Model Patient Request for Health Information Form Issued by AHIMA
Jul25

A model patient request for health information form has been issued by the American Health Information Management Association (AHIMA) that can be used by healthcare providers to give to patients who request copies of their health information. The HIPAA Privacy Rule permits patients to obtain copies of their health data from their providers, although at many hospitals the process is inefficient, lacks transparency and patients are...

How Does HIPAA Affect Use of Google Drive?
Jul22

The service G Suite – formerly known as Google Apps, of which Google Drive is a part – is compliant with HIPAA. The service does not breach HIPAA Rules; however, users of the service may breach the rules themselves. G Suite includes all of the security controls required to make it a HIPAA-compliant service and can be used by HIPAA-covered organizations to share PHI (in accordance with HIPAA Rules), once the account is...

Study: Data Breaches by Ex-Employees a Concern
Jul20

A recent study carried out by OneLogin showed many organizations are not doing enough to stop data breaches by ex-employees. While access to computer systems and applications is a requirement during employment, many organizations are neglecting to block access to systems quickly when employees depart the company, even though ex-employees pose a significant danger to data security. Preventing access to networks and email accounts when an...

ONC Office of the Chief Privacy Officer Funding Stopping in 2018
Jul19

The withdrawal of funding for the Office of the Chief Privacy Officer has resulted in ONC National Coordinator Don Rucker, M.D. confirming that the office will be closed during 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage, who left the role in January, is identified. It now seems...

HIPAA Compliance and Dropbox, What You Need to Know
Jul16

Dropbox is one of the most popular and successful file hosting services available online, but does it comply with HIPAA? Dropbox claims it is now fully behind and supportive of HIPAA and HITECH Act compliance, but that does not mean Dropbox itself is HIPAA compliant. No software or file sharing platform can be HIPAA compliant on its own, as compliance depends on how the software or platform is used and on the individuals using it. However,...

ONC Offers Tips to Improve Patient Data Access
Jul15

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has given covered entities tips to improve patient data access, explaining how important it is for patients to be given access to their health information. In its report – Improving the Health Records Request Process for Patients – ONC explains that under HIPAA Rules, patients are given the right to access their records. Healthcare organizations must...

File Sharing Tools and Cloud Computing: OCR Highlights Risks
Jul05

File sharing and collaboration services offer many advantages to HIPAA-covered organizations, although the services can also introduce risks to the privacy and security of electronic health information. Many organizations, including healthcare organizations, use these services, yet they can lead to the exposure or disclosure of sensitive information. The Department of Health and Human Services’ Office for Civil Rights (OCR) has...

Anthem Agrees Largest Ever Data Breach Settlement
Jun28

The largest ever data breach settlement has recently been agreed by the health insurer Anthem Inc. Anthem was hit with a cyber attack in 2015 resulting in the theft of 78.8 million records of current and former health plan subscribers. The breach involved names, addresses, Social Security numbers, email addresses, birth dates and employment/income information being accessed without authorization. A breach of that size...

Healthcare Data Breach Resolution Costs Fall
Jun26

Healthcare data breach resolution costs are still higher than in all other industries, but the latest Ponemon Institute/IBM Security study has shown that for the first time ever, those costs have fallen year-over-year. For seven years, Ponemon/IBM have been conducting their cost of a data breach study, and each year the costs of resolving data breaches have risen. However, this year, average breach resolution costs fell by around 10%. The...

Healthcare Data Breach Report Shows Breaches Are Taking Years to Detect
Jun24

The latest healthcare data breach report issued by Protenus, in conjunction with databreaches.net, shows healthcare data breaches increased in May, with 37 breaches reported compared to 34 the previous month. The number of records exposed in those breaches was 255,108, although not all breach figures are known. That still represents a jump from the previous month, when 232,060 healthcare records were known to have been exposed or stolen. One...

CoPilot Fined $130,000 by NY AG for Breach Notification Submitted Late
Jun21

A data breach that happened in the second half of 2015 should have seen affected individuals notified within 2 months. However, it took CoPilot Provider Support Services Inc. until January 2017 to send out official breach notifications. An administration portal controlled by CoPilot was accessed by an unauthorized person on October 26, 2015. That person also stole the data of 221,178 people. The stolen data included names, dates of birth,...

New York Attorney General Fines CoPilot for Delaying Breach Notifications
Jun19

Under the Health Insurance Portability and Accountability Act (HIPAA) Rules, covered entities must report data breaches within 60 days of the discovery of a breach. Affected individuals must also be notified within the same time frame. State legislation has been introduced that similarly requires organizations to issue notifications and report the incidents to state officials. Breach reports are also covered by other federal legislation...

HHS Looking Into OCR’s Wall of Shame Following Criticism
Jun17

The Department of Health and Human Services’ Office for Civil Rights started publishing OCR’s ‘Wall of Shame’ – summaries of healthcare data breaches – on its website in 2009. The data breach list only includes a short synopsis of data breaches, including the name of the covered organization, the state in which the covered organization is based, covered organization type, date of notification, type of...

HHS Considers Making Changes to the OCR Wall of Shame
Jun16

Since the HITECH Act came into force in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing data breach summaries on its website. The website lists brief details of the type of data breach experienced by HIPAA-covered entities with information such as the cause of the breach, the devices that were involved, the number of individuals affected and the name of the company that experienced...

