Incorrectly Configured Cloud Storage Present at Over Half of Businesses
Oct 19

The findings of a recent report carried out by cloud threat defense firm RedLock have revealed that more than 50% of businesses have made critical mistakes during system configuration that have exposed sensitive data in cloud storage. The issue of incorrect configuration seems to be getting worse. RedLock’s last report, for Q2, showed 40% of businesses had at least one improperly configured cloud storage service – Amazon Simple Storage Service (Amazon S3), for example. A new report, released with the recent Cloud Security Trends Report, shows that this figure jumped to 53% between June and September 2017. The RedLock report shows many groups are not following recommended security best practices, such as using multi-factor authentication for all privileged account subscribers. Some...

HHS Withdraws Proposed Rule for Health Plans Certification of Compliance
Oct 17

A new rule for certification of compliance for health plans was proposed by the HHS in January 2014, requiring all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate HIPAA compliance. The proposed rule, ‘Administrative Simplification: Certification of Compliance for Health Plans’, was drafted to promote more consistent testing procedures for CHPs. The HHS has now decided to withdraw the proposal. If the rule had been passed, CHPs would have been required to demonstrate adherence to HIPAA administrative simplification standards for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. Not complying with the new rule could have led to...

Medical Device Cybersecurity Emphasis for New AEHIS/ MDISS Partnership
Oct 13

A new working relationship between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS) will focus on helping to advance medical device cybersecurity and improve patient data security. The two groups will cooperate to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, teaching about the threats to device security, training members, and promoting data sharing. For the past three years, AEHIS has been helping healthcare groups improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have availed of the education and networking...

Internet of Things Medical Resilience Partnership Act to Provide Direction on Devices
Oct 11

The Internet of Medical Things Resilience Partnership Act, aimed at establishing a public-private stakeholder partnership that will be tasked with developing a cybersecurity framework to prevent data breaches, has been approved by the U.S. House of Representatives. The hope is that this framework will be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more secure against cyberattacks. The range of medical devices now being employed in the healthcare industry is considerable and the number is only likely to keep increasing. As more devices are developed, the risk of harm to patients grows. These devices are currently used in hospitals, worn by patients receiving treatment, fitted surgically or used in the home. The devices...

HHS Withdraws Proposed Rule for Certification of Compliance for Health Plans
Oct 10

Early in 2014 the HHS proposed a new rule for certification of compliance for health plans that would have required all those managing health plans (CHPs) to submit a range of documentation to HHS to show compliance with electronic transaction standards set by the HHS under HIPAA Rules. The proposed rule was aimed at supporting more consistent testing processes for CHPs. The HHS has now revealed that the proposed rule has been withdrawn from consideration. Had it made it to the final rule stage, CHPs would have been asked to demonstrate compliance with HIPAA administrative simplification standards for three electronic transactions: eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The inability to...

Over Half of Cloud Storage Services are Misconfigured: Report
Oct 09

A recent report by cloud threat defense firm RedLock claims more than half of businesses have made errors that have exposed sensitive data to the general public via the cloud. The study shows many organizations are not adhering to established security best practices, such as using multi-factor authentication for all privileged account subscribers. Worse still, many groups are failing to continuously review their cloud environments, which means data is being exposed without detection. The issue seems to be worsening: RedLock’s last review, for Q2, revealed 40% of businesses had misconfigured at least one of their cloud storage services – Amazon Simple Storage Service (Amazon S3), for one. A new study, released in its most recent Cloud Security Trends Report, shows that percentage grew to 53%...

What is the Definition of a HIPAA Covered Entity?
Oct 09

The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and business associates, but what is the definition of a HIPAA covered entity and what are HIPAA business associates? Knowing the definition of a covered entity and business associate is essential. If you are classed as either, you must comply with HIPAA Rules. There are severe financial penalties for noncompliance with HIPAA and ignorance is not a valid defense. What is the Definition of a HIPAA Covered Entity? The definition of a HIPAA covered entity is a healthcare provider, health plan or healthcare clearinghouse that electronically transmits protected health information for transactions for which the Department of Health and Human Services has adopted standards. The above healthcare...

Hacking Group ‘The Dark Overlord’ Attacks Another Healthcare Organization
Oct 06

After a seemingly prolonged period of inactivity, the hacking group TheDarkOverlord has revealed another attack on a U.S. healthcare supplier, Mass.-based SMART Physical Therapy (SMART PT). The hack reportedly happened on September 13, 2017, with the announcement of the data theft released by TDO on Twitter on Friday 22, 2017. No details were given as to how access to the data was gained, although it was revealed to databreaches.net that the attack took advantage of weak passwords. The entire patient database was reportedly obtained. Databreaches.net was provided with the patient database and was able to confirm that the attack was genuine. The database held a wide range of data on 16,428 patients, including contact information, dates of birth and Social Security...

Advice on Responding to a Cyberattack Issued by OCR
Oct 05

Recently, the Department of Health and Human Services’ Office for Civil Rights published new guidelines for covered organizations on the correct way to respond to a cyberattack. The guidelines include a quick response checklist and an accompanying infographic to explain the correct response to a cyberattack and the sequence of steps that should be taken. Preparation is key to a correct response. Covered entities must have response and mitigation procedures in place, and contingency plans should be implemented immediately following the identification of a cyberattack, malware or ransomware attack. The first step in a response is to take quick action to prevent any impermissible disclosure of electronic protected health data. If a network intrusion has occurred, unauthorized access to the...

128,000 Arkansas Patients Attacked by Ransomware
Oct 05

128,000 patients at the Arkansas Oral Facial Surgery Center in Fayetteville have had their private information potentially impacted following a ransomware attack. The ransomware is believed to have been placed on its network between July 25 and 26, 2017. The attack was identified quickly, although not before files, x-ray images, and documents had been encrypted. The incident did not compromise its encrypted patient database, except for a ‘relatively limited’ set of patients whose data relating to their recent visits was encrypted. Those patients had visited the center for medical services in the three weeks before the ransomware attack. The ransomware attack is still under review, although to date, no proof of data theft has been located. Arkansas Oral Facial Surgery Center believes the...

Microsoft OneDrive: Does it adhere to HIPAA Compliance Rules?
Oct 01

With the proliferation of cloud storage coming at the same time as HIPAA Compliance Rules have become increasingly strict in order to secure private data, organizations are beginning to examine whether Microsoft OneDrive is HIPAA compliant. A multitude of healthcare groups are already using Microsoft Office 365 Business Essentials, including Microsoft Exchange Online for email. Office 365 Business Essentials includes OneDrive Online, which is a user-friendly platform for storing and sharing information and files. There is certainly no issue with HIPAA-covered bodies using OneDrive. Microsoft supports HIPAA compliance and many of its cloud services, including OneDrive, can be used without breaching HIPAA Rules. That said, before OneDrive – or any cloud service – can be implemented...

Dental Offices And HIPAA Compliance: What Needs to Be Addressed?
Sep 29

Dr. Joseph Beck became the first ever dentist to receive a HIPAA violation fine in 2014. This alerted dental offices to HIPAA compliance and its importance. Until then, dental offices had not been subjected to fines for noncompliance with HIPAA Rules. The penalty was not applied by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana Attorney General. The fine of $12,000 was for what was believed to be the mishandling of the protected health information of 5,600 people. Since then, many settlements have been agreed with covered bodies for HIPAA violations. Dental offices have not been subjected to further penalties since then, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing...

Cloud Computing Platforms and the Implications of HIPAA
Sep 28

Before cloud computing services are used by healthcare providers for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered bodies must ensure the services are operated in a secure manner. Even in cases where a cloud computing platform provider has been given HIPAA certification, or claims its service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used to store ePHI until a risk analysis – see 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is a vital element of HIPAA compliance for cloud computing services. After completing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§...

