its current...

Read More
33% of Patients Access Their Health Data on Patient Portals
Jul28

33% of Patients Access Their Health Data on Patient Portals

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allows people to view information regarding their health stored by their providers. However, as revealed in a recent U.S. Government Accountability Office (GAO) report, few patients are actually exercising this right using the provided patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare organizations to move from paper to electronic medical records, and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been given the access, fewer than a third of patients are accessing patient portals to view their health information. GAO reviewed patient health information access from the...

Read More
Data Breach Reporting Tool Updated by OCR
Jul25

Data Breach Reporting Tool Updated by OCR

Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights developed its data breach reporting tool to allow HIPAA-covered entities to easily submit reports of data breaches. A summary of data breach reports is published via the data breach reporting tool and is viewable by the public. The data breach list – which is commonly known as OCR’s Wall of Shame – details all reported healthcare data breaches that impact more than 500 individuals. While there have been updates to the data breach reporting tool since its release, the format of the data breach list has changed little over the years. An update to the portal, and how the information is displayed, was long overdue. Recently there have been calls for OCR to change the...

Read More
Model Patient Request for Health Information Form Issued by AHIMA
Jul25

Model Patient Request for Health Information Form Issued by AHIMA

A model patient request for health information form has been issued by the American Health Information Management Association (AHIMA) that can be used by healthcare providers to give to patients who request copies of their health information. The HIPAA Privacy Rule permits patients to obtain copies of their health data from their providers, although at many hospitals the process is inefficient, lacks transparency and patients are often left in the dark about what is happening after they have submitted their requests, according to a recent report from the ONC. Under HIPAA Rules, patients must be provided with copies of their health information within 30 days of the request being submitted. Patients are also permitted to request their information in paper or electronic form, although ONC...

Read More
How does HIPAA Affect Use of Google Drive?
Jul22

How does HIPAA Affect Use of Google Drive?

The service G Suite – formerly known as Google Apps, of which Google Drive is a part – is compliant with HIPAA. The service does not breach HIPAA Rules; however, users of the service may breach the rules themselves. G Suite includes all of the required security controls to make it a HIPAA-compliant service and can be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), once the account is configured correctly and standard security practices are in place. The use of any software or cloud storage service in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) before the service is used with any PHI. Google provides a BAA for Google Drive (including Docs, Sheets,...

Read More
Study: Data Breaches by Ex Employees a Concern
Jul20

Study: Data Breaches by Ex Employees a Concern

A recent study carried out by OneLogin showed many organizations are not doing enough to stop data breaches by ex-employees. While access to computer systems and applications is a requirement during employment, many organizations are neglecting to block access to systems quickly when employees depart the company, even though ex-employees pose a significant security risk. Revoking access to networks and email accounts when a member of staff is terminated or otherwise leaves the company is one of the most basic security measures, yet all too often the process is delayed. 600 IT employees who had some responsibility for security in their organization were questioned for the study, and around half of respondents said they do not immediately cut ex-employees’...
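The check that closes the gap described above is a reconciliation of the HR termination roster against the identity directory: any account still enabled, or logged into, after its owner's termination date is a finding. The script below is an added example, not from the OneLogin study or this site; the two CSV layouts, the sample rows, the 24-hour revocation window and the user names are all assumptions.

```python
"""Added example: find ex-employee accounts whose access was not revoked.
Not from the OneLogin study or this site. CSV layouts, names, the
24-hour revocation window and the sample rows are assumptions."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed internal policy: access must be disabled within 24 hours of termination.
REVOCATION_SLA = timedelta(hours=24)

# Constructed sample data standing in for an HR export and a directory export.
HR_TERMINATIONS = """employee_id,username,termination_date
1001,jdoe,2017-07-10
1002,asmith,2017-07-14
1003,bwong,2017-07-19
"""

DIRECTORY_ACCOUNTS = """username,enabled,last_login
jdoe,true,2017-07-18T09:12:00Z
asmith,false,2017-07-13T17:40:00Z
bwong,true,2017-07-18T08:00:00Z
clee,true,2017-07-19T07:30:00Z
"""

# Assumed "now" for the review run, so the example is reproducible offline.
AS_OF = "2017-07-20T00:00:00Z"


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _day(value):
    """Treat a termination date as midnight UTC of that day (assumption)."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def find_lingering_access(hr_csv, dir_csv, as_of):
    """Return one finding per terminated user whose account is still enabled
    past the SLA, or that was used after the termination date."""
    now = _ts(as_of)
    accounts = {r["username"]: r for r in csv.DictReader(io.StringIO(dir_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(hr_csv)):
        terminated = _day(row["termination_date"])
        if terminated > now:
            continue  # future-dated termination, nothing to check yet
        acct = accounts.get(row["username"])
        if acct is None or acct["enabled"].strip().lower() != "true":
            continue  # no account, or already disabled: revocation done
        hours_enabled = (now - terminated) / timedelta(hours=1)
        post_term_login = _ts(acct["last_login"]) > terminated
        if hours_enabled > REVOCATION_SLA / timedelta(hours=1) or post_term_login:
            findings.append({
                "username": row["username"],
                "employee_id": row["employee_id"],
                "hours_enabled_after_termination": hours_enabled,
                # A login after termination is the serious indicator: the
                # account was not just left enabled, it was actually used.
                "post_termination_login": post_term_login,
            })
    # Most serious first: used-after-termination, then longest-overdue.
    findings.sort(key=lambda f: (not f["post_termination_login"],
                                 -f["hours_enabled_after_termination"]))
    return findings


if __name__ == "__main__":
    for f in find_lingering_access(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, AS_OF):
        print(f)
```

With the constructed data only jdoe is reported: the account is still enabled ten days after termination and was used eight days after it. bwong's account is still enabled but inside the 24-hour window, and asmith's was disabled on time.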

Read More
ONC Office of the Chief Privacy Officer Funding Stopping in 2018
Jul19

ONC Office of the Chief Privacy Officer Funding Stopping in 2018

The withdrawal of funding for the Office of the Chief Privacy Officer has resulted in ONC National Coordinator Don Rucker, M.D. confirming that the office will be closed during 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been acting as Acting Chief Privacy Officer until a permanent replacement to the role previously filled by Lucia Savage is identified, following her departure in January. It now seems unlikely that a permanent replacement will be recruited. One of the key duties of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is properly protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies in relation to electronic health...

Read More
HIPAA Compliance and Dropbox, What You Need to Know
Jul16

HIPAA Compliance and Dropbox, What You Need to Know

Dropbox is one of the most popular and successful file hosting services available online, but does it comply with HIPAA? Dropbox states that it supports HIPAA and HITECH Act compliance, but that does not mean Dropbox itself is HIPAA compliant. No software or file sharing platform can be HIPAA compliant on its own, as compliance depends on how the software or platform is used and on the individuals using it. However, healthcare organizations can use Dropbox to share or store files containing protected health information without breaching HIPAA Rules. The Health Insurance Portability and Accountability Act requires covered entities to complete a business associate agreement (BAA) with an organization before any protected health information (PHI) is shared. Dropbox is classified as a business...

Read More
ONC Offers Tips to Improve Patient Data Access
Jul15

ONC Offers Tips to Improve Patient Data Access

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has given covered entities tips to improve patient data access, explaining how important it is for patients to be given access to their health information. In its report – Improving the Health Records Request Process for Patients – ONC explains that under HIPAA Rules, patients are given the right to access their records. Healthcare organizations must provide patients with copies of their health information within 30 days of the request being received. However, in many cases, patients are not fully aware of their rights and are not given much information on the process. While patients can request electronic copies of their medical records, some healthcare organizations are only providing paper...

Read More
File Sharing Tools and Cloud Computing: OCR Highlights Risks
Jul05

File Sharing Tools and Cloud Computing: OCR Highlights Risks

File sharing and collaboration services offer many advantages to HIPAA-covered entities, although the services can also introduce risks to the privacy and security of electronic health information. Many organizations, including healthcare organizations, use these services, yet they can lead to the exposure or disclosure of sensitive information. The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently issued a notice to covered entities and business associates warning of the potential weaknesses associated with file sharing and collaboration tools, explaining the risks these tools can introduce and how covered entities can use these tools and remain in compliance with HIPAA Rules. While file sharing services and cloud computing may incorporate all...

Read More
Anthem Agrees Largest Ever Data Breach Settlement
Jun28

Anthem Agrees Largest Ever Data Breach Settlement

The largest ever data breach settlement has recently been agreed by the health insurer Anthem Inc. Anthem was hit with a cyberattack in 2015 resulting in the theft of 78.8 million records of current and former health plan subscribers. The breach involved names, addresses, Social Security numbers, email addresses, birth dates and employment/income information being accessed without authorization. A breach of that size inevitably resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years later, Anthem has agreed to settle the litigation for $115 million. If the settlement is approved, it will be the largest data breach settlement ever – much higher than the $18.5 million settlement agreed by...

Read More
Healthcare Data Breach Report Shows Breaches Are Taking Years to Detect
Jun24

Healthcare Data Breach Report Shows Breaches Are Taking Years to Detect

The latest healthcare data breach report issued by Protenus, in conjunction with databreaches.net, shows healthcare data breaches increased in May, with 37 breaches reported compared to 34 the previous month. The number of records exposed in those breaches was 255,108, although not all breach figures are known. That still represents a jump from last month, when 232,060 healthcare records were known to have been exposed or stolen. One of the breaches reported in May involved the theft of 140,000 records. That was a hacking incident in which data was stolen and a ransom demand issued. The ransom was not paid and the records were dumped online. Hacking was the leading cause of healthcare data breaches in April, but in May it was insiders once again that caused the most...

Read More
CoPilot Fined $130,000 by NY AG for Breach Notification Submitted Late
Jun21

CoPilot Fined $130,000 by NY AG for Breach Notification Submitted Late

A data breach that happened in the second half of 2015 should have seen affected individuals notified within 60 days. However, it took CoPilot Provider Support Services Inc. until January 2017 to send out official breach notifications. An administration portal controlled by CoPilot was accessed by an unauthorized person on October 26, 2015. That person also stole the data of 221,178 people. The stolen data included names, dates of birth, phone numbers, addresses and medical insurance information. The person believed to have accessed the website and downloaded the data was a former worker at CoPilot. The company contacted the FBI in February 2016 to receive assistance with the breach investigation and establish the identity of the unauthorized person. However, breach notifications were not issued...

Read More
New York Attorney General Fines CoPilot for Delaying Breach Notifications
Jun19

New York Attorney General Fines CoPilot for Delaying Breach Notifications

Under Health Insurance Portability and Accountability Act (HIPAA) Rules, covered entities must report data breaches within 60 days of the discovery of a breach. Affected individuals must also be notified within the same time frame. State legislation has been introduced that similarly requires organizations to issue notifications and report the incidents to state officials. Breach reports are also covered by other federal legislation and typically require organizations to issue breach notifications to affected individuals in a timely manner. Most organizations report data breaches promptly, although recently there have been some notable exceptions. OCR has recently fined one healthcare organization for waiting a month past the HIPAA deadline before issuing notifications. Presence Health...

Read More
HHS Looking Into OCR’s Wall of Shame Following Criticism
Jun17

HHS Looking Into OCR’s Wall of Shame Following Criticism

The Department of Health and Human Services’ Office for Civil Rights started publishing OCR’s ‘Wall of Shame’ – summaries of healthcare data breaches – on its website in 2009. The data breach list only includes a short synopsis of each data breach, including the name of the covered entity, the state in which the covered entity is based, the covered entity type, the date of notification, the type of breach, the location of the breached information, whether a business associate was involved and the number of individuals affected. The list includes all officially submitted data breaches, including those which occurred through no fault of the healthcare organization. The list is not a complete record of HIPAA violations. Those are determined during OCR...

Read More
HHS Considers Making Changes to the OCR Wall of Shame
Jun16

HHS Considers Making Changes to the OCR Wall of Shame

Since the HITECH Act came into force in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing data breach summaries on its website. The website lists brief details of the type of data breach experienced by HIPAA-covered entities with information such as the cause of the breach, the devices that were involved, the number of individuals affected and the name of the company that experienced the data breach. HITECH requires OCR to publish breach summaries; however, this element of HITECH has been criticized recently. While some privacy proponents suggest that the site does not go into enough detail on the breach and provides little useful information for the general public, others claim the permanent listing of breached entities on the site is...

Read More
OCR Issues Guidance on the Correct Response After a Cyberattack
Jun09

OCR Issues Guidance on the Correct Response After a Cyberattack

The increase in hacking incidents in 2017 and major worldwide cyber incidents such as the WannaCry ransomware attacks have prompted the Department of Health and Human Services’ Office for Civil Rights (OCR) to issue new guidance on the correct response after a cyberattack. Yesterday, OCR sent a Quick Response Cyber Attack Checklist to its security and privacy list subscribers explaining the correct procedures to follow after a cyberattack is discovered. In addition to the checklist, OCR has produced an infographic detailing the most important steps to take after a ransomware attack or cyber-related security incident. Respond, Report Crime, Report Threat, Assess Breach. The first step to take following a cyberattack is to implement response and mitigation procedures and contingency plans. The...

Read More
Need for Access Controls and Alerts Highlighted by Internal Staff Snooping Incidents
Jun04

Need for Access Controls and Alerts Highlighted by Internal Staff Snooping Incidents

Ransomware, malware and unpatched software vulnerabilities pose a danger to the confidentiality, integrity and availability of PHI, but healthcare organizations must also put in place processes to deal with threats from within. This year has seen a multitude of cases involving employees snooping on and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security...
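The audit-log review that §164.308(a)(1)(ii)(D) calls for only catches snooping if the review asks the right questions: did the user have a treatment relationship with the patient whose record was opened, and is the user browsing far more records than their role requires? The script below is an added example of such a review pass, not an OCR or EHR vendor tool; the log line format, the assignment table standing in for treatment relationships, the EMERGENCY break-the-glass reason code, the 10-minute window and the five-patient threshold are all assumptions, and the log lines are constructed.

```python
"""Added example: review EHR access-log lines for snooping patterns.
Not an OCR or vendor tool. Log format, assignment table, reason codes,
window size and thresholds are assumptions; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO-8601 UTC> user=<id> patient=<id> action=<verb> [reason=<code>]"
LINE_RE = re.compile(r"^(\S+) user=(\S+) patient=(\S+) action=(\S+)(?: reason=(\S+))?$")
WINDOW = timedelta(minutes=10)  # assumed: sliding window for bulk-access detection
BURST_LIMIT = 5                 # assumed: distinct patients in the window before flagging

# Assumed treatment relationships for the day: user -> patients assigned to them.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "dr_c": {"P1001", "P1003", "P1004"},
    "clerk_b": set(),
}

# Constructed sample log: routine access, one break-the-glass access,
# a clerk paging through six unrelated charts, and a nurse opening a
# chart outside her assignment.
SAMPLE_LOG = """\
2017-05-30T08:01:12Z user=nurse_a patient=P1001 action=VIEW
2017-05-30T08:03:40Z user=nurse_a patient=P1002 action=UPDATE
2017-05-30T08:05:02Z user=dr_c patient=P1009 action=VIEW reason=EMERGENCY
2017-05-30T12:10:00Z user=clerk_b patient=P2001 action=VIEW
2017-05-30T12:10:30Z user=clerk_b patient=P2002 action=VIEW
2017-05-30T12:11:05Z user=clerk_b patient=P2003 action=VIEW
2017-05-30T12:11:50Z user=clerk_b patient=P2004 action=VIEW
2017-05-30T12:12:20Z user=clerk_b patient=P2005 action=VIEW
2017-05-30T12:13:00Z user=clerk_b patient=P2006 action=VIEW
2017-05-30T15:00:00Z user=nurse_a patient=P1003 action=VIEW
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, patient, action, reason = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "patient": patient, "action": action, "reason": reason,
    }


def review(log_text, assignments):
    """Walk the log once and return findings for accesses without a treatment
    relationship, break-the-glass accesses needing sign-off, and bulk browsing."""
    findings = []
    recent = defaultdict(deque)  # user -> (ts, patient) events inside WINDOW
    burst_flagged = set()        # flag each user's burst once, not per event
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, patient, ts = ev["user"], ev["patient"], ev["ts"]
        if patient not in assignments.get(user, set()):
            # Emergency access is permitted but must still be reviewed after the fact.
            kind = "break_glass_review" if ev["reason"] == "EMERGENCY" else "no_treatment_relationship"
            findings.append({"ts": ts, "user": user, "patient": patient, "kind": kind})
        window = recent[user]
        window.append((ts, patient))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()  # drop events older than the window
        distinct = {p for _, p in window}
        if len(distinct) >= BURST_LIMIT and user not in burst_flagged:
            burst_flagged.add(user)
            findings.append({"ts": ts, "user": user, "patient": None,
                             "kind": "bulk_access", "count": len(distinct)})
    return findings


def summarize(findings):
    """Count findings by kind, the shape a reviewer would look at first."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review(SAMPLE_LOG, ASSIGNMENTS)
    print(summarize(results))
    for f in results:
        print(f)
```

On the constructed log the clerk produces six no-relationship findings plus one bulk-access finding, the emergency access by dr_c is surfaced for sign-off rather than treated as a violation, and the nurse's single out-of-assignment access is caught even though it is nowhere near the volume threshold.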

Read More
$387,000 HIPAA Penalty for Disclosing HIV Status to Employer
May26

$387,000 HIPAA Penalty for Disclosing HIV Status to Employer

Following a Department of Health and Human Services’ Office for Civil Rights (OCR) investigation of a complaint about an impermissible disclosure of PHI, St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations. In September 2014, a complaint was submitted to OCR about a possible privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. The complaint alleged that a member of St. Luke’s staff violated the privacy of a patient by faxing protected health information to the patient’s employer. The information contained in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse...

Read More
Egregious HIPAA Breach Punished with $387,200 Fine
May24

Egregious HIPAA Breach Punished with $387,200 Fine

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced yet another settlement to resolve HIPAA violations, this time for the careless handling of extremely sensitive health information. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve an impermissible disclosure of patients’ protected health information to their employers. A wide range of highly sensitive information, including patients’ HIV status, sexual orientation, sexually transmitted diseases, mental health diagnoses, medications, history of physical abuse, and details of medical care provided, was impermissibly disclosed. The disclosures violated the HIPAA Privacy Rule. The disclosures were made by the Spencer Cox Center – now St. Luke’s Institute for Advanced Medicine, one of seven...

Read More
Dept. of Health Sends Out Warning Regarding Ransomware
May21

Dept. of Health Sends Out Warning Regarding Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat. While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and...

Read More
NIST Issues Guidance on Securing Drug Pumps
May17

NIST Issues Guidance on Securing Drug Pumps

Guidance on securing drug pumps has been issued by the National Institute of Standards and Technology (NIST) to help healthcare organizations mitigate the risk of cyberattacks that could cause patients to come to harm or allow sensitive data to be stolen. Over the past two years there has been concern raised about the lack of security on medical devices, with drug pumps a particularly serious concern. If threat actors are able to gain access to drug pumps they could alter drug dosages to cause patients serious harm. Increasing or decreasing drug doses via the pumps could be life threatening for patients. Federal agencies called on NIST to provide additional guidance on securing drug pumps, not only to improve patient safety, but also to ensure that cyberattacks on the devices do not...

Read More
$2.4 Million HIPAA Fine Following Memorial Hermann Health System HIPAA Breach
May12

$2.4 Million HIPAA Fine Following Memorial Hermann Health System HIPAA Breach

A HIPAA breach arising from a disclosure in a press release issued by Memorial Hermann Health System (MHHS) in September 2015 has led to the organization agreeing to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. MHHS is a 16-hospital health system located in Texas, treating patients in the Greater Houston area. In September 2015, an individual visited an MHHS clinic and presented a fake identification card to hospital workers. The fraudulent ID card was identified as such by workers at the hospital, law enforcement agencies were notified and the patient was apprehended. The hospital released the identity of the patient to law enforcement agencies, which is permitted under HIPAA...

Read More
Memorial Hermann Health System HIPAA Fine Issued for Improper Disclosure of PHI
May11

Memorial Hermann Health System HIPAA Fine Issued for Improper Disclosure of PHI

An unauthorized disclosure of a patient’s name has resulted in a Memorial Hermann Health System HIPAA fine. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle potential HIPAA Privacy Rule violations with Memorial Hermann Health System with the payment of a $2.4 million penalty. Memorial Hermann Health System must also adopt a corrective action plan to ensure HIPAA Rules are followed in the future. MHHS is a not-for-profit, 16-hospital health system based in Southeast Texas. OCR launched an investigation following complaints made about an unauthorized disclosure of a patient’s name to the media in September 2015. In September 2015, a patient attempted to use a fraudulent ID card to obtain medical services at a MHHS hospital. The fraudulent...

Read More
New Mexico HIPAA Violation Lawsuit Heads to NM Supreme Court
May10

New Mexico HIPAA Violation Lawsuit Heads to NM Supreme Court

A New Mexico HIPAA violation lawsuit filed by the victim of a sexual assault whose identity was improperly disclosed has been referred to the Supreme Court to assess whether the claim has standing. The lawsuit was filed by the plaintiff ‘G.R.’ who suffered a sexual assault and sought treatment for her injuries at Gallup Indian Medical Center (GIMC), where she was employed. G.R. alleges that following treatment, details of the assault and her injuries were disclosed to her co-workers. The sharing of that information resulted in the patient being humiliated and suffering further trauma. The patient had spent one month off work due to the assault, and a further two months off work as a result of the disclosure. G.R. felt there was no alternative but to leave her job as a direct result to...

Read More
Motion Filed to Dismiss ‘Baseless’ MDLive HIPAA Lawsuit
May09

Motion Filed to Dismiss ‘Baseless’ MDLive HIPAA Lawsuit

A motion has been submitted to dismiss a MDLive HIPAA lawsuit that was filed by a plaintiff who alleges the firm improperly disclosed protected health information to a third party without informing or obtaining consent from users of the telehealth platform. The MDLive HIPAA lawsuit was filed by plaintiff Joan Richards, who alleges MDLive takes screenshots of data entered on the app on multiple occasions during the first 15 minutes of use. During that time, users enter sensitive data into the app in order to find a local healthcare provider. The plaintiff alleges that those screenshots are sent to a third party – an Israel-based company called Test Fairy. The lawsuit alleges Test Fairy is provided with the screenshots to track users’ experiences and search for bugs in the app....

Read More
Healthcare Cyber Threat Landscape to be Covered in HIMSS Privacy and Security Forum
May06

Healthcare Cyber Threat Landscape to be Covered in HIMSS Privacy and Security Forum

Over the next week, the HIMSS Privacy and Security Forum will be held in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare professionals to obtain valuable guidance from security experts on the most recent cybersecurity threats, along with practical tips on how to limit the chance of damage being inflicted. More than 30 speakers will be present at the event and will provide talks on a wide range of healthcare cybersecurity topics, including securing IoT devices, stopping phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management. The conference boasts keynote presentations from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane...

Read More
Alleged Patient Privacy Violations Could Lead to Class Action Lawsuit for MDLive
Apr27

Alleged Patient Privacy Violations Could Lead to Class Action Lawsuit for MDLive

Claims that telemedicine company MDLive violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining official consent from patients have resulted in a class action lawsuit being filed. App users must enter a range of private information into the MDLive app; however, the complainant claims that during the first 15 minutes of use, the app takes an average of 60 screenshots and that those screenshots are transmitted to an Israeli company called Test Fairy, which carries out quality control tests for MDLive. The lawsuit claims patients are not told that their information is disclosed to a third-party company, and that all data entered into the app can be seen by MDLive employees, even though there is no valid reason for...

Read More
CardioNet Settles HIPAA Violations with OCR for $2.5 Million
Apr26

CardioNet Settles HIPAA Violations with OCR for $2.5 Million

Pennsylvania-based CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias, has agreed a $2.5 million settlement to resolve potential HIPAA violations. Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations found. Numerous settlements have previously been agreed with covered entities after OCR found risk analysis and risk management failures. In this instance, the settlement...

Read More
Risk Analysis and Risk Management Errors Results in $2.5 Million HIPAA Settlement
Apr25

Risk Analysis and Risk Management Errors Results in $2.5 Million HIPAA Settlement

Risk analysis and risk management errors have resulted in a $2.5 million HIPAA compliance penalty for CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias. The Department of Health and Human Services’ Office for Civil Rights agreed to settle the potential HIPAA violations with no admission of liability. In addition to the substantial HIPAA settlement, CardioNet is required to adopt a corrective action plan to address the HIPAA failures that contributed to a 2011 data breach. OCR investigated CardioNet following receipt of a breach report in January 2012. An employee of CardioNet took a laptop computer home and left the device in a vehicle overnight. The device was stolen, resulting in the unauthorized disclosure of 1,391...

Read More
CCDH agrees OCR Settlement for Potential Violations
Apr23

CCDH agrees OCR Settlement for Potential Violations

The OCR recently revealed it has agreed to settle potential breaches of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH); a small 7-center pediatric subspecialty practice located in Park Ridge, Illinois. On August 13, 2015, OCR completed a HIPAA compliance review of CCDH following an audit of FileFax Inc., which was contracted by CCDH to store inactive patient histories and details. The FileFax investigation showed the company had not completed a business associate agreement before being supplied with patients’ PHI. The following compliance review of CCDH similarly showed that no signed business associate agreement was in place. CCDH had therefore impermissibly supplied patients’ PHI to FileFax in violation of HIPAA Rules....

Read More
Supreme Court Ruling: Donor Network Must Disclose Patient Details
Apr23

Supreme Court Ruling: Donor Network Must Disclose Patient Details

A New York Supreme Court Judge has recently ruled that patient details recorded by the New York Organ Donor Network must be handed over to a plaintiff and that HIPAA does not provide a basis for denying this request. Patrick McMahon believes he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he filed about organ harvesting from four patients who were still displaying clear signs of life and had not been deemed legally dead. The New York Organ Donor Network argues the plaintiff was fired for poor work performance while he was still a probationary member of staff. The claims about the procurement of organs have been denied. McMahon asked the New York Organ Donor Network to hand over the medical data of the four patients as they are...

Read More
HIPAA Rules on Business Associate Agreements
Apr21

HIPAA Rules on Business Associate Agreements

This week, the HHS’ Office for Civil Rights (OCR) sent a warning to covered entities about the need to ensure HIPAA Rules on business associate agreements are followed. OCR announced a settlement had been reached with an Illinois healthcare provider for disclosing protected health information (PHI) without first obtaining a signed copy of a BAA. What is a Business Associate Agreement? Under HIPAA Rules, a business associate is classed as an entity or person that performs functions or activities on behalf of the covered entity that requires access to PHI. Prior to being provided with access to ePHI or physical records, a signed copy of a HIPAA-compliant business associate agreement must be obtained by the covered entity. A business associate agreement is a contract between a covered...

Read More
$31,000 HIPAA Penalty for a Business Associate Agreement Violation
Apr21

$31,000 HIPAA Penalty for a Business Associate Agreement Violation

The Department of Health and Human Services’ Office for Civil Rights has issued a $31,000 HIPAA penalty for a business associate agreement violation to The Center for Children’s Digestive Health (CCDH), a for-profit 7-center Illinois pediatric healthcare provider. OCR discovered potential HIPAA violations during an investigation of the document storage solution provider FileFax. The investigation revealed that FileFax had obtained the protected health information of patients, yet could not produce a HIPAA-compliant business associate agreement. The findings of the investigation prompted OCR to conduct a HIPAA compliance review of CCDH on August 13, 2015. OCR investigators asked CCDH to produce a signed copy of the business associate agreement it had obtained from FileFax prior to...

Read More
Denver-Based Metro Community agree $400,000 HIPAA Penalty
Apr15

Denver-Based Metro Community agree $400,000 HIPAA Penalty

Metro Community Provider Network (MCPN), a Denver, CO-based federally-qualified health center (FQHC), has agreed to pay OCR $400,000 and implement a stringent corrective action plan to resolve all HIPAA compliance issues found during an OCR investigation into a data breach that occurred in 2011. The incident that led to the OCR investigation was a phishing attack that happened on December 5, 2011. A hacker sent phishing emails to MCPN personnel; the responses allowed the attacker to gain access to employees’ email accounts. Those accounts stored the electronic protected health information of 3,200 patients. OCR looks into all data breaches involving 500 or more patient records to determine whether healthcare organizations have experienced a violation as a direct...

Read More
Are HIPAA Rules Outdated and is an Update Overdue?
Apr13

Are HIPAA Rules Outdated and is an Update Overdue?

Are HIPAA Rules outdated? Is an update long overdue? An article recently published in the journal JAMIA explores potential updates to HIPAA to keep the legislation relevant. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996 at a time when the Internet was in its infancy. Now, more than two decades later, a lot has changed. The majority of healthcare organizations have now switched from paper records and films to electronic forms of protected health information. ePHI is now being used and shared in ways that could not have been predicted in 1996, and the security risks to the confidentiality, integrity, and availability of ePHI and the risks of patient privacy being violated have increased considerably. If HIPAA Rules were written...

Read More
Security Management Process HIPAA Violations Resolved with $400,000 OCR Settlement
Apr13

Security Management Process HIPAA Violations Resolved with $400,000 OCR Settlement

Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a $400,000 settlement had been agreed with Metro Community Provider Network (MCPN) to resolve potential security management process HIPAA violations. The Denver, CO-based federally-qualified health center (FQHC) experienced a phishing attack in December 2011 that resulted in unauthorized access to the email accounts of employees. The incident was reported to OCR as access to the email accounts allowed the attacker to view the protected health information of patients. In total, 3,200 patients were impacted by the incident and had their sensitive information exposed. OCR conducted an investigation into the breach which revealed a number of security management process HIPAA violations had...

Read More
40% of Second-Hand Devices Found to Contain PII
Mar30

40% of Second-Hand Devices Found to Contain PII

The danger of failing to ensure mobile devices have all data securely wiped before being recommissioned or resold has been highlighted by a recent study conducted by the National Association for Information Destruction (NAID). In the largest study of its type to date, NAID analyzed data on more than 250 devices that had been sold on the second-hand market. 40% of those devices were found to contain personally identifiable information. While companies appear to be increasingly aware of the data security requirements regarding desktop computers, servers, and cloud computing platforms, they are still not paying enough attention to mobile devices. While it is perhaps reasonable to expect some users to fail to securely erase data on personal devices due to a lack of security awareness, NAID found that it...

Read More
Mecklenburg County HIPAA Violation Prompts Policy Update
Mar30

Mecklenburg County HIPAA Violation Prompts Policy Update

A recently discovered Mecklenburg County HIPAA violation has infuriated county officials. An investigation has now been conducted to determine how HIPAA Rules were so easily violated. The incident was discovered on Monday this week. A member of the Mecklenburg County staff received a freedom of information request from the media, who were investigating how 185 female patients were not informed about abnormal PAP smear results. While the requested information should have been provided, a member of staff accidentally sent the media a spreadsheet containing the protected health information of more than 1,200 health department patients. The spreadsheet had been compiled for state officials who were conducting an audit. Two media outlets received the spreadsheet. The error was made by a staff...

Read More
Severino Appointed to Director of HHS’ Office for Civil Rights Role
Mar29

Severino Appointed to Director of HHS’ Office for Civil Rights Role

Former civil rights trial attorney Roger Severino has been appointed, by the Department of Health and Human Services’ Office for Civil Rights, to lead its HIPAA enforcement efforts. Mr. Severino moves to the OCR from his role at the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he held the position of Director since May 2015. An official announcement about the appointment of the new OCR Director has yet to be released; however, the Heritage Foundation has stated that Severino is no longer on its staff, and his name has been added to the HHS website. A representative for OCR has also confirmed that Severino will be the new director, and Severino’s LinkedIn profile has also been updated to list his new position as...

Read More
New Resource Provides HIPAA Help for mHealth Developers
Mar29

New Resource Provides HIPAA Help for mHealth Developers

A new online tool has been released by the Connected Health Initiative providing HIPAA help for mHealth developers and healthcare providers. The new tool – called HIPAA Check – has been developed to aid understanding of the complexities of the HIPAA Privacy and Security Rules. Health apps now track a range of user metrics. Data collected by the apps are stored along with personally identifiable information. Much of the information collected, stored and transmitted by these apps is classed as protected health information (PHI) under HIPAA Rules. However, since these apps were not available in 1996 when HIPAA was initially enacted, no provisions are included in HIPAA Rules for the technology. OCR has previously provided HIPAA help for mHealth developers, although many mHealth app...

Read More
ONC Updates SAFER Guides to Assist HIPAA-Covered Entities with EHR Safety and Security
Mar29

ONC Updates SAFER Guides to Assist HIPAA-Covered Entities with EHR Safety and Security

The Office of the National Coordinator for Health IT (ONC) has released updated versions of its SAFER Guides. The series of guides provide useful information to help covered entities make their EHRs more usable and safer and can be used by HIPAA-covered entities to assess potential vulnerabilities in their EHRs. Hackers search for vulnerabilities in EHRs that can be exploited to gain access to data. It is therefore essential that healthcare organizations assess their EHRs for vulnerabilities. The SAFER Guides can help in this regard. ONC says its SAFER Guides “provide an easy-to-use template for voluntary provider self-assessment of EHR safety-related vulnerabilities.” The SAFER Guides consist of compilations of expert-recommended, evidence-based best practices that can be adopted to...

Read More
Roger Severino to Lead OCR’s HIPAA Enforcement Efforts
Mar27

Roger Severino to Lead OCR’s HIPAA Enforcement Efforts

The Department of Health and Human Services’ Office for Civil Rights has a new Director to lead its HIPAA enforcement efforts. Late last week, the Trump Administration quietly installed Roger Severino as the new head of OCR filling the position left vacant following the departure of Jocelyn Samuels. No official announcement about the appointment has been made by the Trump Administration, although an OCR spokesperson has confirmed that Roger Severino has taken the position. Severino has also updated his LinkedIn profile to include his new role. OCR is the primary HIPAA enforcer and is responsible for ensuring covered entities comply with HIPAA Rules. The role of director includes overseeing the issuing of guidance for covered entities on various aspects of HIPAA compliance, providing...

Read More
Should There be a Criminal Investigation of a HIPAA Breach Involving an Employee?
Mar23

Should There be a Criminal Investigation of a HIPAA Breach Involving an Employee?

A criminal investigation of a HIPAA breach is launched when health data are stolen for malicious purposes, but what about cases involving curious employees? Healthcare data breaches are often discovered during routine audits of ePHI access logs. Healthcare providers discover that rogue employees have accessed patients’ data with no legitimate work reason for doing so. In such cases, the employees are disciplined and often lose their jobs as a result, but should the matter be reported to law enforcement if a healthcare provider is satisfied that the actions of employees were not malicious, just misguided? One incident came to light this week where a healthcare organization discovered an employee had been accessing the medical records of patients without authorization. The incident was...

Read More
Doctor Breached HIPAA Privacy Rule Through Social Media Retaliation
Mar22

Doctor Breached HIPAA Privacy Rule Through Social Media Retaliation

A doctor at the Dr. O Medical and Wellness Center in San Antonio, Texas has been sanctioned by the Texas Medical Board after allegedly retaliating against a patient by posting a video on Facebook and YouTube of her wearing only underwear. The doctor’s actions appear to be a clear violation of the HIPAA Privacy Rule. The patient in question, Clara Aragon-Delk, underwent a number of cosmetic surgery procedures beginning in 2015. Non-invasive laser treatments were carried out by Dr. Tinuade Olusegun-Gbadehan, and while consent was given by the patient to have photographs and videos recorded, permission was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’ The images and video showed full face shots of the patient. Rather than securing the...

Read More
Doctor Sanctioned Over Social Media HIPAA Violations
Mar21

Doctor Sanctioned Over Social Media HIPAA Violations

A San Antonio, TX-based doctor has been sanctioned by the Texas Medical Board for social media HIPAA violations after retaliating against a patient by posting a video testimonial of the patient on Facebook and YouTube. The video of the patient in her underwear clearly showed the patient’s face, allowing her to be identified. However, prior permission to use the video had not been obtained from the patient. Dr. Tinuade Olusegun-Gbadehan from the Dr. O Medical and Wellness Center had been given authorization to record the video and use it for “the purposes of medical audit, education, and promotion,” but only anonymously. Use of the video without first de-identifying the patient was a breach of HIPAA Rules. The patient, Clara Aragon-Delk, filed a complaint with the Texas Medical Board against...

Read More
Data Breach Notification Laws in New Mexico Passed by Senate Committee
Mar15

Data Breach Notification Laws in New Mexico Passed by Senate Committee

There are currently no data breach notification laws in New Mexico, but that is likely to change soon. New Mexico is one of three states that have yet to implement data breach notification laws, the other two being Arkansas and South Dakota. All three states are now in the advanced stages of introducing laws that will require companies to notify consumers in the event that their personal information is exposed or stolen. Currently there is no federal law covering data breach notifications for all businesses, only for certain regulated industries such as finance and healthcare. Instead it is up to individual states to introduce laws to protect consumers in the event that their sensitive personally identifiable information is stolen. This week, data breach notification laws in New Mexico...

Read More
Device Theft Highlights Importance of Encrypting HIPAA-Covered Data
Mar14

Device Theft Highlights Importance of Encrypting HIPAA-Covered Data

Encrypting HIPAA-covered data is not mandatory. The Health Insurance Portability and Accountability Act does cover the use of encryption to safeguard the protected health information of patients and health plan members, but encryption is only an addressable implementation specification, not a required one. However, that does not mean that encryption can simply be ignored. HIPAA-covered entities are required to conduct a risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI. Following the risk analysis, HIPAA-covered entities must decide how best to manage and mitigate those risks. One such measure is the use of encryption technologies to safeguard ePHI at rest and in transit. HIPAA-covered entities must consider the use of encryption; however, an alternative safeguard can be adopted if...

Read More
New Security Framework for Small Healthcare Providers
Mar14

New Security Framework for Small Healthcare Providers

A security framework for small healthcare providers has been released by the Health Information Trust Alliance (HITRUST). The security framework is a revised version of the HITRUST common security framework (HITRUST CSF) and is intended for organizations that create, access, store or exchange healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA). The HITRUST CSF is the most widely adopted security framework for the healthcare industry in the United States. The framework is comprehensive, scalable, and certifiable, and has been used by many healthcare organizations as part of their HIPAA compliance and risk management programs. While the full HITRUST CSF can be adopted by healthcare organizations of all sizes, smaller healthcare organizations typically do not have the...

Read More
AHIMA Helps Covered Entities Prepare for a HIPAA Compliance Audit
Mar10

AHIMA Helps Covered Entities Prepare for a HIPAA Compliance Audit

The American Health Information Management Association has released a new toolkit to help covered entities prepare for a HIPAA compliance audit. The Department of Health and Human Services’ Office for Civil Rights commenced the much delayed second phase of the Health Insurance Portability and Accountability Act audit program in the last quarter of 2016. Those audits started with ‘desk audits’ of HIPAA-covered entities. The desk audits involved documentation checks to determine whether HIPAA Rules were being followed. The audits of covered entities have now been completed and the results are now starting to be sent to the audited healthcare organizations for comment. OCR has now moved on to desk audits of HIPAA business associates. When those audits are completed, and the results of both...

Read More
AHIMA Released Updated HIPAA Compliance Audit Toolkit
Mar08

AHIMA Released Updated HIPAA Compliance Audit Toolkit

The second phase of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits has begun. Towards the end of 2016, covered entities were selected for desk audits, and the initial round of audits has now been finished. Now OCR has progressed to auditing business associates of covered entities. Speaking at HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially scheduled for Q1 2017, are to be delayed. This gives covered entities more time to prepare for the second phase. The phase 2 HIPAA compliance desk audits were more thorough than the initial phase of audits completed in 2011/2012. The desk audits included a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules,...

Read More
Importance of Internal Audits of PHI Access Logs Highlighted by Recent HIPAA Breach
Mar08

Importance of Internal Audits of PHI Access Logs Highlighted by Recent HIPAA Breach

The importance of conducting internal audits of PHI access logs has been highlighted by a recent HIPAA breach discovered by Chadron Community Hospital in Nebraska. On January 3, 2017, the hospital discovered a former employee had improperly accessed the protected health information of patients. The investigation into the privacy breach revealed that the former employee had been accessing the PHI of patients without authorization for more than five years. The privacy violations started in September 2011 and continued until November 2016. During that time, the PHI of 702 patients was inappropriately accessed. It is not clear why the information was accessed. Healthcare employees may choose to breach hospital and HIPAA regulations out of curiosity, but in many cases information is accessed...
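The Chadron case above is the typical pattern a periodic access-log review is meant to catch: a single user reading charts of patients they have no documented relationship with, over a long period. The script below is an added example, not code from the article or from any EHR vendor. It runs a treatment-relationship check over a handful of constructed EHR access-log lines (the log format, the user names, the patient IDs and the relationship table are all assumptions made for the example) and flags users whose unexplained accesses reach a threshold, noting which of them happened after hours.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access-log lines for this example (not real data).
# Assumed columns: timestamp, user, role, patient_id, action.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2016-11-01T08:12:00,nurse_a,RN,P1001,view_chart
2016-11-01T08:15:00,nurse_a,RN,P1002,view_chart
2016-11-01T09:30:00,clerk_b,REG,P1003,view_demographics
2016-11-01T22:41:00,clerk_b,REG,P2001,view_chart
2016-11-01T22:43:00,clerk_b,REG,P2002,view_chart
2016-11-01T22:44:00,clerk_b,REG,P2003,view_chart
2016-11-02T10:05:00,dr_c,MD,P1001,view_chart
2016-11-02T10:06:00,dr_c,MD,P3001,view_chart
"""

# Constructed treatment-relationship table: patients each user had a
# documented encounter with. In practice this comes from scheduling or
# encounter data, not from the access log itself.
SAMPLE_RELATIONSHIPS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P1003"},
    "dr_c": {"P1001", "P3001"},
}

# Actions a role may legitimately perform without a care relationship
# (assumption for the example: registration staff may look up demographics).
ROLE_ALLOWED_ACTIONS = {"REG": {"view_demographics"}}


def parse_log(text):
    """Parse the CSV access log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_access(entries, relationships, after_hours=(20, 6)):
    """Return {user: [finding, ...]} for accesses with no documented
    relationship and no role-based justification. Each finding records
    whether it occurred outside the assumed working window (after 20:00
    or before 06:00)."""
    findings = defaultdict(list)
    start, end = after_hours
    for e in entries:
        user, pid, action = e["user"], e["patient_id"], e["action"]
        if pid in relationships.get(user, set()):
            continue  # documented care relationship: expected access
        if action in ROLE_ALLOWED_ACTIONS.get(e["role"], set()):
            continue  # role is permitted this action regardless of patient
        ts = datetime.fromisoformat(e["timestamp"])
        findings[user].append({
            "timestamp": e["timestamp"],
            "patient_id": pid,
            "action": action,
            "after_hours": ts.hour >= start or ts.hour < end,
        })
    return dict(findings)


def summarize(findings, threshold=3):
    """Users whose unexplained-access count reaches threshold, as
    (user, unexplained_count, after_hours_count), highest count first."""
    rows = [(u, len(f), sum(1 for x in f if x["after_hours"]))
            for u, f in findings.items()]
    return sorted((r for r in rows if r[1] >= threshold), key=lambda r: -r[1])


if __name__ == "__main__":
    report = summarize(audit_access(parse_log(SAMPLE_LOG), SAMPLE_RELATIONSHIPS))
    for user, count, late in report:
        print(f"{user}: {count} unexplained accesses ({late} after hours)")
```

Running this over the constructed log flags only clerk_b, who read three charts late in the evening for patients with no encounter on record. Findings like this are leads for a privacy officer, not proof of a violation: emergency (break-the-glass) access, float staff and coverage arrangements all produce legitimate accesses that the relationship table will not know about, so the relationship source and the allowed-action table need to be kept current or the review drowns in false positives.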

Read More
Guidance on Cyber Threats Issued to Healthcare Organizations by OCR
Mar08

Guidance on Cyber Threats Issued to Healthcare Organizations by OCR

The U.S. Department of Health and Human Services’ Office for Civil Rights has issued new guidance on cyber threats, advising HIPAA-covered entities to obtain the latest intelligence on new cyber threats that could potentially allow cybercriminals to gain access to the protected health information of patients and health plan members. Threat intelligence is issued by many organizations, although OCR recommends in its guidance on cyber threats to regularly check the website of the United States Computer Emergency Readiness Team (US-CERT) and to sign up for its email updates. US-CERT is part of the Department of Homeland Security, and has access to intelligence from many sources. US-CERT is responsible for analyzing all the gathered threat intelligence and issuing updates to businesses and the...

Read More
HIPAA Noncompliance Penalties Likely to Increase
Mar03

HIPAA Noncompliance Penalties Likely to Increase

The Department of Health and Human Services’ Office for Civil Rights is expected to issue more HIPAA noncompliance penalties over the coming year. While OCR assists HIPAA-covered entities with their compliance efforts by issuing guidance, 2017 is likely to see OCR crack down on non-compliance. Organizations found to have violated HIPAA Rules can expect to have to dig deep and pay for their failure to comply with the HIPAA Privacy, Security and Breach Notification Rules. OCR investigates all PHI breaches that impact 500 or more individuals. While OCR prefers to resolve noncompliance with HIPAA Rules through voluntary compliance and by issuing technical guidance, HIPAA penalties are increasing. Last year saw a record number of settlements reached with OCR to resolve HIPAA compliance...

Read More
New Simplified HITRUST CSF for Small Healthcare Providers
Mar03

New Simplified HITRUST CSF for Small Healthcare Providers

This week, HITRUST announced it has created a new, simplified HITRUST CSF for small healthcare providers to help them with their compliance and risk management programs. A New HITRUST CSF for Small Healthcare Providers The HITRUST CSF is a certifiable framework that was developed to help healthcare organizations manage risk and comply with industry regulations such as HIPAA. The framework is flexible and can be tailored to suit healthcare organizations of all types and sizes. The HITRUST CSF has been widely adopted and it is now the most commonly used security framework in the healthcare industry in the United States. However, smaller healthcare providers have struggled with the framework as they typically lack both the expertise and staff to meet the program’s requirements. To improve...

Read More