HHS Issues Clarification On Business Associates Liability
On May 24, 2019, the Department of Health and Human Services issued a clarification on business associates liability for violations of the Health Insurance Portability and Accountability Act. HHS Office for Civil Rights released information on what violations could result in a HIPAA fine for business associates of HIPAA covered entities. According to the HHS Fact Sheet on direct liability of business associates, fines can be incurred...
Maximum Penalties for HIPAA Violations Changed by HHS
The Department of Health and Humans Services has issued a notification of enforcement discretion in which they have reduced the maximum financial penalty for three of the four HIPAA violation tiers. The notification, entitled ‘Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties’, was published on April 20th. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act increased the...
Brookside ENT and Hearing Center Announces Closure Following Ransomware Attack
Michigan-based Brookside ENT and Hearing Center has announced its closure following a ransomware attack on their facility resulted in all of their patient files being permanently destroyed. The practice-run by just two doctors-lost access to patient records, appointment schedules, payment information, and other sensitive after a hacker gained access to their network and infected it with ransomware. As with most ransomware attacks, the...
Report Released on Issues of Healthcare Data Collected by Non-HIPAA Covered Entities
The healthcare and fitness tech industry is booming, with millions of users across the US using these devices and apps to track everything from their weight, sleeping habits, heart rate, and food consumption. Some of this information is similar to that collected by healthcare organisations when monitoring their patients. However, there is a vast difference in the responsibilities of these organisations and the healthcare tech industry...
IRS Launches 2019 Dirty Dozen Campaign
The Internal Revenue Service has launched a tax-related phishing awareness campaign. The campaign is designed to inform taxpayers fo the twelve most common tax scams, known as the ‘Dirty Dozen”. Each tax season, the IRS raises awareness of the most common phishing campaigns in an attempt to protect taxpayers, businesses, and tax professionals. Cybercriminals are particularly active in the period from January to April as they attempt...
What is Ransomware?
Ransomware attacks against healthcare organisations are becoming increasingly common. However, many individuals are still uncertain as to what constitutes a ransomware attack, and the potential consequences it has on an organisation. This article provides some background on ransomware attacks, outline how these attacks occur, and offer some guidance on how employees can mitigate the risk of such an attack befalling their organisation....
HHS Guidelines on Cybersecurity Best Practices for Healthcare Organisations Released
The U.S. Department of Health and Human Services has issued a four-volume publication on voluntary cybersecurity best practices for healthcare organisations. The publication includes guidelines for managing cyber threats and protecting patients. It is hoped that the guidelines will help all organisations that handle the protected health information (PHI) and other sensitive information of patients create a robust cybersecurity...
ICS-CERT Discovers Vulnerability in Philips Health App
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App which would only take a “low level” of skill to exploit. The Philips HealthSuite Health Android App is used by individuals to help them achieve activity targets and health goals. The app collects user...
President Trump Signs Opioid Bill into Law
On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. According to the National Institute on Drug Abuse, over 100 people die every day in the United States from overdosing on opioids. Hundreds more suffer due addiction to opioids, which include drugs such as pain relievers, heroin, and fentanyl (a synthetic opioid). According to the Centers for Disease Control and Prevention, the...
Anthem Settles for Record $16 Million with OCR
Anthem, Inc., a health insurance company and the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, has been levied the largest ever fine for a HIPAA violation for the February 2015 attack on their servers which saw over 78.8 million records stolen. The Anthem data breach settlement of $16 million is nearly three times the previous record-holder for largest HIPAA fine ($5.55 million) and...
New York Hospital Fires Employees Following Security Breach
A hospital in New York has fired several employees following a security breach. Claxton-Hepburn Medical Center, a not-for-profit 115-bed community hospital in Ogdensburg, NY, announced that several employees accessed patient protected health information (PHI) without proper authorisation to do so. This violates the Health Insurance Portability and Account Act (HIPAA). Officials at the hospital discovered the mishandling of PHI during...
