HIPAA Compliance
PHI Exposed in HealthEquity Cyberattack
Financial technology and business services provider HealthEquity, based in Draper, UT, encountered a cyberattack that exposed SharePoint data, including protected health information (PHI). HealthEquity offers health savings accounts (HSAs) and consumer-focused benefits solutions, such as health reimbursement arrangements (HRAs), and administers many HRAs, HSAs, and other benefit accounts. HealthEquity revealed in its...
SkinCure Oncology Email Account Breach
SkinCure Oncology in Burr Ridge, IL has informed 13,434 individuals about an email attack that happened in June 2023. SkinCure Oncology has sent personal notifications to patients whose protected health information (PHI) was compromised in the email breach. According to the substitute breach notice, the investigation confirmed that an unauthorized third party accessed several email accounts from June 23 to June...
Guidance Sought on Notification Requirements Related to the Change Healthcare Data Breach
CHIME and some healthcare provider organizations wrote to Melanie Fontes Rainer, the Office for Civil Rights (OCR) Director, for clarity and information for physicians and healthcare providers concerning the reporting requirements associated with the Change Healthcare data breach. The HHS replied immediately to CHIME’s letter and stated that concerning the breach response, the affected HIPAA-covered entities may assign the task of...
PHI of 175,195 Patients Exposed in South Texas Oncology and Hematology Cyberattack
Cancer treatment center South Texas Oncology and Hematology (STOH), based in San Antonio, TX, has informed 176,303 patients about a cyberattack discovered on February 15, 2024. STOH has seven centers located in Texas with over 405 employees and generates approximately $8 million in yearly revenue. After discovering the security incident, STOH deactivated its system and engaged a third-party cybersecurity company to help secure its...
Surgeon Who Exposed Transgender Care to Minors Charged with Criminal HIPAA Violations
The Department of Justice has revealed the indictment of surgeon Eithan Haim, MD. Haim was the whistleblower who provided the press with documents regarding minors at Texas Children’s Hospital who received gender-affirming care. Haim faces charges of four criminal violations of the Health Insurance Portability and Accountability Act (HIPAA), namely illegally accessing, obtaining, and disclosing Texas Children’s pediatric...
Court Ruling Changes OCR’s Website Tracking Technology Guidance
A Texas federal judge ruled that the guidance issued by the HHS’ Office for Civil Rights about website tracking technologies was unlawful, stating that OCR exceeded its authority when it released the guidance. According to the judge, metadata obtained from an unauthenticated website is not individually identifiable health information even if combined with an IP address. In December 2022, OCR clarified to hospitals and...
ComplianceJunction HIPAA Training Course Receives AHIMA Approval
The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates. HIPAA has important privacy and security provisions that restrict the uses and disclosures of healthcare data – termed protected health information (PHI) – and require PHI to be safeguarded at all times. HIPAA requires covered entities to implement policies and...
23andMe 2023 Data Breach Investigated by Security Regulators
Data security regulators in the U.K. and Canada have started a joint investigation of 23andMe concerning its 2023 data breach, in which about 7 million individuals, or approximately 50% of its customers, were impacted. 23andMe is a company offering direct-to-consumer genetic testing through DNA analysis of customers’ saliva samples and gives customers information regarding their health and ancestry. In October 2023, a hacker accessed...
Cyber Attack on the Snowflake Platform
A financially motivated threat actor tracked as UNC5537 is conducting a cyber attack campaign against Snowflake customer databases. About 165 Snowflake customers are believed to have been impacted. Snowflake is a multi-cloud data storage platform that customers use for storing and analyzing large amounts of structured and unstructured data. According to Google’s cybersecurity company Mandiant, the threat actor uses stolen credentials to...
UHG Required to Send Breach Notifications Involving Change Healthcare Not Later Than June 21, 2024
On June 7, 2024, Senators Marsha Blackburn (R-TN) and Maggie Hassan (D-NH) sent a letter to UnitedHealth Group CEO Andrew Witty telling him to issue the notifications for the ransomware attack on Change Healthcare on February 21, 2024. Affected individuals need to be told about the ransomware attack promptly. The Office for Civil Rights (OCR) revised its website FAQ to clarify misunderstandings regarding breach notifications and...
FBI Recovers 7,000 Decryption Keys Through Operation Cronos
The Federal Bureau of Investigation (FBI) advises LockBit ransomware attack victims to contact the Internet Crime Complaint Center (IC3). The FBI has secured over 7,000 decryption keys that past victims can use to recover their files at no cost. At the 2024 Boston Conference on Cyber Security, FBI Cyber Assistant Director Bryan Vorndran confirmed that the FBI has a substantial number of decryption keys in its...
Cencora/Lash Group Faces Class Action Lawsuit Over Cyberattack
Cencora Inc. and The Lash Group LLC are facing a data breach lawsuit filed by plaintiff Keith Wolford. Allegedly, the defendants failed to implement reasonable and proper security measures to protect the privacy of personally identifiable information (PII) and protected health information (PHI) covered by HIPAA. Because of those failures, patient data was impermissibly exposed to threat actors. Cencora, a wholesale drug...
