Archives: HIPAA and Health Information


HIPAA Refresher for Workplace Wellness Programs

Now more than ever, workplace wellness programs are becoming increasingly popular among employers. A common concern many employers have is how to design a meaningful workplace program intended to improve the health of participating employees while complying with HIPAA’s privacy and security rules. Although employers are not covered entities, HIPAA may apply to an employer’s … Continue Reading

OCR Levies Hefty Fine Against FQHC

Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network (MCPN), a Colorado-based federally qualified health center, for alleged HIPAA violations. The fine, a whopping $400,000 for the center, which provides health care services to low-income patients, … Continue Reading

ABCD Pediatrics Victim of Ransomware

ABCD Pediatrics, located in San Antonio, Texas, has notified the Office for Civil Rights that a ransomware cyber intrusion has resulted in access to its servers, including the protected health information (PHI) of its patients. The ransomware used by the attackers was Dharma. The practice found through forensic analysis that access had been gained to … Continue Reading

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications from vulnerabilities. According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which … Continue Reading

Erie County Medical Center IT Systems Shut Down By Virus

Erie County Medical Center in Buffalo, New York, has announced that its IT system has been shut down since Sunday, April 11, 2017, due to an unnamed virus. The shutdown has affected the medical facility’s email system, electronic health record and website. Because the electronic health system is not accessible, staff is using paper records for … Continue Reading

Washington University School of Medicine Victim of Phishing Attack

Another employee falls for a phishing attack. This time, it was an employee of the Washington University School of Medicine. The employee received a phishing email on December 2, 2016, fell for what looked like a real request, and responded to it, which allowed access to employee email accounts, which included the health information of 80,000 … Continue Reading

Horizon BCBS of New Jersey Pays State $1.1 million for HIPAA violations

We often forget that state AGs have jurisdiction under the HIPAA Omnibus Rule to levy fines and penalties against HIPAA covered entities for violations. This is because the Office for Civil Rights has traditionally taken the primary role in enforcing HIPAA. But Horizon Blue Cross Blue Shield of New Jersey (Horizon) was reminded of the … Continue Reading

$5.5 Million Shelled Out to OCR for Alleged HIPAA Violations

Florida Memorial Healthcare Systems has agreed to pay the Office for Civil Rights (OCR) $5.5 million to settle alleged HIPAA violations relating to an incident in April 2012 in which two employees accessed the information of 106,000 patients in an unauthorized manner and with criminal intent, including their names, dates of birth, and Social … Continue Reading

Report Summarizes Healthcare Data Breaches in January 2017

Health care data breaches are not slowing. According to a report issued by Protenus, in conjunction with www.databreaches.net, the summary of healthcare data breaches in 2017 continues where 2016 left off. In January 2017, there were 31 data breaches reported to the Office for Civil Rights. The breaches resulted in the compromise of 388,307 patient … Continue Reading

Children’s Medical Center of Dallas Clobbered by OCR

In a rare move by the OCR, it assessed a $3.2 million fine against Children’s Medical Center of Dallas (Children’s) after it issued a Notice of Proposed Determination against Children’s and Children’s failed to request a hearing. The Notice was issued following the OCR’s investigation of two self-reported data breaches. The first involved the theft … Continue Reading

Pagers Compromised Exposing Health Information of Patients

Providence Health & Services, a health system located in Alaska, California, Oregon, Montana and Washington, has reported that its paging system has been breached. An unauthorized individual was able to intercept pages between healthcare workers and post the contents of the pages online between October 25 and October 28, 2016. The pages included patients’ names, … Continue Reading

Three-Month Delay Means Health Network Must Pay

A delay in reporting a HIPAA violation can result in a significant monetary penalty. That was the message sent by the Office for Civil Rights (OCR), which recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (PHI). According to the OCR, Presence Health (a large … Continue Reading

Governors Recommend States Align Privacy Laws with Federal HIPAA

The National Governors Association released a road map report on December 9 entitled, Getting the Right Information to the Right Health Care Providers at the Right Time: A Road Map for States to Improve Health Information Flow Between Providers. The report aims at reducing the legal barriers that prevent the effective and efficient flow of health … Continue Reading

ONC and OCR Issue Joint Fact Sheet on Use of PHI for Public Health Activities

Whenever fact sheets or other guidance is issued by either the Office of the National Coordinator for Health Information Technology (ONC) or the Office for Civil Rights (OCR), it helps gain insight into the thinking of the regulators, so we watch it closely. But when the ONC and OCR issue joint guidance, it is hitting … Continue Reading

21st Century Cures Act Includes Prohibition on Information Blocking and Mandates for Additional HIPAA Guidance

On November 30, 2016, the U.S. House of Representatives voted strongly in favor of the 21st Century Cures Act (the Act), an expansive health bill that addresses the discovery and development of new medical therapies as well as the delivery of health care treatment by providers. In 2015, the House had previously approved an earlier version … Continue Reading

UMass Amherst Settles HIPAA Violations with OCR for $650,000

The Office for Civil Rights (OCR) has announced that the University of Massachusetts Amherst (UMass) has agreed to settle an investigation against it as a result of a malware infection for $650,000, along with implementing a Corrective Action Plan. Although $650,000 is a hefty sum for the allegations, the OCR in its announcement said it … Continue Reading

OCR Stresses Importance of Authentication in Newsletter

In a recent newsletter, the Office for Civil Rights (OCR) encourages health care organizations to review their procedures around authentication and “ensure that they have the appropriate safeguards in place.” The Newsletter, entitled What Type of Authentication is Right for You? states that “[O]ver the past years, the healthcare sector has been one of the … Continue Reading

Three Former Warner Chilcott District Managers Prosecuted for HIPAA Violations

The United States Attorney’s Office for the District of Massachusetts recently announced that three former district managers of the pharmaceutical firm Warner Chilcott have been sentenced for violating the Health Insurance Portability and Accountability Act (HIPAA) and committing healthcare fraud. The allegations include that the district managers directed certain sales representatives to fill out prior … Continue Reading

Confusing Joint Guidance published by OCR and FTC on HIPAA Authorization Forms

There are arguments that there is a dearth of guidance by both the Office for Civil Rights (OCR) and Federal Trade Commission (FTC), so when guidance comes out, we listen. But the most recent guidance jointly issued by the OCR and the FTC is rather confusing. The guidance titled “Sharing Consumer Health Information? Look to … Continue Reading

OCR Releases HIPAA Guidance on Cloud Computing

On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance). The Guidance is intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance notes … Continue Reading

3.3 Million Health Records Breached by Business Associate Newkirk

Newkirk Products Inc., which provides ID cards and management services for healthcare organizations, including multiple Blue Cross Blue Shield organizations, has announced that it has discovered that its computer system was compromised starting on May 21, 2016, although the intrusion was not discovered until July 6, 2016. Newkirk has started to notify the 3.3 million … Continue Reading