Alex Azar Nominated for HHS Secretary by President Trump
Nov16

Alex Azar, the former Deputy Secretary of the Department of Health and Human Services, is now the favorite to take over the reins from former Secretary Tom Price after receiving the presidential nomination for the role by President Trump. During the Presidential term of George W. Bush, Azar served as general counsel to the HHS and Deputy Secretary. President Trump confirmed, via his Twitter account, that he believes Azar is the best...

Hospitals System and Cook County Health Patientshave Patients
Nov15

Illinois-based Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County, has advised its patients of a possible breach of their protected health information. The breach was experienced at the offices of Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is utilized to calculate insurance eligibility and...

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
Nov14

The Risk Based Security (RBS) 2017 data breach report has shown there has been a 305% surge in the number of records exposed in data breaches in the last 12 months. For its latest breach report RBS, a provider of real-time information and risk analysis tools, analyzed breach reports from the first three quarters of 2017. As RBS explained in a recently published blog post, this year has been “yet another record breaker for data...

NY AG Brings in Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
Nov08

Aiming to protect New Yorkers from unwelcome breaches of their personal information, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. It is hoped that this Act will ensure that those affected will be notified when such breaches occur. Sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian...

New Variant of WannaCry Ransomware Detected in FirstHealth CyberAttack
Nov03

A new variant of the WannaCry ransomware has been detected in a cyber attack on FirstHealth of the Carolinas, a Pinehurst, SC-based not-for-profit health provider. WannaCry ransomware came to global attention in cyber attacks in May 2017. In excess of 230,000 computers were infected within one day of the worldwide attacks starting. The ransomware variant had wormlike features and was capable of spreading quickly and affecting all...

Dental Offices And HIPAA Compliance: What Needs to Be Addressed?
Oct31

Dr. Joseph Beck became the first ever dentist to receive a HIPAA violation fine in 2014. This alerted dental offices to HIPAA compliance and the importance of it. Until then, dental offices had not been subjected to fines for noncompliance with HIPAA Rules. The penalty was not applied by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000...

Consolidated Inc. Data Breach Impacts 21,856 People
Oct29

Nebraska-based CBS Consolidated Inc., operating as Cornerstone Business & Management Solutions, completed a routine audit of system logs on July 10, 2017 and found an unfamiliar account on the server. Closer inspection of that account showed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies. 21,856 people who received durable medical...

3,725 Veterans Have Their PHI Exposed Due to Missing Laptop
Oct27

A laptop computer, no longer in use, owned by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has gone missing, potentially leading to the exposure of sensitive patient data. The laptop was linked to a hematology analyzer and held data related to hematology tests. The laptop was in operation between April 2013 and May 2016, but was put out of use when the device became unusable. The laptop, which had been purchased from...

Data Breaches Drop For Second Consecutive Month
Oct26

The latest report of the Breach Barometer from Protenus/Databreaches.net Healthcare shows that data violations have dropped for the second consecutive month. In August, there were 33 reported healthcare data violations, down from 36 incidents in July and 56 in June. While the drop in the number of data breaches is encouraging, that is still more than one healthcare data breach per day. While it was the second best month...

New Service Streamlines Process of Finding HIPAA Compliant Vendors
Oct25

Finding HIPAA compliant vendors can be difficult for healthcare providers, health plans and other HIPAA covered entities. Any prospective vendor is required to comply with Health Insurance Portability and Accountability Act Rules. They must agree to implement robust security controls to safeguard any PHI that is supplied, comply with HIPAA Privacy Rule provisions, and agree to send notifications in the event of a PHI breach. Once a...

Multiple Security Weaknesses in Alabama’s Medicaid Management Information System OIG Identified
Oct24

The HHS’ Office of Inspector General (OIG) has completed an audit of Alabama’s Medicaid data and information systems to determine whether the state was in compliance with federal regulations. The review included the Medicaid Management Information System (MMIS) and associated policies and processes. OIG also carried out a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could...

HHS Withdraws Proposed Rule for Health Plans Certification of Compliance
Oct20

A new rule for certification of compliance for health plans was proposed by the HHS in January 2014, requiring all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate HIPAA compliance. The proposed rule ‘Administrative Simplification: Certification of Compliance for Health Plans’ was drafted to promote more consistent testing procedures for CHPs. The HHS has now decided to withdraw the...

Medical Device Cybersecurity Emphasis for New AEHIS/ MDISS Partnership
Oct17

A new working relationship between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS) will focus on helping advance medical device cybersecurity and improve patient data security. The two groups will cooperate to help members identify, mitigate, and prevent cybersecurity...

Internet of Things Medical Resilience Partnership Act to Provide Direction on Devices
Oct13

The Internet of Medical Things Resilience Partnership Act, aimed at establishing a public-private stakeholder partnership that will be tasked with developing a cybersecurity framework to prevent data breaches, has been approved by the U.S. House of Representatives. The hope is that this framework will be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more secure from...

HHS Withdraws Proposed Rule for Certification of Compliance for Health Plans
Oct11

Early in 2014 the HHS proposed a new rule for certification of compliance for health plans that would have required all those managing health plans (CHPs) to submit a range of documentation to HHS to show compliance with electronic transaction standards set by the HHS under HIPAA Rules. The proposed rule was aimed at supporting more consistent testing processes for CHPs. The HHS has now revealed that the proposed rule has now...