Ransomware Attack on Synnovis Affects London Hospitals
Synnovis, a UK-based medical laboratory services provider, encountered a ransomware attack that disrupted patient services at several NHS hospitals in London. Operations at the following hospitals and care centers were affected: Guy’s Hospital; King’s College Hospital; St Thomas’ Hospital; Evelina London Children’s Hospital; Royal Brompton Hospital; and care sites in six London boroughs: Bexley, Lewisham, Greenwich, Bromley, Lambeth, and...
Email Accounts Compromised at Children’s Health Care
Children’s Health Care in Minneapolis, MN, doing business as Children’s Minnesota, found out that patients’ protected health information (PHI) was compromised in an email security incident that was identified on March 13, 2024. Children’s Health Care is a large pediatric healthcare provider in the U.S. It has two hospital campuses, located in St. Paul and Minneapolis, and specialty clinics. It is the only Level I Trauma...
2.8 Million Individuals Affected by Sav-Rx Data Breach
A&A Services, a medication benefit management solutions provider to health plans based in Fremont, Nebraska, and also known as Sav-Rx, encountered a cyberattack on October 8, 2023. It was confirmed that the Sav-Rx data breach affected the protected health information (PHI) of 2,812,336 people. The security breach was discovered because of a computer system interruption. Steps were taken to protect those systems from further...
Agencies Warn of Increasing Attacks on Healthcare Providers by Black Basta Ransomware Group
The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Multi-State Information Sharing and Analysis Center, and Department of Health and Human Services published a joint cybersecurity alert about the Black Basta ransomware variant. Threat actors have used this ransomware to encrypt files and steal data from roughly 12 critical infrastructure sectors, including the healthcare and public health sector. AHA...
Patient Information Exposed Due to Superior Air-Ground Ambulance Service Data Breach and a Stolen TimeDoc Laptop
PHI of 858K Individuals Exposed in Superior Air-Ground Ambulance Service Data Breach
Superior Air-Ground Ambulance Service provides ambulance and Emergency Medical Services (EMS) in Michigan, Indiana, Illinois, Ohio, and Wisconsin. It reported the exposure and theft of the protected health information (PHI) of 858,238 patients because of a cyberattack in May 2023. The healthcare company discovered suspicious activity in its IT system...
Exposure of PHI of Hypertension-Nephrology Associates Patients and Allina Health Patients
Hypertension-Nephrology Associates Patients Affected by Data Theft Incident
Hypertension-Nephrology Associates, based in Michigan, recently reported that it was targeted by a cyberattack in February 2024. An unidentified threat actor left a ransom note on its computer system demanding payment to stop the exposure of patient information stolen during the cyberattack. Ransomware groups still target the healthcare sector by stealing data and...
Potential Cyberattacks on Ascension, Palomar Health Medical Group and Georgia Institute for Plastic Surgery
Ascension Cyberattack Investigation
Ascension, the largest nonprofit and Catholic health system in America, stated it is looking into a suspected cyberattack that has interrupted clinical operations. As a safety precaution, business associates have been instructed to disconnect from its systems. The Google-owned cybersecurity company Mandiant assisted with the investigation and remediation efforts, and the appropriate authorities...
Health Data Analytics Company Submits 1.1-Million Record Data Breach Report
Berry, Dunn, McNeil & Parker, LLC (BerryDunn), an accounting and consulting company based in Portland, ME, filed a data breach report with the Maine Attorney General concerning a breach that affected the personal data of 1,107,354 people. BerryDunn provides health data analytics services to healthcare companies, medical insurance companies, and government regulatory and healthcare policy organizations. To carry out its contracted services, its...
PHI Exposed in Moffitt Cancer Center and Los Angeles County Department of Health Services Cyberattacks
Moffitt Cancer Center Impacted by the Advarra Data Breach
Moffitt Cancer Center reported a data security breach that occurred at Advarra. Advarra provides Moffitt Cancer Center with services associated with patient care and treatment as well as a research study. On October 26, 2023, Advarra found suspicious activity in the user account of an employee. The forensic investigation confirmed that an unauthorized person accessed...
Is Wix HIPAA Compliant?
Wix is not HIPAA compliant, and websites built on the platform should not be used to collect Protected Health Information unless an exception to HIPAA applies, or unless a third-party product is used to ensure PHI is not maintained or transmitted by Wix servers. The question of whether Wix is HIPAA compliant is answered in the platform’s Help Pages. The relevant Help Page states that Wix services are not specifically designed to comply with HIPAA....
Alcohol Addiction Company Violates Consumer Data Privacy
The Federal Trade Commission (FTC) has ordered the alcohol addiction treatment company Monument to cease sharing consumers’ health information with third parties for advertising purposes without obtaining affirmative authorization. A $2.5 million civil monetary penalty was imposed, although the penalty was suspended because Monument could not afford to pay. The FTC’s order settles FTC charges that Monument shared consumers’...
