Onsite HIPAA Compliance Audits Will be Delayed
Feb21

The Office for Civil Rights’ onsite HIPAA compliance audits that were scheduled to take place in the first quarter of 2017 are to be delayed, according to OCR’s Deputy Director of Health Information Privacy, Deven McGraw. In an interview at HIMSS17, McGraw explained to Information Security Media Group that the decision to delay the onsite HIPAA compliance audits was taken to allow OCR time to process the reports from the desk audits...

Horizon BCBS of New Jersey HIPAA Fine of $1.1 Million Announced
Feb20

A Horizon BCBS of New Jersey HIPAA compliance fine has been announced by the New Jersey Division of Consumer Affairs. In addition to a $1.1 million financial settlement, Horizon BCBS of New Jersey is required to adopt a corrective action plan to ensure that the electronic protected health information (ePHI) of its policyholders is appropriately secured. Horizon BCBS of New Jersey HIPAA Fine Resolves Multiple Privacy and Security Rule...

$5.5 Million Memorial Healthcare HIPAA Fine Agreed
Feb17

The Department of Health and Human Services’ Office for Civil Rights has announced a massive settlement has been reached with Florida-based Memorial Healthcare System. The Memorial Healthcare HIPAA fine of $5.5 million settles potential violations of the HIPAA Privacy and Security Rules spanning several years. The settlement is the joint largest ever HIPAA fine issued to a single covered entity. The Memorial Healthcare HIPAA fine...

Children’s Health HIPAA Fine: $3.2 Million Paid to OCR to Resolve Multiple HIPAA Violations
Feb03

The Department of Health and Human Services’ Office for Civil Rights has announced the first Civil Monetary Penalty of the year: The Children’s Health HIPAA fine of $3.2 million is one of the largest penalties to date for a single HIPAA-covered entity. The size of the CMP reflects the number of violations discovered and the length of time that the HIPAA violations were allowed to persist before Children’s Health eventually complied...

MAPFRE Life HIPAA Settlement: $2.2 Million for Impermissible Disclosure of ePHI
Jan19

MAPFRE Life Insurance Company of Puerto Rico has settled potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with the Department of Health and Human Services’ Office for Civil Rights.

MAPFRE Life HIPAA Settlement of $2.2 Million Agreed with OCR

According to the resolution agreement, MAPFRE Life will pay OCR $2,204,182 and must adopt a corrective action plan to address multiple noncompliance issues...

2016 Healthcare Data Breach Report Published
Jan18

The 2016 healthcare data breach report from cybersecurity company Protenus shows that 2016 was a record-breaking year for healthcare data breaches. In 2016, more than one healthcare data breach occurred every day on average. Those breaches resulted in the theft or exposure of 27 million individuals’ confidential information. In total, 450 breach incidents were reported by healthcare organizations – healthcare providers, health plans,...

$475,000 Presence Healthcare HIPAA Settlement Agreed with OCR
Jan10

The Department of Health and Human Services’ Office for Civil Rights has announced that a $475,000 Presence Healthcare HIPAA settlement has been agreed. This is the first HIPAA enforcement action of 2017 and the first time OCR has settled a case based solely on the delayed issuing of breach notifications to individuals impacted by a protected health information breach. In 2013, Presence St. Joseph Medical Center, a hospital run by...

63% Increase in Healthcare Data Breaches in 2016
Dec22

There has been a 63% increase in major healthcare data breaches in 2016, according to the 2016 Healthcare Cyber Breach Report from cybersecurity firm TrapX. The report, which covers healthcare data breaches in 2016 from January 1 to December 12, shows that while the total number of healthcare records exposed in 2016 was considerably lower than last year, the number of incidents increased substantially. In 2015, 111,812,172 records...

November 2016 Breach Barometer Report: Worst Month for Health Data Breaches
Dec16

The November 2016 Breach Barometer Report from Protenus provides a snapshot of the state of healthcare data security, cataloging the health data breaches that occurred last month. The report is released each month and provides a useful record of HIPAA breaches throughout the year. While the total number of health records exposed or stolen in November fell from the previous month, and November figures are the seventh lowest of the...

2015 Ashley Madison Data Breach Results in $1.75 Million Fines
Dec15

The 2015 Ashley Madison data breach that exposed the credentials of more than 37 million would-be adulterers has resulted in fines of $17.5 million being issued to Ruby Corp., the organization that owns Ashley Madison. The fines were announced this week by both the Federal Trade Commission and the New York attorney general. The fines were issued due to poor security practices which contributed to the cyberattack, but also for...

$650,000 UMass HIPAA Settlement Announced by OCR
Nov23

The University of Massachusetts Amherst (UMass) has agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $650,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The UMass HIPAA settlement could have been much higher, although OCR took into consideration the financial position of the University, which had operated at a financial loss last year. OCR...

$1 Million Settlement for 2013 Adobe Systems Data Breach
Nov11

Connecticut Attorney General George Jepsen has announced that a settlement has been reached for the 2013 Adobe Systems data breach that affected more than half a million individuals in 15 states. The 2013 Adobe Systems data breach first came to light on September 17, 2013 when the company received an alert that one of its servers was approaching capacity. The response to that alert revealed that an unauthorized individual was...

