US Court of Appeals Ruling Suggests Legal Action Possible for Privacy Breaches Under 14th Amendment
Jun30

A ruling by the U.S. Court of Appeals for the Fourth Circuit suggests individuals whose privacy has been violated could potentially take legal action under the 14th amendment, but has confirmed that there is no private cause of action under the Health Insurance Portability and Accountability Act (HIPAA) when an individual’s privacy is violated as a result of an improper disclosure of their protected health information. The case...

HIPAA Right of Access Case Settled for $5,000 by Diabetes, Endocrinology & Lipidology Center
Jun08

According to the HHS’ Office for Civil Rights (OCR), a settlement agreement has been negotiated with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) in relation to a possible HIPAA Right of Access breach. DELC is a West Virginia-based healthcare supplier that focuses on treating endocrine disorders. In August 2019, a complaint was submitted to OCR which claimed that DELC had breached HIPAA when it didn’t respond...

HIPAA Security Rule Violations Lead to $25,000 Settlement between Clinical Laboratory & OCR
May27

The Department of Health and Human Services’ Office for Civil Rights (OCR) says a $25,000 HIPAA settlement has been agreed with Peachstate Health Management, LLC, dba AEON Clinical Laboratories, that resolves a HIPAA case involving several HIPAA Security Rule violations. Peachstate, a CLIA-certified laboratory, supplies a variety of different services to HIPAA-covered entities, including clinical and genetic testing services through its...

HB 300 Training Requirements
Apr21

Information on the HB 300 training requirements for companies, organizations, and individuals that do business with Texas residents and whose business requires access to protected health information and/or sensitive personal information. What is Texas HB 300? HB 300 – Texas House Bill 300 – was passed and signed into law by Texas Governor Rick Perry in June 2011 and took effect on September 1, 2012. The bill amended existing state laws such...

HIPAA Right of Access Case Involving Massachusetts Mental Health Clinic Settled for $65,000
Mar26

Following a HIPAA Right of Access investigation by the HHS’ Office for Civil Rights (OCR), Arbour Hospital, a mental health clinic in Boston, MA, has agreed to pay a $65,000 HIPAA fine. OCR was made aware of a possible breach of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital claimed he had asked for a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within...

How Often is HIPAA Training Required?
Mar25

The Health Insurance Portability and Accountability Act (HIPAA) is an important law affecting the healthcare industry with many data privacy and security provisions. All individuals at HIPAA-covered entities and their business associates must comply with its provisions and employees must receive HIPAA training, but what training must be provided and how often is HIPAA training required? Considering the importance of the Act and the...

What are the HIPAA Password Requirements?
Mar18

Before answering the question “what are the HIPAA password requirements?”, it is important to note that passwords are not a requirement of HIPAA if Covered Entities use an alternative authentication method to “verify that a person or entity seeking access to ePHI is the one claimed” (Security Rule Standard §164.312(d)). According to the Department of Human Services’ Guide to the Technical Security Standards there are three ways in which...

Six-month Prison Term for Whistleblower Who Falsely Claimed Nurse Violated HIPAA
Mar07

A six-month prison term and $1,200 fine has been handed down to a Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules. Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower in October 2019 and reported HIPAA violations by an employee to the authorities. He claimed that there had been significant privacy breaches by a nurse at a Savannah, GA hospital,...

U.S. Healthcare Data Breach Report for January 2021
Feb24

January witnessed a 48% month-over-month drop in the number of large healthcare data breaches, down from 62 breach incidents in December to 32 in January, according to an analysis by HIPAA Journal. While this is well beneath the 38 data breaches that are reported on average each month, it is still more than 1 data breach every day. There would have been a major drop in the amount of breached records were it not for a major data breach...

Ransomware Fact Sheet Issued by the National Cyber Investigative Joint Task Force
Feb08

The National Cyber Investigative Joint Task Force (NCIJTF) has published a ransomware fact sheet in order to increase awareness of the threat of ransomware attacks and provide more information which can be used to address and prevent ransomware attacks. The fact sheet was created by an interagency group of over fifteen government bodies and is primarily intended to be implemented by police and fire departments, state, local, tribal and...

Blackbaud Ransomware Attack Leads to Rady Children’s Hospital Class Action Lawsuit
Jan27

In May 2020, the cloud software group Blackbaud was targeted and attacked with ransomware. As is typical in human-operated ransomware attacks, data was stolen before file encryption took place. A portion of the stolen data included the fundraising databases of its healthcare customers. One of the impacted healthcare clients was Rady Children’s Hospital-San Diego, the biggest children’s hospital in California. A class action lawsuit has...

More Stringent Application of HIPAA Right of Access Rules by OCR Results in $200,000 Penalty
Jan15

There is further evidence of the increasingly stringent application of the HIPAA Right of Access Rules by the HHS’ Office for Civil Rights (OCR) on healthcare providers that are not providing patients with timely access to their medical records following the announcement that a settlement had been reached with Banner Health to bring a HIPAA Right of Access investigation to a conclusion for $200,000. Under the HIPAA Privacy Rule...

OCR Confirms HIPAA Rules on Disclosures of PHI to Health Information Exchanges
Dec21

The Department of Health and Human Services’ Office for Civil Rights has published guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules related to disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA). HIEs are organizations that facilitate the sharing of electronic PHI (ePHI) between more than two...

