Archives: Health Information Privacy


U.S. Department of Education Issues Guidance on Student Medical Records

On September 14, 2016, the Department of Education (DOE) issued a “Dear Colleague Letter” to provide guidance on the application of the Family Educational Rights and Privacy Act (FERPA) to the disclosure of student medical records in the context of litigation. FERPA generally prohibits a school from disclosing personally identifiable information from a student’s education … Continue Reading

Central Ohio Urology Group Notifies 300,000 Patients of Breach

Approximately 300,000 patients of Central Ohio Urology Group have been notified that their protected health information has been stolen and posted online. Although the actual date of the hacking has not been released, the records were posted online on August 2, 2016. The stolen data posted online included names, addresses, telephone numbers, email addresses, dates … Continue Reading

OCR Releases HIPAA Guidance on Cloud Computing

On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance). The Guidance is intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance notes … Continue Reading

3.3 Million Health Records Breached by Business Associate Newkirk

Newkirk Products Inc., which provides ID cards and management services for healthcare organizations, including multiple Blue Cross Blue Shield organizations, has announced that it has discovered that its computer system was compromised starting on May 21, 2016, although the intrusion was not discovered until July 6, 2016. Newkirk has started to notify the 3.3 million … Continue Reading

Ransomware and Malware Continue to Plague Health Care Organizations

We continue to warn health care organizations about the real and serious risks associated with ransomware and malware, but organizations don’t prepare for it adequately and are getting hit hard. Just this past week, several healthcare organizations have publicly announced that they have been victims of ransomware and malware. The organizations include a dermatology practice … Continue Reading

CMS Issues Warning to Nursing Homes Regarding Abuse of Residents Via Social Media

On August 5, 2016, the Centers for Medicare & Medicaid Services (CMS) issued guidance to nursing homes in a letter to state survey agencies (Letter) that addresses nursing homes’ obligations to protect residents. The Letter focuses on potential psychosocial harm to nursing home residents caused by the sharing on social media of demeaning photographs or … Continue Reading

JCAHO Delays Decision Allowing Physicians to Text Orders

We previously reported that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) had lifted its ban on health care providers using text messages for physician orders. JCAHO recently reversed its decision and reinstated the ban, stating that more guidance is needed “to ensure a safe implementation involving the secure texting of orders for those … Continue Reading

Athens Orthopedic Clinic’s EMR compromised by hackers using vendor’s log-in credentials

Athens Orthopedic Clinic in Georgia reported on July 25, 2016, that a hacker gained access to its electronic medical record system at the end of June using the log-in credentials of a third-party vendor. It has determined that patient records in the electronic medical record system were compromised during the hack and it is in … Continue Reading

University of Mississippi Medical Center settles HIPAA violations for $2.75M

The Office for Civil Rights (OCR) has obtained another big settlement from a covered entity resulting from a data breach. This most recent settlement of fines and penalties and a Resolution Agreement is with the University of Mississippi Medical Center (UMMC) for $2.75 million. The OCR commenced an investigation against UMMC after UMMC self-reported a … Continue Reading

Oregon Health & Science University pays $2.7M penalty for data breaches

Oregon Health & Science University (OHSU) has agreed to settle alleged HIPAA violations involving two separate data breaches with the Office for Civil Rights (OCR) for $2.7 million. In the span of three months in 2013, OHSU experienced two reportable data breaches, which triggered investigations by the OCR. The first occurred when an unencrypted laptop … Continue Reading

CMS allows qualified entities to sell claims data

The Centers for Medicare and Medicaid Services released a final rule permitting “qualified entities” to sell Medicare claims data to providers and others for use in improving quality of care. The rule expands on CMS’ Qualified Entity Program, which permits organizations to apply to become qualified to receive Medicare Parts A, B, and D claims … Continue Reading

Physical security still an issue: Pruitt Health suffers breach in break-in

The importance of physical security and the risk associated with the unauthorized access to or loss of paper records is clear from recent experiences of Pruitt Health in South Carolina. On March 2, 2016, an intruder broke the front door glass of one of its home health locations and had access to paper medical records … Continue Reading

OCR levies first fine ever directly against business associate

Our predictions that the Office for Civil Rights (OCR) would become more aggressive with audits, investigations, and fines against HIPAA business associates have come true. On June 24, 2016, the OCR announced that it has settled an investigation with Catholic Health Services of the Archdiocese of Philadelphia (CHCS), stemming from CHCS’ capacity as a HIPAA … Continue Reading

Connecticut Legislative Update: Public Act 16-77: An act concerning patient notices, designation of a health information technology officer, assets purchased for the state-wide health information exchange and membership of the state health information technology advisory council

This legislation (P.A. 16-77) makes substantive and technical changes related to Public Act 15-146, a major public health and health care bill passed by the Connecticut Legislature during its 2015 Legislative Session.