Guidance on HIPAA and the FTC Act
Oct25

The Federal Trade Commission (FTC) in conjunction with the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued guidance on HIPAA and the FTC Act explaining it is not sufficient to only consider HIPAA regulations when sharing health data. Organizations must also ensure they comply with the Federal Trade Commission Act (FTC Act). The guidance on HIPAA and the FTC Act was issued to ensure that organizations...

EHNAC Migrates HIPAA Privacy and Security Modules to HITRUST CSF Framework
Oct20

The two leading standards development associations – the Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) – have announced they are to collaborate and will be streamlining their certification and accreditation programs for healthcare industry stakeholders. The standards development organizations have a similar vision and want to reduce the complexity of information...

$2.14 Million St. Joseph Health HIPAA Settlement Announced
Oct19

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $2.14 million St. Joseph Health HIPAA settlement after a data breach investigation uncovered serious violations of the HIPAA Security Rule. St. Joseph Health, which is sponsored by the St. Joseph Health Ministry, operates 14 acute care hospitals in California, New Mexico, and Texas, in addition to many skilled nursing facilities, hospices, home...

Healthcare Lawyers Increasingly Involved in Cybersecurity Matters
Oct17

A recent survey conducted by Bloomberg Law and the American Health Lawyers Association (AHLA) asked more than 300 healthcare attorneys from across the United States about their involvement in cybersecurity matters and their opinions on their future involvement in data breaches and cyber-attacks. The survey revealed the extent to which healthcare attorneys are being called upon to deal with cybersecurity matters and showed attorneys...

OCR Issues Cloud Computing Guidance for HIPAA Covered Entities
Oct07

Today, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued cloud computing guidance for HIPAA covered entities. The new guidance was issued in response to numerous questions that had been asked by covered entities and their business associates about how cloud services could be adopted without falling afoul of HIPAA Rules. The new cloud computing guidance for HIPAA covered entities can also be used by...

Business Associate HIPAA Audits Now Imminent
Oct01

The business associate HIPAA audits are scheduled to commence this month. The business associate HIPAA compliance audits are not expected to result in punitive action being taken if HIPAA violations are discovered. The audits provide a snapshot of the state of compliance and are intended to identify common compliance issues, which will be used to direct future guidance. OCR may prefer to resolve noncompliance with voluntary actions and...

Data Breach Notification Law in California Updated
Sep30

Data breach notification law in California has been updated again, further strengthening the already stringent laws in the state. Data breach notification law in California is already the strongest in the country. The latest update is intended to further protect state residents whose personal information is compromised. The latest update closes a gap in the data breach notification law in California, which has previously not required...

HHS Privacy and Security Guidance is not in Line with Federal Guidelines, says GAO
Sep28

The Government Accountability Office (GAO) has released a damning report on the Department of Health and Human Services (HHS), criticizing its lack of oversight and privacy and security guidance for HIPAA covered entities. The GAO determined that the privacy and security guidance issued by the HHS failed to meet federal guidelines and did not cover all of the elements of the Cybersecurity Framework issued by the National Institute of...

ONC Issues Guidance on EHR Contract Negotiations
Sep27

The Office of the National Coordinator for Health IT (ONC) has issued new guidance on EHR contract negotiations to help HIPAA covered entities avoid some of the common problems experienced when selecting, negotiating, and implementing new EHR systems. The new guidance on EHR contract negotiations – EHR Contracts Untangled: Selecting Wisely, Negotiating Terms, and Understanding the Fine Print – is intended to help HIPAA covered...

ONC Report Confirms Most Hospitals Allow Patients to Access Their EHRs
Sep13

Significant progress has been made toward providing all patients with access to their ePHI, according to a recent report issued by the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC). Back in 2012, only 24% of non-acute care hospitals allowed patients to view their ePHI. The percentage of hospitals now allowing access to ePHI has risen to 95%; an increase of 4% since...

Health and Fitness App Privacy Policies Often Absent, says Think Tank
Aug19

One would assume that privacy policies would be more important for health and fitness apps than for many other types of app, given the types of data they collect. However, according to a recent study performed by the Washington DC think tank The Future of Privacy, health and fitness app privacy policies are often nowhere to be seen. Only 60% of the apps assessed for the study actually had privacy policies, compared to 76% of general apps. The...

OCR Data Breach Investigations to Be Increased for Sub-500 Record Breaches
Aug18

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA Rules. All complaints about potential violations of HIPAA Rules are followed up, and OCR data breach investigations are initiated for all breaches that impact more than 500 individuals. That is not to say that data breaches involving the exposure or theft of fewer than 500 records are never investigated, only that with limited funding...

Walgreens HIPAA Violations Do Not Result in Financial Penalty
Aug12

Walgreens HIPAA violations discovered by reporters from WTHR 13 in 2006 have not resulted in any punitive action being taken by the Department of Health and Human Services’ Office for Civil Rights (OCR). According to a recent WTHR 13 report, the case against Walgreens has now been closed. Potential Walgreens HIPAA violations were uncovered by WTHR 13 reporters in 2006 following an investigation into the suspected dumping of protected...