HITRUST/AMA Begin Project to Assist Small Healthcare Firms with HIPAA Compliance
Sep 28

HITRUST has revealed it will be working with the American Medical Association (AMA) for a new project that will assist small healthcare companies with HIPAA compliance, cybersecurity and cyber risk management. Small healthcare providers can be more exposed to cyberattacks, as they usually lack the resources to dedicate to cybersecurity and do not tend to have the budgets at their disposal to employ skilled cybersecurity staff. This week has highlighted the need for small practices to strengthen their cybersecurity defenses, with the announcement of two cyberattacks on small healthcare providers by the hacking group TheDarkOverlord. Recent ransomware attacks have also pointed to the fact that healthcare organizations of all sizes are likely to be attacked. Organizations, both big and...

3,725 Veterans Have Their PHI Exposed Due to Missing Laptop
Sep 26

A laptop computer, no longer in use, owned by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has gone missing, potentially leading to the exposure of sensitive patient data. The laptop was linked to a hematology analyzer and held data related to hematology tests. The laptop was in operation between April 2013 and May 2016, but was put out of use when the device became unusable. The laptop, which had been purchased from a vendor, was replaced; however, an equipment inventory showed the device to be missing. The device should have been returned to the vendor it was purchased from, although the vendor has no record of the laptop ever being recalled from MGVAMC. An inventory of equipment at the MGVAMC lab found the device was missing. A complete search of the medical center...

OIG Identifies Multiple Security Weaknesses in Alabama’s Medicaid Management Information System
Sep 26

The HHS’ Office of Inspector General (OIG) has completed an audit of Alabama’s Medicaid data and information systems to determine whether the state was in compliance with federal regulations. The review included the Medicaid Management Information System (MMIS) and associated policies and processes. OIG also carried out a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive information. The audit showed Alabama’s MMIS had multiple weaknesses that could possibly be exploited by hackers to gain access to its systems and Medicaid data. Alabama had implemented a security program for its MMIS, although several weaknesses had been allowed to persist. OIG stated in its...

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
Sep 23

A partial waiver of HIPAA has been issued by the U.S. Department of Health and Human Services in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands, the third such waiver of 2017 following the issuing of waivers of HIPAA sanctions and penalties in areas affected by hurricanes earlier this year. The previous waivers were issued in relation to Hurricane Harvey and Hurricane Irma and, as was the case in those instances, the waiver only applies to covered groups in areas where a public health emergency has been declared, only for 72 hours following the beginning of the hospital’s disaster protocol and only for specific provisions of the HIPAA Privacy Rule: the requirements to receive a person’s agreement to speak with family members or friends involved...


Hurricane Maria Disaster Zone: Partial HIPAA Privacy Rule Waiver Issued by HHS

A third HIPAA waiver has been issued by the U.S. Department of Health and Human Services, following two earlier partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes earlier in 2017. On this occasion the waiver relates to the Hurricane Maria disaster zone in Puerto Rico and the U.S. Virgin Islands. As with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered bodies in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster procedures, and only for specific provisions of the HIPAA Privacy Rule: the requirements to receive a patient’s agreement to speak with family members or friends involved in the patient’s...

Consolidated Inc. Data Breach Impacts 21,856 People
Sep 23

Nebraska-based CBS Consolidated Inc., operating as Cornerstone Business & Management Solutions, completed a routine audit of system logs on July 10, 2017 and found an unfamiliar account on the server. Closer inspection of that account showed it was being used to download sensitive data from the server, including the protected health information of patients who used its medical supplies. 21,856 people who received durable medical supplies from the group through their Medicare coverage have potentially been affected. The types of data taken by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was breached, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details...

Data Breaches Drop For Second Consecutive Month
Sep 22

The latest Breach Barometer report from Protenus/Databreaches.net shows that healthcare data breaches have dropped for the second consecutive month. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the drop in the number of data breaches is encouraging, that is still more than one healthcare data breach per day. While it was the second best month of the year so far in terms of the number of reported incidents, it was the third worst in terms of the number of individuals impacted. 575,142 people were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise even more as two incidents were not included in that total since it is not yet...

Imperial Valley Passes OCR HIPAA Audit With Help From The Compliancy Group
Sep 19

The Department of Health and Human Services’ Office for Civil Rights (OCR) has investigated a California physicians’ group following a reported breach of protected health information. Covered entities can implement policies and procedures to prevent data breaches, but security incidents are still likely to occur. Responding correctly to those breaches and ensuring HIPAA Rules are carefully followed will help to ensure financial penalties for HIPAA violations are avoided. As with all breaches that result in the protected health information of more than 500 individuals being exposed, OCR launched an investigation of Imperial Valley Family Care Medical Group (IVFCMG) when the breach summary was submitted through its breach portal. The breach in question was the theft of a laptop computer...

Hospitals in Irma Disaster Area Granted Limited HIPAA Waiver
Sep 13

A limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Hurricane Irma has been issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in the U.S. Virgin Islands, Puerto Rico, and Florida. OCR says that the HIPAA Privacy and Security Rules are still in place and covered organizations must continue to obey HIPAA Rules; however, certain parts of the Privacy Rule have been temporarily waived in line with the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act. Should a hospital in the disaster zone not comply with the following stated aspects of the HIPAA Privacy Rule, penalties and sanctions will not be applicable: 45 CFR 164.510(b) – obtain a patient’s agreement to consult with family members or...

OCR Warns Covered Bodies to Prepare for Natural Disasters
Sep 09

Medical centers and hospitals were recently stretched before and after Hurricane Harvey, in Texas and Louisiana, as they sought to provide medical services without breaching HIPAA Rules. Concern arose regarding when it is allowable to share health information with patients’ friends and family, the media and the emergency services, and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights reacted by issuing guidance to covered bodies on the HIPAA Privacy Rule and disclosures of patient health information in cases of emergency, to help healthcare groups protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document. Following quickly after Hurricane Harvey come hurricanes Irma and...

Finding ‘Big, Juicy, Egregious’ HIPAA Breach Priority for OCR Head
Sep 07

The main enforcement priority for 2017 of Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), is to find a “big, juicy, egregious” HIPAA breach to use as an example for other healthcare groups on the risks of failing to follow HIPAA Rules. When choosing which cases to pursue, OCR considers the chance to use such a case as an educational tool to warn covered groups of the need to comply with specific aspects of HIPAA Rules. At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino said “I have to balance that law enforcement instinct with the educational component that we do.” Severino added, “I really want to make sure people come into compliance without us having to enforce. I want to underscore...

Hurricane Harvey Disaster Zone: HHS Issues Partial Waiver of HIPAA Sanctions
Sep 01

HHS Secretary Tom Price announced that OCR is issuing a partial waiver of sanctions and financial penalties for specific Privacy Rule breaches for hospitals in Texas and Louisiana in the Hurricane Harvey emergency zone. This partial waiver is only applicable to the provisions of the HIPAA Privacy Rule outlined below: the obligation to receive a patient’s agreement to talk with family members or friends involved in the patient’s treatment (see 45 CFR 164.510(b)); the obligation to honor an opt-out request in relation to the facility directory (see 45 CFR 164.510(a)); the requirement to issue a public notice of privacy practices (see 45 CFR 164.520); the patient’s expressed right to request privacy restrictions (see 45 CFR 164.522(a)); the patient’s right to request confidential...

HIPAA Privacy Rule Violation Penalties Waived in Wake of Hurricane Harvey
Aug 28

Secretary of the U.S. Department of Health and Human Services Tom Price has announced that certain HIPAA Privacy Rule violation penalties will be waived in the disaster area of Hurricane Harvey in Texas and Louisiana. Following any natural disaster, hospitals and health systems must operate in difficult circumstances. During such times, it can be a major challenge to provide treatment while complying with all aspects of HIPAA Rules. With resources stretched, HIPAA Privacy Rule violations can easily occur. In emergency situations, such as when healthcare organizations are required to assist in disaster relief efforts, HIPAA Rules must still be followed. The HIPAA Privacy Rule is not suspended in such situations, although the HHS Secretary can waive certain provisions of the HIPAA...