Over Half of Cloud Storage Services are Misconfigured: Report
Oct10

A recent report by cloud threat defense firm RedLock claims more than half of businesses have made errors that have exposed sensitive data to the general public via the cloud. The study shows many organizations are not adhering to established security best practices, such as using multi-factor authentication for all privileged account subscribers. Worse still, many groups are failing to constantly review their cloud environments...

Hacking Group ‘The Dark Overlord’ Attacks Another Healthcare Organization
Oct09

After a seemingly prolonged period of inactivity, the hacking group TheDarkOverlord has revealed another attack on a U.S. healthcare supplier, Massachusetts-based SMART Physical Therapy (SMART PT). The hack reportedly happened on September 13, 2017, with the announcement of the data theft released by TDO on Twitter on Friday 22, 2017. No details were given as to how access to the data was gained, although it was revealed to databreaches.net...

What is the Definition of a HIPAA Covered Entity?
Oct09

The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and business associates, but what is the definition of a HIPAA covered entity and what are HIPAA business associates? Knowing the definition of a covered entity and business associate is essential. If you are classed as either, you must comply with HIPAA Rules. There are severe financial penalties for noncompliance with HIPAA and ignorance is...

Catholic Charities of the Diocese of Albany Discovers Long-Term Malware Infection
Oct09

Catholic Charities of the Diocese of Albany (CCDA) has discovered, during a software upgrade in August 2017, that malware was installed on one of the computer servers used by its Glens Falls premises, which provides services in Saratoga, Warren and Washington Counties in New York. A quick response was taken to block access to the server and CCDA called in a computer security firm to carry out an investigation into the unauthorized...

Responding to a Cyberattack: Advice Issued by OCR
Oct05

Recently, the Department of Health and Human Services’ Office for Civil Rights published new guidelines for covered organizations on the correct way to respond to a cyberattack. These guidelines included a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of steps that should be taken. Preparation is key to a correct response. Covered entities must have response and...

128,000 Arkansas Patients Attacked by Ransomware
Oct05

128,000 patients at the Arkansas Oral Facial Surgery Center in Fayetteville have had their private information potentially impacted following a ransomware attack. Ransomware was believed to have been placed on its network between July 25 and 26, 2017. The attack was identified quickly, although not before files, x-ray images, and documents had been encrypted. The incident did not break through the encryption of its patient database, except...

Microsoft OneDrive: Does it adhere to HIPAA Compliance Rules?
Oct01

With the proliferation of cloud storage coming at the same time that HIPAA Compliance Rules have become increasingly strict in order to secure private data, organizations are beginning to examine whether Microsoft OneDrive is HIPAA compliant. A multitude of healthcare groups are already using Microsoft Office 365 Business Essentials, including Microsoft Exchange online for email. Office 365 Business Essentials includes OneDrive...

Cloud Computing Platforms and the Implications of HIPAA
Sep28

Prior to cloud computing services being used by healthcare providers for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered bodies must ensure the services are kept in a secure manner. Even in cases where a cloud computing platform provider has been given HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA...

HITRUST/AMA Begin Project to Assist Small Healthcare Firms with HIPAA Compliance
Sep28

HITRUST has revealed it will be working with the American Medical Association (AMA) for a new project that will assist small healthcare companies with HIPAA compliance, cybersecurity and cyber risk management. Small healthcare providers can be more exposed to cyberattacks, as they usually lack the resources to dedicate to cybersecurity and do not tend to have the budgets at their disposal to employ skilled cybersecurity staff. This...

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
Sep23

A partial waiver of HIPAA has been issued by the U.S. Department of Health and Human Services in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands, the third such waiver of 2017, following the earlier issuing of waivers of HIPAA sanctions and penalties in areas affected by hurricanes earlier this year. The previous waivers were issued in relation to Hurricane Harvey and Hurricane Irma and, as was the...


Hurricane Maria Disaster Zone: Partial HIPAA Privacy Rule Waiver Issued by HHS

A third HIPAA waiver has been issued by the U.S. Department of Health and Human Services, following two earlier partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes previously in 2017. On this occasion the waiver is in relation to the Hurricane Maria disaster zone in Puerto Rico and the U.S. Virgin Islands. As with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver...

Imperial Valley Family Care Medical Group Passes HIPAA Audit
Sep20

The second round of HIPAA compliance audits was commenced late in 2018 by the Department of Health and Human Services’ Office for Civil Rights. The audit program will consist of desk-based audits of HIPAA-covered companies, organizations and business associates followed by a round of complex audits incorporating site visits. The desk audits part of this round has been completed, while the site audits had been delayed but are now...

Imperial Valley Passes OCR HIPAA Audit With Help From The Compliancy Group
Sep19

The Department of Health and Human Services’ Office for Civil Rights (OCR) has investigated a Californian Physician’s group following a reported breach of protected health information. Covered entities can implement policies and procedures to prevent data breaches, but security incidents are still likely to occur. Responding correctly to those breaches and ensuring HIPAA Rules are carefully followed will help to ensure financial...

Hospitals in Irma Disaster Area Granted Limited HIPAA Waiver
Sep13

A limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Hurricane Irma has been issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in the U.S. Virgin Islands, Puerto Rico, and Florida. OCR says that the HIPAA Privacy and Security Rules are still in place and covered organizations must continue to obey HIPAA Rules; however, certain parts of the Privacy Rule have...