CMS Takes Steps to Prevent Abuse of Nursing Home Residents on Social Media Sites
Aug09

Reports of abuse of nursing home residents on social media networks have prompted the Centers for Medicare and Medicaid Services (CMS) to take steps to protect seniors living in nursing homes and assisted living facilities. While the vast majority of nursing home employees are committed to providing excellent levels of care for elders in nursing facilities, the volume of reports of abuse of nursing home residents on social media...

Largest Ever HIPAA Penalty: Advocate Health Agrees to $5.55 Million Settlement
Aug05

This week, the HHS’ Office for Civil Rights announced it has issued the largest ever HIPAA penalty to a single covered entity. Advocate Health will pay a penalty of $5.55 million to OCR to settle the case, which involved multiple potential HIPAA violations, some of which spanned several years. OCR reports that some violations of the Health Insurance Portability and Accountability Act date back to when the HIPAA Security Rule was first...

37 Months’ Imprisonment for Criminal HIPAA Violations
Aug04

A former customer service representative at Tampa General Hospital has been sentenced to 37 months’ imprisonment for criminal HIPAA violations and tax fraud. Shanakia Benton abused her data access rights while employed at the hospital and accessed and stole patient data with intent to commit fraud. Benton was provided with access to the data in order to perform work duties. According to the court documents, Benton had previously...

Medical Students Potentially Violating HIPAA by Tracking Patients using EHRs
Jul29

A recent study published in JAMA Internal Medicine suggests medical students may be violating HIPAA regulations by tracking patients using EHRs. A survey was conducted in an academic health center to determine the extent to which medical students were tracking patients using EHRs. The survey was conducted in August 2013 on 169 fourth-year students. Little research had previously been conducted, and the extent to which students were...

OIG Assesses HIPAA Standards for EHR Contingency Planning
Jul26

The Department of Health and Human Services’ Office of Inspector General has conducted a survey to investigate whether HIPAA standards for EHR contingency planning were being met by U.S. hospitals. 400 hospitals were asked questions about EHR contingency planning and whether their plans had been put into practice. While a majority of hospitals had developed EHR contingency plans and had largely complied with HIPAA regulations, only...

University of Mississippi Medical Center HIPAA Settlement Announced
Jul22

The failure to comply with HIPAA Rules can prove costly, as the University of Mississippi Medical Center HIPAA compliance settlement clearly shows. Following an investigation into a breach of 500 patient records, the Department of Health and Human Services’ Office for Civil Rights (OCR) discovered multiple violations of Health Insurance Portability and Accountability Act Rules. The University of Mississippi Medical Center HIPAA...

OCR Announces $2.7 million OHSU HIPAA Violation Settlement
Jul19

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Oregon Health & Science University (OHSU) has agreed to settle multiple potential HIPAA violations which contributed to the potential disclosure of protected health information on a number of occasions. The OHSU HIPAA violation settlement is one of the largest of 2016. OHSU is required to make a monetary payment of $2.7 million to the OCR...

167 HIPAA Covered Entities Selected for a Compliance Audit
Jul12

The long-awaited second phase of HIPAA compliance audits started earlier this year with the sending of emails to covered entities requesting contact information. From the responses, the Department of Health and Human Services’ Office for Civil Rights (OCR) formed a pool of covered entities eligible for a HIPAA compliance audit. The OCR announced this week that 167 covered entities have been selected for a “desk...

OCR Releases Ransomware Guidance for HIPAA Covered Entities
Jul11

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new guidance for covered entities to help them protect their organizations from ransomware attacks, and deal with attacks if they should occur. The new guidance also clarifies how HIPAA Rules apply to healthcare ransomware infections. Earlier this year, Deputy Director for Health Information Privacy Deven McGraw announced that new guidance on...

Business Associate Agrees to $650,000 Settlement for HIPAA Failures
Jun30

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has agreed to settle the case against Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) for $650,000. CHCS has agreed to a corrective action plan and will pay the financial penalty to the OCR to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), without admission of liability. In...

HIPAA Minimum Necessary Standard Discussed at NCVHS Hearing
Jun20

Melissa Martin, the President of the American Health Information Management Association (AHIMA), gave testimony at a recent National Committee on Vital and Health Statistics (NCVHS) meeting regarding the HIPAA minimum necessary standard. The NCVHS subcommittee on privacy, confidentiality, and security held the hearing to discuss whether changes need to be made to the HIPAA minimum necessary standard, and whether HIPAA covered...

Illinois Data Breach Notification Law Updated
Jun19

Bruce Rauner – the Governor of Illinois – has recently signed a number of amendments to Illinois data breach notification law. The changes are intended to better protect Illinois residents in the event that their personal information is exposed or stolen.

Health Insurance and Medical Information Included in Illinois Data Breach Notification Law

Changes have been made to the Personal Information Privacy Act (PIPA) which expand the...

OIG Report: Washington State Insurance Exchange Security Places PHI at Risk
Jun17

The Department of Health and Human Services’ Office of the Inspector General (OIG) has recently published a report of its investigation into Washington State’s health insurance exchange. The audit, which commenced in May 2015, was conducted to determine whether the exchange had adhered to federal requirements, including those stipulated by the Centers for Medicare & Medicaid Services in its Minimum Acceptable Risk Standards for...