OCR Issues Guidance on the Correct Response After a Cyberattack
Jun09

The increase in hacking incidents in 2017 and major worldwide cyber incidents such as the WannaCry ransomware attacks have prompted the Department of Health and Human Services’ Office for Civil Rights (OCR) to issue new guidance on the correct response after a cyberattack. Yesterday, OCR sent a Quick Response Cyber Attack Checklist to its security and privacy list subscribers explaining the correct procedures to follow after a...

Need for Access Controls and Alerts Highlighted by Internal Staff Snooping Incidents
Jun04

Ransomware, malware and unaddressed software vulnerabilities pose a danger to the confidentiality, integrity and availability of PHI, but healthcare organizations should also put in place processes to deal with the threat from within. This year has seen a multitude of cases involving employees snooping and accessing medical records without permission. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware,...

$387,000 HIPAA Penalty for Disclosing HIV Status to Employer
May26

Following a Department of Health and Human Services’ Office for Civil Rights (OCR) investigation of a complaint about a case of impermissible disclosure of PHI, St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations. In September 2014, a complaint was submitted to OCR about a possible privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint...

Egregious HIPAA Breach Punished with $378,000 Fine
May24

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced yet another settlement to resolve HIPAA violations, this time for the careless handling of extremely sensitive health information. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $378,000 to resolve an impermissible disclosure of patients’ protected health information to their employers. A wide range of highly sensitive information...

Dept. of Health Sends Out Warning Regarding Ransomware
May21

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and the steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and...

NIST Issues Guidance on Securing Drug Pumps
May17

Guidance on securing drug pumps has been issued by the National Institute of Standards and Technology (NIST) to help healthcare organizations mitigate the risk of cyberattacks that could cause patients to come to harm or allow sensitive data to be stolen. Over the past two years there has been concern raised about the lack of security on medical devices, with drug pumps a particularly serious concern. If threat actors are able to gain...

$2.4 Million HIPAA Fine Following Memorial Hermann Health System HIPAA Breach
May12

A HIPAA breach arising from a disclosure in a press release issued by Memorial Hermann Health System (MHHS) in September 2015 has led to the organization agreeing to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. MHHS is a 16-hospital health system which is located in Texas, treating patients in the Greater Houston area. In September, an...

Memorial Hermann Health System HIPAA Fine Issued for Improper Disclosure of PHI
May11

An unauthorized disclosure of a patient’s name has resulted in a Memorial Hermann Health System HIPAA fine. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle potential HIPAA Privacy Rule violations with Memorial Hermann Health System with the payment of a $2.4 million penalty. Memorial Hermann Health System must also adopt a corrective action plan to ensure HIPAA Rules are followed in...

New Mexico HIPAA Violation Lawsuit Heads to NM Supreme Court
May10

A New Mexico HIPAA violation lawsuit filed by the victim of a sexual assault whose identity was improperly disclosed has been referred to the Supreme Court to assess whether the claim has standing. The lawsuit was filed by the plaintiff ‘G.R.’ who suffered a sexual assault and sought treatment for her injuries at Gallup Indian Medical Center (GIMC) where she was employed. G.R. alleges that following treatment, details of the assault...

Motion Filed to Dismiss ‘Baseless’ MDLive HIPAA Lawsuit
May09

A motion has been submitted to dismiss an MDLive HIPAA lawsuit that was filed by a plaintiff who alleges the firm improperly disclosed protected health information to a third party without informing or obtaining consent from users of the telehealth platform. The MDLive HIPAA lawsuit was filed by plaintiff Joan Richards, who alleges MDLive takes screenshots of data entered on the app on multiple occasions during the first 15 minutes of...

Healthcare Cyber Threat Landscape to be Covered in HIMSS Privacy and Security Forum
May06

Over the next week, the HIMSS Privacy and Security Forum will be held in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare professionals to obtain valuable guidance from security experts on the most recent cybersecurity threats, along with practical tips on how to limit the chance of damage being inflicted. In excess of 30 speakers will be present at the event and will provide talks on a...

Alleged Patient Privacy Violations Could Lead to Class Action Lawsuit for MDLive
Apr27

Claims that telemedicine company MDLive violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining official consent from patients have resulted in a class action lawsuit being filed. App users must enter a range of private information into the MDLive app; however, the complainant claims that during the first 15 minutes of use, the app takes an average of 60...

CardioNet Settles HIPAA Violations with OCR for $2.5 Million
Apr26

Pennsylvania-based CardioNet has agreed a $2.5 million settlement to resolve potential HIPAA violations. CardioNet is a provider of remote mobile monitoring and rapid response services to patients at risk of suffering cardiac arrhythmias. Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a...

Risk Analysis and Risk Management Errors Results in $2.5 Million HIPAA Settlement
Apr25

Risk analysis and risk management errors have resulted in a $2.5 million HIPAA compliance penalty for CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias. The Department of Health and Human Services’ Office for Civil Rights agreed to settle the potential HIPAA violations with no admission of liability. In addition to the substantial HIPAA settlement, CardioNet is...

CCDH Agrees OCR Settlement for Potential Violations
Apr23

OCR recently revealed it has agreed to settle potential breaches of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice located in Park Ridge, Illinois. On August 13, 2015, OCR completed a HIPAA compliance review of CCDH following an audit of FileFax Inc., which was contracted by CCDH to store inactive patient histories and...