Getting Basics Correct Key to Avoiding Data Breaches
Aug 16

Intrusion detection systems, next generation firewalls, insider threat management software and data encryption will all help healthcare groups recognize danger, cut out security violations, and identify attacks quickly when they happen. Even with all of these measures, it is still vitally important to address the security basics. The Office for Civil Rights breach portal is filled with examples of HIPAA data breaches that have been caused by the simplest of errors and security lapses. Strong security begins with the fundamentals. This was recently highlighted in a number of blog posts by the FTC. The posts are aimed at helping businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically targeted at healthcare groups, the...

Breach Notification Rule is Violated by Delaying Issuing of Breach Notifications
Aug 12

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered organizations to advise the HHS’ Office for Civil Rights of any breach of protected health information and issue notification letters to affected people without unreasonable delay and no later than 60 days after the identification of the breach. July’s Breach Barometer report from Protenus indicated that many covered organizations have had difficulty in complying with the HIPAA Breach Notification Rule and have disclosed their breaches to OCR after the deadline has expired. 2017 has seen a major reduction in average reporting times. The Protenus 2017 Breach Barometer Mid-Year Review outlines that between January and June, it took a mean time of 54.5 days from the identification of a breach to...

U.S. Senate Passes Jessie’s Law Allowing Drug Histories to be Shared with Doctors
Aug 07

Last week, the U.S. Senate passed new legislation – Jessie’s Law – that allows details of patients’ past drug abuse to be shared with physicians if patients give their consent. At present, drug abuse histories are prohibited from being shared, to protect the privacy of patients. That information is kept separate from a patient’s medical record. Unfortunately, the law can have terrible consequences, as was highlighted by a tragic incident involving a recovering addict, Jessica Grubb. Jessica had been struggling with opioid addiction for several years, although after undergoing treatment, she had been sober for six months. Jessica had turned her life around and had taken up running, but suffered an injury that required surgery. Jessica was admitted to hospital. Her parents were at the...

2017 Healthcare Data Breach Trends Highlighted in Protenus Report
Aug 04

Protenus, working with Databreaches.net, has released its Breach Barometer mid-year review. The report includes all healthcare data breaches reported over the past six months and gives important insights into the latest data breach trends. The Breach Barometer is a detailed review of healthcare data breaches, including not only the data breaches made known to the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also public media reports of incidents and public findings. Prior to being included in the report, all breaches must be independently confirmed as genuine by databreaches.net. The Breach Barometer reports look into the main factors causing data breaches suffered by healthcare providers, health plans and their business associates. In a...

NotPetya Attack on Nuance Communications Not Reported to OCR
Aug 03

The Department of Health and Human Services’ Office for Civil Rights has previously made it clear in its ransomware guidance that if ePHI is encrypted, ransomware attacks are usually HIPAA breaches and are always reportable. In the ransomware guidance, OCR says that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” adding that the definition of a breach in HIPAA is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A ransomware attack is designated as a HIPAA breach because the actions of the hackers have led to the acquisition of PHI, in the sense that unauthorized people have taken control...

HIPAA Breaches Under Investigation Highlighted in OCR Data Breach Portal Update
Jul 28

In June 2017, the Department of Health and Human Services announced it was considering an update to its data breach portal, commonly called the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act states that OCR must maintain a public list of breaches of protected health information that have affected more than 500 individuals. All 500+ record data breaches submitted or made known to OCR since 2009 are listed on the breach portal. The data breach list contains a wide variety of breaches, many of which happened through no fault of the covered organization and involved no violation of HIPAA Rules. OCR has been criticized for its breach portal because of this, most recently by Rep. Michael Burgess (R-Texas), who said the breach portal was ‘unnecessarily punitive’ in its current...

33% of Patients Access Their Health Data on Patient Portals
Jul 28

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allows people to view information regarding their health stored by their providers. However, as revealed in a recent U.S. Government Accountability Office (GAO) report, few patients are actually exercising this right using the patient portals provided. The Medicare Electronic Health Record Incentive Program encouraged healthcare organizations to move from paper to electronic medical records, and now almost 90% of subscribers to participating providers have access to patient portals where they can view their health data. Even though patients have been given the access, fewer than 33% of patients are accessing patient portals to view their health information. GAO viewed patient health information access from the...

Data Breach Reporting Tool Updated by OCR
Jul 25

Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights developed its data breach reporting tool to allow HIPAA-covered entities to easily submit reports of data breaches. A summary of data breach reports is published via the data breach reporting tool and is viewable by the public. The data breach list – which is commonly known as OCR’s Wall of Shame – details all reported healthcare data breaches that impact more than 500 individuals. While there have been updates to the data breach reporting tool since its release, the format of the data breach list has changed little over the years. An update to the portal, and how the information is displayed, was long overdue. Recently there have been calls for OCR to change the...

Model Patient Request for Health Information Form Issued by AHIMA
Jul25

A model patient request for health information form has been issued by the American Health Information Management Association (AHIMA) that can be used by healthcare providers to give to patients who request copies of their health information. The HIPAA Privacy Rule permits patients to obtain copies of their health data from their providers, although at many hospitals the process is inefficient, lacks transparency and patients are often left in the dark about what is happening after they have submitted their requests, according to a recent report from the ONC. Under HIPAA Rules, patients must be provided with copies of their health information within 30 days of the request being submitted. Patients are also permitted to request their information in paper or electronic form, although ONC...

How does HIPAA Affect Use of Google Drive?
Jul22

The service G Suite – formerly known as Google Apps, of which Google Drive is a part – is compliant with HIPAA. The service does not breach HIPAA Rules; however, users of the service may breach the rules themselves. G Suite includes all of the required security controls to make it a HIPAA-compliant service and can be used by HIPAA-covered organizations to share PHI (in accordance with HIPAA Rules), once the account is configured correctly and standard security practices are in place. The use of any software or cloud storage service in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) before the service is used with any PHI. Google provides a BAA for Google Drive (including Docs, Sheets,...

Study: Data Breaches by Ex-Employees a Concern
Jul20

A recent study carried out by OneLogin showed many organizations are not doing enough to stop data breaches by ex-employees. While access to computer systems and applications is a requirement during employment, many organizations are neglecting to block access to systems quickly when employees depart the company, even though ex-employees pose a significant danger to data security. Blocking access to networks and email accounts when a member of staff is terminated or otherwise leaves the company is one of the most basic security measures, yet all too often the process is delayed. 600 IT employees who had some responsibility for security in their organization were questioned for the study, and around half of respondents said they do not immediately cut ex-employees’...

ONC Office of the Chief Privacy Officer Funding Stopping in 2018
Jul19

The withdrawal of funding for the Office of the Chief Privacy Officer has resulted in ONC National Coordinator Don Rucker, M.D. confirming that the office will be closed during 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been acting as Acting Chief Privacy Officer until a permanent replacement to the role previously filled by Lucia Savage is identified, following her departure in January. It now seems unlikely that a permanent replacement will be recruited. One of the key duties of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is properly protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies in relation to electronic health...

HIPAA Compliance and Dropbox, What You Need to Know
Jul16

Dropbox is one of the most popular and successful file hosting services available online, but does it comply with HIPAA? Dropbox claims it is now fully behind and supportive of HIPAA and HITECH Act compliance, but that does not mean Dropbox itself is HIPAA compliant. No software or file sharing platform can be HIPAA compliant on its own, as compliance depends on how the software or platform is used and on the individuals using it. However, healthcare organizations can use Dropbox to share or store files containing protected health information without breaching HIPAA Rules. The Health Insurance Portability and Accountability Act requires covered organizations to complete a business associate agreement (BAA) with an organization before any protected health information (PHI) is shared. Dropbox is classified as a business...