NIST Cybersecurity Framework Update
Jun14

The National Institute of Standards and Technology (NIST) has announced that there will be a minor NIST Cybersecurity Framework update in early 2017. NIST sought suggestions from industry stakeholders over a period of two years since the NIST Cybersecurity Framework was published. NIST issued a request for information (RFI) in December 2015 and received over 100 responses on best practices, Framework use, and suggestions for long...

ONC Releases New Tools Explaining Consumers’ Rights to Access Health Information
Jun06

The HHS’ Office of the National Coordinator for Health IT has released a new set of tools explaining consumers’ rights to access health information under HIPAA. Earlier this year the HHS’ Office for Civil Rights released new guidance for healthcare providers and other covered entities explaining how the HIPAA Privacy Rule requires covered entities to provide consumers with a copy of their electronic protected health information (ePHI)...

Healthcare Professionals Committing HIPAA Violations on Yelp
May31

A recent ProPublica report has revealed that many healthcare professionals are committing HIPAA violations on Yelp and other review sites when responding to bad feedback from patients. A response to a negative comment may be viewed as a good way of mitigating some of the damage caused, but this can all too easily backfire. When physicians or other healthcare professionals see a bad review, they have to exercise much greater caution...

Beware of HIPAA Violations When Responding to Yelp Reviews
May28

Online reviews of patients’ experiences with healthcare providers can be an invaluable way to gain feedback from patients. Some healthcare providers even encourage patients to write reviews of their experiences, while others are wary, as poor reviews can be bad for business. Concern about the latter has led some healthcare providers to respond to comments about the poor treatment of patients, and by doing so they have violated one of the...

OCR Updates HIPAA Guidance for Health App Developers
May25

The Department of Health and Human Services’ Office for Civil Rights (OCR) has updated its HIPAA guidance for health app developers to make it easier for developers of health apps to obtain answers to questions about the Health Insurance Portability and Accountability Act Rules. Last year, the OCR was criticized by the app industry for doing too little to help health app developers understand the complexities of HIPAA Rules. The OCR...

How Much Can Covered Entities Charge for PHI Access? HHS Issues Clarification
May24

There is a lot of uncertainty about how much covered entities can charge patients for PHI access under HIPAA Rules. Many healthcare providers feel they have received conflicting information about the allowable charges for providing patients with copies of their protected health information (PHI). Patients are likewise confused. Many individuals would like to obtain copies of their health data, and are allowed to do so under the HIPAA...

Have You Started Preparing for a HIPAA Compliance Audit?
May23

Have you started preparing for a HIPAA compliance audit? Will you be able to supply compliant documentation to OCR auditors if your organization is selected for an audit later this year?

Time to Start Preparing for a HIPAA Compliance Audit

The Office for Civil Rights (OCR) will be auditing covered entities later this year and assessing compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The first round of HIPAA...

Guidance for Dealing with Ransomware Attacks to be Issued by OCR
May20

Many HIPAA covered entities believe that guidance for dealing with ransomware attacks should be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR). There has been some confusion over whether a ransomware attack actually constitutes a data breach. HIPAA covered entities are required to report breaches of protected health information to the OCR within 60 days of the discovery of a breach. They must also...

AHA Calls for Changes to Healthcare Data Privacy Rules
May14

The American Hospital Association (AHA) has urged Congress to update data privacy rules to align them more closely with HIPAA. At present, the privacy rules of 42 CFR Part 2 (Part 2) restrict the use and disclosure of substance abuse records of patients that have been enrolled in certain substance abuse programs. The AHA is concerned that because current regulations prohibit the disclosure of patients’ entire medical records,...

OCR Warns Hospitals to Prepare for Business Associate Data Breaches
May10

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently issued a warning to HIPAA covered entities saying they should be prepared for business associate data breaches. Recent surveys have suggested that HIPAA covered entities do not believe that some of their business associates would inform them of a data breach that exposed their patients’ protected health information. Many covered entities also...

Nebraska Data Breach Notification Law Amended
May01

Pete Ricketts – the Governor of Nebraska – has recently put his name to a new bill (LB 835) that amends Nebraska Data Breach Notification Law. The bill was recently passed with a unanimous 46-0 vote. The new bill expands the state’s definition of personal information and clarifies when data encryption does – and does not – require organizations to issue notifications to individuals affected by a security breach. The changes have...

Joint Commission Ends Text Message Ban on Orders
Apr27

The Joint Commission has lifted its five-year ban on clinicians using smartphones to send orders via text message. In the May copy of its Perspectives newsletter, the Joint Commission announced that the text message ban has been lifted with immediate effect, although there is one caveat. A secure text messaging platform must be used. The ban on text messaging was first introduced in 2011. Clinicians were prohibited from sending orders...

Pharma Company Manager Pleads Guilty to Criminal HIPAA Violations
Apr22

It is a relatively rare occurrence for the Department of Justice to pursue cases against individuals for criminal HIPAA violations, although action is being taken against a pharma company manager for alleged criminal HIPAA violations.

Charges of Criminal HIPAA Violations in Pharmaceutical Fraud Scheme

A case has been filed against Landon Eckles, a district manager for the pharmaceutical firm Warner Chilcott, for criminal HIPAA...