Value of Strong Cybersecurity Programs and Guidance on Informed Consent Requirements
Companies with Strong Cybersecurity Programs Get Higher Returns for Shareholders
Investing in cybersecurity measures helps prevent data breaches and avoid regulatory penalties. According to a recent report by Diligent Institute and Bitsight, organizations with strong cybersecurity programs generally exhibit improved financial performance and generate higher returns for their investors. Diligent Institute and Bitsight conducted...
HIPAA Security Audit
A HIPAA security audit can help covered entities and business associates identify threats to the confidentiality of Protected Health Information and remedy gaps in security to demonstrate a good faith effort to comply with HIPAA. For smaller organizations, a HIPAA security audit can be more cost-effective than adopting a recognized security framework. In 2021, Congress passed an amendment to the HITECH Act which – among other measures...
Cyberattacks and Data Breaches Reported by Ernest Health Hospitals, Wyndemere Senior Care, Baylor College of Medicine and Harvard Pilgrim Health Care
Patient Data Theft from Several Ernest Health Hospitals
Ernest Health manages rehabilitation and long-term acute care hospitals located in Arizona, Colorado, California, Indiana, Idaho, Montana, Ohio, New Mexico, South Carolina, Texas, Utah, Wyoming, and Wisconsin. Ernest Health patients were recently notified about a data security incident that affected their personal and protected health information (PHI). On February 1, 2024,...
Is WhatsApp HIPAA Compliant?
WhatsApp is not HIPAA compliant and cannot be used to send and receive Protected Health Information unless a patient specifically requests confidential communications via WhatsApp. However, there are other scenarios in which it is possible to use WhatsApp for healthcare. In 2016, WhatsApp announced the implementation of end-to-end encryption across all web and mobile apps. Not only are chat messages encrypted, but also images,...
$7.5M Theft of Grant Funds Explained by HHS
Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has questioned the Department of Health and Human Services (HHS) regarding a 2023 cyberattack that involved the theft of millions of dollars in grant funds and the failure of the HHS to inform Congress about the incident. In January 2024, Bloomberg published a report regarding a hacking incident that...
Is it Possible to Have HIPAA Compliant Gmail?
It is possible to have HIPAA compliant Gmail if you subscribe to a Google Workspace account that supports HIPAA compliance, if the products included in the Workspace account are configured to support HIPAA compliance, and if the Gmail service is used in compliance with the Privacy Rule standards relating to permissible uses and disclosures. When an individual or organization qualifies as a HIPAA covered entity or business associate,...
OCR Opens HIPAA Compliance Investigation of Change Healthcare
The HHS’ Office for Civil Rights started its investigation of Change Healthcare three weeks after the cyberattack on February 21, 2024. Usually, OCR’s cyberattack and data breach investigations are started a few months after the breach report is submitted; sometimes it investigates years after the breach happened. In this case, the data breach has not yet been reported to OCR because it is still being investigated. Change Healthcare has just...
Is Zelle HIPAA Compliant?
Zelle is not required to be HIPAA compliant due to a clause in the text of HIPAA that exempts payment processors from complying with HIPAA. However, covered entities that offer Zelle as a payment option should implement procedures for making their use of Zelle HIPAA compliant. When covered entities accept payments directly from plan members and patients, it is not true that the payment options provided have to be HIPAA compliant payment...
Legislative Revisions to Enhance Health Data Privacy
Senator Bill Cassidy (R-LA), a member of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, has issued a white paper, following a request for information (RFI), suggesting revisions to the Health Insurance Portability and Accountability Act (HIPAA) to enhance health data privacy protections and urging Congress to act to broaden privacy protections for all health information. The white paper, entitled...
Lurie Children’s Hospital Ransomware Attack and UNITE HERE Data Breach
EHR System of Lurie Children’s Hospital Now Restored One Month After Ransomware Attack
Ann & Robert H. Lurie Children’s Hospital, located in Chicago, encountered a ransomware attack that resulted in the deactivation of its phone, email, and health record systems. Lurie Children’s Hospital, which serves more than 220,000 patients annually, discovered a breach of its systems on January 31, 2024, and has reported that an identified...
Change Healthcare Faces Lawsuit While Personal Touch Holding Corp Settles Lawsuit
Multiple Class Action Lawsuits Against Change Healthcare Due to Ransomware Attack
On February 21, 2024, Change Healthcare encountered a Blackcat ransomware attack and has not yet recovered from the incident, with all systems still offline two weeks after the ransomware attack. The Blackcat ransomware gang claimed to have stolen 6TB of data before encrypting files, and the affiliate responsible for the attack...
OCR’s HIPAA Compliance and Data Breaches Annual Report
The Department of Health and Human Services (HHS) Office for Civil Rights has sent its annual reports to Congress regarding compliance with the HIPAA Privacy, Security, and Breach Notification Rules and breaches of unsecured protected health information (PHI) for 2022.
HIPAA Compliance in 2022
OCR details in the annual report that large data breaches increased 107% from 2018 to 2022. Concerns about possible HIPAA violations...
