As Hurricane Florence was making landfall, Department of Health and Human Services Secretary Alex Azar issued HIPAA guidance that outlined when hospitals in declared state of emergency areas can qualify for a waiver of certain provisions of the HIPAA Privacy Rule, including fines and penalties. According to the guidance, “the HIPAA Privacy Rule allows patient … Continue Reading
Data breaches continue to plague the health care industry, and July 2018 was the worst month so far this year in the number of data breaches reported to the Office for Civil Rights (OCR). Thirty-three data breaches were reported by covered entities and business associates in July, with the largest one reported by UnityPoint Health, … Continue Reading
In its July newsletter on cybersecurity, the Office for Civil Rights (OCR) released “Guidance on Disposing of Electronic Devices and Media,” which outlines the requirements health care providers and business associates have regarding the security of electronic data and media under the HIPAA Security Rule. The newsletter reminds health care providers and business associates that … Continue Reading
It is a rare occurrence when a health care entity challenges the Office for Civil Rights (OCR) regarding proposed fines and penalties for HIPAA violations. In my memory, it has only happened once before. On June 1, 2018, an Administrative Law Judge (ALJ) granted summary judgment in favor of the OCR against The University of … Continue Reading
Medical transcription provider MEDantex has reportedly exposed the protected health information of thousands of patients through its unsecured provider portal, which did not require a password for access. According to reports, including KrebsOnSecurity, the patients’ audio medical notes were uploaded to MEDantex’s website, which were then to be transcribed and uploaded to a portal accessible … Continue Reading
Data breaches continue to be an issue for healthcare providers, as indicated when looking at breaches reported to the Office for Civil Rights (OCR), as required by HIPAA. In the first three months of 2018, there were 77 breaches of protected health information (PHI) reported to OCR, which included more than one million patient records. … Continue Reading
On April 30, 2018, a Massachusetts physician was convicted of a criminal violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as one count of obstruction of a criminal health care investigation, in a Massachusetts federal court. The convictions relate to the purported sharing of confidential patient information by the … Continue Reading
The New Jersey Attorney General’s office announced this week that it has fined Virtua Medical Group, which is comprised of more than 50 medical practices in New Jersey, for failing to protect the privacy of 1,650 patients when their medical information was accessible online. The information was uploaded to a password-protected FTP website, but during … Continue Reading
On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located … Continue Reading
In its January newsletter, the Office for Civil Rights (OCR) focused on cyber extortion, which it stated has “risen steadily over the past couple of years and continue to be a major source of disruption for many organizations.” Since the health care industry has been the target of cyber extortion attacks, the OCR is specifically … Continue Reading
In the first settlement for HIPAA violations in 2018, Fresenius Medical Care North America (Fresenius) has agreed to pay $3.5 million to the Office for Civil Rights (OCR) to settle allegations against it relating to five data breaches that occurred over a four month period in 2012. Interestingly, the five separate breaches affected the information … Continue Reading
Covered entities, including employer sponsored health plans, should brace for audits and enforcement of the Privacy, Security, and Breach Notification rules by the Department of Health & Human Service Office of Civil Rights (OCR) following OCR’s recent announcement of a large HIPAA settlement last month on the heels of its release of the preliminary results … Continue Reading
In its November newsletter, the Office for Civil Rights (OCR) made a great point that we are seeing in the industry—the risks associated with previous employees. According to its newsletter, entitled “Insider Threats and Termination Procedures,” the OCR states “Data breaches caused by current and former workforce members are a recurring issue across many industries, … Continue Reading
On December 6, 2017, Henry Ford Health System (HFHS) disclosed that health information of 18,470 patients may have been viewed or stolen. HFHS became aware of the incident on October 3, 2017 after employee credentials were accessed or stolen. According to a statement published on HFHS’ website, Social Security numbers and credit card information were … Continue Reading
In the wake of the national opioid overdose crisis, the Office for Civil Rights (OCR) has provided clarification on when covered entities are permitted to disclose patient information during opioid emergencies. The OCR commented that some health care providers believe that they must have the patient’s consent in order to share information with family members … Continue Reading
The Centers for Medicare & Medicaid Services (CMS) recently issued guidance intended to help clinicians eligible for the Merit-based Incentive Payment System (MIPS) navigate an attestation required thereunder concerning the prevention of information blocking. MIPS was implemented via CMS’s Quality Payments Program final rule with comment period released in 2016, and represents one avenue for … Continue Reading
Paper records continue to be problematic. An Illinois psychiatrist reported to the Office for Civil Rights (OCR) that the medical records of 10,500 patients were stored in the basement of a house that he rented to an individual for at least four years. The tenant was provided a key to the basement by the psychiatrist’s … Continue Reading
Unfortunately, September was another banner month for data breaches involving the health care industry. According to the Office for Civil Rights (OCR) website, 39 data breaches involving over 500 records were reported to the OCR in the month of September. This does not include all records breached, as health care entities have until February 2018 … Continue Reading
With open enrollment in full swing for many employers, now is a good time to review employee benefit communications. Plan sponsors of health plans are generally responsible for properly administering all of the health plan notices required by law, including HIPAA. To ease the administrative burden and to cut costs, these notices can, and often … Continue Reading
Fax machines are still used in the medical community, and these days, faxing may be more secure than emailing as hackers have not yet cracked the task of hacking into old fax machines. All kidding aside, fax machines have been, and continue to be a risk to organizations as they have the ability to store … Continue Reading
Cornerstone Business & Management Solutions, a medical supply company located in Nebraska, has notified 21,856 individuals and the Office for Civil Rights that while performing a routine review of system logs, it discovered a suspicious account on its server downloading personal information of patients using its medical devices, including names, addresses, dates of birth, and … Continue Reading
As more and more state laws allow the use of marijuana for medical conditions, and dispensaries are opening to provide users with access to marijuana for medical purposes (and recreational use), patients are questioning and becoming concerned about the protection of their privacy when purchasing marijuana in dispensaries. The concern is that federal law still … Continue Reading
The U.S. Department of Health and Human Services (HHS) has used its authority to waive certain provisions of HIPAA in response to Hurricane Harvey. HHS previously declared a public health emergency in Texas and Louisiana related to the hurricane and its aftermath. Under the waiver, HHS waives sanctions against covered hospitals that do not comply … Continue Reading
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. Any person who believes that a covered entity or business associate is not complying with HIPAA may file a complaint with OCR (complaints may also be submitted directly to a covered entity). … Continue Reading