Researchers Find More than 45 Million Medical Images Stored on Unprotected Servers
Dec17

More than 45 million medical images are currently exposed on unprotected servers and can be accessed freely over the internet without usernames or passwords. The medical images include metadata that includes personal and protected health information, which could be used for a variety of nefarious purposes. The unprotected images, which include MRIs, CT scans, and X-Rays were found by researchers at the CyberAngel Analyst Team, who...

Bill Passed by House Calling for HHS to Recognize Implementation of Cybersecurity Best Practices
Dec16

The House Energy and Commerce Committee has passed a new bill (HR 7898) which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been implemented by HIPAA-covered groups and business associates when making specific determinations, such as fines following security breaches or for other regulatory aims. The HIPAA Safe Harbor Bill, if passed into...

University of Cincinnati Medical Center HIPAA Right of Access Failure Results in $65,000 Fine
Nov22

The 18th HIPAA financial penalty of 2020, and the 12th fine under its HIPAA Right of Access enforcement initiative, has been revealed by HHS’ Office for Civil Rights. The most recent HIPAA fine of $65,000 was sanctioned against the University of Cincinnati Medical Center, LLC (UCMC) and grew out of a complaint submitted to OCR on May 30, 2019 by a patient who had issued a request to UCMC on February 22, 2019 seeking an electronic copy...

10th HIPAA Fine Under Right of Access Initiative Revealed by Office for Civil Rights
Nov08

The 10th financial penalty under its HIPAA Right of Access enforcement initiative has been revealed by the U.S. Department of Health and Human Services’ Office for Civil Rights. California-based Riverside Psychiatric Medical Group has committed to paying a financial penalty of $25,000 to settle a possible HIPAA Right of Access breach and will implement a corrective action plan to see to it that compliance with this provision of the...

Three Data Breaches Result in $1m HIPAA Penalty for Aetna
Oct29

Aetna Life Insurance Company and the affiliated covered entity (Aetna) have settled a HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights (OCR) and have agreed to pay a financial penalty of $1 million. OCR investigated Aetna after receiving three breach reports in 6 months in 2017 from the health insurer. The initial data breach was made known to OCR in June 2017 and was due to the...

OCR HIPAA Right of Access Initiative Results in 9th Financial Penalty
Oct20

The HHS’ Office for Civil Rights (OCR) is maintaining the pace in its crackdown on healthcare groups that are not adhering to the HIPAA right of access. Recently, OCR revealed that it is sanctioning its ninth enforcement action against a HIPAA-covered group in relation to the failure to provide patients with timely access to their medical records at a reasonable price. HIPAA gives patients the right to view or receive a copy of...

Updated Security Risk Assessment Tool Released by HHS
Sep12

An updated version of the Department of Health and Human Services’ Office for Civil Rights (OCR) Security Risk Assessment (SRA) Tool has now been released. The Office of the National Coordinator for Health Information Technology (ONC) developed the tool with the assistance of OCR in order to help small- to medium-sized healthcare suppliers comply with the security risk assessment requirements of the HIPAA Security Rule and the Centers...

New Resources for mHealth App Developers and Cloud Service Providers Made Available by OCR
Sep08

New resources for mobile health app developers have been made available by the Department of Health and Human Services’ Office for Civil Rights (OCR). This comes with a planned update and rebranding of its Health App Developer Portal. The portal – Resources for Mobile Health Apps Developers – supplies information for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they are relevant...

Citrix Endpoint Management/XenMobile Server Patches Released
Aug20

Patches have been released to address two critical vulnerabilities in Citrix Endpoint Management (CEM) / XenMobile Server. The flaws could be exploited by an unauthenticated individual to access domain account credentials, take complete control of a XenMobile Server, view VPN, email, and web applications, and obtain sensitive corporate information. One of the flaws was discovered by Andrey Medov of Positive Technologies, who...

Ban on HHS Funding a National Patient Identifier System Removed by House of Representatives
Aug06

The House of Representatives has voted to remove the ban on the Department of Health and Human Services using federal funds to create a national patient identifier system. The Health Insurance Portability and Accountability Act (HIPAA) mandated the creation of a national patient identifier system. As the name indicates, a national patient identifier system would see each person in the United States issued with a permanent, unique...

Rhode Island Health System Hit with $1 Million Fine for Noncompliance with HIPAA Rules
Jul28

The Rhode Island non-profit health system, Lifespan Health System Affiliated Covered Entity (Lifespan), has been fined $1,040,000 by the Department of Health and Human Services’ Office for Civil Rights for violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. Had HIPAA Rules been followed, a data breach of 20,431 healthcare records would have been avoided. Lifespan was investigated by OCR following the...

Does Amazon Web Services Comply with HIPAA?
Jul16

Under the Health Insurance Portability and Accountability Act, all providers of a product or service that ‘touches’ PHI are deemed to be business associates and are required to comply with HIPAA Rules. That means appropriate safeguards must be implemented to ensure the confidentiality, integrity, and availability of any PHI that is available through their products or services. Any healthcare entity or vendor obligated to comply...

Lack of Encryption & Other HIPAA Breaches Leads to $1m HIPAA Penalty for Lifespan
Jul11

The HHS’ Office for Civil Rights has sanctioned a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) after identifying systemic noncompliance with the HIPAA Rules. Lifespan is a not-for-profit health system located in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was submitted to OCR by Lifespan Corporation, the parent company and...