Supreme Court Ruling: Donor Network Must Disclose Patient Details
Apr23

A New York Supreme Court Judge has recently ruled that patient details recorded by the New York Organ Donor Network must be handed over to a plaintiff and that HIPAA does not give basis for denying this request. Patrick McMahon believes he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he filed about organ harvesting from four patients who were still displaying clear...

HIPAA Rules on Business Associate Agreements
Apr21

This week, the HHS’ Office for Civil Rights (OCR) sent a warning to covered entities about the need to ensure HIPAA Rules on business associate agreements are followed. OCR announced a settlement had been reached with an Illinois healthcare provider for disclosing protected health information (PHI) without first obtaining a signed copy of a BAA.
What is a Business Associate Agreement?
Under HIPAA Rules, a business associate is classed...

$31,000 HIPAA Penalty for a Business Associate Agreement Violation
Apr21

The Department of Health and Human Services’ Office for Civil Rights has issued a $31,000 HIPAA penalty for a business associate agreement violation to The Center for Children’s Digestive Health (CCDH), a for-profit 7-center Illinois pediatric healthcare provider. OCR discovered potential HIPAA violations during an investigation of the document storage solution provider FileFax. The investigation revealed that FileFax had obtained the...

Denver-Based Metro Community Agrees $400,000 HIPAA Penalty
Apr15

Metro Community Provider Network (MCPN), a Denver, CO-based federally-qualified health center (FQHC), has agreed to pay OCR $400,000 and implement a stringent corrective action plan to resolve all HIPAA compliance issues found during an OCR investigation into a data breach that occurred in 2011. The incident that led to the OCR investigation was a phishing attack that happened on December 5, 2011. A hacker sent phishing emails to...

Are HIPAA Rules Outdated and is an Update Overdue?
Apr13

Are HIPAA Rules outdated? Is an update long overdue? An article recently published in the journal JAMIA explores potential updates to HIPAA to keep the legislation relevant. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996 at a time when the Internet was in its infancy. Now, almost two decades later, a lot has changed. The majority of healthcare organizations have now...

Security Management Process HIPAA Violations Resolved with $400,000 OCR Settlement
Apr13

Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a $400,000 settlement had been agreed with Metro Community Provider Network (MCPN) to resolve potential security management process HIPAA violations. The Denver, CO-based federally-qualified health center (FQHC) experienced a phishing attack in December 2011 that resulted in unauthorized access to the email accounts of employees. The...

Study Analyses Hospital Data Breach Risk
Apr06

A recent study published in JAMA Internal Medicine looked at the hospital data breach risk and determined which organizations are most at risk of experiencing data breaches. The researchers discovered that hospital data breach risk is positively linked with the size of the hospital. Larger hospitals are more likely to experience data breaches, as are hospitals with a strong focus on teaching. Smaller hospitals may have smaller budgets...

40% of Second-Hand Devices Found to Contain PII
Mar30

The danger of failing to ensure mobile devices have all data securely wiped before being recommissioned or resold has been highlighted by a recent study conducted by the National Association for Information Destruction (NAID). In the largest study of its type to date, NAID analysed data on more than 250 devices that had been sold on the second-hand market. 40% of those devices were found to contain personally identifiable information. It...

Mecklenburg County HIPAA Violation Prompts Policy Update
Mar30

A recently discovered Mecklenburg County HIPAA violation has infuriated county officials. An investigation has now been conducted to determine how HIPAA Rules were so easily violated. The incident was discovered on Monday this week. A member of the Mecklenburg County staff received a freedom of information request from the media, who were investigating how 185 female patients were not informed about abnormal PAP smear results. While...

Severino Appointed to Director of HHS’ Office for Civil Rights Role
Mar29

Former civil rights trial attorney Roger Severino has been appointed, by the Department of Health and Human Services’ Office for Civil Rights, to lead its HIPAA enforcement efforts. Mr Severino moves to the OCR from his role at the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he held the position of Director since May 2015. An official announcement about the...

New Resource Provides HIPAA Help for mHealth Developers
Mar29

A new online tool has been released by the Connected Health Initiative providing HIPAA help for mHealth developers and healthcare providers. The new tool – called HIPAA Check – has been developed to aid understanding of the complexities of the HIPAA Privacy and Security Rules. Health apps now track a range of user metrics. Data collected by the apps are stored along with personally identifiable information. Much of the information...

ONC Updates SAFER Guides to Assist HIPAA-Covered Entities with EHR Safety and Security
Mar29

The Office of the National Coordinator for Health IT (ONC) has released updated versions of its SAFER Guides. The series of guides provides useful information to help covered entities make their EHRs more usable and safer, and can be used by HIPAA-covered entities to assess potential vulnerabilities in their EHRs. Hackers search for vulnerabilities in EHRs that can be exploited to gain access to data. It is therefore essential that...

Roger Severino to Lead OCR’s HIPAA Enforcement Efforts
Mar27

The Department of Health and Human Services’ Office for Civil Rights has a new Director to lead its HIPAA enforcement efforts. Late last week, the Trump Administration quietly installed Roger Severino as the new head of OCR, filling the position left vacant following the departure of Jocelyn Samuels. No official announcement about the appointment has been made by the Trump Administration, although an OCR spokesperson has confirmed that...

Should There be a Criminal Investigation of a HIPAA Breach Involving an Employee?
Mar23

A criminal investigation of a HIPAA breach is launched when health data are stolen for malicious purposes, but what about cases involving curious employees? Healthcare data breaches are often discovered during routine audits of ePHI access logs. Healthcare providers discover that rogue employees have accessed patients’ data with no legitimate work reason for doing so. In such cases, the employees are disciplined and often lose their...