$2.2 Million HIPAA Penalty for Unauthorized Filming of Patients
Apr21

The Department of Health and Human Services’ Office for Civil Rights has announced its second HIPAA compliance settlement in three days, having arrived at an agreement with New York Presbyterian Hospital (NYP) over alleged violations of the HIPAA Privacy Rule. The settlement stems from the ‘egregious disclosure’ of protected health information to multiple individuals during the filming of a television show at the hospital. NYP had...

Orthopaedic Clinic Pays Penalty for Business Associate Agreement HIPAA Violation
Apr21

A Business Associate Agreement HIPAA violation discovered by the Department of Health and Human Services’ Office for Civil Rights (OCR) has culminated in a $750,000 settlement being reached with the Raleigh Orthopaedic Clinic (ROC) of North Carolina. An investigation was launched by OCR in 2013 following receipt of ROC’s report of a disclosure of protected health information (PHI) to a potential business partner. ROC entered into a...

$750,000 Settlement for HIPAA Business Associate Agreement Failures
Apr19

The latest OCR settlement for HIPAA Business Associate Agreement (BAA) failures highlights the importance of having up to date, HIPAA-compliant BAAs in place for all business associates. Raleigh Orthopaedic Clinic, P.A., of North Carolina has agreed to settle a case filed by the Office for Civil Rights for alleged violations of HIPAA Rules, stemming from an April 30, 2013 breach of PHI. An investigation was launched by OCR after...

Healthcare IT Security Focus On Compliance Not Breach Prevention
Apr15

According to the latest Vormetric data threat report, the main healthcare IT security focus is meeting HIPAA compliance requirements, not preventing data breaches.

HIPAA Compliance is the Main Healthcare IT Security Focus

For the report, Vormetric commissioned 451 Research to conduct a survey which questioned healthcare IT managers about their spending plans for the coming year. They were asked where the bulk of the cybersecurity...

Read More
Phase 2 HIPAA Audit Protocol Released
Apr07

The Department of Health and Human Services’ Office for Civil Rights published the new phase 2 HIPAA audit protocol this week. The protocol details the inquiries that will be made when the audits are conducted later this year. The second round of audits has been much delayed, and while the OCR has indicated progress was being made, the publication of the phase 2 HIPAA audit protocol suggests that the delays have come to an end and the...

The Hidden Cost of Pagers in Healthcare
Mar31

Numerous studies have been conducted on the cost of HIPAA-compliant alternatives to the pager, yet little research has been conducted on the actual cost of pagers in healthcare. Pager use is in steep decline. Pager services are being dropped by telecoms companies due to the lack of demand. Most industries retired pagers long ago and have switched to smartphones. However, the healthcare industry lags behind. Pagers are...

Phase 2 HIPAA Audit Program Begins
Mar24

The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA audit program has now started. Covered entities are now being emailed to verify contact information and to gather preliminary information. The initial stage of the phase 2 HIPAA audit program requires OCR to form the sample pool from which covered entities are chosen. The emails have been sent to the contacts OCR has listed for...

Phase 2 HIPAA Compliance Audits Underway, says OCR
Mar21

Phase 2 of the HIPAA compliance audits is now underway, according to a recent announcement issued by the Department of Health and Human Services’ Office for Civil Rights (OCR). The audits are being conducted to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The OCR explains that audits are an important tool that enables the OCR to assess whether organizations are implementing the necessary safeguards...

3.9 Million Dollar HIPAA Breach Settlement Announced by OCR
Mar18

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has arrived at a settlement with the Feinstein Institute for Medical Research for potential HIPAA violations stemming from a 2012 data breach. The Feinstein Institute has agreed to pay the OCR $3.9 million to settle the charges and has also agreed to adopt a corrective action plan (CAP) to address the issues raised during the OCR breach...

Feinstein Institute to Pay OCR $3.9 Million for Improper Disclosure of PHI
Mar18

Feinstein Institute for Medical Research has agreed to settle charges of improper disclosure of PHI with the Department of Health and Human Services’ Office for Civil Rights (OCR). A payment of $3.9 million will be made, with Feinstein also required to adopt a stringent corrective action plan to address a number of violations of HIPAA Rules discovered by OCR investigators.

Laptop Containing PHI Was Left On the Back Seat of a Car

OCR...

North Memorial Healthcare to Pay $1.5 Million HIPAA Fine
Mar17

North Memorial Healthcare has agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $1.5 million for failing to obtain a HIPAA-compliant business associate agreement from a major contractor. North Memorial also failed to conduct a comprehensive, organization-wide risk analysis according to a statement issued by the OCR. The OCR initiated an investigation into North Memorial Healthcare after receiving...

Business Associate Data Breaches Can Be Expensive: Hospital Pays OCR $1.55 Million
Mar17

The latest OCR HIPAA settlement illustrates just how expensive business associate data breaches can be if a HIPAA-covered entity has not obtained a signed, compliant business associate agreement (BAA). North Memorial Health Care of Minnesota has recently agreed to pay $1,550,000 to settle HIPAA violations that were discovered when the Department of Health and Human Services’ Office for Civil Rights conducted an investigation into a...