Cyberattack Leader Faces 40 Years Imprisonment and LockBit RaaS Infrastructure Operations Disrupted
Leader of Gang Responsible for the Attack on University of Vermont Medical Center Facing 40 Years Imprisonment
A Ukrainian man charged with leading groups that attacked thousands of enterprise computers using malware has pleaded guilty in federal court in Nebraska to one count of conspiracy to commit wire fraud and one count of conspiracy to violate U.S. anti-racketeering laws. One victim, the University of Vermont Medical...
Is PayPal HIPAA Compliant?
PayPal is not required to be HIPAA compliant for payment processing activities when a payment collected on behalf of a covered entity relates to a payment for health care or health insurance. However, PayPal does not meet the requirements to be HIPAA compliant for any other service or activity. In addition, because of concerns about PayPal’s Privacy Policy, it is not advisable to disclose any sensitive personal information to PayPal....
Is Ivy Pay HIPAA Compliant?
Ivy Pay is HIPAA compliant for therapists who are required to comply with HIPAA due to qualifying as a covered or hybrid entity, or qualifying as a business associate when providing a service for or on behalf of a covered entity that involves the creation, receipt, storage, or transmission of Protected Health Information. When healthcare providers conduct or outsource electronic healthcare transactions for which the Secretary for...
Why Cybercriminals Target the Healthcare Sector and Why We Should Care
According to the HHS Office for Civil Rights, 2023 saw more than 116 million personal patient records compromised across 655 breaches. When personally identifiable information (PII) is compromised, it can be through a direct attack on a facility or an attack on a third-party company to which the healthcare facility has outsourced its digital records. But have the frequent PII breach headlines desensitized us to the real problem, which is...
Is Intuit QuickBooks HIPAA Compliant?
Intuit QuickBooks is not HIPAA compliant unless the downloadable version of the software is deployed in a HIPAA compliant hosting service that prevents Intuit from accessing Protected Health Information (PHI) used in accounting and management activities. As this option is rarely cost-effective, it is recommended healthcare providers that want to use PHI with accounting and management software look for a QuickBooks HIPAA compliant...
7 Facts about Security Breaches in Healthcare
Security breaches in healthcare are on the increase, and although there has been a decline in the average number of records exposed per security breach, a cause for concern is that a growing proportion of healthcare security breaches are attributable to hacking and IT incidents. Since the passage of the HITECH Act in 2009, health plans, health care clearinghouses, and healthcare providers – collectively known as HIPAA Covered...
Is it HIPAA Compliant to Use Marketo?
It is HIPAA compliant to use Marketo Engage to create, collect, maintain, and transmit Protected Health Information (PHI) if the automated marketing platform is part of an Experience Cloud for Healthcare subscription, if the subscription is supported by a Business Associate Agreement with Adobe, and if Marketo Engage is configured to comply with the appropriate Security Rule safeguards. Even when these conditions are met, it may also...
Is Stripe HIPAA compliant?
Stripe does not have to be HIPAA compliant to provide payment processing services to HIPAA covered entities and business associates because payment processing services are exempted from HIPAA with regards to uses and disclosures of PHI. However, if any of Stripe’s other services are intended to be used by a covered entity or business associate to create, collect, maintain, or transmit PHI, it is important to know is Stripe HIPAA...
What does the HIPAA Omnibus Rule Mandate?
The HIPAA Omnibus Rule mandates changes to the Privacy, Security, Enforcement, and Breach Notification Rules to implement some – but not all – of the privacy provisions required by Subtitle D of the HITECH Act. The HIPAA Omnibus Rule also mandates changes to the Privacy Rule to prohibit health plans from using genetic information for underwriting purposes.
What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule is a Rule...
HIPAA Changes 2024
HIPAA changes – and changes to other Rules that impact HIPAA compliance – happen more frequently than many people appreciate; but, because they have a limited impact on covered entities and business associates, they are often overlooked. This article looks at some of the recent changes to HIPAA and HIPAA compliance, and looks ahead to potentially more substantial HIPAA changes in 2024. Since the publication of the HIPAA Omnibus Final...
What is Considered PHI?
PHI is considered to be health, treatment, or payment information – or any associated identifying information – that is created, received, maintained, or transmitted by a HIPAA regulated entity. PHI is an acronym for Protected Health Information – a term used in the healthcare and health insurance industries to describe individually identifiable health information subject to the privacy and security regulations of the Health Insurance...
Why Was HIPAA Created?
HIPAA was created to help individuals with health problems obtain health insurance and to make it easier for employees who change jobs or lose their jobs to maintain adequate coverage. The Act also enabled group purchasing by small businesses to increase their purchasing power in the health insurance market.
The Background to HIPAA
When Bill Clinton won the presidential election in 1992, one of the reasons for his success was a...
HIPAA Compliance for Home Health Care
HIPAA compliance for home health care workers can be especially challenging due to working in multiple – and sometimes unfamiliar – environments and often encountering scenarios that do not occur in purpose-built healthcare facilities. Home health care workers provide a valuable service to patients in the community. As well as visiting patients unable to go to a healthcare facility and providing feedback to physicians, home health...