Doctor Breached HIPAA Privacy Rule Through Social Media Retaliation
Mar22

An employee at the Dr. O Medical and Wellness Center in San Antonio, Texas has been sanctioned by the Texas Medical Board after allegedly retaliating against a patient by posting a video on Facebook and YouTube of the patient wearing only underwear. The doctor’s actions appear to be a clear violation of the HIPAA Privacy Rule. The patient in question, Clara Aragon-Delk, underwent a number of cosmetic surgery procedures beginning in 2015....

Doctor Sanctioned Over Social Media HIPAA Violations
Mar21

A San Antonio, TX-based doctor has been sanctioned by the Texas Medical Board for social media HIPAA violations after retaliating against a patient by posting a video testimonial of the patient on Facebook and YouTube. The video of the patient in her underwear clearly showed the patient’s face, allowing her to be identified. However, prior permission to use the video had not been obtained from the patient. Dr. Tinuade Olusegun-Gbadehan...

Data Breach Notification Laws in New Mexico Passed by Senate Committee
Mar15

There are currently no data breach notification laws in New Mexico, but that is likely to change soon. New Mexico is one of three states that have yet to implement data breach notification laws, the other two being Arkansas and South Dakota. All three states are now in the advanced stages of introducing laws that will require companies to notify consumers in the event that their personal information is exposed or stolen. Currently...

Device Theft Highlights Importance of Encrypting HIPAA-Covered Data
Mar14

Encrypting HIPAA-covered data is not mandatory. The Health Insurance Portability and Accountability Act does cover the use of encryption to safeguard the protected health information of patients and health plan members, but encryption is only an addressable implementation specification. However, that does not mean that encryption can simply be ignored. HIPAA-covered entities are required to conduct a risk analysis to identify all potential risks to the...

New Security Framework for Small Healthcare Providers
Mar14

A security framework for small healthcare providers has been released by the Health Information Trust Alliance (HITRUST). The security framework is a revised version of the HITRUST common security framework (HITRUST CSF) and can be used to create, access, store and exchange healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA). The HITRUST CSF is the most widely adopted security framework for the...

AHIMA Helps Covered Entities Prepare for a HIPAA Compliance Audit
Mar10

The American Health Information Management Association has released a new toolkit to help covered entities prepare for a HIPAA compliance audit. The Department of Health and Human Services’ Office for Civil Rights commenced the much delayed second phase of the Health Insurance Portability and Accountability Act audit program in the last quarter of 2016. Those audits started with ‘desk audits’ of HIPAA-covered entities. The desk...

AHIMA Released Updated HIPAA Compliance Audit Toolkit
Mar08

The second phase of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits has begun. Towards the end of 2017, covered organizations were selected for desk audits and the initial round of audits have now been finished. Now OCR has progressed to auditing business associates of covered organizations. Speaking at HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were...

Importance of Internal Audits of PHI Access Logs Highlighted by Recent HIPAA Breach
Mar08

The importance of conducting internal audits of PHI access logs has been highlighted by a recent HIPAA breach discovered by Chadron Community Hospital in Nebraska. On January 3, 2017, the hospital discovered a former employee had improperly accessed the protected health information of patients. The investigation into the privacy breach revealed that the former employee had been accessing the PHI of patients without authorization for...

Guidance on Cyber Threats Issued to Healthcare Organizations by OCR
Mar08

The U.S. Department of Health and Human Services’ Office of Civil Rights has issued new guidance on cyber threats, advising HIPAA-covered entities to obtain the latest intelligence on new cyber threats that could potentially allow cybercriminals to gain access to the protected health information of patients and health plan members. Threat intelligence is issued by many organizations, although OCR recommends in its guidance on cyber...

HIPAA Noncompliance Penalties Likely to Increase
Mar03

The Department of Health and Human Services’ Office for Civil Rights is expected to issue more HIPAA noncompliance penalties over the coming year. While OCR assists HIPAA-covered entities with their compliance efforts by issuing guidance, 2017 is likely to see OCR crack down on non-compliance. Organizations found to have violated HIPAA Rules can expect to have to dig deep and pay for their failure to comply with the HIPAA Privacy,...

New Simplified HITRUST CSF for Small Healthcare Providers
Mar03

This week, HITRUST announced it has created a new, simplified HITRUST CSF for small healthcare providers to help them with their compliance and risk management programs.
A New HITRUST CSF for Small Healthcare Providers
The HITRUST CSF is a certifiable framework that was developed to help healthcare organizations manage risk and comply with industry regulations such as HIPAA. The framework is flexible and can be tailored to suit...

HIPAA Privacy Rule Compliance: Patient Copies of Health Information
Mar02

An important element of HIPAA Privacy Rule compliance is ensuring patient copies of health information are provided on request. The Health Insurance Portability and Accountability Act requires HIPAA-covered entities to provide either electronic or paper copies of patient health records to the patient, or their nominated representative, if they are specifically requested. This week, the American Health Information Management...

Deadline for Small Healthcare Data Breach Notification is March 1
Feb27

Deadline for Small Healthcare Data Breach Notification is March 1

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured protected health information to the Department of Health and Human Services’ Office for Civil Rights (OCR). While large-scale data breaches – those affecting 500 or more individuals – must be reported to OCR within 60 days of the breach being discovered, covered...