OCR Warns Covered Bodies to Prepare for Natural Disasters
Sep09

Medical Centers and Hospitals were recently stretched before and after Hurricane Harvey, in Texas and Louisiana, as they sought to provide medical services without breaching HIPAA Rules. Concern arose regarding when it is allowable to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for...

Finding ‘Big, Juicy, Egregious’ HIPAA Breach Priority for OCR Head
Sep07

The main enforcement priority for 2017 of Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), is to find a “big, juicy, egregious” HIPAA breach to use as an example for other healthcare groups on the risks of failing to follow HIPAA Rules. When choosing which cases to pursue, OCR considers the chance to use such a case as an educational tool to warn covered groups of the need to...

Hurricane Harvey Disaster Zone: HHS Issues Partial Waiver of HIPAA Sanctions
Sep01

HHS Secretary Tom Price announced that OCR is issuing a partial waiver of sanctions and financial penalties for specific Privacy Rule breaches for hospitals in Texas and Louisiana in the Hurricane Harvey emergency zone. This partial waiver is only applicable to the provisions of the HIPAA Privacy Rule as outlined below: The obligations to receive a patient’s agreement to talk with family members or friends involved in the patient’s...

HIPAA Privacy Rule Violation Penalties Waived in Wake of Hurricane Harvey
Aug28

Secretary of the U.S. Department of Health and Human Services Tom Price has announced that certain HIPAA Privacy Rule violation penalties will be waived in the disaster area of Hurricane Harvey in Texas and Louisiana. Following any natural disaster, hospitals and health systems must operate in difficult circumstances. During such times, it can be a major challenge to provide treatment while complying with all aspects of HIPAA Rules....

Noncompliance With HIPAA: Costs for Healthcare Organizations
Aug19

Noncompliance with HIPAA can cost healthcare organizations dearly. If regulators discover willful violations of HIPAA Rules, multi-million-dollar fines are possible. Fines for Noncompliance with HIPAA Rules The Department of Health and Human Services’ Office for Civil Rights is the primary enforcer of HIPAA Rules and investigates all data breaches that impact more than 500 individuals. When a data breach is experienced, the breached...

Getting Basics Correct Key to Avoiding Data Breaches
Aug16

Intrusion identification systems, next generation firewalls, insider threat management software and data encryption will all help healthcare groups recognize danger, cut out security violations, and identify attacks quickly when they happen. Even with all of these measures, it is still vitally important to address the security basics. The Office for Civil Rights Breach portal is filled with examples of HIPAA data breaches that have...

Breach Notification Rule is Violated by Delaying Issuing of Breach Notifications
Aug12

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered organizations to advise the HHS’ Office for Civil Rights of any violation of private health information and issue notification correspondence to affected people without unreasonable delay and no later than 60 days after the identification of the breach. July’s Breach Barometer reports from Protenus indicated that many covered organizations have had...

U.S. Senate Passes Jessie’s Law Allowing Drug Histories to be Shared with Doctors
Aug07

Last week, the U.S. Senate passed new legislation – Jessie’s Law – that allows details of patients’ past drug abuse to be shared with physicians if patients give their consent. At present, drug abuse histories are prohibited from being shared to protect the privacy of patients. That information is kept separate from a patient’s medical record. Unfortunately, the law can have terrible consequences, as was highlighted by a tragic...

2017 Healthcare Data Breach Trends Highlighted in Protenus Report
Aug04

Protenus, working with Databreaches.net, has released its Breach Barometer mid-year review. The report includes all healthcare data violations reported over the past six months and gives important insights into the latest data breach trends. The Breach Barometer is a detailed review of healthcare data breaches, including not only the data breaches made known to the Department of Health and Human Services’ Office for Civil Rights’...

NotPetya Attack on Nuance Communications Decides Not Reported to OCR
Aug03

The Department of Health and Human Services’ Office for Civil Rights has previously made it clear, in its ransomware guidance, that if ePHI is encrypted, ransomware attacks are usually HIPAA breaches and are always reportable violations. In the ransomware guidance, OCR says that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” adding that the definition of a...

47% of Healthcare Orgs Have Had a HIPAA Data Breach in the Past 24 Months
Aug01

A recent survey conducted by KPMG has revealed that 47% of healthcare organizations have experienced a HIPAA data breach in the past 24 months. The last time the KPMG Cyber Healthcare and Life Sciences Survey was conducted in 2015, 37% of respondents confirmed they had experienced a data breach over the same time period. 70% of respondents said they had experienced at least one security breach due to an unplugged vulnerability being...

HIPAA Breaches Under Investigation Highlighted in OCR Data Breach Portal Update
Jul28

In June 2017, the Department of Health and Human Services announced it was considering an update to its data breach portal, normally called the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act states that the OCR must maintain a public list of breaches of protected health information that have affected more than 500 individuals. All 500+ record data breaches submitted or made known to OCR since 2009 are listed on the breach...

33% of Patients Access Their Health Data on Patient Portals
Jul28

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allows people to view information regarding their health stored by their providers. However, as revealed in a recent U.S. Government Accountability Office (GAO) report, few patients are actually exercising this right using the provided patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare organizations to move from...