ONC Offers Tips to Improve Patient Data Access
Jul15

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has given covered entities tips to improve patient data access, explaining how important it is for patients to be given access to their health information. In its report – Improving the Health Records Request Process for Patients – ONC explains that under HIPAA Rules, patients are given the right to access their records. Healthcare organisations must provide patients with copies of their health information within 30 days of the request being received. However, in many cases, patients are not fully aware of their rights and patients are not given much information on the process. While patients can request electronic copies of their medical records, some healthcare organizations are only providing paper...

File Sharing Tools and Cloud Computing: OCR Highlights Risks
Jul05

File sharing and collaboration services offer many advantages to HIPAA-covered companies, although the services can also introduce risks to the privacy and security of electronic health information. Many organizations, including healthcare organizations, use these services, yet they can lead to the exposure or disclosure of sensitive information. The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently issued an alert warning covered entities and business associates of the potential weaknesses associated with file sharing and collaboration tools, explaining the danger these tools can introduce and how covered companies can use these tools and remain in compliance with HIPAA Rules. While file sharing services and cloud computing may incorporate all...

Anthem Agrees Largest Ever Data Violation Settlement
Jun28

The largest ever data breach settlement has recently been agreed by the health insurer Anthem Inc. Anthem was hit with a cyber attack in 2015 resulting in the theft of 78.8 million records of current and former health plan subscribers. The breach involved names, addresses, Social Security numbers, email addresses, birth dates and employment/income information being accessed without the necessary permission. A breach of that size inevitably resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years later, Anthem has agreed to settle the litigation for $115 million. If the settlement is approved, it will be the largest data breach settlement ever – much higher than the $18.5 million settlement agreed by...

Healthcare Data Breach Report Shows Breaches Are Taking Years to Detect
Jun24

The latest healthcare data breach report issued by Protenus, in conjunction with databreaches.net, shows healthcare data breaches increased in May, with 37 breaches reported compared to 34 the previous month. The number of records exposed in those breaches was 255,108, although not all breach figures are known. That still represents a jump from last month, when 232,060 healthcare records were known to have been exposed or stolen. One of the breaches reported in May involved the theft of 140,000 records. That was a hacking incident in which data was stolen and a ransom demand was issued. The ransom was not paid and the records were dumped online. Hacking was the leading cause of healthcare data breaches in April, but in May it was insiders once again that caused the most...

CoPilot Fined $130,000 by NY AG for Breach Notification Submitted Late
Jun21

A data breach that happened in the second half of 2015 should have seen affected people warned within 2 months. However, it took CoPilot Provider Support Services Inc. until January 2017 to send out official breach notifications. An administration portal controlled by CoPilot was accessed by an unauthorized person on October 26, 2015. That person also stole the data of 221,178 people. The stolen data included names, dates of birth, phone numbers, addresses and medical insurance information. The person believed to have accessed the website and downloaded the data was a former worker at CoPilot. The company contacted the FBI in February 2016 to receive assistance with the breach investigation and establish the identity of the unauthorized person. However, breach notifications were not issued...

New York Attorney General Fines CoPilot for Delaying Breach Notifications
Jun19

Under the Health Insurance Portability and Accountability Act (HIPAA) Rules, covered entities must report data breaches within 60 days of the discovery of a breach. Affected individuals must also be notified within the same time frame. State legislation has been introduced that similarly requires organizations to issue notifications and report the incidents to state officials. Breach reports are also covered by other federal legislation, which typically requires organizations to issue breach notifications to affected individuals in a timely manner. Most organizations report data breaches promptly, although recently there have been some notable exceptions. OCR has recently fined one healthcare organization for waiting a month past the HIPAA deadline before issuing notifications. Presence Health...

HHS Looking Into OCR’s Wall of Shame Following Criticism
Jun17

The Department of Health and Human Services’ Office for Civil Rights started publishing OCR’s ‘Wall of Shame’ – summaries of healthcare data breaches – on its website in 2009. The data breach list only includes a short synopsis of each data breach: the name of the covered organization, the state in which the covered organization is based, the covered organization type, the date of notification, the type of breach, the location of the breached information, whether a business associate was involved and the number of people/subscribers affected. The list includes all officially submitted data breaches, including those which occurred through no fault of the healthcare body. The list is not a complete record of HIPAA violations. Those are determined during OCR...

HHS Considers Making Changes to the OCR Wall of Shame
Jun16

Since the HITECH Act came into force in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing data breach summaries on its website. The website lists brief details of the type of data breach experienced by HIPAA-covered entities with information such as the cause of the breach, the devices that were involved, the number of individuals affected and the name of the company that experienced the data breach. HITECH requires OCR to publish breach summaries; however, this element of HITECH has been criticized recently. While some privacy proponents suggest that the site does not go into enough detail on the breach and provides little useful information for the general public, others claim the permanent listing of breached entities on the site is...

OCR Issues Guidance on the Correct Response After a Cyberattack
Jun09

The increase in hacking incidents in 2017 and major worldwide cyber incidents such as the WannaCry ransomware attacks have prompted the Department of Health and Human Services’ Office for Civil Rights (OCR) to issue new guidance on the correct response after a cyberattack. Yesterday, OCR sent a Quick Response Cyber Attack Checklist to its security and privacy list subscribers explaining the correct procedures to follow after a cyberattack is discovered. In addition to a checklist, OCR has produced an infographic detailing the most important steps to take after a ransomware attack or cyber-related security incident.

Respond, Report Crime, Report Threat, Assess Breach

The first step to take following a cyberattack is to implement response and mitigation procedures and contingency plans. The...

Need for Access Controls and Alerts Highlighted by Internal Staff Snooping Incidents
Jun04

Ransomware, malware and unaddressed software weaknesses pose a danger to the confidentiality, integrity and availability of PHI, but healthcare organizations should also put in place processes to deal with threats from within. This year has seen a multitude of cases involving employees snooping and accessing medical records without permission. The HIPAA Security Rule 45 CFR §164.312(b) requires covered organizations to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered organizations to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security...

$387,000 HIPAA Penalty for Disclosing HIV Status to Employer
May26

Following a Department of Health and Human Services’ Office for Civil Rights (OCR) investigation of a complaint about a case of impermissible disclosure of PHI, St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations. In September 2014, a complaint was submitted to the OCR about a possible privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint that was submitted, it was alleged that a member of St. Luke’s staff violated the privacy of a patient by faxing protected health information to the person’s employer. The information contained in the fax was highly sensitive, including the patient’s sexual preference, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse...

Egregious HIPAA Breach Punished with $378,000 Fine
May24

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced yet another settlement to resolve HIPAA violations, this time for the careless handling of extremely sensitive health information. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $378,000 to resolve an impermissible disclosure of patients’ protected health information to their employers. A wide range of highly sensitive information, including patients’ HIV statuses, sexual orientation, sexual diseases, mental health diagnoses, medications, history of physical abuse, and details of medical care provided, was impermissibly disclosed. The disclosures violated the HIPAA Privacy Rule. The disclosures were made by the Spencer Cox Center – now St. Luke’s Institute for Advanced Medicine, one of seven...

Dept. of Health Sends Out Warning Regarding Ransomware
May21

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat. While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and...

NIST Issues Guidance on Securing Drug Pumps
May17

Guidance on securing drug pumps has been issued by the National Institute of Standards and Technology (NIST) to help healthcare organizations mitigate the risk of cyberattacks that could cause patients to come to harm or allow sensitive data to be stolen. Over the past two years there has been concern raised about the lack of security on medical devices, with drug pumps a particularly serious concern. If threat actors are able to gain access to drug pumps they could alter drug dosages to cause patients serious harm. Increasing or decreasing drug doses via the pumps could be life threatening for patients. Federal agencies called on NIST to provide additional guidance on securing drug pumps, not only to improve patient safety, but also to ensure that cyberattacks on the devices do not...