Read More
Texting, Social Media, & Case Walkthrough HIPAA Guidance to be Published in 2017
Feb24

Texting, Social Media, & Case Walkthrough HIPAA Guidance to be Published in 2017

Recently at HIMSS17, OCR’s Deven McGraw outlined the HIPAA guidance OCR expects to publish in 2017. OCR may be busy reviewing the findings of the HIPAA compliance desk audits of healthcare groups and their business associates, but a flurry of new HIPAA guidance documentation is set to be published this year. In 2016, the Joint Commission lifted its ban on the use of text messages for patient orders, although within weeks of the...

Read More
HIPAA Breach Notification Deadline for 2016 Data Breaches Fast Approaching
Feb22

HIPAA Breach Notification Deadline for 2016 Data Breaches Fast Approaching

The HIPAA breach notification deadline for HIPAA-covered entities is fast approaching. Covered entities have until March 1, 2017 to submit their 2016 data breach reports to the Department of Health and Human Services’ Office for Civil Rights. HIPAA covered entities that have experienced a breach of the protected health information of patients or plan members are required by the HIPAA Breach Notification Rule to send a report of the...

Read More
New OCR HIPAA Compliance Guidance on the Way
Feb21

New OCR HIPAA Compliance Guidance on the Way

At this year’s Health Information and Management Systems Society (HIMSS) annual meeting, OCR officials explained that 2017 will see a swathe of new OCR HIPAA compliance guidance issued. While there have been no changes to HIPAA Rules for a number of years, the pace at which technology is progressing has seen many gaps appear in HIPAA legislation. New medical devices have come to market, wearable technology has been adopted by...

Read More
Onsite HIPAA Compliance Audits Will be Delayed
Feb21

Onsite HIPAA Compliance Audits Will be Delayed

The Office for Civil Rights’ onsite HIPAA compliance audits that were scheduled to take place in the first quarter of 2017 are to be delayed, according to OCR’s Deputy Director of Health Information Privacy, Deven McGraw. In an interview at HIMSS17, McGraw explained to Information Security Media Group that the decision to delay the onsite HIPAA compliance audits was taken to allow OCR time to process the reports from the desk audits....

Read More
Horizon BCBS of New Jersey HIPAA Fine of $1.1 Million Announced
Feb20

Horizon BCBS of New Jersey HIPAA Fine of $1.1 Million Announced

A Horizon BCBS of New Jersey HIPAA fine has been announced by the New Jersey Division of Consumer Affairs. In addition to a $1.1 million financial settlement, Horizon BCBS of New Jersey is required to adopt a corrective action plan to ensure that the electronic protected health information (ePHI) of its policyholders is appropriately secured.

Horizon BCBS of New Jersey HIPAA Fine Resolves Multiple Privacy and Security Rule Violations...

Read More
$5.5 Million Memorial Healthcare HIPAA Fine Agreed
Feb17

$5.5 Million Memorial Healthcare HIPAA Fine Agreed

The Department of Health and Human Services’ Office for Civil Rights has announced a massive settlement has been reached with Florida-based Memorial Healthcare System. The Memorial Healthcare HIPAA fine of $5.5 million settles potential violations of the HIPAA Privacy and Security Rules spanning several years. The settlement is one of the largest HIPAA fines ever agreed with a single covered entity. The Memorial Healthcare HIPAA fine...

Read More
Children’s Health HIPAA Fine: $3.2 Million Paid to OCR to Resolve Multiple HIPAA Violations
Feb03

Children’s Health HIPAA Fine: $3.2 Million Paid to OCR to Resolve Multiple HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights has announced the first Civil Monetary Penalty of the year: The Children’s Health HIPAA fine of $3.2 million is one of the largest penalties to date for a single HIPAA-covered entity. The size of the CMP reflects the number of violations discovered and the length of time that the HIPAA violations were allowed to persist before Children’s Health eventually complied...

Read More
MAPFRE Life HIPAA Settlement: $2.2 Million for Impermissible Disclosure of ePHI
Jan19

MAPFRE Life HIPAA Settlement: $2.2 Million for Impermissible Disclosure of ePHI

MAPFRE Life Insurance Company of Puerto Rico has settled potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with the Department of Health and Human Services’ Office for Civil Rights.

MAPFRE Life HIPAA Settlement of $2.2 Million Agreed with OCR

According to the resolution agreement, MAPFRE Life will pay OCR $2,204,182 and must adopt a corrective action plan to address multiple noncompliance issues...

Read More
2016 Healthcare Data Breach Report Published
Jan18

2016 Healthcare Data Breach Report Published

The 2016 healthcare data breach report from cybersecurity company Protenus shows that 2016 was a record-breaking year for healthcare data breaches. In 2016, more than one healthcare data breach occurred every day on average. Those breaches resulted in the theft or exposure of 27 million individuals’ confidential information. In total, 450 breach incidents were reported by healthcare organizations – healthcare providers, health plans,...

Read More
$475,000 Presence Healthcare HIPAA Settlement Agreed with OCR
Jan10

$475,000 Presence Healthcare HIPAA Settlement Agreed with OCR

The Department of Health and Human Services’ Office for Civil Rights has announced a $475,000 Presence Healthcare HIPAA settlement has been agreed. This is the first HIPAA enforcement action of 2017 and the first time OCR has settled a case based solely on the delayed issuing of breach notifications to individuals impacted by a protected health information breach. In 2013, Presence St. Joseph Medical Center, a hospital run by...