Patient Data Stolen in Legacy Health Phishing Attack
Legacy Health has announced that the PHI of 38,000 patients was stolen during a phishing attack on their facility. Legacy Health is a non-profit hospital system based in Portland, Oregon. The organisation consists of six hospitals and employs upwards of 10,000 staff. IT security staff at Legacy Health discovered the breach on June 21. The staff quickly launched an investigation to determine the cause and scope of the breach....
Press America Inc Faces Lawsuit Over HIPAA Breach
Press America, Inc, a mail service used by a pharmacy benefit manager CVS Pharmacy, is being sued for the occurrence of an accidental disclosure of 41 people’ protected health information. As a subcontractor to supply a mail-order pharmacy service for the health planCVS Pharmacy is a business associate of health plan CVS Pharmacy and, as such, both bodies must adhere with HIPAA Rules. CVS Pharmacy completed a business associate...
Iliana Peters Now Acting Deputy at the OCR
OCR’s Iliana Peters has stepped in to replace Deven McGraw, Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR), in an interim role. Peters will serve as Acting Deputy Director until a suitable replacement for McGraw can be identified. Peters has departed her role as senior advisor for HIPAA Compliance and Enforcement at OCR. There are no plans in place to bring...
HIPAA Alliance Marketplace Matches Healthcare Organizations With HIPAA-Compliant Business
This week has seen the launch of a new platform that streamlines the process of searching for HIPAA-compliant business associates. The HIPAA Alliance Marketplace has been developed to match HIPAA covered entities with trusted vendors that have been independently verified as HIPAA-compliant. Healthcare organizations are required to comply with Health Insurance Portability and Accountability Act Rules, and so too must their business...
HIPAA Compliant Business Associates Easier to Locate with New Tool
The challenge of finding HIPAA compliant business associates has been addressed with the introduction of a new tool to simplify this task. Healthcare organizations are only allowed to use business associates that comply with HIPAA Rules and sign a business associate agreement. Finding HIPAA compliant business associates is time consuming, although locating vendors willing to follow HIPAA Rules is only part of the steps that must be...
Improperly Configured Cloud Services in Over Half of Businesses
The healthcare sector has made great waves recently in embracing cloud based technology. Most healthcare groups now implementing secure cloud storage services to host web applications or store data which contains electronic protected health information (ePHI) pertaining to subscribers. However, as the proliferation of secure cloud storage systems continues at pace, it does not mean data breaches will not be experienced, and neither...
Almost 500K Records Exposed in September Healthcare Data Breaches
The Breach Barometer report from for September has been released and shows there was a significant increase in healthcare data breaches during that month. The report collates healthcare data violations reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and security breaches recorded by databreaches.net. The latter of which have yet to appear on the OCR ‘Wall of Shame.’ Overall,...
HIPAA Compliance and Skype: What You Need to Know
Skype and other text messaging platforms are a useful way of broadcasting information, but there are some questions to be answered in relation to HIPAA compliance of the service. There has recently been a lot of discussions and debate regarding this. There are security measure implemented by Skype to prevent unauthorized access of information transmitted via the platform and messages are encrypted. However it might still be unclear if...
Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS
The Department of Health and Human Services, at the start of 2014, completed a proposal for introducing a new rule to bring in an official certification of compliance for health plans. The proposed rule would have obligated all controlling health plans (CHPs) to complete a variety of documentation to HHS to confirm compliance with electronic transaction standards established by the HHS under HIPAA Rules. The main objective pf proposed...
Redlock Report: Cloud Storage Services are Misconfigured in over Half of Businesses
According to a recent study by cloud threat defense firm RedLock, more than half of businesses have made mistakes that have exposed sensitive data in the cloud. The report reveals that as muc as 53% of organizations are not following established security best practices, such as using multi-factor authentication for all privileged account holders. Worse again, many businesses are notmonitor their cloud environments constantly which...
Should Identity Theft Protection Services Be Offered to Data Breach Victims Under HIPAA?
The HIPAA Breach Notification Rule stated that covered bodies must advise people once their ePHI has been compromised. It is less clear if it is a requirement that credit monitoring and identity theft protection services should be be offered to those affected. HIPAA does not stata outright whether credit monitoring and identity theft protection services should be given to people affected by a data violation. The decision whether or...