Data Breach Reporting Tool Updated by OCR
Jul25

Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights developed its data breach reporting tool to allow HIPAA-covered entities to easily submit reports of data breaches. A summary of data breach reports is published via the data breach reporting tool and is viewable by the public. The data breach list – which is commonly known as OCR’s Wall of Shame – details all reported...

Model Patient Request for Health Information Form Issued by AHIMA
Jul25

A model patient request for health information form has been issued by the American Health Information Management Association (AHIMA) that can be used by healthcare providers to give to patients who request copies of their health information. The HIPAA Privacy Rule permits patients to obtain copies of their health data from their providers, although at many hospitals the process is inefficient, lacks transparency and patients are...

How Does HIPAA Affect Use of Google Drive?
Jul22

The service G Suite – formerly known as Google Apps, of which Google Drive is a part – is compliant with HIPAA. The service does not breach HIPAA Rules; however, users of the service may breach the rules themselves. G Suite includes all of the required security controls to make it a HIPAA-compliant service and can be used by HIPAA-covered organizations to share PHI (in accordance with HIPAA Rules), once the account is...

Study: Data Breaches by Ex Employees a Concern
Jul20

A recent study carried out by OneLogin showed many groups are not doing enough to stop data violations by ex-employees. While access to computer systems and applications is a requirement during employment, many organizations are neglecting to block access to systems quickly when employees depart the company, even though ex-employees pose a significant danger to data security. Preventing access to networks and email accounts when an...

ONC Office of the Chief Privacy Officer Funding Stopping in 2018
Jul19

The withdrawal of funding for the Office of the Chief Privacy Officer has resulted in ONC National Coordinator Don Rucker, M.D. confirming that the office will be closed during 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been acting as Acting Chief Privacy Officer until a permanent replacement to the role previously filled by Lucia Savage is identified, following her departure in January. It now seems...

HHS Announces Closing Out of Office of the Chief Privacy Officer
Jul17

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) will be closing out the Office of the Chief Privacy Officer in FY 2018 due to cuts to its budget. The budget cuts are intended to make the ONC more accountable and a much leaner organization. The ONC will have to operate with $22 million less funding in FY 2018, and the Office of the Chief Privacy Officer is one of...

HIPAA Compliance and Dropbox, What You Need to Know
Jul16

Dropbox is one of the most popular and successful file hosting services available online, but does it comply with HIPAA? Dropbox claims it is now fully behind and supportive of HIPAA and HITECH Act compliance but that does not mean Dropbox itself is HIPAA compliant. No software or file sharing platform can be HIPAA compliant on its own as it depends on how the software or platform is used and the individuals using it. However,...

ONC Offers Tips to Improve Patient Data Access
Jul15

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has given covered entities tips to improve patient data access, explaining how important it is for patients to be given access to their health information. In its report – Improving the Health Records Request Process for Patients – ONC explains that under HIPAA Rules, patients are given the right to access their records. Healthcare organisations must...

File Sharing Tools and Cloud Computing: OCR Highlights Risks
Jul05

File sharing and collaboration services offer many advantages to HIPAA-covered companies, although the services can also introduce risks to the privacy and security of electronic health information. Many groups use these services, including healthcare organizations, yet they can lead to the exposure or disclosure of sensitive information. The Department of Health and Human Services’ Office for Civil Rights (OCR) has...

Anthem Agrees Largest Ever Data Violation Settlement
Jun28

The largest ever data violation settlement has recently been agreed by the health insurer Anthem Inc. Anthem was hit with a cyber attack in 2015 resulting in the theft of 78.8 million records of current and former health plan subscribers. The breach involved names, addresses, Social Security numbers, email addresses, birth dates and employment/income information being accessed with the necessary permission. A breach of that size...

Healthcare Data Breach Resolution Costs Fall
Jun26

Healthcare data breach resolution costs are still higher than all other industries, but the latest Ponemon Institute/IBM Security study has shown that for the first time ever, those costs have fallen year-over-year. For seven years, Ponemon/IBM have been conducting their cost of a data breach study, and each year the costs of resolving data breaches have risen. However, this year, average breach resolution costs fell by around 10%. The...

Healthcare Data Breach Report Shows Breaches Are Taking Years to Detect
Jun24

The latest healthcare data breach report issued by Protenus, in conjunction with databreaches.net, shows healthcare data breaches increased in May, with 37 breaches reported compared to 34 the previous month. The number of records exposed in those breaches was 255,108, although not all breach figures are known. That still represents a jump from last month when 232,060 healthcare records were known to have been exposed or stolen. One...

CoPilot Fined $130,000 by NY AG for Breach Notification Submitted Late
Jun21

A data breach that happened in the second half of 2015 should have seen targeted people warned within 2 months. However, it took CoPilot Provider Support Services Inc. until January 2017 to send out official breach notifications. An administration portal controlled by CoPilot was accessed by an unauthorized person on October 26, 2015. That person also stole the data of 221,178 people. The stolen data included names, dates of birth,...

Read More
New York Attorney General Fines CoPilot for Delaying Breach Notifications
Jun19

New York Attorney General Fines CoPilot for Delaying Breach Notifications

Under Health Insurance Portability and Accountability Act (HIPAA) Rules, covered entities must report data breaches within 60 days of the discovery of a breach. Affected individuals must also be notified within the same time frame. State legislation has been introduced that similarly requires organizations to issue notifications and report the incidents to state officials. Breach reports are also covered by other federal legislation...