Philips Ultrasound Systems Vulnerability Discovered
Jun30

An authentication bypass vulnerability affecting Philips Ultrasound Systems that could be targeted by a hacker to view or modify data has been discovered. The flaw is caused by the presence of an alternative path or channel that can be used to bypass authentication controls. The flaw is tracked as CVE-2020-14477. This is a low severity flaw which has been assigned a CVSS v3 base score of 3.6 out of 10. To target the vulnerability,...

Information on Contacting COVID-19 Patients to Request Blood & Plasma Donations
Jun18

Once patients contract an infectious respiratory disease like COVID-19, the immune system creates antibodies that supply protection if the pathogen appears again. The antibodies in the blood of patients who recover from an illness like this are key to fighting it. Those antibodies could also be used to treat other patients. Through the donation of blood and plasma two preparations can be created: Convalescent plasma and hyperimmune...

Safe Partner Inc. Confirmed as HIPAA Compliant
May22

Compliancy Group has revealed that Safe Partner Inc. has implemented an effective HIPAA compliance program and has successfully finished its proprietary 6-stage HIPAA risk analysis and remediation process. Safe Partner Inc. is a Belmont, CA-based boutique software development and consulting firm that supplies a full range of software services, from design to development, implementation, and ongoing customer support. The company was...

Improved Compliance Revealed in Ciitizen HIPAA Right of Access Study
May15

There has been a major improvement in compliance with the HIPAA Right of Access, according to the most recent Patient Record Scorecard Report from Ciitizen. To formulate the report, Ciitizen conducted a study of 820 healthcare suppliers to assess how well each responded to patient requests for copies of their healthcare data. A wide variety of healthcare suppliers were assessed for the study, from single physician practices to large,...

HIPAA Violations in Michigan and Illinois Lead to Healthcare Workers Being Fired
May08

A staff member at Ann & Robert H. Lurie Children’s Hospital of Chicago has been fired for accessing the medical records of patients without the appropriate authorization over a period of 15 months. The privacy violations were discovered when, after reviewing access logs, the hospital found that a staff member had viewed the medical records of 4,824 patients without authorization between November 2018 and February 2020. The range of...

Three Actively Exploited Flaws Patched by Microsoft
Apr15

On April 2020 Patch Tuesday, Microsoft made available updates to fix 113 flaws in its operating systems and software solutions, 19 of which have been rated critical. This month’s group of updates includes fixes for 3 zero-day flaws that are being actively exploited in real world attacks. Two of the actively exploited flaws were revealed by Microsoft in March and Microsoft suggested workarounds to limit the chance of exploitation. The...

Waiver of HIPAA Penalties for Good Faith Operation of COVID-19 Community-Based Testing Sites
Apr11

The HHS has issued an additional Notice of Enforcement Discretion covering healthcare providers and business associates that manage some aspect of COVID-19 community-based testing sites. Under the terms of the Notice of Enforcement Discretion, the HHS will not issue sanctions and penalties in relation to good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement Discretion is...

PHI Disclosures for Public Health and Health Oversight Activities Allowed in Notice of Enforcement Discretion for Business Associates
Apr04

On April 2, 2020, the Department of Health and Human Services revealed that with immediate effect, it will be applying enforcement discretion and will not impose sanctions or fines against healthcare providers or their business associates for good faith uses and sharing of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health...

Coronavirus Pandemic Guidance on Telehealth & HIPAA Released by OCR
Mar19

After the announcement made by the HHS’ Office for Civil Rights that enforcement of HIPAA compliance linked to the good faith provision of telehealth services for the duration of the COVID-19 pandemic has been relaxed, OCR has published guidance on telehealth and remote communications. Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications...

HIPAA Compliance Achieved at SAR Technology Group Thanks to Compliancy Group
Mar10

SAR Technology Group has been revealed as having achieved HIPAA compliance after completing Compliancy Group’s proprietary 6-Stage HIPAA Risk Analysis and remediation process. The regulatory standards of the Health Insurance Portability and Accountability Act ensure the confidentiality, integrity, and availability of healthcare data is safeguarded and the privacy of patients is protected. Vendors that supply healthcare clients must...

Google’s Response to Senators’ Questions About Ascension Partnership Deemed Incomplete
Mar03

After it became public that a massive amount of patient data had been shared with Google by the Catholic health system Ascension, the second biggest health system in the United States, a bipartisan group of Senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google asking for answers about the nature of the agreement and the data the company received. Ascension manages 150...

Manchester Ophthalmology & UnitedHealthcare Impacted by Data Breaches
Feb22

Manchester Ophthalmology in Connecticut has suffered a cyberattack in which the hackers may have gained access to patient data. The eye care supplier became aware of the cyberattack on November 25, 2019 when employees identified suspicious activity on the network. Assisted by an external technology firm, it was determined later that day that hackers had gained access to its systems and tried to deploy ransomware. Access was first...

2020 Healthcare Data Breach Report
Feb20

Protenus has released its 2020 healthcare data breach report which shows the past 12 months have been the worst ever in terms of the number of reported breaches. For its 2020 Breach Barometer report, Protenus, in conjunction with databreaches.net, identified more than 572 healthcare data breaches of 500 or more records in 2019, up 48.6% compared to 2018. The number of data breaches affecting the healthcare industry has increased...