$2.4 Million HIPAA Fine Following Memorial Hermann Health System HIPAA Breach
May12

A HIPAA breach arising from a disclosure in a press release issued by Memorial Hermann Health System (MHHS) in September 2015 has led to the organization agreeing to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. MHHS is a 16-hospital health system located in Texas, treating patients in the Greater Houston area. In September, an individual visited a MHHS clinic and presented a fake identification card to hospital workers. The fraudulent ID card was identified as such by workers at the hospital, law enforcement agencies were notified and the patient was apprehended. The hospital released the identification of the patient to law enforcement agencies, which is permitted as per HIPAA...

Memorial Hermann Health System HIPAA Fine Issued for Improper Disclosure of PHI
May11

An unauthorized disclosure of a patient’s name has resulted in a Memorial Hermann Health System HIPAA fine. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle potential HIPAA Privacy Rule violations with Memorial Hermann Health System with the payment of a $2.4 million penalty. Memorial Hermann Health System must also adopt a corrective action plan to ensure HIPAA Rules are followed in the future. MHHS is a not-for-profit, 16-hospital health system based in Southeast Texas. OCR launched an investigation following complaints made about an unauthorized disclosure of a patient’s name to the media in September 2015. In September 2015, a patient attempted to use a fraudulent ID card to obtain medical services at a MHHS hospital. The fraudulent...

New Mexico HIPAA Violation Lawsuit Heads to NM Supreme Court
May10

A New Mexico HIPAA violation lawsuit filed by the victim of a sexual assault whose identity was improperly disclosed has been referred to the Supreme Court to assess whether the claim has standing. The lawsuit was filed by the plaintiff ‘G.R.’, who suffered a sexual assault and sought treatment for her injuries at Gallup Indian Medical Center (GIMC), where she was employed. G.R. alleges that following treatment, details of the assault and her injuries were disclosed to her co-workers. The sharing of that information resulted in the patient being humiliated and suffering further trauma. The patient had spent one month off work due to the assault, and a further two months off work as a result of the disclosure. G.R. felt there was no alternative but to leave her job as a direct result of...

Motion Filed to Dismiss ‘Baseless’ MDLive HIPAA Lawsuit
May09

A motion has been submitted to dismiss a MDLive HIPAA lawsuit that was filed by a plaintiff who alleges the firm improperly disclosed protected health information to a third party without informing or obtaining consent from users of the telehealth platform. The MDLive HIPAA lawsuit was filed by plaintiff Joan Richards, who alleges MDLive takes screenshots of data entered on the app on multiple occasions during the first 15 minutes of use. During that time, users enter sensitive data into the app in order to find a local healthcare provider. The plaintiff alleges that those screenshots are sent to a third party – an Israel-based company called Test Fairy. The lawsuit alleges Test Fairy is provided with the screenshots to track users’ experiences and search for bugs in the app....

Healthcare Cyber Threat Landscape to be Covered in HIMSS Privacy and Security Forum
May06

Over the next week, the HIMSS Privacy and Security Forum will be held in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare professionals to obtain valuable guidance from security experts on the most recent cybersecurity threats, along with practical tips on how to limit the chance of damage being inflicted. In excess of 30 speakers will be present at the event and will give talks on a wide range of healthcare cybersecurity topics, including securing IoT devices, stopping phishing and ransomware attacks, creating compliant security relationships, and effective strategic communication and risk management. The conference boasts keynote presentations from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane...

Alleged Patient Privacy Violations Could Lead to Class Action Lawsuit for MDLive
Apr27

Claims that telemedicine company MDLive violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining official consent from patients have resulted in a class action lawsuit being filed. App users must enter a range of private information into the MDLive app; however, the complainant claims that during the first 15 minutes of use, the app takes an average of 60 screenshots and that those screenshots are transmitted to an Israeli company called Test Fairy, which carries out quality control tests for MDLive. The lawsuit claims patients are not told that their information is disclosed to a third-party company, and that all data entered into the app can be seen by MDLive employees, even though there is no valid reason for...

CardioNet Settles HIPAA Violations with OCR for $2.5 Million
Apr26

Pennsylvania-based CardioNet, a provider of remote mobile monitoring and quick response services to patients at risk of suffering cardiac arrhythmias, has agreed a $2.5 million settlement to resolve potential HIPAA violations. Settlements have previously been agreed with healthcare suppliers, health plans, and business clients of covered organizations, but this is the first time OCR has settled potential HIPAA breaches with a wireless health services supplier. While OCR has not fined a wireless health services provider for violating HIPAA Rules on a previous occasion, the same cannot be said of the violations found. Numerous settlements have previously been agreed with covered organizations after OCR found risk analysis and risk management failures. In this instance, the settlement...

Risk Analysis and Risk Management Errors Result in $2.5 Million HIPAA Settlement
Apr25

Risk analysis and risk management errors have resulted in a $2.5 million HIPAA compliance penalty for CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias. The Department of Health and Human Services’ Office for Civil Rights agreed to settle the potential HIPAA violations with no admission of liability. In addition to the substantial HIPAA settlement, CardioNet is required to adopt a corrective action plan to address HIPAA failures that contributed to a 2011 data breach. OCR investigated CardioNet following receipt of a breach report in January 2012. An employee of CardioNet took a laptop computer home and left the device in a vehicle overnight. The device was stolen, resulting in the unauthorised disclosure of 1,391...

CCDH agrees OCR Settlement for Potential Violations
Apr23

The OCR recently revealed it has agreed to settle potential breaches of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice located in Park Ridge, Illinois. On August 13, 2015, OCR completed a HIPAA compliance review of CCDH following an audit of FileFax Inc., which was contracted by CCDH to store inactive patient histories and details. The FileFax investigation showed the company had not completed a business associate agreement before being supplied with patients’ PHI. The subsequent compliance review of CCDH similarly showed that no signed business associate agreement was in place. CCDH had therefore impermissibly supplied patients’ PHI to FileFax in violation of HIPAA Rules....

Supreme Court Ruling: Donor Network Must Disclose Patient Details
Apr23

A New York Supreme Court Judge has recently ruled that patient details recorded by the New York Organ Donor Network must be handed over to a plaintiff and that HIPAA does not give a basis for denying this request. Patrick McMahon believes he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he filed about organ harvesting from four patients who were still displaying clear signs of life and had not been deemed legally dead. The New York Organ Donor Network argues the plaintiff was fired for poor work performance while he was still a probationary member of staff. The claims about the procurement of organs have been denied. McMahon asked the New York Organ Donor Network to hand over the medical data of the four patients as they are...

HIPAA Rules on Business Associate Agreements
Apr21

This week, the HHS’ Office for Civil Rights (OCR) sent a warning to covered entities about the need to ensure HIPAA Rules on business associate agreements are followed. OCR announced a settlement had been reached with an Illinois healthcare provider for disclosing protected health information (PHI) without first obtaining a signed copy of a BAA.

What is a Business Associate Agreement?

Under HIPAA Rules, a business associate is classed as an entity or person that performs functions or activities on behalf of the covered entity that require access to PHI. Prior to being provided with access to ePHI or physical records, a signed copy of a HIPAA-compliant business associate agreement must be obtained by the covered entity. A business associate agreement is a contract between a covered...

$31,000 HIPAA Penalty for a Business Associate Agreement Violation
Apr21

The Department of Health and Human Services’ Office for Civil Rights has issued a $31,000 HIPAA penalty for a business associate agreement violation to The Center for Children’s Digestive Health (CCDH), a for-profit 7-center Illinois pediatric healthcare provider. OCR discovered potential HIPAA violations during an investigation of the document storage solution provider FileFax. The investigation revealed that FileFax had obtained the protected health information of patients, yet could not produce a HIPAA-compliant business associate agreement. The findings of the investigation prompted OCR to conduct a HIPAA compliance review of CCDH on August 13, 2015. OCR investigators asked CCDH to produce a signed copy of the business associate agreement it had obtained from FileFax prior to...

