HIPAA laws protect many things – from the rights of individuals to carry health insurance coverage between jobs to the integrity of the Medicare program. However, the HIPAA laws are best known for protecting the privacy of individually identifiable health information maintained by health plans and qualifying health care providers. Strictly speaking, the content of … Read more
The HIPAA training requirements in the Privacy and Security Rules can be a source of confusion for some Covered Entities and Business Associates. This is because, despite stipulating HIPAA training is mandatory for all members of the workforce, the Rules provide few details about specific HIPAA training requirements. The reason the Act is limited with … Read more
To answer the question does HIPAA apply to pharmacies, it is necessary to review the definitions of HIPAA Covered Entities, healthcare providers, and health care in the General Administrative Requirements of the Administrative Simplification provisions. Most people assume that HIPAA does apply to pharmacies because pharmacies have access to health information when they fill prescriptions. … Read more
There is no straightforward answer to does HIPAA apply to dentists because there are times when dentists may not qualify as HIPAA Covered Entities, times when services provided by dentists are not covered by HIPAA regulations, and times when dentists may not have to follow HIPAA privacy or security standards. While healthcare providers are often … Read more
HIPAA compliance software provides a range of tools to help organizations achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) and maintain compliance thereafter. However, because of the complexity of HIPAA, organizations are advised to select a software solution from a vendor who also provides support, training, and guidance. Most HIPAA Covered Entities … Read more
Because the HIPAA Privacy Rule defines students as members of a Covered Entity´s workforce, HIPAA training for students should be the same as that for employees. However, in many cases, students may require additional HIPAA training in order to avoid unintentional violations of HIPAA attributable to a lack of knowledge and experience. When medical students … Read more
The rules regarding HIPAA compliance and patient telephone calls have been clarified with a Declaratory Ruling and Order issued by the Federal Communication Commission (FCC). Many healthcare providers have called on the FCC to clarify the rules regarding HIPAA and patient telephone calls by healthcare providers. Healthcare providers further requested information on how the rules … Read more
Under certain circumstances, texting Protected Health Information (PHI) can be deemed as a violation of HIPAA. The classification as a violation is dependent upon the message’s content and the recipient. Furthermore, the effort that the sender put into maintaining the integrity of PHI is also considered. If the PHI is well-protected, then texting may be … Read more
The Health Insurance Portability and Accountability Act (HIPAA) is an important piece of legislation, first introduced in 1996. But, why is HIPAA so important? How has HIPAA helped to improve the healthcare industry and the care given to patients? HIPAA was designed to address one issue in particular: Insurance coverage for individuals that are “between … Read more
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was introduced. The Act contained many new rules for healthcare organizations across the states, so it is a reasonable take time to consider which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates. Who Enforces HIPAA? The … Read more
Florida Blue, the business name of Blue Cross and Blue Shield of Florida, has recently announced that the personally identifiable information of a nearly one thousand insurance applicants has been exposed online following a data breach of their network. The organisation was alerted to the exposure of patient data in late August. They immediately launched … Read more
Following a break-in at a file storage facility in East Brunswick, New Jersey, the Otolaryngology Associates of Central Jersey is in the process of alerting patients to a breach of their protected health information. The files stolen included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the … Read more
Amazon Web Services has announced that new safeguards have been incorporated into its cloud server that reduce the probability that users to misconfigure their S3 buckets. If their S3 buckets are not configured in the correct manner, users risk accidentally leaving the data they store on the server unsecured. Amazon will sign a business associate … Read more
A report covering data breaches in 2017 has recently been released by Risk Based Security (RBS). The report revealed there has been a 305% increase in the number of records exposed in data breaches compared to 2016. RBS- a provider of real time information and risk analysis tools-analyzed breach reports from the first 9 months … Read more
Are Emails HIPAA Compliant? The changes made to the Health Insurance Portability and Accountability Act (HIPAA) in 2013 failed to clear much of the ambiguity regarding the HIPAA compliance of emails. The HIPAA Security Rule has been criticised; it did not explicitly ban the use of email to communicate PHI, but instead introduced several requirements … Read more
Earlier this month, the Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires. This waiver is like those issued following Hurricanes Irma … Read more
The use of electronic or “e-signatures” has seen an increase in recent years in many sectors, including the healthcare industry. However, for some time there was concern over whether the use of such signatures was HIPAA-compliant. After much debate, it is widely deemed that they are not a violation of HIPAA, provided the users put … Read more
Cook County Health and Hospitals System has recently alerted patients to a breach of their protected health information (PHI). The organisation consists of a health system comprising two hospitals and more than a dozen community health centers in Cook County Illinois, and services many patients. The breach occurred at Experian Health, a business associate of … Read more
In August, the Catholic Charities of the Diocese of Albany (CCDA) performed a routine upgrade of its computer security software. While the technicians were working on the upgrade, they discovered that malware had been installed on one of the computer servers used by its Glens Falls office. This office serves patients in Saratoga, Warren and Washington … Read more
The Department of Health and Human Services’ Office for Civil Rights (OCR) has increased its enforcement operations in recent years, and 2016 HIPAA settlements were at the highest levels ever recorded. Overall, payments of $22,855,300 were submitted to the OCR during 2016 to settle alleged HIPAA breaches. Seven settlements were over the figure of $1,500,000. … Read more