OCR Issue Clarification on HIPAA Disclosure Rules
The Department of Health and Human Services’ Office for Civil Rights OCR, has, following the recent attacks in Las Vegas, moved to issue a clarification on HIPAA Rules regarding disclosures to family, friends and other people. In the aftermath of Hurricane Irma and Hurricane Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the regions where both hurricanes occurred. Such a waiver is often, but not...
Data Breach at Med Center Health affects almost 160,000 of its Patients
The FBI has been investigating a large Med Center Health data breach that affects many affiliates and approximately 160,000 patients. Hackers are not believed to be responsible for the Med Center Health data breach, in fact it is thought that the data was stolen by an ex-employee. It is understood that the thief took a large variety of personal data such as the names, home addresses, insurance information, procedure codes, billing...
February Sees Dramatic Rise in Insider Healthcare Data Breaches
In its most recent healthcare data breach report. Protenus has indicated that the month of February witness a significant increase in insider healthcare data breaches. The February Breach Barometer report shows that there were 31 reported healthcare data breaches during February. Although that number is equal to January 2017, when a total of 31 healthcare data breaches were also reported, the number of insider healthcare data breaches...
Highmark BCBS of Delaware Probes Data Break Impacting 19K People
Highmark BlueCross BlueShield of Delaware is probing a data break which has affected 19,000 payees of employer-paid health policies. The data break affects 2 contractors of Highmark BCBS – BCS Financial Corporation and Summit Reinsurance Services. Highmark BSBC director of secrecy as well as information supervision, Karen Kane, released a statement stating 16 former and current Highmark self-insured clients have been affected....
$475K Settlement for Late HIPAA Break Notice
The Division of Health and Human Services’ OCR has publicized the 1st HIPAA payment of current year. This is additionally the 1st settlement so far exclusively based on a needless delay to break notice after the revelation of patients’ safeguarded health info. Presence Health, among the biggest healthcare systems serving people of Illinois, has consented to pay OCR $475K to resolve possible HIPAA Break Notice Law breaches. After a...
UMass to Pay the Office for Civil Rights $650K to Settle HIPAA Breaches
The Division of Health and Human Services’ OCR has consented to a $650K agreement with University of Massachusetts Amherst (UMass). The agreement solves HIPAA breaches that caused the UMass undergoing a malware contagion in 2013. In early 2013, a malevolent program was set up on a computer terminal in the Center for Speech, Language, and Hearing. The infection led to the forbidden revelation of the electronic safeguarded health...
St. Joseph Health to make Payment of OCR $2.14 Million to Resolve HIPAA Case
The Division of Health and Human Services’ OCR has declared it has decided to resolve possible breaches of the HIPAA Security and Privacy Laws with St. Joseph Health (SJH). St. Joseph Health has to pay $2,140.50 to OCR and implement a corrective action plan (CAP) to bring procedures and policies up to the standard required by HIPAA. St. Joseph Health is a not-for-profit cohesive Catholic health care distribution method backed by the...
Assistance on HIPAA as well as Cloud Computing Released by HHS
The Division of Health and Human Services has issued revised advice on cloud computing and HIPAA to assist protected bodies to take benefit of the cloud devoid of endangering a HIPAA breach. The key emphasis of the help is the usage of cloud service providers (CSPs). CSPs which are lawfully independent bodies from a HIPAA-covered body are categorized as business associates as per HIPAA rules if the cloud service provider has to...
$400K HIPAA Payment for BAA Failures
The Section of Human and Health Services’ OCR has stated it has concluded an agreement with Care New England Health System (CNE) to settle suspected breaches of the HIPAA. CNE should reimburse a financial fine of $400K and should implement a complete Corrective Action Plan (CAP) to tackle different parts of HIPAA defiance. Care New England Wellbeing Organization (CNE) offers central company help for several subordinate allied...