3 HIPAA Violation Consequences That Are Often Overlooked
The three HIPAA violation consequences most often overlooked affect individuals, healthcare organizations, and the timeliness of care in ways not often considered. HIPAA violations occur more often than many people are aware of because the only public source of information about HIPAA violations is HHS’ Office for Civil Rights (OCR). Complaints made directly to healthcare organizations and sanctions imposed on members of the workforce...
American Hospital Association Files Lawsuit Against HHS Over Tracking Technology Guidance
In December 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) on the use of pixels and other website tracking technologies. According to the guidance, these technologies were essentially banned, as they allowed individually identifiable health information to be captured on websites and apps with...
Who Created HIPAA?
The people who created HIPAA in the context of the Rules healthcare organizations have to comply with were Donna Shalala and her team at the Department of Health and Human Services. If Donna Shalala is a new name to you, this article explains who she was and her role in the creation of HIPAA. Donna Shalala is the longest-serving Secretary for Health and Human Services (HHS), having been appointed to the role in 1993 by President Bill...
How Long Does It Take to Get HIPAA Certified?
The length of time it takes to get HIPAA certified depends on who is getting certified, the reason for getting certified, the criteria for certification, and how much of the criteria is already met. Consequently, there is no definitive answer to the question of how long it takes to get HIPAA certified. Taking these variables one by one, if an individual takes a HIPAA training course to improve their job prospects, and a certificate of achievement...
The Role of the HIPAA Technical Safeguards
The HIPAA Technical Safeguards play an important role in HIPAA compliance inasmuch as they are designed to protect and control access to electronic Protected Health Information (ePHI). The safeguards and the standards within them provide a framework for covered entities and business associates to help ensure the confidentiality, integrity, and availability of ePHI. Although they were published more than twenty years ago, the HIPAA...
How to Conduct an Effective HIPAA Security Risk Assessment
An effective HIPAA security risk assessment enables covered entities and business associates to identify threats to the confidentiality, integrity, and availability of electronic PHI, and to implement policies and procedures that prevent, detect, contain, and correct security violations. The requirement to conduct a HIPAA security risk assessment appears in the Administrative Safeguards of the Security Rule (45 CFR §164.308). When...
HIPAA and Social Media Policies
There are no one-size-fits-all HIPAA and social media policies because the Administrative Simplification Regulations were published years before most people had access to social media. Different people use social media in different ways, so healthcare organizations must develop and enforce their own HIPAA compliant social media policies. Because of the way in which the HIPAA Administrative Simplification Regulations are published, it...
Why is HIPAA Training Important?
HIPAA training is important because it equips healthcare professionals with the knowledge and skills needed to protect patient privacy, prevent data breaches, ensure legal compliance, foster ethical healthcare practices, and maintain trust in the healthcare system, thereby upholding the integrity and security of sensitive health information. HIPAA training serves as a guardian of patient privacy, ensuring that healthcare professionals...
HIPAA Compliance Training for Employees
HIPAA compliance training for all employees, including medical staff, healthcare administrators, and IT staff, is important because it equips these diverse professionals with the knowledge, skills, and ethical principles necessary to collectively protect patient privacy, uphold the confidentiality of sensitive health information, ensure legal compliance with the HIPAA, and foster a culture of trust and integrity within healthcare...
Pros and Cons of HIPAA
HIPAA compliance offers benefits such as safeguarding sensitive data, empowering patients with rights, ensuring data security and confidentiality, fostering standardized healthcare transactions, and maintaining insurance coverage portability, but its implementation involves administrative burdens, costs, potential hindrance to innovation and research, complexities in patient communication, legal consequences for violations,...
Benefits of HIPAA Compliance
HIPAA compliance yields benefits including enhanced patient data security, privacy protection, improved trust through transparent handling of personal health information, standardized and efficient healthcare transactions, patient empowerment through control over their data, and the preservation of health insurance coverage portability during job transitions or life events. HIPAA compliance has brought about a series of significant...
Is Microsoft OneDrive HIPAA Compliant?
Many organizations in the healthcare industry take advantage of cloud storage services because of their convenience and cost-effectiveness. Microsoft OneDrive is one of the most popular cloud storage services, as it is included in all Microsoft business subscriptions; but is OneDrive HIPAA compliant and suitable for storing Protected Health Information in the cloud? The answer to the question of whether OneDrive is HIPAA compliant is that no...
What Does it Take to Make Microsoft Teams HIPAA Compliant?
To make Microsoft Teams HIPAA compliant, it is necessary to select a plan with the capabilities to support compliance, configure the platform to meet the requirements of the Security Rule, and train members of the workforce how to use Microsoft Teams in compliance with HIPAA. It is also necessary to accept the terms of Microsoft’s Business Associate Agreement. Many businesses in the healthcare industry take advantage of Microsoft...