Read More
63% Increase in Healthcare Data Breaches in 2016
Dec22

63% Increase in Healthcare Data Breaches in 2016

There has been a 63% increase in major healthcare data breaches in 2016, according to the 2016 Healthcare Cyber Breach Report from cybersecurity firm TrapX. The report, which covers healthcare data breaches in 2016 from January 1 to December 12, shows that while the total number of healthcare records exposed in 2016 was considerably lower than in 2015, the number of incidents increased substantially. In 2015, 111,812,172 records...

Read More
November 2016 Breach Barometer Report: Worst Month for Health Data Breaches
Dec16

November 2016 Breach Barometer Report: Worst Month for Health Data Breaches

The November 2016 Breach Barometer Report from Protenus provides a snapshot of the state of healthcare data security, cataloging the health data breaches that occurred last month. The report is released each month and provides a useful record of HIPAA breaches throughout the year. While the total number of health records exposed or stolen in November fell from the previous month, and November figures are the seventh lowest of the...

Read More
2015 Ashley Madison Data Breach Results in $1.75 Million Fines
Dec15

2015 Ashley Madison Data Breach Results in $1.75 Million Fines

The 2015 Ashley Madison data breach that exposed the credentials of more than 37 million would-be adulterers has resulted in fines of $17.5 million being issued to Ruby Corp., the organization that owns Ashley Madison. The fines were announced this week by both the Federal Trade Commission and the New York attorney general. The fines were issued due to poor security practices which contributed to the cyberattack, but also for...

Read More
$650,000 UMass HIPAA Settlement Announced by OCR
Nov23

$650,000 UMass HIPAA Settlement Announced by OCR

The University of Massachusetts Amherst (UMass) has agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $650,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The UMass HIPAA settlement could have been much higher, although OCR took into consideration the financial position of the University, which had operated at a financial loss last year. OCR...

Read More
$1 Million Settlement for 2013 Adobe Systems Data Breach
Nov11

$1 Million Settlement for 2013 Adobe Systems Data Breach

Connecticut Attorney General George Jepsen has announced that a settlement has been reached for the 2013 Adobe Systems data breach that affected more than half a million individuals in 15 states. The 2013 Adobe Systems data breach first came to light on September 17, 2013 when the company received an alert that one of its servers was approaching capacity. The response to that alert revealed that an unauthorized individual was...

Read More
Guidance on HIPAA and the FTC Act
Oct25

Guidance on HIPAA and the FTC Act

The Federal Trade Commission (FTC) in conjunction with the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued guidance on HIPAA and the FTC Act explaining it is not sufficient to only consider HIPAA regulations when sharing health data. Organizations must also ensure they comply with the Federal Trade Commission Act (FTC Act). The guidance on HIPAA and the FTC Act was issued to ensure that organizations...

Read More
$2.14 Million St. Joseph Health HIPAA Settlement Announced
Oct19

$2.14 Million St. Joseph Health HIPAA Settlement Announced

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $2.14 million St. Joseph Health HIPAA settlement after a data breach investigation uncovered serious violations of the HIPAA Security Rule. St. Joseph Health, which is sponsored by the St. Joseph Health Ministry, operates 14 acute care hospitals in California, New Mexico, and Texas, in addition to many skilled nursing facilities, hospices, home...

Read More
Healthcare Lawyers Increasingly Involved in Cybersecurity Matters
Oct17

Healthcare Lawyers Increasingly Involved in Cybersecurity Matters

A recent survey conducted by Bloomberg Law and the American Health Lawyers Association (AHLA) asked more than 300 healthcare attorneys from across the United States about their involvement in cybersecurity matters and their opinions on their future involvement in data breaches and cyber-attacks. The survey revealed the extent to which healthcare attorneys are being called upon to deal with cybersecurity matters and showed attorneys...

Read More
OCR Issues Cloud Computing Guidance for HIPAA Covered Entities
Oct07

OCR Issues Cloud Computing Guidance for HIPAA Covered Entities

Today, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued cloud computing guidance for HIPAA covered entities. The new guidance was issued in response to numerous questions that had been asked by covered entities and their business associates about how cloud services could be adopted without falling afoul of HIPAA Rules. The new cloud computing guidance for HIPAA covered entities can also be used by...

Read More
Business Associate HIPAA Audits Now Imminent
Oct01

Business Associate HIPAA Audits Now Imminent

The business associate HIPAA audits are scheduled to commence this month. The business associate HIPAA compliance audits are not expected to result in punitive action being taken if HIPAA violations are discovered. The audits provide a snapshot of the state of compliance and are intended to identify common compliance issues, which will be used to direct future guidance. OCR may prefer to resolve noncompliance with voluntary actions and...

Read More
Data Breach Notification Law in California Updated
Sep30

Data Breach Notification Law in California Updated

Data breach notification law in California, already the strongest in the country, has been updated again. The latest update is intended to further protect state residents whose personal information is compromised, and closes a gap in the law, which has previously not required...