Revised Safety Risk Evaluation Device Announced by ONC
OCR has a preference to resolve HIPAA conformity problems through voluntary conformity as well as non-punitive ways, even though financial fines are these days becoming more usual. If OCR detectives discover HIPAA breaches, financial fines might be imposed. Penalties of as much as $1.5 million can be imposed for each breach type found. Among the most usual causes for a financial fine is the failure to carry out a complete,...
Biggest Ever HIPAA Agreement: Advocate Health to Reimburse OCR $5.5 Million
Previous month, the Department of Health and Human Services’ OCR publicized 2 huge agreements with protected entities to settle suspected HIPAA breaches. Nevertheless, even the $2.7 million, as well as, $2.75 million settlements at UMMC and OHSU were not big as compared to the latest implementation case. OCR has just publicized it has consented to the biggest ever HIPAA agreement with a single protected body. Advocate Health Care...
2.75 Million Dollar HIPAA Agreement Achieved with UMMC
Immediately after the 2.7 million HIPAA break agreement with OHSU comes news of one more multi-million-dollar agreement with one more university. The Division of Health and Human Services’ OCR declared four days ago that University of Mississippi Medical Center (UMMC) has consented to settle down suspected HIPAA breaches and will reimburse a monetary fine of $2.75 million. UMMC has also consented to implement a corrective action plan...
Oregon Health & Science Varsity to Pay The Office for Civil Rights $2.7 Million for 2013 Data Breaks
Oregon Health & Science University (OHSU) has consented to resolve a lawsuit with the Division of Health and Human Services’ OCR originating from 2 data breaks suffered in 2013. A fine of $2.7 million will be funded by OHSU to resolve suspected HIPAA breaches without confession of responsibility. The secrecy breaks happened soon after each other during 2013. Within the duration of 3 months, the safeguarded health information of...
Philadelphia BA Agrees to $650K OCR Payment
The Division of Health and Human Services’ OCR issued particulars of a settlement which was concluded with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) on June 24, 2016. CHCS has approved to settle down suspected HIPAA breaches with the Office for Civil Rights OCR as well as has approved to execute a Corrective Action Plan. Catholic Health Care Services of the Archdiocese of Philadelphia will also reimburse...
$1.55 Million HIPAA Agreement for Want of BAA as well as Risk Study Failures
The Division of Health and Human Services’ OCR has declared it has achieved an agreement with North Memorial Health Care of Minnesota on suspected HIPAA breaches from a 2011 data break. North Memorial has consented to pay $1,550,000 to OCR to settle down the HIPAA violation fees. After a PHI break reported on September 27, 2011, OCR carried out an inquiry and found HIPAA violations that contributed to the cause of a breach of...
HIPAA Business Associate Informs 31K Record Data Violation
Omaha-based Seim Johnson, a commercial partner of several healthcare providers in Nebraska and outside, has declared that one of its laptops was thieved in Nashville, Tennessee, revealing almost 31,000 healthcare patient files. The laptop had the protected health information of 30,972 healthcare patients, including 4,200 patients of Community Hospital in McCook, Nebraska. It’s not sure which other healthcare providers were functioning...
Apple Health HIPAA Violation Affects 91K Medicaid Receivers
As per a statement released by Steve Dotson, HCA risk manager, a Washington State Health Care Authority (HCA) worker has breached the safeguarded health info of 91,000 Apple Health Medicaid package customers over a duration of nearly 3 years. All affected persons are being informed that their name, Social Security number, Apple Health ID number, date of birth, and private health info were improperly revealed between 2013 and 2015. The...
Two Employees Sacked for Jason Pierre-Paul HIPAA Violation
Earlier in July 2015, Jason Pierre-Paul, New York Giant football team member paid a visit to Jackson Memorial Hospital of Miami for medication following a fireworks mishap. News reports appeared soon after verifying Pierre-Paul had undergone a major hand damage. At the time of the disaster, the football player was discussing a new $60 million agreement with the Giants. ESPN’s Adam Schefter succeeded to get control of Pierre-Paul’s...