Denver-Based Metro Community Agrees $400,000 HIPAA Penalty
Apr15

Metro Community Provider Network (MCPN), a Denver, CO-based federally-qualified health center (FQHC), has agreed to pay OCR $400,000 and implement a stringent corrective action plan to resolve all HIPAA compliance issues found during an OCR investigation into a data breach that occurred in 2011. The incident that led to the OCR investigation was a phishing attack that happened on December 5, 2011. A hacker sent phishing emails to MCPN personnel; the responses allowed that person to gain access to employees’ email accounts. Those accounts stored the electronic protected health information of 3,200 patients. OCR looks into all data breaches involving more than 500 patient records to determine whether healthcare organizations have experienced a violation as a direct...

Are HIPAA Rules Outdated and is an Update Overdue?
Apr13

Are HIPAA Rules outdated? Is an update long overdue? An article recently published in the journal JAMIA explores potential updates to HIPAA to keep the legislation relevant. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996 at a time when the Internet was in its infancy. Now, almost two decades later, a lot has changed. The majority of healthcare organizations have now switched from paper records and films to electronic forms of protected health information. ePHI is now being used and shared in ways that could not have been predicted in 1996, and the security risks to the confidentiality, integrity, and availability of ePHI and risks of patient privacy being violated have increased considerably. If HIPAA Rules were written...

Security Management Process HIPAA Violations Resolved with $400,000 OCR Settlement
Apr13

Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a $400,000 settlement had been agreed with Metro Community Provider Network (MCPN) to resolve potential security management process HIPAA violations. The Denver, CO-based federally-qualified health center (FQHC) experienced a phishing attack in December 2011 that resulted in unauthorized access to the email accounts of employees. The incident was reported to OCR as access to the email accounts allowed the attacker to view the protected health information of patients. In total, 3,200 patients were impacted by the incident and had their sensitive information exposed. OCR conducted an investigation into the breach which revealed a number of security management process HIPAA violations had...

40% of Second-Hand Devices Found to Contain PII
Mar30

The danger of failing to ensure mobile devices have all data securely wiped before being recommissioned or resold has been highlighted by a recent study conducted by the National Association for Information Destruction (NAID). In the largest study of its type to date, NAID analysed data on more than 250 devices that had been sold on the second-hand market. 40% of those devices were found to contain personally identifiable information. While companies appear to be increasingly aware of the data security requirements regarding desktop computers, servers, and cloud computing platforms, they are still not paying the same attention to mobile devices. While it is perhaps reasonable to expect some users to fail to securely erase data on personal devices due to a lack of security awareness, NAID found that it...

Mecklenburg County HIPAA Violation Prompts Policy Update
Mar30

A recently discovered Mecklenburg County HIPAA violation has infuriated county officials. An investigation has now been conducted to determine how HIPAA Rules were so easily violated. The incident was discovered on Monday this week. A member of the Mecklenburg County staff received a freedom of information request from the media, who were investigating how 185 female patients were not informed about abnormal PAP smear results. While information should have been provided as requested, a member of staff accidentally sent the media a spreadsheet containing the protected health information of more than 1,200 health department patients. The spreadsheet had been compiled for state officials who were conducting an audit. Two media outlets received the spreadsheet. The error was made by a staff...

Severino Appointed to Director of HHS’ Office for Civil Rights Role
Mar29

Former civil rights trial attorney Roger Severino has been appointed, by the Department of Health and Human Services’ Office for Civil Rights, to lead its HIPAA enforcement efforts. Mr Severino moves to the OCR from his role at the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he held the position of Director since May 2015. An official announcement about the appointment of the new OCR Director has yet to be released; however, the Heritage Foundation has stated that Severino is no longer on the staff and his name has been added to the HHS website. A representative for OCR has also confirmed that Severino will be the new director and Severino’s LinkedIn profile has also been updated to list his new position as...

New Resource Provides HIPAA Help for mHealth Developers
Mar29

A new online tool has been released by the Connected Health Initiative providing HIPAA help for mHealth developers and healthcare providers. The new tool – called HIPAA Check – has been developed to aid understanding of the complexities of the HIPAA Privacy and Security Rules. Health apps now track a range of user metrics. Data collected by the apps are stored along with personally identifiable information. Much of the information collected, stored and transmitted by these apps is classed as protected health information (PHI) under HIPAA Rules. However, since these apps were not available in 1996 when HIPAA was initially enacted, no provisions are included in HIPAA Rules for the technology. OCR has previously provided HIPAA help for mHealth developers, although many mHealth app...

ONC Updates SAFER Guides to Assist HIPAA-Covered Entities with EHR Safety and Security
Mar29

The Office of the National Coordinator for Health IT (ONC) has released updated versions of its SAFER Guides. The series of guides provide useful information to help covered entities make their EHRs more usable and safer and can be used by HIPAA-covered entities to assess potential vulnerabilities in their EHRs. Hackers search for vulnerabilities in EHRs that can be exploited to gain access to data. It is therefore essential that healthcare organizations assess their EHRs for vulnerabilities. The SAFER Guides can help in this regard. ONC says its SAFER Guides “provide an easy-to-use template for voluntary provider self-assessment of EHR safety-related vulnerabilities.” The SAFER Guides consist of compilations of expert-recommended, evidence-based best practices that can be adopted to...

Roger Severino to Lead OCR’s HIPAA Enforcement Efforts
Mar27

The Department of Health and Human Services’ Office for Civil Rights has a new Director to lead its HIPAA enforcement efforts. Late last week, the Trump Administration quietly installed Roger Severino as the new head of OCR, filling the position left vacant following the departure of Jocelyn Samuels. No official announcement about the appointment has been made by the Trump Administration, although an OCR spokesperson has confirmed that Roger Severino has taken the position. Severino has also updated his LinkedIn profile to include his new role. OCR is the primary HIPAA enforcer and is responsible for ensuring covered entities comply with HIPAA Rules. The role of director includes overseeing the issuing of guidance for covered entities on various aspects of HIPAA compliance, providing...

Should There be a Criminal Investigation of a HIPAA Breach Involving an Employee?
Mar23

A criminal investigation of a HIPAA breach is launched when health data are stolen for malicious purposes, but what about cases involving curious employees? Healthcare data breaches are often discovered during routine audits of ePHI access logs. Healthcare providers discover that rogue employees have accessed patients’ data with no legitimate work reason for doing so. In such cases, the employees are disciplined and often lose their jobs as a result, but should the matter be reported to law enforcement if a healthcare provider is satisfied that the actions of employees were not malicious, just misguided? One incident came to light this week where a healthcare organization discovered an employee had been accessing the medical records of patients without authorization. The incident was...

Doctor Breached HIPAA Privacy Rule Through Social Media Retaliation
Mar22

An employee at the Dr. O Medical and Wellness Center in San Antonio, Texas has been sanctioned by the Texas Medical Board after allegedly retaliating against a patient by posting a video on Facebook and YouTube of them wearing only underwear. The doctor’s actions appear to be a clear violation of the HIPAA Privacy Rule. The patient in question, Clara Aragon-Delk, underwent a number of cosmetic surgery procedures beginning in 2015. Non-invasive laser treatments were carried out by Dr. Tinuade Olusegun-Gbadehan, and while consent was given by the patient to have photographs and videos recorded, permission was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’ The images and video showed full face shots of the patient. Rather than securing the...

Doctor Sanctioned Over Social Media HIPAA Violations
Mar21

A San Antonio, TX-based doctor has been sanctioned by the Texas Medical Board for social media HIPAA violations after retaliating against a patient by posting a video testimonial of the patient on Facebook and YouTube. The video of the patient in her underwear clearly showed the patient’s face, allowing her to be identified. However, prior permission to use the video had not been obtained from the patient. Dr. Tinuade Olusegun-Gbadehan from the Dr. O Medical and Wellness Center had been given authorization to record the video and use it for “the purposes of medical audit, education, and promotion,” but only anonymously. Use of the video without first deidentifying the patient was a breach of HIPAA Rules. The patient, Clara Aragon-Delk, filed a complaint with the Texas Medical Board against...