How to Make Google Forms HIPAA Compliant
HIPAA Covered Entities and Business Associates need to know how to make Google Forms HIPAA compliant before using the Workspace service to collect, store, or share Protected Health Information (PHI). Google Forms is a web-based service that is part of the Google Workspace suite of productivity and collaboration tools. The service can be used by healthcare organizations to create surveys and obtain feedback from employees and patients...
4 Out of 10 Medical Devices Have Unpatched Critical Vulnerabilities
A new report from the cybersecurity firm Armis has identified the riskiest connected medical devices used by hospitals in the United States. Connected medical devices are a security weak point, and each year many new vulnerabilities are detected. One of the main problems for healthcare organizations is keeping on top of patching, which can be a challenge for connected medical devices as they are constantly in use. One of the biggest...
HB 300 Training Requirements
Information on the HB 300 training requirements for companies, organizations, and individuals that do business with Texas residents that involves access to protected health information and/or sensitive personal information.
What is Texas HB 300?
HB 300 – Texas House Bill 300 – was passed and signed into law by Texas Governor Rick Perry in June 2011 and took effect on September 1, 2012. The bill amended existing state laws such...
Healthcare Providers, Google Meet and HIPAA Compliance
For the past few years, the good faith use of Google Meet and HIPAA compliance has not been an issue for healthcare providers due to OCR’s Notice of Enforcement Discretion for telehealth during the COVID-19 pandemic. However, with the COVID-19 public health emergency about to expire, healthcare providers will have to start using Google Meet in compliance with HIPAA. During the COVID-19 pandemic, the use of chat, phone, and video...
What Makes an Electronic Signature HIPAA Compliant?
The Department of Health and Human Services has not issued specific guidance about what makes an electronic signature HIPAA compliant other than stipulating “any electronic signature used will result in a legally binding contract under applicable State or other law”. However, this may soon be about to change. In the original text of the Health Insurance Portability and Accountability Act (HIPAA), the Secretary for Health and Human...
HIPAA Security Rule Failures Land Banner Health with $1.25M Financial Penalty
Banner Health has agreed to settle alleged violations of the HIPAA Security Rule with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and will pay a $1.25 million financial penalty. Banner Health will also adopt a corrective action plan to ensure full compliance with the HIPAA Security Rule and will be monitored by OCR for two years. The OCR investigation into HIPAA Security Rule compliance was...
Does HIPAA Apply to Employers?
The answer to the question “does HIPAA apply to employers?” is complicated: although the Health Insurance Portability and Accountability Act affects around half of employers, only a small percentage of employers are required to comply with the Privacy, Security, and Breach Notification standards of the Administrative Simplification provisions. According to a September 2022 report compiled by the Bureau of Labor Statistics, 70% of...
Does HIPAA Apply to Schools?
In most cases, HIPAA compliance is not applicable to educational institutions as they are not deemed HIPAA covered entities, but in some instances a school can be classified as a covered entity if healthcare services are provided to students. Even then, HIPAA may still not apply because any student health information obtained would be included in the students’ education records, and education records are not governed by the HIPAA...
What is HIPAA Email Archiving Compliance?
HIPAA email archiving compliance is an alternative way to describe HIPAA compliant email archiving. However, there is more than one way to archive emails, and different compliance requirements apply depending on whether emails are archived on-premises, in the cloud via an email service provider, or in the cloud via a third-party service provider. It is also important to be aware that the requirements for HIPAA email archiving compliance...
HIPAA Waiver Form
A valid HIPAA waiver form is required whenever a Covered Entity wants to use or disclose Protected Health Information for a purpose not otherwise required by the General Provisions of the Administrative Requirements or permitted by the HIPAA Privacy Rule. Generally, Covered Entities are required to disclose Protected Health Information (PHI) when requested to do so by the Department of Health and Human Services (HHS) or by an...
How Often is HIPAA Training Required?
The text of the HIPAA Privacy Rule and Security Rule related to training doesn’t help answer the question “how often is HIPAA training required?”. However, by reviewing other areas of HIPAA, it is possible to establish that HIPAA training should be provided as often as is necessary to keep the workforce compliant. Considering the importance of HIPAA and the severity of the penalties for noncompliance – fines of more than $1.9 million can be imposed per...
What are the HIPAA Password Requirements?
Before answering the question “what are the HIPAA password requirements?”, it is important to note that passwords are not a requirement of HIPAA if Covered Entities use an alternative authentication method to “verify that a person or entity seeking access to ePHI is the one claimed” (Security Rule Standard §164.312(d)). According to the Department of Health and Human Services’ Guide to the Technical Security Standards, there are three ways in which...
HIPAA and Pictures – The Challenge of Compliance
The relationship between HIPAA and pictures is a challenging area of compliance – especially for healthcare providers who may often receive unsolicited images that do not qualify as Protected Health Information, or who have to contend with patients and visitors taking photos and videos in healthcare environments that can reveal the identities of other patients. Pictures play an important role in the provision of healthcare. They can...