Partially Completed Prescriptions of Schedule II Drugs Must be Tracked: HHS
Feb15

The Department of Health and Human Services has released a final rule changing the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard that obligates pharmacies to record partially completed prescriptions for Schedule II drugs. The modification is part of HHS efforts to manage opioid abuse in the United States and will supply a greater quantum of data that may help control impermissible refills...

HIPAA Compliance Confirmed for Center for Counseling & Family Relationships
Feb13

A large counseling private practice located in Fort Worth, Texas has revealed that it has demonstrated compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules after completing Compliancy Group’s 6-Stage HIPAA risk analysis and remediation process. The Center for Counseling & Family Relationships (CCFAM) used Compliancy Group’s proprietary HIPAA compliance tracking solution The Guard and, helped by its...

Novel Coronavirus Outbreak Prompts HHS Covered Entity HIPAA Data Sharing Warning
Feb03

In response to the 2019 Novel Coronavirus outbreak, the Department of Health and Human Services has released a bulletin to make HIPAA-covered entities aware of the allowable methods for sharing patient information during outbreaks of infectious disease and other emergency situations. In the news release, the HHS confirmed that at such times, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must...

Does HIPAA Apply to Schools?
Jan20

In most cases, HIPAA is not applicable to education institutions as they are not deemed HIPAA covered entities, but in some instances a school can be classified as a covered entity if healthcare services are given to students. At such times, HIPAA may still not apply because any student health information obtained would be included in the students’ education records and education records are not governed by the HIPAA Privacy Rule as...

Can Gmail be HIPAA Compliant?
Jan13

In order for Gmail to be deemed HIPAA compliant, Google would have to see to it that the email service is 100% safe and satisfies the basic standards for security as stated in the HIPAA Security Rule. A covered entity would also be obligated to obtain a signed business associate agreement from Google that incorporates Gmail, as Google would be deemed a business associate under the HIPAA Rules. While encryption for email is not an...

Survey: Cost of Healthcare Data Breaches Predicted to Reach $4 Billion in 2020
Jan04

Healthcare sector data breaches are taking place at an unprecedented level. The healthcare data breach figures for 2019 have yet to be drawn up, but so far 494 data breaches of more than 500 records have been made known to the HHS’ Office for Civil Rights and more than 41.11 million records were exposed, stolen, or impermissibly disclosed in 2019. That makes 2019 the worst year on record for healthcare data breaches and the second...

2019 HIPAA Enforcement
Jan02

2019 was another period with stringent HIPAA enforcement evident. Action taken by the Department of Health and Human Services’ Office for Civil Rights (OCR) resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 witnessed two civil monetary penalties sanctioned and settlements were agreed with eight groups, one less than 2018. In 2019, the average fine applied was...

Rep. Jayapal Questions Google & Alphabet Ascension Partnership
Dec20

Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, has written to Google and Alphabet in relation to their Ascension partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI. The partnership between Google and...

HIPAA Compliance for Amazon Lex
Dec09

Amazon has revealed that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare groups without breaching Health Insurance Portability and Accountability Act Rules. Amazon Lex is a service that permits customers to create conversational interfaces into applications using text and voice. It permits the creation of chatbots that use lifelike, natural language to engage with clients, submit questions,...

Privacy Protections for Consumer Health Data to be Enhanced by Smartwatch Data Act
Dec04

Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada) have introduced the Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act. This new legislation will ensure that health data gathered through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent. The Health Insurance Portability and Accountability Act (HIPAA) applies to health data...

Sentara Hospitals Agrees to $2.175M HIPAA Settlement for Breach Notification Rule and BAA Failures
Dec04

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued its eighth HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle possible breaches of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to remedy areas of noncompliance. Sentara runs 12 acute care hospitals in Virginia and North Carolina and has more than...

Timothy Noonan Revealed as New Deputy Director for Health Information Privacy at Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights (OCR) has appointed Timothy Noonan Deputy Director for Health Information Privacy. The position of the Deputy Director for Health Information Privacy is to lead the Health Information Privacy Division of the Office for Civil Rights, oversee OCR’s national health information privacy policy and outreach activities, and administer and police the HIPAA Privacy, Security,...

Range of HIPAA Breaches Result in $2.15 Million Civil Monetary Penalty for Jackson Health System
Oct25

The Department of Health and Human Services’ Office for Civil Rights has sanctioned a $2.15 million civil monetary penalty against the Miami, FL-located nonprofit academic medical system, Jackson Health System (JHS), for a slew of breaches of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. In July 2015, OCR became aware of many media reports in which the PHI of a patient was impermissibly shared. The person was a...

PHI Disclosures on Yelp Lead to $10,000 Fine for Dental Practice
Oct08

The Department of Health and Human Services’ Office for Civil Rights has agreed to a HIPAA settlement for a violation case with Elite Dental Associates in relation to the impermissible disclosure of a number of patients’ protected health information (PHI) when answering patient reviews on the Yelp review website. Elite Dental Associates is a Dallas, TX-based privately-owned dental clinic that provides general, implant and cosmetic...

National Patient Identifier Repeal Act Introduced by Senator Rand Paul
Oct01

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that aims to have the national patient identifier provision of HIPAA permanently repealed due to privacy concerns over the configuration of such a system. At present, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the first HIPAA legislation of 1996 as a measure to facilitate data...