HIPAA Rules for Workplace Wellness Programs
Mar15

There has been some confusion surrounding the HIPAA Rules for workplace wellness programs. This week, the Department of Health and Human Services’ Office for Civil Rights has taken action and has issued new guidance which clarifies how HIPAA applies to certain workplace wellness programs.

HIPAA Rules for Workplace Wellness Programs Clarified by OCR

The Health Insurance Portability and Accountability Act covers healthcare providers,...

HIPAA Rules Covering mHealth Apps Require Clarification
Mar12

A bipartisan group of congressmen has written to Sylvia Matthews Burwell, the Secretary of Health and Human Services (HHS), criticizing the HHS for failing to clarify HIPAA Rules covering mHealth apps. While the HHS has taken some steps to help mHealth app developers comply with HIPAA Rules, the efforts made so far have not been sufficient and many app developers are still none the wiser about how and when HIPAA Rules apply. In...

Pagers in Healthcare: New Research Reveals Hidden Cost
Mar10

For a number of years there have been secure and reliable alternatives to pagers, yet the use of pagers in healthcare continues. Some hospitals have already made the switch to secure messaging platforms, although a great deal still rely on pagers to communicate with physicians, nurses, and other healthcare workers. Pagers have served the healthcare industry well for a number of decades. The devices are reliable and physicians are...

NIST Cybersecurity Framework and HIPAA Security Rule Crosswalk Issued
Mar03

The Department of Health and Human Services’ Office for Civil Rights has issued a crosswalk between the NIST Cybersecurity Framework and HIPAA Security Rule to help covered entities assess whether there are any gaps in their compliance programs.

NIST Cybersecurity Framework and HIPAA Security Rule Crosswalk Issued By OCR

The crosswalk between the NIST Cybersecurity Framework and HIPAA Security Rule was developed in conjunction with...

OCR Issues Crosswalk Between the HIPAA Security Rule and NIST Cybersecurity Framework
Feb25

The Department of Health and Human Services’ Office for Civil Rights has recently issued a crosswalk to assist HIPAA covered entities in complying with the HIPAA Security Rule and managing cybersecurity risks under the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The purpose of the Crosswalk is to help covered entities identify mappings between the Security Rule and the NIST Framework. The Crosswalk can be...

HHS Clarifies HIPAA Data Sharing Rules
Feb24

After seeking feedback from covered entities about aspects of the Health Insurance Portability and Accountability Act that are causing confusion, the U.S. Department of Health and Human Services has published two fact sheets to improve understanding of HIPAA data sharing rules. If a fully interoperable health system is to be developed, it is essential that HIPAA-covered entities understand HIPAA data sharing rules. It is hoped that...

HIPAA Rules on Website Testimonials: 25K Fine for Privacy Breach
Feb18

A physical therapy provider has reached a settlement with the Department of Health and Human Services’ Office for Civil Rights to resolve HIPAA privacy violations dating back to 2012, when PHI was posted on the company website without prior authorization having been obtained from patients.

HIPAA Rules on Website Testimonials: Obtain Authorization Before Disclosing PHI

Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) had...

HIPAA Guidance for Health App Developers Issued by OCR
Feb17

The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance for health app developers. The new guidance covers a number of scenarios in which HIPAA Rules must be followed, as well as explaining when app developers are not bound by HIPAA Rules. The new HIPAA guidance for health app developers is intended to clear up confusion about when HIPAA Rules must be obeyed and when HIPAA Rules do not apply....

Lincare Ordered to Pay $239,800 HIPAA Violation Penalty
Feb08

Clearwater, Florida-based respiratory and infusion care provider Lincare Holdings has been ordered to pay a HIPAA violation penalty of $239,800 to the Department of Health and Human Services’ Office for Civil Rights (OCR) by an administrative law judge. This is only the second time in the past 8 years that a HIPAA-covered entity has been forced to pay a HIPAA fine rather than agreeing to a settlement with the OCR to settle...

HIPAA Cybersecurity Standards Not Adhered to By Law Firms
Feb05

According to a new survey conducted by Legal Workspace, many law firms are not adhering to HIPAA cybersecurity standards and are not keeping protected health information secure. Data is not being protected by encryption, intrusion detection systems are not being implemented, logs of data access are not being kept, and when they are, those logs are not being maintained and reviewed. Adhering to HIPAA cybersecurity standards is not...

CMP for HIPAA Violations Imposed on Lincare Inc., by OCR
Feb04

The Office for Civil Rights has announced that Lincare, a provider of respiratory care and home health services, has been ordered to pay a CMP for HIPAA compliance violations as a result of the accidental disclosure of 278 confidential patient records. The civil monetary penalty of $239,800 was deemed appropriate after HIPAA Privacy Rule violations were discovered to have directly contributed to the patient privacy breach. $239,800 CMP...

Why is Healthcare Technology Behind the Times?
Jan15

Look at the annual profits reported by healthcare providers and it will be clear that many organizations can afford to implement new technology, especially when it will improve workflows, efficiency, and productivity. So why is healthcare technology behind the times? What is holding healthcare providers back when there is technology that can be leveraged to allow huge cost savings to be made and patient outcomes to be improved? Why is...