Read More
HHS Looking Into OCR’s Wall of Shame Following Criticism
Jun17

HHS Looking Into OCR’s Wall of Shame Following Criticism

The Department of Health and Human Services’ Office for Civil Rights started publishing OCR’s ‘Wall of Shame’ – summaries of healthcare data breaches – on its website in 2009. The data breach list only includes a short synopsis of data breaches, including the name of the covered organization, the state in which the covered organization is based, covered organization type, date of notification, type of...

Read More
HHS Considers Making Changes to the OCR Wall of Shame
Jun16

HHS Considers Making Changes to the OCR Wall of Shame

Since the HITECH Act came into force in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing data breach summaries on its website. The website lists brief details of the type of data breach experienced by HIPAA-covered entities with information such as the cause of the breach, the devices that were involved, the number of individuals affected and the name of the company that experienced...

Read More
OCR Issues Guidance on the Correct Response After a Cyberattack
Jun09

OCR Issues Guidance on the Correct Response After a Cyberattack

The increase in hacking incidents in 2017 and major worldwide cyber incidents such as the WannaCry ransomware attacks have prompted the Department of Health and Human Services’ Office for Civil Rights (OCR) to issue new guidance on the correct response after a cyberattack. Yesterday, OCR sent a Quick Response Cyber Attack Checklist to its security and privacy list subscribers explaining the correct procedures to follow after a...

Read More
Need for Access Controls and Alerts Highlighted by Internal Staff Snooping Incidents
Jun04

Need for Access Controls and Alerts Highlighted by Internal Staff Snooping Incidents

Ransomware, malware and unaddressed software weaknesses pose a danger to the confidentiality, integrity and access to PHI, although healthcare groups should put in place processes to deal with the threat internally. This year has seen a multitude of cases involving employees snooping and accessing medical records without permission. The HIPAA Security Rule 45 CFR §164.312(b) requires covered organizations to “Implement hardware,...

Read More
$387,000 HIPAA Penalty for Disclosing HIV Status to Employer
May26

$387,000 HIPAA Penalty for Disclosing HIV Status to Employer

Following a Department of Health and Human Services’ Office for Civil Rights (OCR) investigation of a complaint about a case of impermissible disclosure of PHI, St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations. In September 2014, a complaint was submitted to the OCR about a possible privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint...

Read More
Egregious HIPAA Breach Punished with $378,000 Fine
May24

Egregious HIPAA Breach Punished with $378,000 Fine

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced yet another settlement to resolve HIPAA violations, this time for the careless handling of extremely sensitive health information. St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $378,000 to resolve an impermissible disclosure of patients’ protected health information to their employers. A wide range of highly sensitive information...

Read More
Dept. of Health Sends Out Warning Regarding Ransomware
May21

Dept. of Health Sends Out Warning Regarding Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and...

Read More
NIST Issues Guidance on Securing Drug Pumps
May17

NIST Issues Guidance on Securing Drug Pumps

Guidance on securing drug pumps has been issued by the National Institute of Standards and Technology (NIST) to help healthcare organizations mitigate the risk of cyberattacks that could cause patients to come to harm or allow sensitive data to be stolen. Over the past two years there has been concern raised about the lack of security on medical devices, with drug pumps a particularly serious concern. If threat actors are able to gain...

Read More
$2.4 Million HIPAA Fine Following Memorial Hermann Health System HIPAA Breach
May12

$2.4 Million HIPAA Fine Following Memorial Hermann Health System HIPAA Breach

A HIPAA breach arising from a disclosure in a press release issued by Memorial Hermann Health System (MHHS) in September 2015 has led to the organization agreeing to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. MHHS is a 16-hospital health system which is located in Texas, treating patients in the Greater Houston area. In September, an...

Read More
Memorial Hermann Health System HIPAA Fine Issued for Improper Disclosure of PHI
May11

Memorial Hermann Health System HIPAA Fine Issued for Improper Disclosure of PHI

An unauthorized disclosure of a patient’s name has resulted in a Memorial Hermann Health System HIPAA fine. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle potential HIPAA Privacy Rule violations with Memorial Hermann Health System with the payment of a $2.4 million penalty. Memorial Hermann Health System must also adopt a corrective action plan to ensure HIPAA Rules are followed in...

Read More
New Mexico HIPAA Violation Lawsuit Heads to NM Supreme Court
May10

New Mexico HIPAA Violation Lawsuit Heads to NM Supreme Court

A New Mexico HIPAA violation lawsuit filed by the victim of a sexual assault whose identity was improperly disclosed has been referred to the Supreme Court to assess whether the claim has standing. The lawsuit was filed by the plaintiff ‘G.R.’ who suffered a sexual assault and sought treatment for her injuries at Gallup Indian Medical Center (GIMC) where she was employed. G.R. alleges that following treatment, details of the assault...