Data Breach Notification Laws in New Mexico Passed by Senate Committee
Mar15

There are currently no data breach notification laws in New Mexico, but that is likely to change soon. New Mexico is one of three states that have yet to implement data breach notification laws, the other two being Arkansas and South Dakota. All three states are now in the advanced stages of introducing laws that will require companies to notify consumers in the event that their personal information is exposed or stolen. Currently there is no federal law covering data breach notifications for all businesses, only for certain regulated industries such as finance and healthcare. Instead it is up to individual states to introduce laws to protect consumers in the event that their sensitive personally identifiable information is stolen. This week, data breach notification laws in New Mexico...

Device Theft Highlights Importance of Encrypting HIPAA-Covered Data
Mar14

Encrypting HIPAA-covered data is not mandatory. The Health Insurance Portability and Accountability Act does cover the use of encryption to safeguard the protected health information of patients and health plan members, but encryption is only an addressable issue. However, that does not mean that encryption can simply be ignored. HIPAA-covered entities are required to conduct a risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI. Following the risk analysis, HIPAA-covered entities must decide how best to manage and mitigate risks. One such measure is the use of encryption technologies to safeguard ePHI at rest and in motion. HIPAA-covered entities must consider the use of encryption; however, an alternative safeguard can be adopted if...

New Security Framework for Small Healthcare Providers
Mar14

A security framework for small healthcare providers has been released by the Health Information Trust Alliance (HITRUST). The security framework is a revised version of the HITRUST common security framework (HITRUST CSF) and can be used to create, access, store and exchange healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA). The HITRUST CSF is the most widely adopted security framework for the healthcare industry in the United States. The framework is comprehensive, scalable, and certifiable, and has been used by many healthcare organizations as part of their HIPAA compliance and risk management programs. While the full HITRUST CSF can be adopted by healthcare organizations of all sizes, smaller healthcare organizations typically do not have the...

AHIMA Helps Covered Entities Prepare for a HIPAA Compliance Audit
Mar10

The American Health Information Management Association has released a new toolkit to help covered entities prepare for a HIPAA compliance audit. The Department of Health and Human Services’ Office for Civil Rights commenced the much delayed second phase of the Health Insurance Portability and Accountability Act audit program in the last quarter of 2016. Those audits started with ‘desk audits’ of HIPAA-covered entities. The desk audits involved documentation checks to determine whether HIPAA Rules were being followed. The audits of covered entities have now been completed and the results are now starting to be sent to the audited healthcare organizations for comment. OCR has now moved on to desk audits of HIPAA business associates. When those audits are completed, and the results of both...

AHIMA Released Updated HIPAA Compliance Audit Toolkit
Mar08

The second phase of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits has begun. Towards the end of 2017, covered organizations were selected for desk audits and the initial round of audits has now been finished. Now OCR has progressed to auditing business associates of covered organizations. Speaking at HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially scheduled for Q1 2017, are to be delayed. This gives covered organizations more time to prepare for the second phase. The phase 2 HIPAA compliance desk audits were more thorough than the initial phase of audits completed in 2011/2012. The desk audits included a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules,...

Importance of Internal Audits of PHI Access Logs Highlighted by Recent HIPAA Breach
Mar08

The importance of conducting internal audits of PHI access logs has been highlighted by a recent HIPAA breach discovered by Chadron Community Hospital in Nebraska. On January 3, 2017, the hospital discovered a former employee had improperly accessed the protected health information of patients. The investigation into the privacy breach revealed that the former employee had been accessing the PHI of patients without authorization for more than five years. The privacy violations started in September 2011 and continued until November 2016. During that time, the PHI of 702 patients was inappropriately accessed. It is not clear why the information was accessed. Healthcare employees may choose to breach hospital and HIPAA regulations out of curiosity, but in many cases information is accessed...

Guidance on Cyber Threats Issued to Healthcare Organizations by OCR
Mar08

The U.S. Department of Health and Human Services’ Office of Civil Rights has issued new guidance on cyber threats, advising HIPAA-covered entities to obtain the latest intelligence on new cyber threats that could potentially allow cybercriminals to gain access to the protected health information of patients and health plan members. Threat intelligence is issued by many organizations, although OCR recommends in its guidance on cyber threats to regularly check the website of the United States Computer Emergency Readiness Team (US-CERT) and to sign up for email updates. US-CERT is part of the Department of Homeland Security, and has access to intelligence from many sources. US-CERT is responsible for analyzing all the gathered threat intelligence and issuing updates to businesses and the...

HIPAA Noncompliance Penalties Likely to Increase
Mar03

The Department of Health and Human Services’ Office for Civil Rights is expected to issue more HIPAA noncompliance penalties over the coming year. While OCR assists HIPAA-covered entities with their compliance efforts by issuing guidance, 2017 is likely to see OCR crack down on non-compliance. Organizations found to have violated HIPAA Rules can expect to have to dig deep and pay for their failure to comply with the HIPAA Privacy, Security and Breach Notification Rules. OCR investigates all PHI breaches that impact more than 500 individuals. While OCR prefers to resolve noncompliance with HIPAA Rules with voluntary compliance and by issuing technical guidance, HIPAA penalties are increasing. Last year saw a record number of settlements reached with OCR to resolve HIPAA compliance...

New Simplified HITRUST CSF for Small Healthcare Providers
Mar03

This week, HITRUST announced it has created a new, simplified HITRUST CSF for small healthcare providers to help them with their compliance and risk management programs.

A New HITRUST CSF for Small Healthcare Providers

The HITRUST CSF is a certifiable framework that was developed to help healthcare organizations manage risk and comply with industry regulations such as HIPAA. The framework is flexible and can be tailored to suit healthcare organizations of all types and sizes. The HITRUST CSF has been widely adopted and it is now the most commonly used security framework in the healthcare industry in the United States. However, smaller healthcare providers have struggled with the framework as they typically lack both the expertise and staff to meet the program’s requirements. To improve...

HIPAA Privacy Rule Compliance: Patient Copies of Health Information
Mar02

An important element of HIPAA Privacy Rule compliance is ensuring patient copies of health information are provided on request. The Health Insurance Portability and Accountability Act requires HIPAA-covered entities to provide either electronic or paper copies of patient health records to the patient, or their nominated representative, if they are specifically requested. This week, the American Health Information Management Association (AHIMA) has published a slideshow and a blog post explaining the rights of patients to obtain copies of their health information, the reasons why this HIPAA right should be exercised, and what patients can expect when asking their healthcare providers for copies of their medical records. Obtaining copies of health information is important for a number of...

Deadline for Small Healthcare Data Breach Notification is March 1
Feb27

The Health Insurance Portability and Accountability Act’s Breach Notification Rule states that all covered organizations must make violations of unsecured electronic protected health information known to the Department of Health and Human Services’ Office for Civil Rights (OCR). While large scale data violations – those affecting 500 or more individuals – must be reported to OCR within 60 days of the breach being found, covered organizations can delay the reporting of smaller scale data breaches. While all patients must be made aware of any breach of their ePHI within a time period of 60 days – regardless of the number of people made vulnerable by the breach – notifications of security incidents are not demanded by OCR until 60 days after the end of the calendar year in which the...

Texting, Social Media, & Case Walkthrough HIPAA Guidance to be Published in 2017
Feb24

Recently at HIMSS17, OCR’s Deven McGraw outlined the HIPAA guidance OCR expects to publish in 2017. OCR may be busy reviewing the findings of the HIPAA compliance desk audits of healthcare groups and their business associates, but a flurry of new HIPAA guidance documentation is set to be published this year. In 2016, the Joint Commission cancelled the ban on the use of text messages for making orders, although within weeks of the announcement the ban was reinstated. Late in 2017, the Joint Commission partially lifted the ban, saying the use of a secure text messaging service was acceptable for doctors when communicating with each other, although the usage of text messages – regardless of whether a safe, HIPAA-compliant platform was implemented – remained banned. OCR receives many queries...

