Archives: HIPAA and Health Information


Second Largest Business Associate Breach in 2017

Cornerstone Business & Management Solutions, a medical supply company located in Nebraska, has notified 21,856 individuals and the Office for Civil Rights that while performing a routine review of system logs, it discovered a suspicious account on its server downloading personal information of patients using its medical devices, including names, addresses, dates of birth, and … Continue Reading

Privacy Tip #107 – Medical Marijuana Privacy

As more and more state laws allow the use of marijuana for medical conditions, and dispensaries are opening to provide users with access to marijuana for medical purposes (and recreational use), patients are questioning and becoming concerned about the protection of their privacy when purchasing marijuana in dispensaries. The concern is that federal law still … Continue Reading

HHS Issues Limited Waiver of HIPAA Sanctions Post-Hurricane Harvey

The U.S. Department of Health and Human Services (HHS) has used its authority to waive certain provisions of HIPAA in response to Hurricane Harvey. HHS previously declared a public health emergency in Texas and Louisiana related to the hurricane and its aftermath. Under the waiver, HHS waives sanctions against covered hospitals that do not comply … Continue Reading

OCR Releases “Improved Web Tool” for Breach Reporting

The Office for Civil Rights (OCR) recently issued an “improved web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and learn how all breaches of health information are investigated and successfully resolved.” The tool, called “The HIPAA Breach Reporting Tool” (HBRT), allows individuals … Continue Reading

Unencrypted Backup Drive of 531 EEG Patients Lost

Baptist Medical Center South, located in Jacksonville, Florida has admitted that one of its backup drives has been missing since May 18, 2017. The unencrypted backup drive contained the protected health information of 531 patients who underwent an EEG at the facility between 2015 and 2017. It has not been recovered to date. The backup … Continue Reading

NJ Gov. Chris Christie Seeks to Ease HIPAA Restrictions in Cases of Opioid Overdose

Last week, New Jersey Governor Chris Christie told reporters that he is in talks with representatives from the U.S. Department of Health and Human Services and the U.S. Department of Justice about easing HIPAA restrictions in situations where individuals have experienced an opioid overdose. Gov. Christie chairs the presidential commission on opioid abuse. Speaking to … Continue Reading

Medicaid Documents Thrown in Dumpster

The North Dakota Department of Human Services has admitted that one of its employees threw Medicaid claim resolution worksheets into a dumpster instead of disposing of them in a secure onsite shredding receptacle. The result? The documents were found in the dumpster by a citizen who notified the Department, which then notified almost 2,500 patients of … Continue Reading

Privacy Tip #92 – Finally, HHS Is Removing SSNs from Medicare Cards

For those of you who know me, you know that I have been very frustrated with the federal and state governments for continuing to use Social Security numbers for eligibility, enrollment and participating in Medicare and Medicaid. This includes listing individuals’ Social Security numbers on the Medicare and Medicaid cards. The good news is that … Continue Reading

“Fireball” Malware a Threat to Health Care Industry

A new report released by Check Point has security personnel working in the health care industry particularly concerned and they are warning their colleagues about the existence of “Fireball.” Fireball, released by a Chinese operation, has infected approximately 250 million computers worldwide. According to the report, the malware hijacks web browsers and turns computers into … Continue Reading

HHS Releases Health Care Industry Cybersecurity Task Force Report

This week, the Department of Health and Human Services (HHS) issued its “Report on Improving Cybersecurity in the Health Care Industry,” which is the culmination of a year-long effort on behalf of the Cybersecurity Task Force, made up of industry professionals from the public and private sectors to identify and develop recommendations “on the growing … Continue Reading

OCR Issues Reminder on Security Incidents

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care … Continue Reading

OCR Settles With Texas Health System for $2.4 Million for Disclosing PHI to Media In a Press Release

The Office for Civil Rights (OCR) issued a press release today announcing that it has settled alleged HIPAA violations with Memorial Hermann Health System (MHHS) for $2.4 million. According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff … Continue Reading

HIPAA Refresher for Workplace Wellness Programs

Now more than ever, workplace wellness programs are becoming increasingly popular among employers. A common concern many employers have is how to design a meaningful workplace program intended to improve the health of participating employees while complying with HIPAA’s privacy and security rules. Although employers are not covered entities, HIPAA may apply to an employer’s … Continue Reading

OCR Levies Hefty Fine Against FQHC

Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network (MCPN), a Colorado-based federally qualified health center, for alleged HIPAA violations. The fine, a whopping $400,000 for the center, which provides health care services to low income patients, … Continue Reading

ABCD Pediatrics Victim of Ransomware

ABCD Pediatrics, located in San Antonio, Texas has notified the Office for Civil Rights that a ransomware cyber intrusion has resulted in access to its servers, including the protected health information (PHI) of its patients. The ransomware used by the attackers was Dharma. The practice found through forensic analysis that access had been gained to … Continue Reading

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications from vulnerabilities. According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which … Continue Reading

Erie County Medical Center IT Systems Shut Down By Virus

Erie County Medical Center in Buffalo, New York has announced that its IT system has been shut down since Sunday, April 11, 2017, due to an unnamed virus. The shut-down has affected the medical facility’s email system, electronic health record and website. Because the electronic health system is not accessible, staff is using paper records for … Continue Reading

Washington University School of Medicine Victim of Phishing Attack

Another employee falls for a phishing attack. This time, it was an employee of the Washington University School of Medicine. The employee received a phishing email on December 2, 2016, fell for what looked like a real request, and responded to it, which allowed access to employee email accounts, which included the health information of 80,000 … Continue Reading

Horizon BCBS of New Jersey Pays State $1.1 million for HIPAA violations

We often forget that state AGs have jurisdiction under the HIPAA Omnibus Rule to levy fines and penalties against HIPAA covered entities for violations. This is because the Office for Civil Rights has traditionally taken the primary role in enforcing HIPAA. But Horizon Blue Cross Blue Shield of New Jersey (Horizon) was reminded of the … Continue Reading

$5.5 Million Shelled Out to OCR for Alleged HIPAA Violations

Florida Memorial Healthcare Systems has agreed to pay the Office for Civil Rights (OCR) $5.5 million to settle alleged HIPAA violations relating to an incident that occurred in April 2012 in which two employees accessed patient information of 106,000 patients in an unauthorized manner and with criminal intent, including their names, dates of birth, and Social … Continue Reading

Report Summarizes Healthcare Data Breaches in January 2017

Health care data breaches are not slowing. According to a report issued by Protenus, in conjunction with www.databreaches.net, the summary of healthcare data breaches in 2017 continues where 2016 left off. In January 2017, there were 31 data breaches reported to the Office for Civil Rights. The breaches resulted in the compromise of 388,307 patient … Continue Reading

Children’s Medical Center of Dallas Clobbered by OCR

In a rare move by the OCR, it assessed a $3.2 million fine against Children’s Medical Center of Dallas (Children’s) after it issued a Notice of Proposed Determination against Children’s and Children’s failed to request a hearing. The Notice was issued following the OCR’s investigation of two self-reported data breaches. The first involved the theft … Continue Reading