Archives: Health Information Privacy


Report Summarizes Healthcare Data Breaches in January 2017

Health care data breaches are not slowing. According to a report issued by Protenus, in conjunction with www.databreaches.net, the summary of healthcare data breaches in 2017 continues where 2016 left off. In January 2017, there were 31 data breaches reported to the Office for Civil Rights. The breaches resulted in the compromise of 388,307 patient … Continue Reading

New HHS Secretary Delays Effective Date of Part 2 Final Rule

We previously reported that the 30-year-old regulations (last updated in 1987) relating to the disclosure of substance abuse treatment information have been updated by SAMHSA to bring them into the modern world of electronic health information [view related post]. The Part 2 Final Rule was to go into effect tomorrow (February 17, 2017). … Continue Reading

Children’s Medical Center of Dallas Clobbered by OCR

In a rare move by the OCR, it assessed a $3.2 million fine against Children’s Medical Center of Dallas (Children’s) after it issued a Notice of Proposed Determination against Children’s and Children’s failed to request a hearing. The Notice was issued following the OCR’s investigation of two self-reported data breaches. The first involved the theft … Continue Reading

Pagers Compromised Exposing Health Information of Patients

Providence Health & Services, a health system located in Alaska, California, Oregon, Montana and Washington, has reported that its paging system has been breached. An unauthorized individual was able to intercept pages between healthcare workers and post the contents of the pages online between October 25 and October 28, 2016. The pages included patients’ names, … Continue Reading

Three-Month Delay Means Health Network Must Pay

A delay in reporting a HIPAA violation can result in a significant monetary penalty. That was the message sent by the Office for Civil Rights (OCR), which recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (PHI). According to the OCR, Presence Health (a large … Continue Reading

Governors Recommend States Align Privacy Laws with Federal HIPAA

The National Governors Association released a road map report on December 9 entitled, Getting the Right Information to the Right Health Care Providers at the Right Time: A Road Map for States to Improve Health Information Flow Between Providers. The report aims at reducing the legal barriers that prevent the effective and efficient flow of health … Continue Reading

FDA Guidance on Cybersecurity in Medical Devices

On December 28, 2016, the Food and Drug Administration (FDA) issued guidance on Postmarket Management of Cybersecurity in Medical Devices. The guidance clarified aspects of the reporting requirements under Part 806 (21 CFR part 806), which require device manufacturers and importers to report certain device corrections and removals to the FDA. Most actions taken by … Continue Reading

November the Worst Month Yet for Healthcare Breaches

We have repeatedly warned the healthcare industry about malware and ransomware [see related posts here and here]. Our predictions have unfortunately come true, as November was the worst month ever for healthcare data breaches, according to self-reports to the Office for Civil Rights (OCR). In the month of November, 57 incidents of … Continue Reading

21st Century Cures Act Includes Prohibition on Information Blocking and Mandates for Additional HIPAA Guidance

On November 30, 2016, the U.S. House of Representatives voted strongly in favor of the 21st Century Cures Act (the Act), an expansive health bill that addresses the discovery and development of new medical therapies as well as the delivery of health care treatment by providers. In 2015, the House had previously approved an earlier version … Continue Reading

UMass Amherst Settles HIPAA Violations with OCR for $650,000

The Office for Civil Rights (OCR) has announced that the University of Massachusetts Amherst (UMass) has agreed to settle an investigation against it as a result of a malware infection for $650,000, along with implementing a Corrective Action Plan. Although $650,000 is a hefty sum for the allegations, the OCR in its announcement said it … Continue Reading

OCR Stresses Importance of Authentication in Newsletter

In a recent newsletter, the Office for Civil Rights (OCR) encourages health care organizations to review their procedures around authentication and “ensure that they have the appropriate safeguards in place.” The Newsletter, entitled What Type of Authentication is Right for You? states that “[O]ver the past years, the healthcare sector has been one of the … Continue Reading

Critical Cyber-Attack on Hospitals Now A Reality- A View From ‘Across the Pond’

Serious trouble for all health and care providers looms large. High risk women in labour and major trauma cases are being diverted to other hospitals after a cyber-attack recently shut down services at a hospital in the East of England, Northern Lincolnshire and Goole Hospitals NHS Foundation Trust. Putting aside why anyone would want to … Continue Reading

Three Former Warner Chilcott District Managers Prosecuted for HIPAA Violations

The United States Attorney’s Office for the District of Massachusetts recently announced that three former district managers of the pharmaceutical firm Warner Chilcott have been sentenced for violating the Health Insurance Portability and Accountability Act (HIPAA) and committing healthcare fraud. The allegations include that the district managers directed certain sales representatives to fill out prior … Continue Reading

Confusing Joint Guidance published by OCR and FTC on HIPAA Authorization Forms

There are arguments that there is a dearth of guidance by both the Office for Civil Rights (OCR) and Federal Trade Commission (FTC), so when guidance comes out, we listen. But the most recent guidance jointly issued by the OCR and the FTC is rather confusing. The guidance titled “Sharing Consumer Health Information? Look to … Continue Reading

U.S. Department of Education Issues Guidance on Student Medical Records

On September 14, 2016, the Department of Education (DOE) issued a “Dear Colleague Letter” to provide guidance on the application of the Family Educational Rights and Privacy Act (FERPA) to the disclosure of student medical records in the context of litigation. FERPA generally prohibits a school from disclosing personally identifiable information from a student’s education … Continue Reading

Central Ohio Urology Group Notifies 300,000 Patients of Breach

Approximately 300,000 patients of Central Ohio Urology Group have been notified that their protected health information has been stolen and posted online. Although the actual date of the hacking has not been released, the records were posted online on August 2, 1016. The stolen data posted online included names, addresses, telephone numbers, email addresses, dates … Continue Reading

OCR Releases HIPAA Guidance on Cloud Computing

On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance). The Guidance is intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance notes … Continue Reading

3.3 Million Health Records Breached by Business Associate Newkirk

Newkirk Products Inc., which provides ID cards and management services for healthcare organizations, including multiple Blue Cross Blue Shield organizations, has announced that it has discovered that its computer system was compromised starting on May 21, 2016, although the intrusion was not discovered until July 6, 2016. Newkirk has started to notify the 3.3 million … Continue Reading

Ransomware and Malware Continue to Plague Health Care Organizations

We continue to warn health care organizations about the real and serious risks associated with ransomware and malware, but organizations don’t prepare for it adequately and are getting hit hard. Just this past week, several healthcare organizations have publicly announced that they have been victims of ransomware and malware. The organizations include a dermatology practice … Continue Reading

CMS Issues Warning to Nursing Homes Regarding Abuse of Residents Via Social Media

On August 5, 2016, the Centers for Medicare & Medicaid Services (CMS) issued guidance to nursing homes in a letter to state survey agencies (Letter) that addresses nursing homes’ obligations to protect residents. The Letter focuses on potential psychosocial harm to nursing home residents caused by the sharing on social media of demeaning photographs or … Continue Reading

JCAHO Delays Decision Allowing Physicians to Text Orders

We previously reported that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) lifted its ban on allowing health care providers to use texts for physician orders. JCAHO recently reversed its decision and reinstated the ban stating that more guidance is needed “to ensure a safe implementation involving the secure texting of orders for those … Continue Reading

Athens Orthopedic Clinic’s EMR compromised by hackers using vendor’s log-in credentials

Athens Orthopedic Clinic in Georgia reported on July 25, 2016, that a hacker gained access to its electronic medical record system at the end of June using the log-in credentials of a third-party vendor. It has determined that patient records in the electronic medical record system were compromised during the hack and it is in … Continue Reading