Read More
HHS Privacy and Security Guidance is not in Line with Federal Guidelines, says GAO
Sep28

HHS Privacy and Security Guidance is not in Line with Federal Guidelines, says GAO

The Government Accountability Office (GAO) has released a damning report on the Department of Health and Human Services (HHS), criticizing its lack of oversight and privacy and security guidance for HIPAA covered entities. The GAO determined that the privacy and security guidance issued by the HHS failed to meet federal guidelines and did not cover all of the elements of the Cybersecurity Framework issued by the National Institute of...

Read More
ONC Report Confirms Most Hospitals Allow Patients to Access Their EHRs
Sep13

ONC Report Confirms Most Hospitals Allow Patients to Access Their EHRs

Significant progress has been made toward providing all patients with access to their ePHI, according to a recent report issued by the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC). Back in 2012, only 24% of non-federal acute care hospitals allowed patients to view their ePHI. The percentage of hospitals now allowing access to ePHI has risen to 95%; an increase of 4% since...

Read More
OCR Data Breach Investigations to Be Increased for Sub-500 Record Breaches
Aug18

OCR Data Breach Investigations to Be Increased for Sub-500 Record Breaches

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA Rules. All complaints about potential violations of HIPAA Rules are followed up, and OCR data breach investigations are initiated for all breaches that impact 500 or more individuals. That is not to say that data breaches involving the exposure or theft of fewer than 500 records are never investigated, only that with limited funding...

Read More
Walgreens HIPAA Violations Do Not Result in Financial Penalty
Aug12

Walgreens HIPAA Violations Do Not Result in Financial Penalty

Walgreens HIPAA violations discovered by reporters from WTHR 13 in 2006 have not resulted in any punitive action being taken by the Department of Health and Human Services’ Office for Civil Rights (OCR). According to a recent WTHR 13 report, the case against Walgreens has now been closed. Potential Walgreens HIPAA violations were uncovered by WTHR 13 reporters in 2006 following an investigation into the suspected dumping of protected...

Read More
Largest Ever HIPAA Penalty: Advocate Health Agrees to $5.55 Million Settlement
Aug05

Largest Ever HIPAA Penalty: Advocate Health Agrees to $5.55 Million Settlement

This week, the HHS’ Office for Civil Rights announced it has issued the largest ever HIPAA penalty to a single covered entity. Advocate Health will pay a penalty of $5.55 million to OCR to settle the case, which involved multiple potential HIPAA violations some of which spanned several years. OCR reports that some violations of the Health Insurance Portability and Accountability Act date back to when the HIPAA Security Rule was first...

Read More
37 Months’ Imprisonment for Criminal HIPAA Violations
Aug04

37 Months’ Imprisonment for Criminal HIPAA Violations

A former customer service representative at Tampa General Hospital has been sentenced to 37 months’ imprisonment for criminal HIPAA violations and tax fraud. Shanakia Benton abused her data access rights while employed at the hospital and accessed and stole patient data with intent to commit fraud. Benton was provided with access to the data in order to perform work duties. According to the court documents, Benton had previously...

Read More
Medical Students Potentially Violating HIPAA by Tracking Patients using EHRs
Jul29

Medical Students Potentially Violating HIPAA by Tracking Patients using EHRs

A recent study published in JAMA Internal Medicine suggests medical students may be violating HIPAA regulations by tracking patients using EHRs. A survey was conducted in an academic health center to determine the extent to which medical students were tracking patients using EHRs. The survey was conducted in August 2013 on 169 fourth year students. Little research had previously been conducted and the extent to which students were...

Read More
OIG Assesses HIPAA Standards for EHR Contingency Planning
Jul26

OIG Assesses HIPAA Standards for EHR Contingency Planning

The Department of Health and Human Services’ Office of Inspector General has conducted a survey to investigate whether HIPAA standards for EHR contingency planning were being met by U.S. hospitals. 400 hospitals were asked questions about EHR contingency planning and whether their plans had been put into practice. While a majority of hospitals had developed EHR contingency plans and had largely complied with HIPAA regulations, only...

Read More
University of Mississippi Medical Center HIPAA Settlement Announced
Jul22

University of Mississippi Medical Center HIPAA Settlement Announced

The failure to comply with HIPAA Rules can prove costly, as the University of Mississippi Medical Center HIPAA settlement clearly shows. Following an investigation into a breach of 500 patient records, the Department of Health and Human Services’ Office for Civil Rights (OCR) discovered multiple violations of Health Insurance Portability and Accountability Act Rules. The University of Mississippi Medical Center HIPAA settlement...

Read More
OCR Announces $2.7 million OHSU HIPAA Violation Settlement
Jul19

OCR Announces $2.7 million OHSU HIPAA Violation Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Oregon Health & Science University (OHSU) has agreed to settle multiple potential HIPAA violations which contributed to the potential disclosure of protected health information on a number of occasions. The OHSU HIPAA violation settlement is one of the largest of 2016. OHSU is required to make a monetary payment of $2.7 million to the...

Read More
167 HIPAA Covered Entities Selected for a Compliance Audit
Jul12

167 HIPAA Covered Entities Selected for a Compliance Audit

The long-awaited second phase of HIPAA compliance audits started earlier this year with the sending of emails to covered entities requesting contact information. From the responses, the Department of Health and Human Services’ Office for Civil Rights (OCR) formed a pool of covered entities eligible for a HIPAA compliance audit. The OCR announced this week that 167 covered entities have been selected for a “desk...