Read More
Flaws Discovered in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors
Sep21

Flaws Discovered in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors

Two flaws have been discovered in Philips IntelliVue WLAN firmware which impact certain IntelliVue MP monitors. The flaws could be exploited by hackers to download malicious firmware which could affect data flow and lead to an inoperable condition warning at the device and Central Station. Philips was made aware of the flaws by security expert Shawn Loveric of Finite State, Inc. and proactively released a security advisory to allow...

Read More
NCCoE Releases Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices
Sep20

NCCoE Releases Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices

The National Cybersecurity Center of Excellence (NCCoE) has published new draft NIST mobile device security guidance to help groups address the risks created by corporate-owned personally enabled (COPE) devices. Mobile devices permit staff members to access resources vital for their work duties, no matter where those individuals are based. As such, the devices allow groups to enhance efficiency and productivity, but the devices bring...

Read More
Unsecured Online PACS Makes 400 Million Medical Images Freely Accessible
Sep11

Unsecured Online PACS Makes 400 Million Medical Images Freely Accessible

Following a recently completed investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and the vulnerability analysis company Greenbone Networks, it has been stated that 24.3 million medical images held in image storage systems are freely accessible on the Internet and require no authentication to view or download. Those images, which include X-rays, MRI, and CT scans, are held in picture archiving and...

Read More
Kaspersky Lab Survey: No Cybersecurity Training for 32% of Healthcare Workers
Aug28

Kaspersky Lab Survey: No Cybersecurity Training for 32% of Healthcare Workers

There have been a minimum of 200 breaches of more than 500 records reported since January, and 2019 looks set to be another record-breaking 12 months for healthcare data breaches. The ongoing rise in data breaches led Kaspersky Lab to complete a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now released the second part of its report from the survey of 1,758 healthcare workers in the...

Read More
HIPAA Compliance & iCloud
Aug25

HIPAA Compliance & iCloud

Cloud storage services are a useful way of sharing and saving information. As data uploaded to the cloud can be accessed from a number of different devices in any location with an Internet connection, information is always at hand when it is required. There are many providers of cloud storage services to opt for, many of which are suitable for use by healthcare providers for saving and sharing ePHI. They include strong access and...

Read More
Emergency Notifications Systems & Business HIPAA-Compliance
Aug04

Emergency Notifications Systems & Business HIPAA-Compliance

Emergency notification systems for business are software services that are often implemented to alert personnel to the risk of danger. Situations in which they are used include incoming hurricanes, chemical spills, active shooter events, and fires; it would therefore be rare for Protected Health Information (PHI) to be shared in the context of an emergency alert. In addition, outside of the healthcare and healthcare insurance...

Read More
Amazon CloudFront & HIPAA Compliance
Jul16

Amazon CloudFront & HIPAA Compliance

Amazon CloudFront is a web service that enables users to speed up the delivery of their web content over the Internet and can also be used for website hosting. Normally, when a website is viewed, the visitor experiences some latency while loading static and dynamic content. The reason for this is that viewers do not make a direct connection to the content; instead, their requests are routed along a path to reach the server where the content is hosted. The...

Read More

One-Year Prison Sentence for Former Patient Care Coordinator Following HIPAA Violation

A former patient care coordinator based at the University of Pittsburgh Medical Center (UPMC) has been given a one-year prison sentence for accessing the medical records of patients and using that information to cause malicious damage. Sue Kalina, 62, of Butler, PA, had previously been employed at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while a staff member with UPMC,...

Read More

HIPAA Compliance & IBM Cloud

IBM provides a cloud platform to help groups create their mobile and web services, build native cloud apps, and host their infrastructure along with a wide variety of cloud-based services for the capture, analysis, and processing of data. The platform has already been configured by many healthcare suppliers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their...

Read More
Phishing Attack Impacts PHI of 10,893 Summa Health Patients
Jul07

Phishing Attack Impacts PHI of 10,893 Summa Health Patients

It was discovered on May 1 that up to four employee email accounts containing patients’ protected health information (PHI) had been infiltrated at Akron, Ohio-based Summa Health after an unauthorized person obtained access. Summa Health noticed the breach and launched an investigation that found two email accounts were infiltrated during August 2018, and a further two accounts between March 11, 2019 and March 29, 2019. All...

Read More
Compliance with HIPAA Regulations Demonstrated by Selarom
Jul06

Compliance with HIPAA Regulations Demonstrated by Selarom

Selarom is a specialist cybersecurity company that supplies services to healthcare organizations to help them secure their sensitive data and comply with HIPAA Rules. The company, which is based in El Monte, California, now offers a ‘HIPAA Compliance Complete Solution’ that provides a thorough security package for both the managerial and technical sides of organizations. Ensuring sensitive information stays private and...

Read More
HIPAA Enforcement Safe Harbor Called for in HELP Committee Bill
Jun30

HIPAA Enforcement Safe Harbor Called for in HELP Committee Bill

There may be some implications for HIPAA-covered entities after the Senate Health, Education, Labor and Pensions (HELP) Committee approved the Lower Health Care Costs (LHCC) Act of 2019. One of the main aims of the bill is to enhance the transparency of healthcare costs and service quality. The bill aims to put an end to surprise medical bills and make sure patients are kept informed about healthcare costs. The LHCC Act...