Borgess Rheumatology Notifies 700 Patients of Mailing Mistake
Borgess Rheumatology has notified that 700 of its patients have been affected by a mailing mistake which happened on December 9, 2015. That revealed their PHI. Although no Social Security numbers or other extremely confidential data have been revealed, concerned patients have had their names as well as the truth that they get medical services at Borgess Rheumatology revealed to another patient. In each one incident, a lone patient...
Lincare Inc to Disburse $239,800 CMP for HIPAA Infringement
For just the second time in its past, OCR has instructed a HIPAA-covered body to disburse civil fiscal fines for HIPAA infringements. Lincare Inc. is needed to pay $239,800 for breaches of the HIPAA Secrecy Law which were found during the inquiry of a complaint concerning an infringement of 278 patient data. The Secrecy Law breach – 45 C.F.R. § 164.530(i) – was lately approved by a U.S. Department of Health as well as Human Services...
Survey Shows Law Companies are not Complying with HIPAA Regulations
The Health Insurance Portability and Accountability Act (HIPAA) deals with health insurers, healthcare providers, and healthcare clearinghouses, and all covered entities are required to comply with HIPAA Privacy, Security, and Infringement Announcement Laws. HIPAA additionally applies to vendors as well as other firms carrying out business with covered bodies, which are classified as HIPAA Business Associates. In case a Business...
ONC Publicizes Final 10-Year Interoperability Program
On Tuesday, the Office of the National Coordinator for Health IT announced the long-anticipated final 10-Year Interoperability Program. After the announcement of the draft form of the program in January 2015, the Office of the National Coordinator wanted remarks from interested parties. More than 250 remarks were received, which were utilized to fine- tune the plan before the announcement of the final form. The final Countrywide...
Existing Risk of Scam from 2012 Philadelphia Ambulance HIPAA Break
This week the Philadelphia Fire Department informed a data break involving 750 people who had utilized the ambulance facility in 2012. Three years before a worker of Intermedix, the company accustomed to managing the Fire Department’s data requirements, had been provided access to files; however, one worker utilized his data access rights to thieve financial files of patients. The files were thieved to file fake tax returns as per an...
Indiana Attorney General Announces $12,000 HIPAA Penalty for Discarded PHI
The Indiana Attorney General’s Office has announced its first penalty for Health Insurance Portability and Accountability Act violations pursuant to part 13410(e) of the HITECH Act. The penalty of $12,000 was imposed on ex Kokomo dentist, Joseph Beck, for unlawfully throwing out of the Protected Health Information (PHI) of his patients. 63 boxes of private records comprising an approximated 7,000 files were found in an Olive Branch...
Business Associates Constitute 40 Percent of HIPAA Breaks
In the 1st quarter of 2013, 40 percent of all HIPAA breaks involving the revelation of PHI that affected over 500 people were the consequence of the acts of BAs of HIPAA–protected entities. The problem seems to be increasing because throughout the preceding 4 years BAs caused 30 percent of all registered HIPPA security breaks. This fact hasn’t been overlooked by the Division of Health and Human Services. A fresh rule has been created...
Highmark Branch Visionworks Struck by 75K HIPAA Break
Highmark Inc., the Pennsylvania-based health Insurance business, has declared today that Visionworks, one of its branches, has misplaced a computer server having the medical files of roughly 75,000 patients. The medicinal information saved on the server contained particulars of patients’ trips to Visionworks optometrists, their lens recommendations and names as well as addresses. The HIPAA break is believed to have possibly revealed...
Boston Business Associate Sacked Over 15K HIPAA Violation
MDF Transcription Services, a Business Partner of Boston Medical Center, has been sacked after a HIPAA breach that revealed the secret data of roughly 15,000 people when their information was publicized on an unsafe transcription website. The HIPAA breach wasn’t found by the hospital, but by a different healthcare provider who noted that information had been erroneously displayed on the website. According to a statement provided...
HIPAA Violations Cost Healthcare Industry $5.6 Billion a Year
A latest statement from the Ponemon Institute has emphasized the gravity of the danger from cyber-attacks and must serve as a notice to healthcare providers that they should improve data safety. The cost to the industry is substantial. Data violations are projected to cost the healthcare trade $5.6 billion a year, and that money might be put to much better use conducting research and improving healthcare facilities. While the report...