Criminal Prosecutions for HIPAA Violations by Ohio Hospital Employee
Criminal prosecutions for HIPAA violations by hospital employees have been a relatively uncommon occurrence, but the spate of HIPAA prosecutions over the past few years suggests that has now changed. Another case of improper access to PHI has resulted in criminal charges for HIPAA violations being brought against an employee, this time a healthcare provider who worked at the ProMedica Bay Park Hospital in Oregon, Ohio....
What Does Pharmacy HIPAA Compliance Consist Of?
Pharmacy HIPAA compliance consists of meeting the requirements of the HIPAA Administrative Requirements, the Privacy Rule, the Security Rule, and the Breach Notification Rule. However, some pharmacies may be subject to more stringent federal and state laws whose requirements pre-empt HIPAA, while some may not be HIPAA Covered Entities at all. Pharmacies qualify as healthcare providers under HIPAA when they “dispense drugs, devices,...
HIPAA Compliance for Dental Offices
HIPAA compliance for dental offices is not as straightforward as complying with the standards of the Privacy, Security, and Breach Notification Rules because there are instances when federal or state laws can pre-empt HIPAA, when exemptions can apply, or when dental offices do not qualify as HIPAA Covered Entities. Judging by the volume of news stories covered by this website relating to data breaches and HIPAA violations, HIPAA...
What are the HIPAA Rules for Medical Devices?
Since the passing of the HIPAA Privacy and Security Rules and the introduction of the HITECH Act, pharmaceutical companies and medical device manufacturers have had to navigate the HIPAA Rules for medical devices, and this has caused some of those companies a number of problems. For any company required to record, store, or transmit electronic Protected Health Information (ePHI) there are a number of considerations, the most important...
Are Pagers HIPAA Compliant?
Many healthcare providers are asking the question “are pagers HIPAA compliant?” The simple answer is no: pagers are not HIPAA compliant in themselves, but they can be used without violating HIPAA Rules provided that electronic Protected Health Information (ePHI) is not transmitted via pager, or that the data is encrypted. Unfortunately, just like unencrypted emails and SMS text messages, information sent via pager can be intercepted,...
Using a Business Password Manager to Share ePHI in Compliance with HIPAA
Using a business password manager to share ePHI in compliance with HIPAA is a viable alternative to other secure forms of communication if your organization implements a business password manager and the vendor is willing to sign a Business Associate Agreement. One of the most challenging requirements of HIPAA compliance is communicating ePHI in compliance with the Security Rule safeguards. Familiar channels of communication such as...
Is the Use of Mandrill by Healthcare Organizations HIPAA Compliant?
Mandrill is a transactional email service provided by MailChimp. The software allows companies to automatically send emails to customers and other people who interact with their web apps, and it links to MailChimp via an API. Transactional emails differ from marketing emails in that they are triggered by events such as password resets, confirmation of placement of...
Meta Facing Class Action Lawsuit over Use of Health Data for Serving Targeted Advertisements
Another lawsuit has been filed against Meta by a patient who claims her private healthcare information was collected without consent and was used to serve targeted advertisements related to her medical condition. The plaintiff, Jane Doe, was a patient of UCSF Medical Center and the Dignity Health Medical Foundation, who have also been named in the lawsuit. The case stems from the inclusion of Meta Pixel on web pages behind a login on...
HIPAA Compliance and Dropbox: What You Need to Know
Dropbox is one of the most popular and successful file hosting services available online, but does it comply with HIPAA? Dropbox claims it is now fully behind and supportive of HIPAA and HITECH Act compliance, but that does not mean Dropbox itself is HIPAA compliant. No software or file sharing platform can be HIPAA compliant on its own, as compliance depends on how the software or platform is used and on the individuals using it. However,...
Does Amazon Web Services Comply with HIPAA?
Under the Health Insurance Portability and Accountability Act, all providers of a product or service that ‘touches’ PHI are deemed to be business associates and are required to comply with HIPAA Rules. That means appropriate safeguards must be implemented to ensure the confidentiality, integrity, and availability of any PHI that is available through their products or services. Any healthcare entity or vendor obligated to comply...
Web Server Hacking Incident Results in $875,000 HIPAA Fine for Oklahoma State University
On January 5, 2018, Oklahoma State University – Center for Health Sciences (OSU-CHS) reported a web server hacking incident to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The subsequent OCR investigation determined multiple areas of noncompliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA). Yesterday, OCR...
Is Calendly HIPAA Compliant?
Is the scheduling service Calendly HIPAA compliant? The service streamlines how businesses can organize meetings – saving time and improving productivity by eliminating the confusion that results from lengthy email chains. This makes Calendly a popular service across a variety of sectors, but can it be used in the healthcare industry in a HIPAA-compliant manner? The Calendly platform integrates with a number of other...
Sharing Patient Information with Family Over the Phone
When sharing patient information with family over the phone, healthcare providers need to ensure they verify who they are speaking to, that the patient has not objected to their health information being shared, and that any details disclosed to family members comply with the HIPAA Minimum Necessary Standard. When a patient enters hospital, it is understandable that family members want to enquire about their wellbeing. One of the most...
Is SharePoint HIPAA Compliant?