HIPAA Breach Notification Deadline for 2016 Data Breaches Fast Approaching
Feb22

The HIPAA breach notification deadline for HIPAA-covered entities is fast approaching. Covered entities have until March 1, 2017 to submit their 2016 data breach reports to the Department of Health and Human Services’ Office for Civil Rights. HIPAA-covered entities that have experienced a breach of the protected health information of patients or plan members are required by the HIPAA Breach Notification Rule to send a report of the breach to OCR within 60 days of the discovery of the breach, if the breach impacts 500 or more individuals. Covered entities are given some leeway when it comes to reporting breaches of fewer than 500 healthcare records. Those breaches must still be reported to OCR, although covered entities do not have to issue breach reports until 60 days following the...

New OCR HIPAA Compliance Guidance on the Way
Feb21

At this year’s Health Information and Management Systems Society (HIMSS) annual meeting, OCR officials have explained that 2017 will see a swathe of new OCR HIPAA compliance guidance issued. While there have been no changes to HIPAA Rules for a number of years, the pace at which technology is progressing has seen many gaps appear in HIPAA legislation. New medical devices have come to market, wearable technology has been adopted by many healthcare providers, text messaging platforms are now being used to communicate ePHI, and more breaches of protected health information are now occurring than at any time in the long history of HIPAA. Consequently, covered entities need further information on how HIPAA Rules apply to the new technologies. With respect to data breaches, questions have...

Onsite HIPAA Compliance Audits Will be Delayed
Feb21

The Office for Civil Rights’ onsite HIPAA compliance audits that were scheduled to take place in the first quarter of 2017 are to be delayed, according to OCR’s Deputy Director of Health Information Privacy, Deven McGraw. In an interview at HIMSS17, McGraw explained to Information Security Media Group that the decision to delay the onsite HIPAA compliance audits was taken to allow OCR time to process the reports from the desk audits. 166 desk audits of covered entities took place last year. Those audits involved a review of covered entities’ HIPAA documentation. All information has now been collected, collated, and assessed and OCR is expecting to start notifying covered entities of the findings of the audits later this week/next week. The process of conducting desk audits of business...

Horizon BCBS of New Jersey HIPAA Fine of $1.1 Million Announced
Feb20

A Horizon BCBS of New Jersey HIPAA fine has been announced by the New Jersey Division of Consumer Affairs. In addition to a $1.1 million financial settlement, Horizon BCBS of New Jersey is required to adopt a corrective action plan to ensure that the electronic protected health information (ePHI) of its policyholders is appropriately secured.

Horizon BCBS of New Jersey HIPAA Fine Resolves Multiple Privacy and Security Rule Violations

The Horizon BCBS of New Jersey HIPAA fine resolves violations of the HIPAA Privacy and Security Rules that contributed to a breach of the ePHI of almost 690,000 policyholders in November 2013. Two laptop computers were stolen from Horizon BCBS of New Jersey’s offices over the course of a weekend when construction work was taking place. The laptop computers...

$5.5 Million Memorial Healthcare HIPAA Fine Agreed
Feb17

The Department of Health and Human Services’ Office for Civil Rights has announced a massive settlement has been reached with Florida-based Memorial Healthcare System. The Memorial Healthcare HIPAA fine of $5.5 million settles potential violations of the HIPAA Privacy and Security Rules spanning several years. The settlement is the joint largest ever HIPAA fine issued to a single covered entity. The Memorial Healthcare HIPAA fine matches last year’s settlement with Advocate Health – which was also $5.5 million and resolved multiple HIPAA violations. The Memorial Healthcare HIPAA fine resolves HIPAA violations that were discovered by OCR during an investigation into a large data breach that was reported in 2012. In total, 115,143 individuals’ protected health information was...

Children’s Health HIPAA Fine: $3.2 Million Paid to OCR to Resolve Multiple HIPAA Violations
Feb03

The Department of Health and Human Services’ Office for Civil Rights has announced the first Civil Monetary Penalty of the year: The Children’s Health HIPAA fine of $3.2 million is one of the largest penalties to date for a single HIPAA-covered entity. The size of the CMP reflects the number of violations discovered and the length of time that the HIPAA violations were allowed to persist before Children’s Health eventually complied with Health Insurance Portability and Accountability Act Rules in 2013. The Children’s Health HIPAA fine resolves violations of HIPAA Rules dating back to at least 2007. OCR became aware of the violations during an investigation of a breach of electronic protected health information (ePHI) that was reported in 2010. That incident involved the loss of a...

2015 Ashley Madison Data Breach Results in $1.75 Million Fines
Dec15

The 2015 Ashley Madison data breach that exposed the credentials of more than 37 million would-be adulterers has resulted in fines of $17.5 million being issued to Ruby Corp., the organization that owns Ashley Madison. The fines were announced this week by both the Federal Trade Commission and the New York attorney general. The fines were issued due to poor security practices which contributed to the cyberattack, but also for misleading customers about the security protections that had been put in place. The site also created fake female profiles to attract more customers. The 2015 Ashley Madison data breach exposed customers’ names, addresses, credit card details, and user information such as their sexual preferences. The breach resulted in many customers coming to harm, either...

$1 Million Settlement for 2013 Adobe Systems Data Breach
Nov11

Connecticut Attorney General George Jepsen has announced that a settlement has been reached for the 2013 Adobe Systems data breach that affected more than half a million individuals in 15 states. The 2013 Adobe Systems data breach first came to light on September 17, 2013 when the company received an alert that one of its servers was approaching capacity. The response to that alert revealed that an unauthorized individual was attempting to decrypt customer payment card numbers on an application server. While Adobe managed to stop the decryption process and block access by shutting down the server, action was not taken in time to prevent the theft of customer data. Stolen data included names, addresses, telephone numbers, usernames and encrypted passwords, password hints in plain text,...

Guidance on HIPAA and the FTC Act
Oct25

The Federal Trade Commission (FTC) in conjunction with the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued guidance on HIPAA and the FTC Act explaining it is not sufficient to only consider HIPAA regulations when sharing health data. Organizations must also ensure they comply with the Federal Trade Commission Act (FTC Act). The guidance on HIPAA and the FTC Act was issued to ensure that organizations are aware of their responsibilities under both HIPAA and the FTC Act. The failure to comply with both legislative acts can see the organization face stiff financial penalties. One of the primary requirements of the Health Insurance Portability and Accountability Act is to ensure health data remains private. HIPAA-covered entities – typically healthcare...

$2.14 Million St. Joseph Health HIPAA Settlement Announced
Oct19

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $2.14 million St. Joseph Health HIPAA settlement after a data breach investigation uncovered serious violations of the HIPAA Security Rule. St Joseph Health, which is sponsored by the St. Joseph Health Ministry, operates 14 acute care hospitals in California, New Mexico, and Texas, in addition to many skilled nursing facilities, hospices, home health agencies, and community clinics. St Joseph Health participated in the Meaningful Use Program and transitioned to electronic health records; however, as part of that process, the electronic protected health information (ePHI) of 31,800 patients was accidentally exposed. In early 2012, St. Joseph Health discovered a data sharing application on one of its...

OCR Issues Cloud Computing Guidance for HIPAA Covered Entities
Oct07

Today, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued cloud computing guidance for HIPAA covered entities. The new guidance was issued in response to numerous questions that had been asked by covered entities and their business associates about how cloud services could be adopted without falling afoul of HIPAA Rules. The new cloud computing guidance for HIPAA covered entities can also be used by cloud services providers (CSPs) to learn about their obligations under HIPAA Rules when contracted to work with healthcare organizations. The cloud offers many benefits to covered entities and a wide range of cloud services are now available, from data storage to housing electronic health record systems. However, before any cloud services are used, a covered...
