HIPAA and HITECH Compliance

The Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general are authorized to issue penalties for HIPAA violations. Besides paying financial penalties, covered entities must follow a corrective action plan to have policies and procedures that are according to the criteria specified by HIPAA. The Health Insurance Portability and … Read more

The COVID-19 pandemic has not led to any long-term modifications to HIPAA, however, it has seen unmatched flexibilities announced on a non-permanent basis to make it less complicated for healthcare companies and business associates that are battling against COVID-19. In emergency scenarios like disease outbreaks, HIPAA Rules stay effective and the demands of the HIPAA … Read more

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new guidance to make clear how the HIPAA Privacy Law can be applied to disclosures of protected health information (PHI) to aid applications for extreme risk protection orders. In June 2021, the U.S. Department of Justice shared model legislation to give … Read more

West Virginia University Health System is dealing with a class-action lawsuit because of a compromise of the protected health information (PHI) of 7,445 patients, however, the Supreme Court of Appeals of West Virginia has lifted the class certification order. The lawsuit is in connection with an insider data breach that took place in 2016. From … Read more

Ransomware attacks, hacks, and other IT security problems are the cause of major data breach reports sent to the Department of Health and Human Services’ Office for Civil Rights, although data breaches concerning physical documents are likewise common. The Verizon Data Breach Investigations Report showed that exposed physical files made up 43% of all data … Read more

A New Jersey infertility clinic has reached a settlement with the state and will pay a $495,000 penalty fee for its violation of the HIPAA and New Jersey laws as it did not implement appropriate cybersecurity action. Diamond Institute for Infertility and Menopause, LLC (Diamond) in Millburn, NJ operates one healthcare facility in New Jersey, … Read more

Lately, the U.S. Department of Justice has been pursuing healthcare criminal acts and investigations frequently entail the issuance of a HIPAA subpoena. The subpoena pressures HIPAA-regulated entities to give data including patient health records that they are not allowed to reveal because of Privacy Rule prohibitions on uses and disclosures. Under the HIPAA Privacy Rule, … Read more

Two DuPage Medical Group patients are filing a lawsuit against the healthcare company subsequent to a July 2021 ransomware attack whereby patients’ protected health information (PHI) was exposed. DuPage Medical Group encountered a ransomware attack in the middle of July. The forensic investigation confirmed unauthorized people had acquired access to its computer system between July … Read more

Four healthcare employees filed a lawsuit against Amazon because allegedly their Amazon Alexa devices possibly captured conversations without their intention or permission and might have caught health data protected by HIPAA. Amazon Alexa devices listen for words and phrases that awaken the devices and activates them to begin recording. Particularly, the devices listen to the … Read more

Social media platforms including Facebook, Snapchat, Twitter, and Instagram allow healthcare companies to easily promote their services and earn new clients. Healthcare companies could utilize social media platforms to connect with patients, give announcements about their services, and get patients to take on a more dynamic part in their medical care. Although there are a … Read more

There is a lot of misunderstandings concerning the case of questioning a person if they had a COVID-19 vaccine. Is it considered a HIPAA violation, especially pertaining to employers questioning their personnel to give evidence of being vaccinated against COVID-19 to cease using a face mask in the work area? The Health Insurance Portability and … Read more

The National Institute of Standards and Technology (NIST) is preparing to modify and make updates to its guidance on carrying out the HIPAA Security Regulation and is looking for ideas from stakeholders on facets of the guidance that ought to be adjusted. NIST publicized the guidance – NIST Special Publication (SP) 800-66, Revision 1, An … Read more

Devised by the Department of Health and Human Services as part of the 21st Century Cures Act, the information blocking and interoperability regulations became enforceable on April 5, 2021. These new regulations set out what information blocking entails and states that penalties can be imposed when providers engage in practices that disrupt access, exchange, and … Read more

Montefiore Medical Center has found out that another employee accessed patient records without having any valid work reason. The report of New York hospital in February 2020 stated that an employee was identified to have accessed patient health records without any authorization for a period of 5 months in 2020, and another employee was identified … Read more

The Delaware Superior Court dismissed a legal action filed on behalf of affected individuals of a Brandywine Urology Consultants data breach because the plaintiffs failed to present proof showing they had experienced harm because of the breach. Brandywine Urology Consultants encountered a ransomware attack on January 27, 2020 The attack was identified after two days … Read more

The Department of Health and Human Services’ Office for Civil Rights has stated that it is going to implement enforcement discretion and will not issue financial penalties on HIPAA-covered entities or business associates in the event of HIPAA rules violations associated with the honest use of online or web-based scheduling applications (WBSAs) for booking individual … Read more

The U.S. Court of Appeals for the Fifth Circuit has reversed the $4,348,000 HIPAA violation charges enforced by the Department of Health and Human Services’ Office for Civil Rights on the University of Texas M.D. Anderson Cancer Center. The Civil Monetary Penalty was charged to M.D. Anderson in 2018 after the investigation of three data … Read more

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices are now ubiquitous in the workforce due to the vast range of benefits offered to employers. They allow individuals to readily communicate with each … Read more

The Secretary of the Department of Health and Human Services (HHS), has declared a public health emergency in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian. On September 4, the Secretary, Alex Azar, also declared in North Carolina, retroactive to September 1, 2019. Secretary Azar’s announcement comes as … Read more

