8 Tips on Giving Patients Access to Their Records

HHS Points to Ways to Improve Compliance With HIPAA Requirements

Under the HIPAA Privacy Rule, patients and their authorized representatives have the right to access their electronic or paper health records. Unfortunately it’s often easier said than done, and federal regulators want that to change. Complaints from patients about the lack of access to their records have remained consistently among the top five issues in HIPAA cases that are...


Cyberattacks Fuel 2017’s Biggest Breaches

With the exception of one large insider theft, hacker attacks, some involving ransomware, continue to be the method of choice behind the biggest health data breaches reported so far this year to federal regulators. As of July 3rd, 149 breaches affecting nearly 2.7 million people have been reported to the Department of Health and Human Services’ ‘wall of shame’. Of those 2017 breaches, 53 are listed as hacking/IT incidents. Even though...


Mississippi Medicaid Website Transmitted Unencrypted Email

Unsecure Email Incident a Reminder of Risks to PHI

A breach report involving the transmission of protected health information via unencrypted email offers a reminder of the need to pay attention to safeguarding PHI no matter where it resides, including website forms used to collect information and smartphone apps. According to the HHS “Wall of Shame”, the Mississippi Division of Medicaid reported on May 26, 2017 to the U.S. Department of Health...


Phishing Incident Leads to $400,000 HIPAA Settlement

HIPAA Enforcement Agency Cites Lack of Timely Risk Analysis, Again

Colorado-based Metro Community Provider Network is just another healthcare entity to learn a painful lesson from the Department of Health and Human Services Office for Civil Rights regarding the importance of conducting a timely and comprehensive risk assessment. The breach was reported in early 2012 after a hacker accessed employees’ email accounts and obtained 3,200...


Texas Ransomware Attack Highlights Need For Legacy Data Protection

A ransomware attack on a Texas urology practice that could potentially affect nearly 280,000 patients ranks as one of the largest health data breaches of 2017. On January 22nd, Urology Austin suffered a ransomware attack that encrypted data stored on its servers. Among the information impacted by the ransomware were names, addresses, birthdates, SSNs, and medical information. Their mitigation effort included restoring data from backups and...


What auditors are focusing on: Desk Audits

The HHS Office for Civil Rights (OCR) is now completing reports of audits performed in 2016 and distributing them. Once the report is received, organizations have 10 days to respond. The following is an overview of a small clinic that was subject to a Privacy Audit by the OCR. This was a desk audit, meaning that the auditors did not come on-site and all information was provided to the OCR by uploading documents to a portal. While a desk audit...


TJC Reverses Decision On Texting Patient Care Orders

Reversing the position taken in May 2016, The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not use secure text messaging platforms to transmit patient care orders. TJC’s earlier position said that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and...


OCR is now targeting BAs for HIPAA violations as settlements are announced

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity. It’s a HIPAA...


Lessons from the 2015 Anthem Breach

It’s been just over a year since February 2015, when health plan Anthem Inc. reported a record-breaking cyber-attack that affected almost 78 million individuals. Since the Anthem breach, the healthcare sector has been the target of several other massive cyber-attacks; however, the Anthem incident still tops the Department of Health and Human Services’ “wall of shame” website as the largest health data...


Expect More HIPAA Audits and Stricter Enforcement in 2016

Look for the Department of Health and Human Services’ Office for Civil Rights to accelerate its recent emphasis on enforcement of HIPAA in its 2016 agenda.

Over a five-week period, the OCR announced plans to collect $5 million in monetary penalties in three enforcement actions against HIPAA covered entities. This increased emphasis on collecting fines and penalties is seen as a move to provide funds for the agency. These funds will be allocated to a program focused on auditing entity compliance with the HIPAA Privacy, Security and Breach Notification Rules, as well as other enforcement and regulatory activities.
