Does HIPAA Apply to Pharmacies?

To answer the question of whether HIPAA applies to pharmacies, it is necessary to review the definitions of HIPAA Covered Entities, healthcare providers, and health care in the General Administrative Requirements of the Administrative Simplification provisions. Most people assume that HIPAA does apply to pharmacies because pharmacies have access to health information when they fill prescriptions. … Read more

Does HIPAA Apply to Dentists?

There is no straightforward answer to whether HIPAA applies to dentists, because there are times when dentists may not qualify as HIPAA Covered Entities, times when services provided by dentists are not covered by HIPAA regulations, and times when dentists may not have to follow HIPAA privacy or security standards. While healthcare providers are often … Read more

What is HIPAA Compliance Software?

HIPAA compliance software provides a range of tools to help organizations achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) and maintain compliance thereafter. However, because of the complexity of HIPAA, organizations are advised to select a software solution from a vendor who also provides support, training, and guidance. Most HIPAA Covered Entities … Read more

HIPAA Training for Students

Because the HIPAA Privacy Rule defines students as members of a Covered Entity’s workforce, HIPAA training for students should be the same as that for employees. However, in many cases, students may require additional HIPAA training in order to avoid unintentional violations of HIPAA attributable to a lack of knowledge and experience. When medical students … Read more

What are the HIPAA Training Requirements?

Although Title II of the Health Insurance Portability and Accountability Act (HIPAA) stipulates HIPAA training is mandatory “for all members of the workforce”, the Privacy and Security Rules provide few details about specific HIPAA training requirements. The reason the Act is limited with regards to specific HIPAA training requirements is because HIPAA applies to many … Read more

Are phone calls a HIPAA violation?

The rules regarding HIPAA compliance and patient telephone calls have been clarified with a Declaratory Ruling and Order issued by the Federal Communications Commission (FCC). Many healthcare providers have called on the FCC to clarify the rules regarding HIPAA and patient telephone calls by healthcare providers. Healthcare providers further requested information on how the rules … Read more

Is Texting in Violation of HIPAA?

Under certain circumstances, texting Protected Health Information (PHI) can be deemed as a violation of HIPAA. The classification as a violation is dependent upon the message’s content and the recipient. Furthermore, the effort that the sender put into maintaining the integrity of PHI is also considered. If the PHI is well-protected, then texting may be … Read more

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is an important piece of legislation, first introduced in 1996. But, why is HIPAA so important? How has HIPAA helped to improve the healthcare industry and the care given to patients? HIPAA was designed to address one issue in particular: Insurance coverage for individuals that are “between … Read more

Who Enforces HIPAA?

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was introduced. The Act contained many new rules for healthcare organizations across the states, so it is reasonable to take time to consider which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates. Who Enforces HIPAA? The … Read more

Impact of Florida Blue Data Breach Revealed

Florida Blue, the business name of Blue Cross and Blue Shield of Florida, has recently announced that the personally identifiable information of nearly one thousand insurance applicants has been exposed online following a data breach of its network. The organisation was alerted to the exposure of patient data in late August. They immediately launched … Read more

Patient Files Stolen from Storage Facility in New Jersey

Following a break-in at a file storage facility in East Brunswick, New Jersey, the Otolaryngology Associates of Central Jersey is in the process of alerting patients to a breach of their protected health information. The files stolen included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the … Read more

Amazon and MongoDB Announce New Security Features

Amazon Web Services has announced that new safeguards have been incorporated into its cloud service that reduce the probability of users misconfiguring their S3 buckets. If their S3 buckets are not configured in the correct manner, users risk accidentally leaving the data they store on the service unsecured. Amazon will sign a business associate … Read more
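The misconfiguration the announcement refers to is a bucket whose policy or ACL grants access to everyone. The following is an added example, not code from the original article or from AWS, that audits a bucket's policy, ACL and Block Public Access settings offline. The policy, ACL and settings documents are constructed samples in the shape the boto3 `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` calls return; the bucket name, Sids and VPC endpoint ID are invented, and the way the Block Public Access flags are combined is a simplified model of the feature, not AWS's authoritative evaluation logic.

```python
"""Added example: offline audit of an S3 bucket for public exposure.
Sample inputs are constructed; the evaluation rules are simplified."""
import json

# Canned ACL group URIs meaning "everyone" / "anyone with an AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed sample: a bucket policy body granting anonymous reads (assumed names).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Constructed sample: an ACL with a READ grant to AllUsers.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {key: True for key in NO_BLOCK}


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including unauthenticated)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements open to everyone with no Condition.
    Statements scoped by a Condition (e.g. aws:SourceVpce) are skipped; this is
    a simplification, since some Conditions do not actually restrict access."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in statements
        if stmt.get("Effect") == "Allow"
        and _principal_is_anonymous(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def public_acl_grants(acl):
    """Return (group, permission) pairs for grants to AllUsers / AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_ACL_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            found.append((group, grant.get("Permission")))
    return found


def effective_public_exposure(policy_json, acl, block):
    """Combine both checks with the Block Public Access flags (simplified model):
    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises public policy statements. Returns a list of findings, empty if
    nothing is reachable from the internet under this model."""
    findings = []
    if not block.get("IgnorePublicAcls"):
        findings += [f"acl:{group}:{perm}" for group, perm in public_acl_grants(acl)]
    if not block.get("RestrictPublicBuckets"):
        findings += [f"policy:{sid}" for sid in public_policy_statements(policy_json)]
    return findings


if __name__ == "__main__":
    print("without Block Public Access:",
          effective_public_exposure(SAMPLE_POLICY, SAMPLE_ACL, NO_BLOCK))
    print("with Block Public Access:   ",
          effective_public_exposure(SAMPLE_POLICY, SAMPLE_ACL, FULL_BLOCK))
```

To run this against a real account, replace the three constructed documents with the output of the corresponding boto3 calls for each bucket; the check functions take plain dictionaries and strings so they need no network access themselves.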

RBS Releases Report on Data Breach Statistics in 2017

A report covering data breaches in 2017 has recently been released by Risk Based Security (RBS). The report revealed there has been a 305% increase in the number of records exposed in data breaches compared to 2016. RBS, a provider of real-time information and risk analysis tools, analyzed breach reports from the first 9 months … Read more

What is HIPAA compliant email?

Are Emails HIPAA Compliant? The changes made to the Health Insurance Portability and Accountability Act (HIPAA) in 2013 failed to clear much of the ambiguity regarding the HIPAA compliance of emails. The HIPAA Security Rule has been criticised; it did not explicitly ban the use of email to communicate PHI, but instead introduced several requirements … Read more

Californian Wildfires Result in HIPAA Waiver

Earlier this month, the Secretary of the U.S. Department of Health and Human Services issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires. This waiver is like those issued following Hurricanes Irma … Read more

What is the HIPAA electronic signature rule?

The use of electronic or “e-signatures” has seen an increase in recent years in many sectors, including the healthcare industry. However, for some time there was concern over whether the use of such signatures was HIPAA-compliant. After much debate, it is widely deemed that they are not a violation of HIPAA, provided the users put … Read more

Illinois Healthcare System’s Business Associate Experiences PHI Breach

Cook County Health and Hospitals System has recently alerted patients to a breach of their protected health information (PHI). The organisation consists of a health system comprising two hospitals and more than a dozen community health centers in Cook County Illinois, and services many patients. The breach occurred at Experian Health, a business associate of … Read more

CCDA Servers Experience Malware Attack

In August, the Catholic Charities of the Diocese of Albany (CCDA) performed a routine upgrade of its computer security software. While the technicians were working on the upgrade, they discovered that malware had been installed on one of the computer servers used by its Glens Falls office. This office serves patients in Saratoga, Warren and Washington … Read more

How Many HIPAA Violations Since 2016?

The Department of Health and Human Services’ Office for Civil Rights (OCR) has increased its enforcement operations in recent years, and 2016 HIPAA settlements were at the highest levels ever recorded. Overall, payments of $22,855,300 were submitted to the OCR during 2016 to settle alleged HIPAA breaches. Seven settlements were over the figure of $1,500,000. … Read more

What is HIPAA compliant telemedicine?

Telemedicine includes any medical professional or healthcare organization that provides a remote service to patients in their homes or in community centres. The HIPAA Privacy Rule has created some ambiguity about the circumstances and conditions in which it is suitable to transfer ePHI to a patient. Medical professionals often mistakenly believe that communicating ePHI is … Read more

ECKAAA’s Servers Attacked by Ransomware

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has recently announced that it experienced a ransomware attack. The attack caused files on one of the agency’s servers to be encrypted, and thus inaccessible to the agency. They announced that the files contained the protected health information (PHI) of 8,750 patients. The attack occurred … Read more

What are the HIPAA Rules for Dentists?

Many dental offices and dental practitioners are self-contained entities. However, HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business … Read more

Desktop Stolen from Healthcare Office Results in Breach of PHI

Brevard Physician Associates has announced that it has experienced a breach of protected health information (PHI). It states that the breach occurred due to a desktop computer being stolen in a burglary at one of its sites. It has identified nearly 8,000 affected patients. The incident occurred on Labor Day, 2017. As the offices … Read more

Over 680 Patients Affected by TJ Samson Data Breach

An independent care provider, who provides care to patients of TJ Samson Community Hospital in South Central Kentucky, has recently been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients. The data was all connected to patients of the TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia … Read more

New WannaCry Virus Attacks FirstHealth, Carolinas

FirstHealth of the Carolinas, a Pinehurst, NC-based not-for-profit health network, has recently announced that it has experienced a data breach. It has identified the cause of this breach to be a new, rampant WannaCry ransomware variant. WannaCry ransomware was used in worldwide attacks earlier this year. More than 230,000 computers were infected … Read more

Engine Manufacturing Company Experiences Malware Attack

Briggs & Stratton Corporation, a manufacturer of lawnmower engines, has recently reported that it has experienced a breach of PHI resulting from a malware attack. It is not obvious that the company is a HIPAA covered entity; the firm does not work in the healthcare industry and does not act as a business associate to provide … Read more

Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by many organizations to share files. Dropbox claims that it has implemented measures that now make its software both HIPAA and HITECH Act compliant. However, technically no software or file sharing platform can be HIPAA compliant as its compliance depends on how the software or platform is … Read more

Email Phishing Scam Results in Healthcare Organisation Breach

Phishing, the act of obtaining sensitive information such as usernames, bank details or other private information, often for malicious reasons, by disguising as a trustworthy entity via electronic communication, has become the biggest data security threat faced by healthcare organizations. Phishing attacks commonly take the form of fake invoices and package delivery notifications, to hide their true … Read more

Protenus Breach Barometer Report Released

Protenus, an organisation dedicated to patient privacy monitoring of electronic health records, has released its Breach Barometer report. The report shows there was a significant increase in healthcare data breaches in September in comparison to previous months. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and … Read more

Former Texas Children’s Health Plan Employee Breaches HIPAA

Texas Children’s Health Plan has announced a breach of nearly 1,000 patients’ protected health information (PHI). The organisation said that the breach was discovered when they identified the information as having been emailed to the personal email account of a former employee. The incident was discovered on September 21, 2017, although the former employee emailed … Read more

HIV Status of Amida Care Members Revealed Through Mailing Error

Amida Care, a not-for-profit community healthcare service based in New York, has reported a HIPAA breach to the Office for Civil Rights (OCR). Their initial report reveals that the breach has affected nearly 6,250 of its patients. The organisation specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions. This includes … Read more

Server Breach Affects Over 8,000 Patients at ASPC

The Advanced Spine & Pain Center (ASPC) has announced that it has experienced a potential breach and unauthorized use of protected health information. The organisation, based in San Antonio, Texas, has notified as many as 8,362 of its patients that they have been affected by the incident. ASPC became aware of a potential breach … Read more

What are the HIPAA breach notification requirements?

In 1996, the Health Insurance Portability and Accountability Act was introduced. In the two decades since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry. Despite its importance, there still exist many healthcare providers and insurers who are unaware of HIPAA obligations. It has … Read more

Stolen USBs Result in Breach of PHI

The Mann-Grandstaff VA Medical Center in Spokane, WA has announced that it has experienced a breach of PHI. The breach was a result of the theft of two USB drives, which contained the protected health information of almost 2,000 veterans. The devices were stolen on July 18, 2017 from a contract employee while on a … Read more

What are the rules for HIPAA Compliant Telemedicine?

HIPAA compliance rules for telemedicine, which includes any medical professional or healthcare organization that provides a remote service to patients in their homes or in community centres, also apply to call centres. They affect every company providing an answering service or call-forwarding service for the healthcare industry. In 2013, the Final Omnibus Rule updated the Health Insurance … Read more

PHI Records Found Stored in Basement

Dr. Riaz Baber, M.D., a Naperville, Illinois-based psychiatrist, has recently admitted to a breach of patient protected health information (PHI). The breach was discovered when medical files of more than 10,000 patients were found in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored … Read more

Healthcare Data Breach Report for Q3, 2017

In the third quarter of 2017, HIPAA covered entities reported 99 breaches of healthcare data, each involving 500 or more records, to the Department of Health and Human Services’ Office for Civil Rights (OCR). These figures bring the total number of data breaches reported in 2017 up to 272 incidents. The 99 … Read more

What is the best HIPAA mobile device policy?

There has been a huge rise in the number of healthcare workers and other HIPAA-covered entities relying on mobile technology in their day-to-day lives. This rise has seen an increasing use of smartphones, tablets and other portable devices in hospitals, clinics and other places of work. These technological advances have allowed for increased efficiency and … Read more

HHS Withdraws Proposed Rule Following Public Concerns

In January 2014, the Department of Health and Human Services proposed a new rule for certification of compliance for health plans to be introduced into HIPAA legislation. The rule was entitled “Certification of Compliance for Health Plans”. This rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS … Read more

What is HIPAA compliant text messaging?

Since HIPAA’s implementation two decades ago, there has been much ambiguity about whether the use of SMS is HIPAA compliant. Although HIPAA does not explicitly prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards must be implemented to ensure the confidentiality and integrity of PHI when it is “in … Read more

Mid-Michigan Physicians Announce Data Breach

The radiology center of Mid-Michigan Physicians-managed by McLaren Medical Group-has announced today that they have experienced a breach of protected health information (PHI). They have stated that the PHI of over 100,000 patients has potentially been compromised in the breach. McLaren Medical Group announced earlier this month that the breach affected a system that stored … Read more

Is Google Drive HIPAA compliant?

Google Drive is becoming an increasingly attractive option for many companies to store information online. It is cheaper than installing costly hardware systems and IT infrastructures, and it is easy to use and train staff in using. However, despite the advantages, the question remains over whether healthcare professionals can use this technology and remain HIPAA … Read more

Lost Laptop Leaves Patients Vulnerable to Data Breach

A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing. The laptop is thought to have stored protected health information (PHI) of patients of the clinic, and its loss raises the possibility of the exposure of this sensitive patient information. The laptop was … Read more

TheDarkOverlord Makes Another Extortion Attempt

TheDarkOverlord is a hacking group that has been involved in many high-profile cases in recent months, from allegedly accessing the British Royal family’s healthcare information to accessing private user data from medical centres, schools, and even Netflix, the online streaming giant. The primary motivation for their attacks is extortion of those whose data they have stolen. … Read more

Former Employee Accessed PHI of Over 1,100 Patients “Out of Curiosity”

Our Lady of the Angels Hospital has announced the discovery of a breach of patient protected health information (PHI). The breach occurred when a former employee accessed the medical records of 1,140 patients without proper authorization to do so. In accordance with the HIPAA Breach Notification Rules, the affected patients have been informed of the … Read more

Understanding HIPAA for Dummies

HIPAA Simplified History Legislators originally proposed HIPAA in 1996 as a means of addressing the concerns regarding the privacy and security of patient healthcare information and risks brought by novel technologies. Since then, the scope of the Act has expanded considerably. Broadly, HIPAA governs health insurance fraud and tax provisions for medical savings accounts, … Read more

PHI Used for Market Research without Consent

Recently, the MS Center of Saint Louis and Mercy Clinic Neurology Town and Country have announced that they have breached HIPAA regulations. Over one thousand patients are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third parties, even though they may not have given their permission … Read more

Is Skype HIPAA compliant?

Skype has been increasingly used by businesses as a quick and cost-effective form of communication. However, the question remains whether Skype can be used by healthcare professionals in a manner which allows them to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules. There exists some ambiguity surrounding Skype and … Read more

HHS Announces Third Hurricane-Related HIPAA Waiver This Year

In response to the devastating Hurricanes Harvey and Irma that hit the United States earlier this year, the U.S. Department of Health and Human Services issued two partial waivers of HIPAA sanctions and penalties in areas affected. Now, following Hurricane Maria’s wreckage of Puerto Rico and the U.S. Virgin Islands, the government department has issued … Read more

Is Microsoft OneDrive HIPAA Compliant?

Microsoft OneDrive is a cloud storage service that has seen its popularity rise in recent years. Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including Exchange Online for email. Office 365 Business Essentials now includes OneDrive Online, which is a convenient platform for storing and sharing files. It circumvents the traditional issues … Read more

Former Hospital Employee Breaches HIPAA by Emailing PHI

Yolanda Farrar, a former employee of the Arkansas Department of Human Services (DHS), was fired from her position at the state hospital for breaching HIPAA legislation in March 2017. She was discovered to have emailed spreadsheets containing the protected health information of patients to a personal email account. Yolanda Farrar worked as a payment integrity coding analyst … Read more

What happens after an accidental HIPAA violation?

It is in the interest of HIPAA covered entities, business associates, and healthcare employees to take great care to ensure HIPAA Rules are not violated, lest they incur huge fines and possible criminal prosecution. But in the event of an accidental HIPAA violation, what is the best manner for covered entities and their … Read more

Is WhatsApp HIPAA Compliant?

In 2016, WhatsApp announced it was introducing end-to-end encryption for messages sent using its services. This added security measure allows for healthcare organizations to potentially use the platform as a low-cost secure messaging system for the transfer of ePHI. However, there still exists some debate regarding whether WhatsApp is fully HIPAA compliant. With the new … Read more

What are the HIPAA Compliance Rules for Cloud Applications?

The “cloud”, a network of servers used for data storage, has seen widespread use in recent years. It offers a convenient and flexible way for organisations, including healthcare providers and other covered entities, to store files, in comparison to traditional data storage methods. However, before healthcare organisations can make use of these benefits, the question of whether it is possible … Read more

Hospital Staff Who Shared Photos of a Patient’s Injuries Guilty of Privacy Violations

The University of Pittsburgh Medical Center’s Bedford Memorial hospital has announced that an incident occurred at the facility which was in violation of HIPAA legislation. The incident, in which photographs and videos of a patient’s genitals were taken by hospital staff, occurred in late December 2016. This media was shared with other individuals, including those … Read more

AHA Responds to Increased Regulations on Hospitals

The American Hospital Association (AHA) recently sent an open letter to the House Ways and Means Health Subcommittee, in which they suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems. In the letter, the AHA states the regulatory burden on hospitals and health systems is “substantial … Read more

Partial Waiver of HIPAA Privacy Rule Penalties Issued Following Hurricane Harvey

The Department of Health and Human Services has issued a waiver of sanctions and penalties for violations of HIPAA’s Privacy Rule in the Hurricane Harvey disaster zone area. It is often difficult for hospitals to comply with all HIPAA Privacy Rule requirements following a natural disaster. Furthermore, adhering to such requirements can potentially have a negative impact on … Read more

What is the HIPAA Breach Notification Rule?

In 1996, the Health Insurance Portability and Accountability Act was introduced into US law. In the time since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry, with widespread influence. Despite its importance, many healthcare providers and insurers are still unaware of HIPAA rules, and as a … Read more

Delaware Updates Breach Notification Law

Delaware has amended its data breach notification law by introducing some of the strictest requirements of any state. It is the first time in a decade that any change has been made to the law. According to the update, any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or … Read more

What are the most common HIPAA violations?

The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common HIPAA violations of this type are: failure to perform … Read more

Salina Family Healthcare Reports Ransomware Attack

Salina Family Healthcare, based in Kansas, has announced that they were subjected to a ransomware attack earlier this year. They stated that the ransomware was installed on servers and workstations at their offices, resulting in the encryption of their patients’ protected health information (PHI). The healthcare organisation expressed uncertainty as to whether the PHI had … Read more

Jessie’s Law Passed by U.S. Senate

Senators Joe Manchin and Shelley Moore Capito, both of West Virginia, have announced that Jessie’s Law has been passed by the Senate. The legislation was designed to ensure doctors are provided with details of a patient’s previous substance abuse history if the patient has provided consent for the information to be shared. The bill will … Read more

How do you report a HIPAA violation?

It is the responsibility of HIPAA covered entities to ensure that their employees know the correct procedures for reporting a HIPAA violation. It is then the responsibility of the privacy officers of the organisation to make a judgement whether the incident should be directed to the Department of Health and Human Services’ Office for Civil … Read more

OCR Data Breach Portal Updated

In June 2017, the Department of Health and Human Services (HHS) confirmed it was contemplating updating its data breach portal. The portal is commonly referred to as the OCR ‘Wall of Shame’, as all data breaches which have involved 500+ records are listed on it. This list is maintained due to section 13402(e)(4) … Read more

Nearly 300,000 Patients Affected by Ransomware Attack

Women’s Health Care Group of Pennsylvania has announced that they have been subject to a data breach. The organisation states that the breach was noticed in May, and they have notified nearly 300,000 patients that some of their sensitive protected health information has been compromised. The group is one of the largest healthcare networks in … Read more

OCR’s “Wall of Shame” Under Scrutiny

The Office for Civil Rights’ “Wall of Shame” was established in December 2009. This data portal contains summaries of healthcare data breaches published on the website by OCR. The list only provides a short synopsis of data breaches that involved 500 or more records. The information includes the name of the covered entity, the state … Read more

Mississippi DOM Breaches HIPAA due to Email Error

Earlier this month, the Mississippi Division of Medicaid (DOM) announced that over 5,000 Medicaid recipients have had some of their protected health information (PHI) exposed. They stated that the breach occurred via email because of an error with an online form service. DOM discovered that the online form service was sending emails containing PHI to … Read more

Data on Most Common Types of PHI Breach Released

The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common HIPAA violations of this type are: failure to perform … Read more

Healthcare Employee Subject to Investigation by DA’s Office

In addition to having their employment contract terminated, healthcare employees who have been identified as improperly accessing the medical records of patients are also likely to face a criminal investigation into their conduct because of breaching HIPAA rules. This is regardless of the reason why they accessed the medical data in the first place. A … Read more

HITRUST Common Security Framework Updates

The Health Information Trust Alliance (HITRUST) is the most widely adopted privacy and security framework in the United States. Earlier this month, it announced that it has updated the HITRUST Common Security Framework (CSF). Furthermore, it also launched a new CSF initiative specifically designed to help small healthcare organizations protect their PHI against cyberattacks and … Read more

New Secretary of HHS and HIPAA Changes

On February 10, 2017, Tom Price was appointed as Secretary of the Department of Health and Human Services. He has replaced Sylvia Mathews Burwell, who held the post for three years. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities … Read more

HIPAA Privacy Rule Updated to Clear Ambiguity

After calls from healthcare professionals to clear the ambiguity surrounding allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones, the Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance surrounding these issues. Most healthcare professionals are aware that the HIPAA Privacy Rule permits … Read more