HIPAA and Firearms Background Checks
Jan07

Healthcare providers concerned about HIPAA compliance and firearms background checks have received further clarification on when it is possible for PHI to be disclosed. A new rule has been finalized by the Obama administration that permits healthcare providers to disclose certain elements of Protected Health Information to the FBI as part of its firearms background check program, amending the Health Insurance Portability and...

New Data Breach Notification Laws in California Effective
Jan06

On January 1, 2016, new data breach notification laws in California came into effect. All agencies doing business in the state of California must comply with the new laws if a data breach is suffered that exposes personal information of state residents.

Cal. Civ. Code § 1798.29(d)(1)(D) Data Breach Notification Laws in California Come into Effect

The new data breach laws in California apply if data is either exposed, or is reasonably...

ProPublica HIPAA Helper Database Uncovers HIPAA Bad Boys
Dec31

ProPublica has launched a HIPAA compliance violation search engine to make it easier for consumers to find healthcare organizations that have violated patient privacy in the past. The ProPublica HIPAA Helper database allows individuals to find out who is repeatedly violating patient privacy and HIPAA Privacy and Security Rules.

Setting up the ProPublica HIPAA Helper Database

Determining which healthcare organizations have violated...

Business Associate HIPAA Compliance to Be Tested By OCR
Dec30

The next round of OCR HIPAA compliance audits is penciled in to start in the first quarter of 2016. While the audits have been much delayed, it is unlikely that they will be pushed back further. OCR has been heavily criticized for its lack of enforcement of HIPAA, in particular the failure of the audit program to materialize. The next round of audits will see business associate HIPAA compliance efforts examined, as this will be the...

Allina Health System HIPAA Violation Uncovered
Dec24

An Allina Health System HIPAA violation has been discovered that dates back to April 6, 2015. Documents containing the PHI of patients were accidentally disposed of with regular trash instead of being sent for shredding.

Allina Health System HIPAA Violation Potentially Affects up to 6,100 Patients of the Isles Clinic

Several thousand patients of the Minneapolis Isles clinic run by Allina Health System have been notified that some...

HIPAA Holding Back Healthcare Cloud Application Adoption
Dec17

A new survey conducted by Bitglass shows the adoption of cloud applications has grown considerably since 2014 across all industries, but healthcare cloud application adoption lags behind. Only the retail and utility industries have a lower overall adoption rate, according to the report.

Healthcare Cloud Application Adoption Increases by 350%

Compared to 2014, healthcare cloud application adoption has grown considerably. The percentage...

OCR HIPAA Settlement for a Phishing Attack
Dec15

University of Washington Medicine has agreed to an OCR HIPAA settlement for a phishing attack suffered in 2013. A financial penalty of $750,000 must be paid to the Office for Civil Rights, and a corrective action plan (CAP) must be adopted to address areas of non-compliance with the HIPAA Security Rule.

First OCR HIPAA Settlement for a Phishing Attack

Data breaches are investigated by the Office for Civil Rights and financial penalties are...

FTC v LabMD: Case Dismissed After Challenge: Appeal Lodged
Dec14

In August 2013, the Federal Trade Commission filed a lawsuit against LabMD over a 2008 data breach. The FTC v LabMD case was recently dismissed due to insufficient evidence that breach victims faced a substantial risk of coming to harm as a result of the exposure of their personal data. The lawsuit was filed in response to the exposure of approximately 9,000 consumer records in 2008. A spreadsheet containing customer billing...

The State Attorney General HIPAA Fines Continue
Dec11

State attorney general HIPAA fines continue to be issued, as the University of Rochester Medical Center agrees to pay a HIPAA settlement of $15,000 for a 2015 patient privacy breach. Earlier this year, the University of Rochester Medical Center suffered a data breach that affected 3,403 patients. The breach involved an employee of URMC taking patient data to her new employer, who used that information to send a mailing offering the...

Hospital Use of Two-Factor Authentication Solutions
Dec09

The results of a study on the use of two-factor authentication solutions by non-federal acute care hospitals have recently been published by the Office of the National Coordinator for Health Information Technology. The analysis of ePHI security protection trends showed that just under half of hospitals are now using two-factor authentication solutions to ensure the electronic Protected Health Information (ePHI) of patients is...

Triple-S Data Breach Settlement Reached with OCR
Dec04

This week, OCR announced a Triple-S data breach settlement was reached. The Puerto Rico health insurer will pay $3.5 million to OCR to settle potential HIPAA violations spanning 5 years. The Triple-S data breach settlement could potentially have been far greater, considering the BlueCross BlueShield licensee has reported eight data breaches to OCR since 2010 and has previously been fined for HIPAA violations. Triple-S Data Breach...

Lahey Hospital HIPAA Breach Settlement Agreed with OCR
Dec02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Lahey Hospital and Medical Center following an investigation into potential HIPAA violations. The Burlington, Mass. hospital has decided to settle the OCR’s case without admission of liability. The Lahey Hospital HIPAA breach settlement relates to the impermissible disclosure of Protected Health Information of 599 patients in...