CONNECTICUT HEALTH INSURANCE EXCHANGE CONSUMER INFORMATION WEBSITE

Under current law, Connecticut’s Health Insurance Exchange (HIX) is required, within available resources, to establish and … Continue Reading

HHS guidance seeks to clarify scope of PSQIA

On May 24, 2016, the Department of Health & Human Services (HHS) issued guidance (Guidance) to health care providers and patient safety organizations (PSOs) in an attempt to clarify the definition of patient safety work product (PSWP) under the Patient Safety and Quality Improvement Act of 2005 and its implementing regulations (collectively, the PSQIA). The … Continue Reading

FDA issues guidance on the use of EHRs in clinical investigations

The U.S. Food and Drug Administration (FDA) just issued draft guidance on the Use of Electronic Health Record Data in Clinical Investigations for comment within the next 60 days. The guidance is intended to assist all parties associated with clinical research with the appropriate use of electronic health records in FDA-regulated clinical investigations, which in … Continue Reading

Joint Commission lifts ban on physicians texting patient orders

The Joint Commission, which is the national accrediting organization for health care organizations, has long banned physicians from using text messages to place orders for patient care because of data security concerns. In 2011, the Joint Commission stated that it was not acceptable for health care providers to text orders for patient care, treatment or services. … Continue Reading

Telemedicine nursing licensure compact legislation enacted in 6 states and 7 more right behind

In another case of technology outpacing the law, telemedicine has continued to push the limits of state medical professional licensure laws. Generally, physicians and nurses must be licensed in the state in which they are practicing; yet technology has become so sophisticated that telemedicine is allowing those medical providers to provide access to … Continue Reading

Raleigh Orthopedic Clinic settles with OCR for $750,000 for lack of business associate agreement

Consistent with the settlement the OCR reached with North Memorial Health Care of Minnesota, the Office for Civil Rights has settled its investigation of Raleigh Orthopaedic Clinic, P.A. (Raleigh Orthopaedic) for $750,000. The OCR alleged that Raleigh Orthopaedic “potentially” violated HIPAA “by handing over protected health information for approximately 17,300 patients … Continue Reading

OCR issues audit protocol and targets over 800 entities—business associates too

The Office for Civil Rights (OCR) has issued its revamped audit protocol for its second phase of auditing covered entities and business associates’ compliance with the HIPAA Privacy, Security and Breach Notification Rules. The lengthy audit protocol is posted on the OCR website. It provides general instructions, and then cites each statutory section of the … Continue Reading

Feds identify security vulnerabilities in state healthcare exchange websites

A Government Accountability Office (GAO) examination of the state-run health insurance exchanges for California, Kentucky and Vermont identified inadequate security measures in place to protect consumers’ personal information. While state officials from Kentucky and California denied that any security breaches had occurred or that any personal data had been compromised as a result of the … Continue Reading

FTC, ONC, OCR and FDA release online tool for mobile health app developers

While attending the International Association of Privacy Professionals annual global event, and listening to Chairwoman Edith Ramirez discuss the Federal Trade Commission’s (FTC) concerns about consumer privacy, the FTC, the Office of National Coordinator for Health Information Technology (ONC), Office for Civil Rights (OCR), and the Food and Drug Administration (FDA) announced that they had … Continue Reading

Class action suit filed against 21st Century Oncology for data breach

We previously reported that 21st Century Oncology had suffered a data breach and notified 2.2 million patients that it had been the victim of a hacking that exposed the names, Social Security numbers, physicians’ names, diagnosis information, and insurance information of its patients. Although the intrusion occurred in October 2015, 21st Century … Continue Reading

Transfer of healthcare website information to Facebook alleged to be a HIPAA violation

Filed under the title of creative lawyering, a putative class action case has been filed against Facebook in federal court in Northern California alleging that health care providers and medical organizations have violated HIPAA by allowing Facebook to access user data from searches on the medical providers’ websites. The plaintiffs allege that when they visit … Continue Reading