Read More
OCR Releases Ransomware Guidance for HIPAA Covered Entities
Jul11

OCR Releases Ransomware Guidance for HIPAA Covered Entities

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new guidance for covered entities to help them protect their organizations from ransomware attacks, and deal with attacks if they should occur. The new guidance also clarifies how HIPAA Rules apply to healthcare ransomware infections. Earlier this year, Deputy Director for Health Information Privacy Deven McGraw announced that new guidance on...

Read More
Business Associate Agrees to $650,000 Settlement for HIPAA Failures
Jun30

Business Associate Agrees to $650,000 Settlement for HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has agreed to settle the case against Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) for $650,000. CHCS has agreed to a corrective action plan and will pay the financial penalty to the OCR to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), without admission of liability. In...

Read More
HIPAA Minimum Necessary Standard Discussed at NCVHS Hearing
Jun20

HIPAA Minimum Necessary Standard Discussed at NCVHS Hearing

Melissa Martin, the President of the American Health Information Management Association (AHIMA) gave a testimony at a recent National Committee on Vital and Health Statistics’ (NCVHS) meeting regarding the HIPAA minimum necessary standard. The NCVHS subcommittee on privacy, confidentiality, and security held the hearing to discuss whether changes need to be made to the HIPAA minimum necessary standard, and whether HIPAA covered...

Read More
ONC Releases New Tools Explaining Consumers’ Rights to Access Health Information
Jun06

ONC Releases New Tools Explaining Consumers’ Rights to Access Health Information

The HHS’ Office of the National Coordinator for Health IT has released a new set of tools explaining consumers’ rights to access health information under HIPAA. Earlier this year the HHS’ Office for Civil Rights released new guidance for healthcare providers and other covered entities explaining how the HIPAA Privacy Rule requires covered entities to provide consumers with a copy of their electronic protected health information (ePHI)...

Read More
Healthcare Professionals Committing HIPAA Violations on Yelp
May31

Healthcare Professionals Committing HIPAA Violations on Yelp

A recent ProPublica report has revealed that many healthcare professionals are committing HIPAA violations on Yelp and other review sites when responding to bad feedback from patients. A response to a negative comment may be viewed as a good way of mitigating some of the damage caused, but this can all too easily backfire. When physicians or other healthcare professionals see a bad review, they have to exercise much greater caution...

Read More
Beware of HIPAA Violations When Responding to Yelp Reviews
May28

Beware of HIPAA Violations When Responding to Yelp Reviews

Online reviews of patients’ experiences with healthcare providers can be an invaluable way to gain feedback from patients. Some healthcare providers even encourage patients to write reviews of their experiences, while others are wary as poor reviews can be bad for business. Concern about the latter has led some healthcare providers to respond to comments about the poor treatment of patients, and by doing so they have violated one of the...

Read More
OCR Updates HIPAA Guidance for Health App Developers
May25

OCR Updates HIPAA Guidance for Health App Developers

The Department of Health and Human Services’ Office for Civil Rights (OCR) has updated its HIPAA guidance for health app developers to make it easier for developers of health apps to obtain answers to questions about the Health Insurance Portability and Accountability Act Rules. Last year, the OCR was criticized by the app industry for doing too little to help health app developers understand the complexities of HIPAA Rules. The OCR...

Read More
How Much Can Covered Entities Charge for PHI Access? HHS Issues Clarification
May24

How Much Can Covered Entities Charge for PHI Access? HHS Issues Clarification

There is a lot of uncertainty about how much covered entities can charge patients for PHI access under HIPAA Rules. Many healthcare providers feel they have received conflicting information about the allowable charges for providing patients with copies of their protected health information (PHI). Patients are likewise confused. Many individuals would like to obtain copies of their health data, and are allowed to do so under the HIPAA...

Read More
Have You Started Preparing for a HIPAA Compliance Audit?
May23

Have You Started Preparing for a HIPAA Compliance Audit?

Have you started preparing for a HIPAA compliance audit? Will you be able to supply compliant documentation to OCR auditors if your organization is selected for an audit later this year?

Time to Start Preparing for a HIPAA Compliance Audit

The Office for Civil Rights (OCR) will be auditing covered entities later this year and assessing compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The first round of HIPAA...

Read More
Guidance for Dealing with Ransomware Attacks to be Issued by OCR
May20

Guidance for Dealing with Ransomware Attacks to be Issued by OCR

Many HIPAA covered entities believe that guidance for dealing with ransomware attacks should be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR). There has been some confusion over whether a ransomware attack actually constitutes a data breach. HIPAA covered entities are required to report breaches of protected health information to the OCR within 60 days of the discovery of a breach. They must also...

Read More
AHA Calls for Changes to Healthcare Data Privacy Rules
May14

AHA Calls for Changes to Healthcare Data Privacy Rules

The American Hospital Association (AHA) has urged Congress to update data privacy rules to align them more closely with HIPAA. At present, the privacy rules of 42 CFR Part 2 (Part 2) restrict the use and disclosure of substance abuse records of patients that have been enrolled in certain substance abuse programs. The AHA is concerned that because current regulations prohibit the disclosure of patients’ entire medical records,...

Read More
OCR Warns Hospitals to Prepare for Business Associate Data Breaches
May10

OCR Warns Hospitals to Prepare for Business Associate Data Breaches

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently issued a warning to HIPAA covered entities saying they should be prepared for business associate data breaches. Recent surveys have suggested that HIPAA covered entities do not believe that some of their business associates would inform them of a data breach that exposed their patients’ protected health information. Many covered entities also...

Read More