Read More
Motion Filed to Dismiss ‘Baseless’ MDLive HIPAA Lawsuit
May09

Motion Filed to Dismiss ‘Baseless’ MDLive HIPAA Lawsuit

A motion has been submitted to dismiss an MDLive HIPAA lawsuit that was filed by a plaintiff who alleges the firm improperly disclosed protected health information to a third party without informing or obtaining consent from users of the telehealth platform. The MDLive HIPAA lawsuit was filed by plaintiff Joan Richards, who alleges MDLive takes screenshots of data entered on the app on multiple occasions during the first 15 minutes of...

Read More
Healthcare Cyber Threat Landscape to be Covered in HIMSS Privacy and Security Forum
May06

Healthcare Cyber Threat Landscape to be Covered in HIMSS Privacy and Security Forum

Over the next week, the HIMSS Privacy and Security Forum will be held in San Francisco. The two-day conference provides a chance for CISOs, CIOs and other healthcare professionals to obtain valuable guidance from security experts on the most recent cybersecurity threats, along with practical tips on how to limit the chance of damage being inflicted. In excess of 30 speakers will be present at the event and will provide talks on a...

Read More
Alleged Patient Privacy Violations Could Lead to Class Action Lawsuit for MDLive
Apr27

Alleged Patient Privacy Violations Could Lead to Class Action Lawsuit for MDLive

Claims that telemedicine company MDLive violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining official consent from patients have resulted in a class action lawsuit being filed. App users must enter a range of private information into the MDLive app; however, the complainant claims that during the first 15 minutes of use, the app takes an average of 60...

Read More
CardioNet Settles HIPAA Violations with OCR for $2.5 Million
Apr26

CardioNet Settles HIPAA Violations with OCR for $2.5 Million

Pennsylvania-based CardioNet, a provider of remote mobile monitoring and quick response services to patients in danger of suffering cardiac arrhythmias, has agreed a $2.5 million settlement to resolve potential HIPAA violations. Settlements have previously been agreed with healthcare suppliers, health plans, and business clients of covered organizations, but this is the first time OCR has settled potential HIPAA breaches with a...

Read More
Risk Analysis and Risk Management Errors Results in $2.5 Million HIPAA Settlement
Apr25

Risk Analysis and Risk Management Errors Results in $2.5 Million HIPAA Settlement

Risk analysis and risk management errors have resulted in a $2.5 million HIPAA compliance penalty for CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias. The Department of Health and Human Services’ Office for Civil Rights agreed to settle the potential HIPAA violations with no admission of liability. In addition to the substantial HIPAA settlement, CardioNet is...

Read More
CCDH Agrees OCR Settlement for Potential Violations
Apr23

CCDH Agrees OCR Settlement for Potential Violations

The OCR recently revealed it has agreed to settle potential breaches of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice located in Park Ridge, Illinois. On August 13, 2015, OCR completed a HIPAA compliance review of CCDH following an audit of FileFax Inc., which was contracted by CCDH to store inactive patient histories and...

Read More
Supreme Court Ruling: Donor Network Must Disclose Patient Details
Apr23

Supreme Court Ruling: Donor Network Must Disclose Patient Details

A New York Supreme Court Judge has recently ruled that patient details recorded by the New York Organ Donor Network must be handed over to a plaintiff and that HIPAA does not give basis for denying this request. Patrick McMahon believes he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he filed about organ harvesting from four patients who were still displaying clear...

Read More
HIPAA Rules on Business Associate Agreements
Apr21

HIPAA Rules on Business Associate Agreements

This week, the HHS’ Office for Civil Rights (OCR) sent a warning to covered entities about the need to ensure HIPAA Rules on business associate agreements are followed. OCR announced a settlement had been reached with an Illinois healthcare provider for disclosing protected health information (PHI) without first obtaining a signed copy of a BAA. What is a Business Associate Agreement? Under HIPAA Rules, a business associate is classed...

Read More
$31,000 HIPAA Penalty for a Business Associate Agreement Violation
Apr21

$31,000 HIPAA Penalty for a Business Associate Agreement Violation

The Department of Health and Human Services’ Office for Civil Rights has issued a $31,000 HIPAA penalty for a business associate agreement violation to The Center for Children’s Digestive Health (CCDH), a for-profit 7-center Illinois pediatric healthcare provider. OCR discovered potential HIPAA violations during an investigation of the document storage solution provider FileFax. The investigation revealed that FileFax had obtained the...

Read More
Denver-Based Metro Community Agrees $400,000 HIPAA Penalty
Apr15

Denver-Based Metro Community Agrees $400,000 HIPAA Penalty

Metro Community Provider Network (MCPN), a Denver, CO-based federally-qualified health center (FQHC), has agreed to pay OCR $400,000 and implement a stringent corrective action plan to resolve all HIPAA compliance issues found during an OCR investigation into a data breach that occurred in 2011. The incident that led to the OCR investigation was a phishing attack that happened on December 5, 2011. A hacker sent phishing emails to...

Read More
Are HIPAA Rules Outdated and is an Update Overdue?
Apr13

Are HIPAA Rules Outdated and is an Update Overdue?

Are HIPAA Rules outdated? Is an update long overdue? An article recently published in the journal JAMIA explores potential updates to HIPAA to keep the legislation relevant. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996 at a time when the Internet was in its infancy. Now, almost two decades later, a lot has changed. The majority of healthcare organizations have now...

