The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity. It’s a HIPAA...
It’s been just over a year since health plan Anthem Inc. reported, in February 2015, a record-breaking cyber-attack that affected almost 78 million individuals. In the year since the Anthem breach, the healthcare sector has been the target of several other massive cyber-attacks; however, the Anthem incident still tops the Department of Health and Human Services’ “wall of shame” website as the largest health data...
Look for the 2016 agenda for the Department of Health and Human Services’ Office for Civil Rights to accelerate its recent emphasis on enforcement of HIPAA.
Over a five-week period, the OCR announced plans to collect $5 million in monetary penalties in three enforcement actions against HIPAA covered entities. This increased emphasis on collecting fines and penalties is seen as a move to provide funds for the agency. These funds will be allocated to a program focused on auditing entity compliance with the HIPAA Privacy, Security and Breach Notification Rules, as well as other enforcement and regulatory activities.
Several recent large data breaches involving email mishaps serve as a reminder of precautions that healthcare entities must take with protected health information contained in digital communications that are sent or received by their organizations.
Recent incidents listed on the HHS “wall of shame” include two incidents at the North Carolina Dept. of Health and Human Services. Another reported incident, not yet publicly posted on the HHS website, occurred at the University of Cincinnati Health.
HIPAA is not a new issue for healthcare providers; however, the ever-changing threat landscape, along with the OCR’s renewed commitment to compliance and enforcement, reinforces the need for healthcare providers to ensure that they are focused on preparing for privacy or security issues that are increasingly occurring.
As the healthcare industry continues to digitize patient records, that data is a growing target for cybercriminals intent on committing medical identity theft and fraud.
The number of individuals affected by medical identity theft in the U.S. increased 22 percent in 2014 compared to the previous year—an increase of nearly half a million victims.
The recent string of major hacker attacks in the healthcare sector, including the cyber-attack on UCLA Health, highlights the need for healthcare providers to step up their security programs.
St. Elizabeth’s Medical Center in Massachusetts has been hit with a $218,000 HIPAA penalty. This penalty is the result of an investigation stemming from two security incidents.
The first incident involved staff members using an Internet site to share documents containing patient data without first assessing risks. The second involved the theft of a worker’s personally owned unencrypted laptop and storage device.
Recent health data breaches once again have business associates (BAs) grabbing headlines, which reinforces the importance of scrutinizing third parties handling PHI.
Recently, North Shore-LIJ Health System reported that it did not learn about a breach at one of its BAs until eight months later. Shortly thereafter, Medical Informatics Engineering, which offers a Web-hosted electronic health record system as well as personal health records, disclosed that it was the target of a breach that affected its clients and their patients.
Beacon Health System of Indiana, which includes two hospitals (Elkhart General Hospital in Elkhart and Memorial Hospital in South Bend), recently had to notify patients about a security breach. The breach was caused by a phishing attack targeting employee emails. An investigation showed that some of the emails were compromised as early as 2013 and the breach was not discovered until March 2015. Among the information accessed were names, Social Security numbers, birth dates, and driver’s license numbers.