Healthcare Secure Messaging Offers Many Benefits
Nov27

Implementing a healthcare secure messaging solution will help to ensure that privacy breaches are avoided. HIPAA regulations prohibit the sending of Protected Health Information (PHI) over open, unencrypted mobile networks. Should a physician or other healthcare professional send a text message containing PHI, HIPAA rules will be violated. The Department of Health and Human Services’ Office for Civil Rights (OCR) may not currently be...

Texas Seeks Civil Penalties for Improper Disposal of PHI
Nov25

The state of Texas has recently sued Alliance Health Management & Consulting Inc., and is seeking civil penalties for improper disposal of PHI after the home health care management company failed to adhere to HIPAA and state regulations covering the disposal of medical records and personal information of patients. Boxes of files were discarded in recycling dumpsters close to Stevenson Middle School last year without first being...

Liability for PHI Disclosure on Social Media Websites
Nov16

Who is liable for PHI disclosure on social media if an employee of a healthcare provider uploads a photo of a medical record to a Facebook account? Can the healthcare provider be sued for the improper disclosure? Where does liability for PHI disclosure lie? According to a Hamilton County Common Pleas Court judge, the healthcare provider is not liable. The plaintiff must seek damages from the individual responsible for exposing...

Attorney General HIPAA Penalties Continue with 90K Settlement
Nov14

Attorney General HIPAA penalties continue to be issued, with Hartford Hospital and its Business Associate (BA), EMC Corp, having recently settled with the state of Connecticut over a breach of PHI after an unencrypted laptop computer was stolen in 2012. The incident resulted in the PHI of 8,900 state residents being exposed. EMC had been contracted by Hartford Hospital to conduct an analysis of PHI in an effort to cut down on...

Tracking Medical Identity Theft: Senators Demand Answers
Nov12

Healthcare providers, health plans, and business associates of covered entities have suffered huge data breaches this year. Hackers have targeted healthcare plans in 2015 and have been successful in obtaining huge volumes of PHI. The data is used for identity theft, but what is being done about it? Are the CMS and/or OCR tracking medical identity theft? Four senators are now demanding some answers. Sens. Lamar Alexander, R-Tenn.,...

HIPAA Guidance for Emergencies Released by OCR

It often takes an emergency situation to realize that policies and procedures are not adequate, and the recent outbreak of Ebola clearly highlighted issues with current legislation, prompting the OCR to issue HIPAA guidance for emergencies. The new guidance will help HIPAA-covered entities to avoid Privacy Rule violations when reacting to emergency situations, and provides further clarification of the rules covering the disclosure of...

HIPAA Requires Business Associate Agreements with Contractors
Nov10

All HIPAA-covered entities must have signed Business Associate Agreements with contractors before any PHI is provided. The failure to obtain a signed BAA prior to PHI being provided could potentially result in a fine being issued by the Department of Health and Human Services’ Office for Civil Rights. Both the covered entity and Business Associate (BA) can be fined for a failure to comply with these rules. Business Associate...

Trust in HIPAA-Covered Entities’ Ability to Securely Store Healthcare Data Remains Low
Oct29

Earlier this year, a survey conducted by Software Advice indicated that the high volume of cyberattacks, cases of insider theft, and negligence by healthcare providers with regard to data security was negatively affecting patient confidence in healthcare organizations’ ability to securely store healthcare data. The survey was conducted on 243 healthcare patients, who were questioned about healthcare security, patient data theft and...

Governor Brown Updates California Breach Notification Law
Oct16

Legislation covering data privacy and security in the state of California is stricter than in most other states, and a new trio of bills amending California breach notification law was signed last week, adding even greater protections for California residents. State governor Jerry Brown added his signature to three new bills last week which amend California breach notification law, increasing the data elements included under...

Health App Privacy Risks Revealed by New Study
Oct15

A new study published by BMC Medicine has revealed numerous health app privacy risks, with 66% of accredited apps under test found not to employ data encryption, potentially allowing the personal data of users to be intercepted by cybercriminals. The study, “Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment”, set out to explore whether health and wellness apps offered an adequate...

ONC Final Interoperability Roadmap Released
Oct14

It has been a long time coming but the wait is over: the ONC Final Interoperability Roadmap has now been released. The Interoperability Roadmap is intended to show healthcare organizations the path towards a fully interoperable health system, one which places the patient at the center of a system that offers real-time health data access by any patient and healthcare provider. The ultimate aim is to develop a healthcare system that...

Meaningful Use Stage 3 Final Rules Released
Oct12

The Centers for Medicare & Medicaid Services (CMS), together with the Office of the National Coordinator for Health Information Technology (ONC), have released the Meaningful Use Stage 3 Final Rules. Now begins a 60-day commenting period. The release of the Meaningful Use Stage 3 Final Rules has taken some time. Following the release of the draft version earlier this year, the CMS had to review over 2,500 comments collected from...

Mobile App Developers’ HIPAA Questions to be Answered by OCR
Oct10

The Department of Health and Human Services’ Office for Civil Rights is to answer mobile app developers’ HIPAA questions via a new web portal launched earlier this week. HIPAA Rules can be confusing for entities covered by the legislation; however, many mobile app developers have found the Security and Privacy Rules impossible to fathom, and have struggled to come to terms with the complexities of the regulations. This has resulted in...