It may be one of the most popular cloud services worldwide, but is SharePoint HIPAA compliant? Microsoft’s SharePoint Online service offers a collaborative cloud-based platform for the storage, management, and sharing of documents. It allows multiple users to view and edit a document simultaneously from various devices and can be integrated with other popular Microsoft applications in most Microsoft 365 and Office 365 enterprise...
Is Box HIPAA Compliant?
Is the cloud storage service Box HIPAA compliant? Box is a cloud data storage and management service that allows users to access data from different devices. However, before it can be utilized in a healthcare setting to manage and store protected health information (PHI), Covered Entities must ensure Box is HIPAA compliant. There are a number of features of Box that make it attractive for users. Once information is uploaded to its...
HIPAA Compliance Software
HIPAA compliance software is an application for overcoming the challenges of complying with HIPAA. Depending on the capabilities of the software, it can help compliance officers more easily identify gaps in compliance, more effectively eliminate gaps in compliance, and more accurately track compliance activities to ensure the organization is complying with HIPAA at all times. HIPAA compliance is a “100% task” inasmuch as if you comply...
HHS Seeks Comment on HITECH Act Requirements Concerning HIPAA Enforcement
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has requested comments from the public on two outstanding requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 that relate to its enforcement of compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR is the main enforcer of HIPAA compliance and investigates complaints and data...
OCR Announces 4 Financial Penalties to Resolve HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights has imposed four financial penalties on healthcare providers to resolve violations of the Health Insurance Portability and Accountability Act (HIPAA). Three dental practices were hit with sizable fines, one for a violation of the HIPAA Right of Access and two for impermissible disclosures of patients’ protected health information (PHI). The HIPAA Right of Access is a...
HHS’ Office for Civil Rights Director Urges HIPAA-Regulated Entities to Improve Cybersecurity
In the United States, healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities are required to comply with the standards of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. The HIPAA Security Rule calls for HIPAA-regulated entities to implement safeguards to ensure the confidentiality, integrity, and availability of...
Bipartisan Bill Proposes Creation of Commission to Investigate U.S. Health Data Privacy Laws
Bipartisan legislation has been introduced in the U.S. to create a commission to analyze federal and state health data privacy laws and make recommendations for closing regulatory privacy gaps. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) sets minimum standards for privacy and security of healthcare data, including placing restrictions on uses and disclosures of personally identifiable...
Healthcare Providers Fined $425,000 by New Jersey for HIPAA and Consumer Fraud Act Violations
The New Jersey Attorney General and the Division of Consumer Affairs have announced that a settlement has been agreed with three New Jersey healthcare providers to resolve an investigation into two data breaches that affected 105,200 individuals, including 80,333 New Jersey residents. The breaches occurred in 2019; the first was the result of a phishing attack and the second was a mailing error that occurred when sending notification...
HHS Imposes 5 Financial Penalties for HIPAA Right of Access Failures
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the closure of five investigations into potential violations of the Health Insurance Portability and Accountability Act (HIPAA), all of which have resulted in financial penalties. The enforcement actions are part of OCR’s HIPAA Right of Access enforcement initiative, which was launched in late 2019. The HIPAA Right of Access gives individuals the...
$130,000 Settlement Agreed with Two New Jersey Printing Companies to Resolve Alleged HIPAA Violations
An investigation conducted by the New Jersey Division of Consumer Affairs into an unauthorized disclosure of the protected health information (PHI) of almost 56,000 New Jersey residents has been settled by New Jersey Acting Attorney General, Andrew Bruck. The two firms will pay financial penalties totaling $130,000 and have agreed to a consent order that requires them to make changes to their policies and procedures to improve data...
New Jersey Fines Infertility Clinic $495,000 for Multiple Violations of the HIPAA Rules
An investigation conducted by the New Jersey Department of Law and Public Safety Division of Consumer Affairs into a data breach at an infertility clinic has been settled, with the clinic operator agreeing to pay a financial penalty of $495,000. Diamond Institute for Infertility and Menopause, LLC (Diamond) is based in Millburn, NJ, and operates two infertility clinics in the state and one in New York. The company...
Guidance on HIPAA and COVID-19 Vaccination Status Disclosures Issued by HHS
In the United States, HIPAA compliance rules restrict uses and disclosures of healthcare data, but there has been considerable confusion about HIPAA and COVID-19 vaccination status disclosures amongst the public, and even members of Congress. The U.S. Department of Health and Human Services’ Office for Civil Rights, the main enforcer of HIPAA, has now released guidance on HIPAA and COVID-19 vaccination status disclosures to help clear...
Pediatric Care Provider Fined $80,000 for HIPAA Right of Access Violation
A pediatric hospital in Omaha, NE has agreed to settle a Department of Health and Human Services’ Office for Civil Rights (OCR) HIPAA investigation and will pay a financial penalty of $80,000 to close the case. The investigation was launched in response to a complaint from a patient who was not provided with a copy of her late daughter’s medical records in a timely manner. HIPAA gives individuals the right to obtain a copy of their...