In light of the ongoing investigation of Change Healthcare’s ransomware attack that resulted in the improper disclosure of thousands of individuals’ PHI, now seems like a perfect time to discuss HIPAA’s requirements surrounding the notification process following a breach. Whether it’s a small breach where someone in your organization accidentally sent a patient’s contact information …
In March of this year, The Office for Civil Rights of the Department of Health and Human Services issued a letter addressing the recent cybersecurity incident impacting many health care entities, primarily Change Healthcare, a unit of UnitedHealthcare Group (read the letter here). This incident was a great reminder of the constant vigilance required to …
On December 10, 2020, the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) collaborated on announcing proposed HIPAA changes, intended to “empower patients” and “improve coordination of care”. That’s encouraging, although one would have thought that to be unnecessary by now. HIPAA was enacted in 1996. It is a …
Most medical practices view HIPAA compliance as maintaining appropriate documentation regarding patient notices and consents, and controlling access to the PHI within the office; that’s PRIVACY. Practices tend to forget the technology/security side of HIPAA, which requires maintaining, or reasonably attempting to maintain, secure EHR/IT systems; that’s SECURITY. Athens Orthopedic Clinic PA agreed to pay …
The following are just some random thoughts or curated information regarding the impact the COVID pandemic will have on privacy in general, and health information privacy in particular. I have attached a link to information issued by HHS explaining that, not only are HHS and OCR specifically advising that the release of patient information regarding …
Although many believe the HIPAA rules already allow for disclosure of COVID-19 cases on the basis of a public emergency, OCR just issued Guidance, attached in the link below, confirming disclosure is permitted when needed to provide treatment, when notification is required by law, and in order to prevent or control the spread of …
On December 30, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $65,000 settlement with West Georgia Ambulance, Inc. for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. According to HHS, in 2013 the ambulance company reported a breach …
On November 5, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement with the University of Rochester Medical Center (“URMC”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules in 2013 and 2017. According to HHS, URMC …
Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via its FTP server. In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure …
The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced a $111,400 settlement and substantial corrective action plan for a Colorado hospital whose former employee still had access to electronic patient protected health information (“PHI”). In 2013, Pagosa Springs Medical Center failed to de-activate a former employee’s username and password …
The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced a $125,000 settlement for a disclosure of patient protected health information (“PHI”) to a reporter. In 2015, a patient of Allergy Associates of Hartford, P.C. (“Allergy Associates”) contacted a local TV station about a dispute that the patient had with …
HHS has published a very brief guide, in the form of a checklist, to explain the steps for a HIPAA covered entity or business associate to take in response to a cyber related security incident. You can access the checklist at this link: Cyber Related Security Steps …
Community Health Systems announced today, August 18th, that hackers broke into its computers and stole data on 4.5 million patients. The information included names, Social Security numbers, physical addresses, birthdays and telephone numbers. More information on the breach is available at http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/index.html …
U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced yet another enforcement action. Specifically, OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a report that an unencrypted laptop was stolen from the Springfield, Missouri, Physical Therapy Center. The investigation revealed that Concentra had previously recognized in …
A HIPAA security risk assessment (SRA) tool was recently made available through HHS. The tool was developed as a collaborative effort between the HHS Office of the National Coordinator for Health Information Technology (ONC), the HHS Office of Civil Rights (OCR) and the HHS Office of General Counsel (OGC). This SRA tool is intended to …
OCR PREPARING FOR NEXT ROUND OF HIPAA AUDITS. By Paul J. Welk, PT, JD. In a February 24, 2014 notice published in the Federal Register, the Department of Health and Human Services announced a pre-audit survey of HIPAA covered entities and business associates. The information collected will involve a survey of up to 1,200 covered …
Microsoft recently announced that, after April 8, 2014, it will no longer provide security updates or technical support for Windows XP. Microsoft’s statement that “businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements” has spurred a certain level of panic among health …
Accretive Health recently agreed to settle a Federal Trade Commission (FTC) complaint that stems from a July 2011 incident in which an Accretive employee’s laptop was stolen from his car. As a medical billing and revenue management services provider, Accretive grants its employees access to “sensitive personal health information” including “patient names, dates of birth, …
The Department of Health and Human Services (HHS) has released a proposed rule that would modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by allowing health care providers to make certain disclosures to the National Instant Criminal Background Check System (NICS). The NICS aims to keep guns from being sold to those …
A Massachusetts-based dermatology practice recently agreed to pay $150,000 to settle claims that it failed to have sufficient policies and procedures in place to address a breach notification requirement under the HITECH Act. The investigation was initiated following a report that an unencrypted thumb drive containing electronic protected health information of approximately 2,200 individuals was …
HIPAA Omnibus Rule Compliance: Is Your Practice Ready? On January 17, 2013, the United States Department of Health and Human Services released a Final Rule, commonly known as the “HIPAA Omnibus Rule,” which included significant changes to the HIPAA compliance requirements for healthcare covered entities, including private practice rehabilitation and medical providers. The compliance date …
Contributed by Lee Kim, Esq. The CERT program is having a free all-day event tomorrow (June 26, 2013) in Pittsburgh, PA on security incident management for health information exchanges. This event is underwritten by the US Department of Health and Human Services. Registration is free, but required. http://www.cert.org/cybersecurity-hie/. The event will be live and also …
Contributed by Lee Kim 412.594.3915. Healtheway was previously known as the National Health Information Network. It is a non-profit public-private partnership and has announced today its nine founding members. These members include the American Medical Association, Epic, Kaiser Permanente, New York eHealth Collaborative, among others. For the full press release, please see http://finance.yahoo.com/news/healtheway-announces-founding-members-groundbreaking-110000367.html …