Read More
Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care Clarified by OCR
Jun28

Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care Clarified by OCR

The Department of Health and Human Services’ Office for Civil Rights has released new HIPAA guidance for health plans on how protected health information can be sent to support care coordination and continuity of care. The new material, which has been published in an FAQ format, addresses two questions commonly asked by health plans: Can PHI be shared with another health plan for care coordination reasons? OCR has said that the HIPAA...

Read More
Webinar – Email Archiving for your Business: Improve Compliance, Save Money & Enhance Efficiency
Jun20

Webinar – Email Archiving for your Business: Improve Compliance, Save Money & Enhance Efficiency

Galway, Ireland-based cybersecurity firm TitanHQ is running a webinar to raise awareness of the importance of email archiving for businesses. In the webinar, the benefits of cloud-based email archiving services will be discussed and attendees will find out more about the fundamentals of email archiving, deploying an email archiving solution, and important factors to consider when choosing a service provider. The webinar is an educational...

Read More
Sensitive Information of 11.9 Million Quest Diagnostics Patients Compromised
Jun04

Sensitive Information of 11.9 Million Quest Diagnostics Patients Compromised

Quest Diagnostics, one of the leading medical laboratories and blood testing companies in the United States, has been affected by a data breach at one of its vendors. That breach has resulted in the exposure and potential theft of almost 12 million individuals’ personal, medical, and financial information. According to a recent U.S. Securities and Exchange Commission (SEC) filing, Quest Diagnostics was notified of a data breach at the...

Read More
Medical Informatics Engineering Settles HIPAA Violation Cases for $1 Million
May28

Medical Informatics Engineering Settles HIPAA Violation Cases for $1 Million

The electronic medical record software company Medical Informatics Engineering (MIE) has agreed to settle its HIPAA violation case with the U.S. Department of Health and Human Services’ Office for Civil Rights for $100,000 and has agreed to pay $900,000 to resolve a multi-state action filed by state attorneys general over a 2015 data breach. MIE experienced a data breach on May 7, 2015 when hackers gained access to a server used by...

Read More
Healthcare Data Breach Report for April 2019
May21

Healthcare Data Breach Report for April 2019

April 2019 was the worst month recorded, to date, for healthcare data breaches. More data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) during April than in any other month since healthcare data breach reports were first published in October 2009. In April, 46 healthcare data breaches were reported to OCR, which is a 48% increase from March and 67% higher than the average number...

Read More
Legal Action: Court Told Hospital Worker Shared Patient Information
May16

Legal Action: Court Told Hospital Worker Shared Patient Information

A legal action has been submitted against Atchison Hospital in Kansas by a rape victim who claims an x-ray technician at the hospital got in touch with her attacker and disclosed sensitive data about the treatment she received at the hospital. According to a report in the Kansas City Star, after being raped, the woman sought treatment at the hospital. She was given a rape kit examination, and allegedly made it clear to the hospital...

Read More
Bodybuilding.com Data Breach Impacts 3,193 Employees
May10

Bodybuilding.com Data Breach Impacts 3,193 Employees

The bodybuilding and personal fitness website Bodybuilding.com has revealed it has had to deal with a security incident that may have led to the information of customers and employees being accessed by unauthorized people. While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, Bodybuilding.com was required to report the breach of group members’ PHI to the Office...

Read More
Delayed Breach Response Costs Tennessee Medical Imaging Firm $3 Million
May08

Delayed Breach Response Costs Tennessee Medical Imaging Firm $3 Million

It is not possible to prevent all healthcare data breaches, but when a breach is experienced it must be investigated and mitigated promptly. Delaying the breach response and notifications can prove extremely costly, as the Tennessee medical imaging firm Touchstone Medical Imaging discovered. On May 9, 2014, Touchstone Medical Imaging was notified by the FBI that an FTP server had been left unsecured. At the same time, the HHS’ Office...

Read More
Court Rules that Negligence Claim Based on HIPAA Violation can Proceed in Arizona
May04

Court Rules that Negligence Claim Based on HIPAA Violation can Proceed in Arizona

An Arizona man who filed a lawsuit against Costco in relation to a privacy violation, and had the lawsuit thrown out by the trial court, has had that decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence in relation to a violation of the Health Insurance Portability and Accountability Act (HIPAA). The privacy violation in question took place in 2016. The man was sent a...

Read More

HHS Reforms HITECH Act Penalties for HIPAA Breaches

The Department of Health and Human Services has published a notification of enforcement discretion in relation to the civil monetary penalties that are applied when violations of HIPAA Rules are identified and will be reducing the maximum financial penalty for three of the four penalty tiers. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 raised the penalties for HIPAA violations....

Read More
Can SparkPost be Deemed HIPAA Compliant?
Mar22

Can SparkPost be Deemed HIPAA Compliant?

SparkPost is a widely used email delivery and analytics platform that is implemented by many enterprises to send information to customers. Healthcare bodies are required to comply with HIPAA Rules, so to determine whether SparkPost supports HIPAA compliance and whether its platform can be used in a HIPAA-compliant manner, we have considered the following. SparkPost is the largest global email delivery and analytics platform and is used to...

Read More
Is the Use of Mandrill by Healthcare Organizations HIPAA Compliant?
Mar10

Is the Use of Mandrill by Healthcare Organizations HIPAA Compliant?