Wellpoint Approves $1.7 Million Payment for HIPAA Breaches
Wellpoint is among the leading providers of Affiliated Health Policies, with nearly 36 million policy holders throughout the United States. Fraction of its databank of policy holders was accessible to illegal persons between October 23, 2009, and March 7, 2010. The safety infringement was brought to the notice of Wellpoint in March 2010 when a litigation was recorded in California by a claimant who found it was likely to access the...
Idaho State University Instructed to Pay $400K Settlement for HIPAA Violation
Disobeying HIPAA rules can incur severe fines, as found by Idaho State University this month. The organization has lately been compelled to settle down with the Division of Health and Human Services’ Office of Civil Rights for suspected breaches of the HIPAA Privacy Law. Penalties were issued for HIPAA non-compliance problems pertaining to inadequacies, network security which revealed secret patient health info to 3rd parties. ISU had...
HIPAA Comprehensive Rule Comes into Force
The HIPAA Comprehensive Regulation was printed on Jan 25, 2013, by the Division of Health and Human Services (HHS) like an improvement to the Health Insurance Portability and Accountability Act (HIPAA). The latest rule came into effect on March 26, 2013, and changes current HIPAA rules to provide greater safety of patient data; spreading the reach of HIPAA as well as changing rules to conform them with the Health Information...
Texas Lady Pleads Guilty to HIPAA Breaches
U.S. Lawyer John M. Bales has declared that Joneshia Cranford, a 33-year old inhabitant of Lufkin in the Eastern Region of Texas, has pleaded guilty to breaches of the Health Information Portability and Accountability Law of 1996. Cranford was accused of wrongly accessing the Safeguarded Health Info of patients at the healthcare establishment where she worked and revealing that info for financial compensation, with the lady pleading...
Alaska DHSS Arrives at $1.7M Agreement with OCR for HIPAA Safety Rule Breaches
The thievery of a moveable hard drive from a worker of the Alaska Department of Health and Social Services (DHSS) possibly revealed the ePHI of about 2,000 persons. After an inquiry by the HHS Office for Civil Rights (OCR), an agreement has been achieved and the DHHS should pay the HHS $1.7 million for the HIPAA Safety Law breaches. The U.S. Division of Health and Human Services’ Office for Civil Rights was warned to the violation...
Online Patient Calendars Bring about $100K HIPAA Violation
Prior to displaying Safeguarded Health Info on any website, it’s necessary that the method is evaluated for safety dangers. If a website is maintained or owned by a 3rd party or a cloud service is offered, an authorized business associate contract should also be obtained prior to any info is publicized. It might appear obvious that ePHI can’t be publicized on freely accessible websites; nevertheless, it’s a fault that can simply be...
Blue Cross Blue Shield to Reimburse HHS $1.5M for HIPAA Infringement
The Office for Civil Rights has accomplished its first implementation action developing from the HITECH Infringement Notice Rule and has penalized Blue Cross Blue Shield of Tennessee (BCBST) for breaching the Security and Privacy Regulations of the Health Insurance Portability and Accountability Law (1996). BCBST has currently bargained a disbursement with the HHS and will disburse $1.5 million for the security infringement for its...
Negligence in Business Associate Security Results in 20K Patient HIPAA Infringement
As per a New York Times story circulated this week, the health reports of 20,000 patients of Stanford University Hospital in Palo Alto, Calif., have been announced online and available to the public for nearly a year after a mistake was made by one of the hospital’s business partners. The hospital as well as its service provider – Multi-Specialty Collection Services of Los Angeles (MSCS) – verified that a work sheet having the medical...
Health Net Penalized 55K for Late HIPAA Infringement Notice
Health Net, Connecticut-based insurance firm is to pay a penalty of $55,000 to the Office of Vermont Attorney General for HIPAA disobedience and failing to safeguard the information of the state’s policyholders after a HIPAA data infringement that revealed the private health info of 1.5 million persons. The Health Insurance Portability and Accountability Act (1996) needs all protected entities inform security infringements that reveal...