Read More
Security Management Process HIPAA Violations Resolved with $400,000 OCR Settlement
Apr13

Security Management Process HIPAA Violations Resolved with $400,000 OCR Settlement

Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a $400,000 settlement had been agreed with Metro Community Provider Network (MCPN) to resolve potential security management process HIPAA violations. The Denver, CO-based federally-qualified health center (FQHC) experienced a phishing attack in December 2011 that resulted in unauthorized access to the email accounts of employees. The...

Read More
Study Analyses Hospital Data Breach Risk
Apr06

Study Analyses Hospital Data Breach Risk

A recent study published in JAMA Internal Medicine looked at the hospital data breach risk and determined which organizations are most at risk of experiencing data breaches. The researchers discovered that hospital data breach risk is positively linked with the size of the hospital. Larger hospitals are more likely to experience data breaches, as are hospitals with a strong focus on teaching. Smaller hospitals may have smaller budgets...

Read More
40% of Second-Hand Devices Found to Contain PII
Mar30

40% of Second-Hand Devices Found to Contain PII

The danger of failing to ensure mobile devices have all data securely wiped before being recommissioned or resold has been highlighted by a recent study conducted by National Association for Information Destruction (NAID). In the largest study of its type to date, NAID analysed data on more than 250 devices that had been sold on the second-hand market. 40% of those devices were found to contain personally identifiable information. It...

Read More
Mecklenburg County HIPAA Violation Prompts Policy Update
Mar30

Mecklenburg County HIPAA Violation Prompts Policy Update

A recently discovered Mecklenburg County HIPAA violation has infuriated county officials. An investigation has now been conducted to determine how HIPAA Rules were so easily violated. The incident was discovered on Monday this week. A member of the Mecklenburg County staff received a freedom of information request from the media who were investigating how 185 female patients were not informed about abnormal PAP smear results. While...

Read More
Severino Appointed to Director of HHS’ Office for Civil Rights Role
Mar29

Severino Appointed to Director of HHS’ Office for Civil Rights Role

Former civil rights trial attorney Roger Severino has been appointed, by the Department of Health and Human Services’ Office for Civil Rights, to lead its HIPAA enforcement efforts. Mr Severino moves to the OCR from his role at the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he held the position of Director since May 2015. An official announcement about the...

Read More
New Resource Provides HIPAA Help for mHealth Developers
Mar29

New Resource Provides HIPAA Help for mHealth Developers

A new online tool has been released by the Connected Health Initiative providing HIPAA help for mHealth developers and healthcare providers. The new tool – called HIPAA Check – has been developed to aid understanding of the complexities of the HIPAA Privacy and Security Rules. Health apps now track a range of user metrics. Data collected by the apps are stored along with personally identifiable information. Much of the information...

Read More
ONC Updates SAFER Guides to Assist HIPAA-Covered Entities with EHR Safety and Security
Mar29

ONC Updates SAFER Guides to Assist HIPAA-Covered Entities with EHR Safety and Security

The Office of the National Coordinator for Health IT (ONC) has released updated versions of its SAFER Guides. The series of guides provide useful information to help covered entities make their EHRs more usable and safer and can be used by HIPAA-covered entities to assess potential vulnerabilities in their EHRs. Hackers search for vulnerabilities in EHRs that can be exploited to gain access to data. It is therefore essential that...

Read More
Roger Severino to Lead OCR’s HIPAA Enforcement Efforts
Mar27

Roger Severino to Lead OCR’s HIPAA Enforcement Efforts

The Department of Health and Human Services’ Office for Civil Rights has a new Director to lead its HIPAA enforcement efforts. Late last week, the Trump Administration quietly installed Roger Severino as the new head of OCR filling the position left vacant following the departure of Jocelyn Samuels. No official announcement about the appointment has been made by the Trump Administration, although an OCR spokesperson has confirmed that...

Read More
Should There be a Criminal Investigation of a HIPAA Breach Involving an Employee?
Mar23

Should There be a Criminal Investigation of a HIPAA Breach Involving an Employee?

A criminal investigation of a HIPAA breach is launched when health data are stolen for malicious purposes, but what about cases involving curious employees? Healthcare data breaches are often discovered during routine audits of ePHI access logs. Healthcare providers discover that rogue employees have accessed patients’ data with no legitimate work reason for doing so. In such cases, the employees are disciplined and often lose their...

Read More
Doctor Breached HIPAA Privacy Rule Through Social Media Retaliation
Mar22

Doctor Breached HIPAA Privacy Rule Through Social Media Retaliation

An employee at the Dr. O Medical and Wellness Center in San Antonio, Texas has been sanctioned by the Texas Medical Board after allegedly retaliating against a patient by posting a video on Facebook and YouTube of them wearing only underwear. The doctor’s actions appear to be a clear violation of the HIPAA Privacy Rule. The patient in question, Clara Aragon-Delk, underwent a number of cosmetic surgery procedures beginning in 2015....

Read More
Doctor Sanctioned Over Social Media HIPAA Violations
Mar21

Doctor Sanctioned Over Social Media HIPAA Violations

A San Antonio, TX-based doctor has been sanctioned by the Texas Medical Board for social media HIPAA violations after retaliating against a patient by posting a video testimonial of the patient on Facebook and YouTube. The video of the patient in her underwear clearly showed the patient’s face, allowing her to be identified. However, prior permission to use the video had not been obtained from the patient. Dr. Tinuade Olusegun-Gbadehan...