Mandrill is a leading automated email platform and a transactional email service provided by MailChimp. The software allows companies to automatically send emails to customers and other people who interact with their web apps, and it connects to MailChimp via an API. Transactional emails are the same as marketing emails in that they are programmed to be initiated by events including password resets, confirmation of placement of...

Read More
Is it HIPAA Compliant to Use Marketo?
Mar02

Is it HIPAA Compliant to Use Marketo?

Marketo is an automation platform for lead management and email marketing that was recently acquired by Adobe. Healthcare organizations seeking a marketing automation platform need to be certain that the platform provider complies with HIPAA regulations if the platform is to be used in connection with electronic protected health information. Healthcare organizations can use marketing automation platforms for a variety of purposes without...

Read More
Proposal to Pay Patients to Share Their Healthcare Data Included in Oregon Health Information Property Act
Feb13

Proposal to Pay Patients to Share Their Healthcare Data Included in Oregon Health Information Property Act

The Oregon Health Information Property Act proposes that healthcare patients should be permitted to legally authorize their healthcare providers to sell their health data and to be paid if their health information is sold to a third party. At present, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule restricts the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered bodies...

Read More

$3m HIPAA Settlement Agreed Between Cottage Health and OCR

A HIPAA penalty settlement of $3,000,000 has been agreed between the Department of Health and Human Services’ Office for Civil Rights (OCR) and the Santa Barbara, CA-based healthcare provider Cottage Health in relation to a HIPAA breach. Cottage Health runs four different hospitals in California: Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In...

Read More
Industry-Wide Effort to Accelerate Interoperability Urged by Hospital Associations
Feb02

Industry-Wide Effort to Accelerate Interoperability Urged by Hospital Associations

Seven major hospital associations, including the American Hospital Association (AHA), are leading pleas for an industry-wide effort to enhance data sharing. The new report is seeking public and private stakeholder support to speed up interoperability and help remove the obstacles to data sharing. In order to achieve the full potential of the nation’s healthcare system, health data must flow without obstruction. Only then will it be...

Read More
Warning About DNS Hijacking Issued by DHS
Jan25

Warning About DNS Hijacking Issued by DHS

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has released an emergency directive regarding DNS hijacking campaigns. All government agencies have been told to review their DNS settings within the next 10 days. CISA reports that cyber criminals have been targeting government agencies and changing their Domain Name System records. DNS records are used to determine the IP address of a website...

Read More
Criminal HIPAA Violation Leads to Probation for Physician
Jan20

Criminal HIPAA Violation Leads to Probation for Physician

After pleading guilty to a criminal violation of HIPAA Rules, a physician has received 6 months’ probation as an alternative to a jail term and financial penalty for the wrongful disclosure of patients’ PHI to a pharmaceutical company. The Department of Justice in Massachusetts heard the case in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary...

Read More
Vulnerabilities Identified in LabKey Server Community Edition
Jan02

Vulnerabilities Identified in LabKey Server Community Edition

Security researchers at Tenable Research have identified a number of flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to obtain user credentials, access medical data, and run arbitrary code via the LabKey browser. LabKey Server is an open source collaboration tool that enables scientists to integrate, analyze, and share biomedical research data. While the platform acts as a secure data repository,...

Read More
Anthem Data Breach Settlement of $16 Million Agreed with OCR
Oct16

Anthem Data Breach Settlement of $16 Million Agreed with OCR

The largest ever healthcare data breach in the United States has attracted the largest ever fine for noncompliance with HIPAA Rules. The Anthem data breach settlement of $16 million eclipses the previous highest HIPAA fine of $5.55 million and reflects not only the severity of the Anthem Inc data breach, which saw the protected health information of 78.8 million plan members stolen, but also the extent of noncompliance with HIPAA...

Read More
Failure to Encrypt ePHI Costs Cancer Treatment and Research Center $4.34 Million
Jun19

Failure to Encrypt ePHI Costs Cancer Treatment and Research Center $4.34 Million

The Department of Health and Human Services’ Office for Civil Rights has announced its third HIPAA financial penalty of 2018. The $4.34 million civil monetary penalty is the fourth largest HIPAA penalty ever issued to resolve HIPAA violations. While most covered entities and business associates agree to settle HIPAA violations and pay the penalty, on rare occasions the penalties are contested, and the case goes before an...

Read More
Cloud Tool Reduces AWS Costs by 60%
May10

Cloud Tool Reduces AWS Costs by 60%

Healthcare organizations are increasingly implementing cloud-based systems to meet their IT requirements, but while there are multiple reasons for moving applications, infrastructure and data center operations to the cloud, high cloud costs can make it an unattractive option. Many healthcare organizations purchase AWS EC2 instances to host their server workloads. While this particular platform meets their requirements, the...

Read More
582,000 Patients Warned of Potential PHI Compromise by California Dept. of Developmental Services
Apr27

582,000 Patients Warned of Potential PHI Compromise by California Dept. of Developmental Services

A recent survey carried out with hackers, incident responders, and penetration testers has showed that most can gain access to a targeted system in around 15 hours, but 54% of hackers take under five hours to gain access to a system, and identify and obtain sensitive data. The data comes from the second yearly Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were located in the United States. Those...