Kaspersky Labs has released a report revealing significant deficiencies in the cybersecurity training provided to healthcare employees.  The study was conducted by surveying 1,758 healthcare employees in the United States and Canada. Kaspersky Lab, a vendor of cybersecurity software, instigated the study to investigate potential causes for the substantial increase in cybersecurity breaches in recent … Read more

The Department of Veteran Affairs Office of Inspector General (VA OIG) has discovered severe security failings at the Tibor Rubin VA Medical Center in Long Beach, California.  A recent inspection by the VA OIG uncovered security vulnerabilities related to medical device workarounds and multiple compliance issues with the Veterans Health Administration (VHA) and VA policies.  The … Read more

In response to the Tropical Storm Barry that made landfall in Louisiana on July 13, the Secretary of the US Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties. The HHS announced a public health emergencies in the areas affected by the storm on July 12, 2019. The … Read more

UChicago Medicine faces a potential class-action lawsuit for allegedly sharing patient information with Google with having the correct authorization to do so. The lawsuit names UChicago Medicine, UChicago Medical Center, and Google, and was filed by Matt Dinerstein, a former patient of UChicago Medicine. The suit claims patient information that still had personal identifiers attached … Read more

Kingman Regional Medical Center (KRMC) is in the process of notifying patients that their sensitive data may have been compromised following the discovery of a flaw on its website which may have allowed unauthorized users to access patient data. KRMC became aware of the security issue on April 8, 2019. Their IT team immediately took … Read more

Takai, Hoover & Hsu has terminated a nurse for accessing the protected health information (PHI) of 16,542 without the correct authorization to do so. The healthcare provider, owned by Takai, Hoover & Hsu and based in Germantown, MD, has stated that the information may have been passed on to a third-party and used for fraud … Read more

On May 24, 2019, the Department of Health and Human Services issued a clarification on business associates liability for violations of the Health Insurance Portability and Accountability Act. HHS Office for Civil Rights released information on what violations could result in a HIPAA fine for business associates of HIPAA covered entities. According to the HHS … Read more

The Department of Health and Humans Services has issued a notification of enforcement discretion in which they have reduced the maximum financial penalty for three of the four HIPAA violation tiers. The notification, entitled ‘Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties’, was published on April 20th. In 2009, the Health Information Technology for … Read more

Michigan-based Brookside ENT and Hearing Center has announced its closure following a ransomware attack on their facility resulted in all of their patient files being permanently destroyed. The practice-run by just two doctors-lost access to patient records, appointment schedules, payment information, and other sensitive after a hacker gained access to their network and infected it … Read more

The healthcare and fitness tech industry is booming, with millions of users across the US using these devices and apps to track everything from their weight, sleeping habits, heart rate, and food consumption. Some of this information is similar to that collected by healthcare organisations when monitoring their patients. However, there is a vast difference … Read more

The Internal Revenue Service has launched a tax-related phishing awareness campaign. The campaign is designed to inform taxpayers fo the twelve most common tax scams, known as the ‘Dirty Dozen”. Each tax season, the IRS raises awareness of the most common phishing campaigns in an attempt to protect taxpayers, businesses, and tax professionals. Cybercriminals are particularly … Read more

Ransomware attacks against healthcare organisations are becoming increasingly common. However, many individuals are still uncertain as to what constitutes a ransomware attack, and the potential consequences it has on an organisation. This article provides some background on ransomware attacks, outline how these attacks occur, and offer some guidance on how employees can mitigate the risk … Read more

The U.S. Department of Health and Human Services has issued a four-volume publication on voluntary cybersecurity best practices for healthcare organisations. The publication includes guidelines for managing cyber threats and protecting patients. It is hoped that the guidelines will help all organisations that handle the protected health information (PHI) and other sensitive information of patients … Read more

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App which would only take a “low level” of skill to exploit. The Philips HealthSuite Health Android App is used by individuals to help … Read more

On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. According to the National Institute on Drug Abuse, over 100 people die every day in the United States from overdosing on opioids. Hundreds more suffer due addiction to opioids, which include drugs such as pain relievers, heroin, and fentanyl … Read more

Anthem, Inc., a health insurance company and the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, has been levied the largest ever fine for a HIPAA violation for the February 2015 attack on their servers which saw over 78.8 million records stolen. The Anthem data breach settlement of $16 … Read more

A hospital in New York has fired several employees following a security breach. Claxton-Hepburn Medical Center, a not-for-profit 115-bed community hospital in Ogdensburg, NY, announced that several employees accessed patient protected health information (PHI) without proper authorisation to do so. This violates the Health Insurance Portability and Account Act (HIPAA). Officials at the hospital discovered … Read more

Legacy Health has announced that the PHI of 38,000 patients was stolen during a phishing attack on their facility. Legacy Health is a non-profit hospital system based in Portland, Oregon. The organisation consists of six hospitals and employs upwards of 10,000 staff. IT security staff at Legacy Health discovered the breach on June 21. The … Read more

OCR’s Iliana Peters has stepped in to replace Deven McGraw, Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR), in an interim role. Peters will serve as Acting Deputy Director until a suitable replacement for McGraw can be identified. Peters has departed her role as … Read more