Read More
Data Breach Notification Laws in New Mexico Passed by Senate Committee
Mar15

Data Breach Notification Laws in New Mexico Passed by Senate Committee

There are currently no data breach notification laws in New Mexico, but that is likely to change soon. New Mexico is one of three states that have yet to implement data breach notification laws, the other two being Arkansas and South Dakota. All three states are now in the advanced stages of introducing laws that will require companies to notify consumers in the event that their personal information is exposed or stolen. Currently...

Read More
Device Theft Highlights Importance of Encrypting HIPAA-Covered Data
Mar14

Device Theft Highlights Importance of Encrypting HIPAA-Covered Data

Encrypting HIPAA-covered data is not mandatory. The Health Insurance Portability and Accountability Act does cover the use of encryption to safeguard the protected health information of patients and health plan members, but encryption is only an addressable issue. However, that does not mean that encryption can simply be ignored. HIPAA-covered entities are required to conduct a risk analysis to identify all potential risks to the...

Read More
New Security Framework for Small Healthcare Providers
Mar14

New Security Framework for Small Healthcare Providers

A security framework for small healthcare providers has been released by the Health Information Trust Alliance (HITRUST). The security framework is a revised version of the HITRUST common security framework (HITRUST CSF) and can be used to create, access, store and exchange healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA). The HITRUST CSF is the most widely adopted security framework for the...

Read More
AHIMA Helps Covered Entities Prepare for a HIPAA Compliance Audit
Mar10

AHIMA Helps Covered Entities Prepare for a HIPAA Compliance Audit

The American Health Information Management Association has released a new toolkit to help covered entities prepare for a HIPAA compliance audit. The Department of Health and Human Services’ Office for Civil Rights commenced the much-delayed second phase of the Health Insurance Portability and Accountability Act audit program in the last quarter of 2016. Those audits started with ‘desk audits’ of HIPAA-covered entities. The desk...

Read More
AHIMA Released Updated HIPAA Compliance Audit Toolkit
Mar08

AHIMA Released Updated HIPAA Compliance Audit Toolkit

The second phase of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits has begun. Towards the end of 2017, covered organizations were selected for desk audits and the initial round of audits has now been finished. Now OCR has progressed to auditing business associates of covered organizations. Speaking at HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were...

Read More
Importance of Internal Audits of PHI Access Logs Highlighted by Recent HIPAA Breach
Mar08

Importance of Internal Audits of PHI Access Logs Highlighted by Recent HIPAA Breach

The importance of conducting internal audits of PHI access logs has been highlighted by a recent HIPAA breach discovered by Chadron Community Hospital in Nebraska. On January 3, 2017, the hospital discovered a former employee had improperly accessed the protected health information of patients. The investigation into the privacy breach revealed that the former employee had been accessing the PHI of patients without authorization for...

Read More
Guidance on Cyber Threats Issued to Healthcare Organizations by OCR
Mar08

Guidance on Cyber Threats Issued to Healthcare Organizations by OCR

The U.S. Department of Health and Human Services’ Office for Civil Rights has issued new guidance on cyber threats, advising HIPAA-covered entities to obtain the latest intelligence on new cyber threats that could potentially allow cybercriminals to gain access to the protected health information of patients and health plan members. Threat intelligence is issued by many organizations, although OCR recommends in its guidance on cyber...

Read More
HIPAA Noncompliance Penalties Likely to Increase
Mar03

HIPAA Noncompliance Penalties Likely to Increase

The Department of Health and Human Services’ Office for Civil Rights is expected to issue more HIPAA noncompliance penalties over the coming year. While OCR assists HIPAA-covered entities with their compliance efforts by issuing guidance, 2017 is likely to see OCR crack down on non-compliance. Organizations found to have violated HIPAA Rules can expect to have to dig deep and pay for their failure to comply with the HIPAA Privacy,...

Read More
New Simplified HITRUST CSF for Small Healthcare Providers
Mar03

New Simplified HITRUST CSF for Small Healthcare Providers

This week, HITRUST announced it has created a new, simplified HITRUST CSF for small healthcare providers to help them with their compliance and risk management programs. A New HITRUST CSF for Small Healthcare Providers The HITRUST CSF is a certifiable framework that was developed to help healthcare organizations manage risk and comply with industry regulations such as HIPAA. The framework is flexible and can be tailored to suit...

Read More
HIPAA Privacy Rule Compliance: Patient Copies of Health Information
Mar02

HIPAA Privacy Rule Compliance: Patient Copies of Health Information

An important element of HIPAA Privacy Rule compliance is ensuring patient copies of health information are provided on request. The Health Insurance Portability and Accountability Act requires HIPAA-covered entities to provide either electronic or paper copies of patient health records to the patient, or their nominated representative, if they are specifically requested. This week, the American Health Information Management...

Read More
Deadline for Small Healthcare Data Breach Notification is March 1
Feb27

Deadline for Small Healthcare Data Breach Notification is March 1

The Health Insurance Portability and Accountability Act’s Breach Notification Rule states that all covered organizations must make violations of unsecured electronic protected health information known to the Department of Health and Human Services’ Office for Civil Rights (OCR). While large scale data violations – those affecting 500 or more individuals – must be reported to OCR within 60 days of the breach being found, covered...

Read More