Read More
Manufacturer of Oxygen Equipment Reports Data Theft Incident Possibly Impacting 30,000 Individuals
Apr26

Manufacturer of Oxygen Equipment Reports Data Theft Incident Possibly Impacting 30,000 Individuals

Inogen, a manufacturer of portable oxygen concentrators, has found that an unauthorized individual obtained the credentials of an employee and used them to access the staff member’s email account. Phishing and other credential theft incidents are commonplace in the healthcare industry, although what makes this incident unusual is the number of people affected by the attack. The compromised email account included the...

Read More
Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach
Apr24

Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach

Illinois-based physiatry organization Integrated Rehab Consultants is sending notification letters to some patients alerting them to the exposure of some of their protected health information, in line with HIPAA regulations. However, the breach was not discovered within the past 60 days. Integrated Rehab Consultants (IRC) initially became aware of the exposure of PHI on December 2, 2016, 16 months previously. The...

Read More
Des Moines Crisis Observation Center Discovers Inappropriate Dissemination of Patient Data
Apr23

Des Moines Crisis Observation Center Discovers Inappropriate Dissemination of Patient Data

1,071 patients who were treated at the Des Moines Crisis Observation Center managed by Polk County Health Services Inc., have been contacted to advise them that some of their protected health information has been “accidentally and unknowingly disseminated” at some point in the last 3.5 years. The breach was first identified on February 14, 2018, although the inquiry revealed that information was first disclosed on June 1, 2014 and the...

Read More
Misconfigured Security Settings Results in 63,500 Middletown Medical Patients Having PHI Exposed
Apr19

Misconfigured Security Settings Results in 63,500 Middletown Medical Patients Having PHI Exposed

A security setting that was not configured properly on a radiology system has led to the exposure of the protected health information of tens of thousands of patients of Middletown Medical, a multi-specialty physicians’ group based in Middletown, NY. The breach was first discovered on January 29, 2018. On January 30 the interface was reconfigured so that unauthorized individuals could no longer obtain patient information. The length of time...

Read More
Possible Abuse of Credit Card Details Affects 1,500 Baptist Health Patients
Apr18

Possible Abuse of Credit Card Details Affects 1,500 Baptist Health Patients

A former worker at Baptist Health’s West Kendall Baptist Hospital in Miami, FL illegally obtained the credit card details of patients and used the information to complete fraudulent transactions. The misuse of credit cards was identified by Baptist Health on March 9, 2018; the matter was then reported to Miami-Dade law enforcement and the employee was removed from their position. Baptist Health has not made it known...

Read More
Multiple Staff Email Accounts Accessed in UnityPoint Health Phishing Attack
Apr17

Multiple Staff Email Accounts Accessed in UnityPoint Health Phishing Attack

It has been discovered that the email accounts of several employees of UnityPoint Health have been compromised and accessed by unauthorized people. Access to the staff email accounts was first obtained on November 1, 2017 and went on for a period of three months until February 7, 2018, when the phishing attack was noticed and access to the compromised email accounts was turned off. When the phishing attack was first noticed,...

Read More
Almost 14,000 Affected by SAMBA Privacy Breach
Apr13

Almost 14,000 Affected by SAMBA Privacy Breach

14,000 individuals are being alerted about a February 2018 breach of protected health information at the Special Agents Mutual Benefit Association (SAMBA). The data breach affects eligible family members of plan members who were covered by the Federal Employees Health Benefits Plan during 2017. It is an Internal Revenue Service (IRS) obligation for SAMBA to send a copy of Form 1095-B to all plan members every tax year. The form in...

Read More
Data Breach Notification and Information Security Laws Updated in Oregon
Apr12

Data Breach Notification and Information Security Laws Updated in Oregon

Data breach notification laws in Oregon have been updated to enhance protections for state residents whose personal data is exposed during a data breach. Kate Brown, the State governor, signed Senate Bill 1551 (SB 1551) last month, which updates several parts of the legislation, particularly Oregon’s Breach Notification Law, O.R.S. 646A.604, and Information Security Law, O.R.S. 646A.622. The updates will become...

Read More
Arc of Erie County New York Reports 3,751 Patients’ PHI Was Exposed on Internet over 30-Month Period
Apr11

Arc of Erie County New York Reports 3,751 Patients’ PHI Was Exposed on Internet over 30-Month Period

A provider of person-centered services to individuals with developmental disabilities, The Arc of Erie County New York (The Arc), has reported that two spreadsheets listing the protected health information of 3,751 patients were open to the public via the Internet without the need for authentication for a time period of longer than 30 months from July 2015 to February 2018. The two spreadsheets in question could be seen through the...

Read More
Missing Hard Drives from Chesapeake Regional Healthcare Contained PHI of 2,100 Patients
Apr09

Missing Hard Drives from Chesapeake Regional Healthcare Contained PHI of 2,100 Patients

Chesapeake, Virginia-based Chesapeake Regional Healthcare has reported that two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from its Chesapeake Regional Medical Center campus. The private health information stored on the devices in question relates to patients who participated in research at its Sleep Center between April 2015 and February 2018. It is...

Read More
Improper Disposal of PHI is Common According to JAMA Study
Apr05

Improper Disposal of PHI is Common According to JAMA Study

A recently completed study (published in JAMA) has emphasized just how often hospitals are disposing of PHI in an unsafe fashion. While the study was completed in Canada, which is not subject to HIPAA, the results emphasize a critical area of PHI security that is often neglected. Incorrect Destruction of PHI is More Commonplace than Previously Thought: Researchers at St. Michael’s Hospital in Toronto reviewed recycled paperwork at...

Read More