Telemedicine includes any medical professional or healthcare organization that provides a remote service to patients in their homes or in community centres. The HIPAA Privacy Rule has created some ambiguity about the circumstances and conditions in which it is suitable to transfer ePHI to a patient. Medical professionals often mistakenly believe that communicating ePHI is … Read more
The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has recently announced that it experienced a ransomware attack. The attack caused files on one of the agency’s servers to be encrypted, and thus inaccessible to the agency. They announced that the files contained the protected health information (PHI) of 8,750 patients. The attack occurred … Read more
Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies. The patient list was created and used by the company to inform patients of a new practice that was opening in the area. In mid-July this year, one of … Read more
Many dental offices and dental practitioners are self-contained entities. However, HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business … Read more
The Brevard Physician Associates has announced that they have experienced a breach of protected health information (PHI). They state that the breach occurred due to a desktop computer being stolen in a burglary at one of their sites. They have identified nearly 8,000 affected patients. The incident occurred on Labor Day, 2017. As the offices … Read more
An independent care provider, who provides care to patients of TJ Samson Community Hospital in South Central Kentucky, has recently been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients. The data was all connected to patients of the TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia … Read more
FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health network, has recently announced that it has experienced a data breach. They have identified the cause of this breach to be the new, rampant, WannaCry ransomware variant. WannaCry ransomware was used in worldwide attacks in earlier this year. More than 230,000 computers were infected … Read more
Briggs Stratton Corporation, a manufacturer of lawnmower engines, has recently reported that they have experienced a breach of PHI, resulting from a malware attack. It is not obvious that the company is a HIPAA covered entity; the firm does not work in the healthcare industry and does not act as a business associate to provide … Read more
Dropbox is a popular file hosting service used by many organizations to share files. Dropbox claims that it has implemented measures that now make its software both HIPAA and HITECH Act compliant. However, technically no software or file sharing platform can be HIPAA compliant as its compliance depends on how the software or platform is … Read more
Phishing-the act of obtaining sensitive information such as usernames, bank details or other private information, often for malicious reasons, by disguising as a trustworthy entity via electronic communication-has become the biggest data security threat faced by healthcare organizations. Phishing attacks commonly take the form of fake invoices and package delivery notifications, to hide their true … Read more
Protenus-an organisation dedicated to patient privacy monitoring of electronic health records-has released its Breach Barometer report. The report shows there was a significant increase in healthcare data breaches in September in comparison to previous months. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and … Read more
Texas Children’s Health Plan has announced a breach of nearly 1,000 patient’s protected health information (PHI). The organisation said that the breach was discover when they identified the information as having been emailed to the personal email account of a former employee. The incident was discovered on September 21, 2017, although the former employee emailed … Read more
Amida Care-a not-for-profit community healthcare service based in New York-has reported a HIPAA breach to the Office of Civil Rights (OCR). Their initial report reveals that the breach has affected nearly 6,250 of its patients. The organisation specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions. This includes … Read more
The Advanced Spine & Pain Center (ASPC) has announced that it has experienced a potential breach and unauthorized use of their protected health information. The organisations-based in San Antonio, Texas, has notified as many as 8,362 of their patients that they have been affected by the incident. ASPC became aware of a potential breach … Read more
In 1996, the Health Insurance Portability and Accountability Act of 1996 was introduced. In the two decades since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry. Despite its importance, there still exist many healthcare providers and insurers who are unaware of HIPAA obligations. It has … Read more
The Man-Grandstaff VA Medical Center in Spokane, WA has announced that it has experienced a breach of PHI. The breach was a result of the theft of two USB drives, which contained the protected health information of almost 2,000 veterans. The devices were stolen on July 18, 2017 from a contract employee while on a … Read more
HIPAA compliance rules for telemedicine-which includes any medical professional or healthcare organization that provides a remote service to patients in their homes or in community centres-also apply to call centres. It affects every company providing an answering service or call-forwarding service for the healthcare industry. In 2013, the Final Omnibus Rule updated the Health Insurance … Read more
Dr Riaz Baber, M.D.-a Naperville, Illinois-based psychiatrist-has recently admitted to a breach of patient protected health information (PHI). The breach was discovered medical files of more than 10,000 patients of have been found in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored … Read more
In the third quarter of 2017, Q3, 2017, HIPPA covered entities reported 99 breaches of healthcare data, each involving more than 500 records, reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). These figures bring the total number of data breaches reported in 2017 up to 272 incidents. The 99 … Read more
There has been a huge rise in the number of healthcare workers and other HIPAA-covered entities relying on mobile technology in their day-to-day lives. This rise has seen an increasing use of smartphones, tablets and other portable devices in hospitals, clinics and other places of work. These technological advances have allowed for increased efficiency and … Read more
In January 2014, the Department of Health and Human Services proposed a new rule for certification of compliance for health plans to be introduced into HIPAA legislation. The rule was entitled “Certification of Compliance for Health Plans”. This rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS … Read more
Since its implementation two decades ago, there has been much ambiguity in whether the use of SMS is HIPAA compliant. HIPAA does not explicitly prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards must be implemented to ensure the confidentiality and integrity of PHI when it is “in … Read more
The radiology center of Mid-Michigan Physicians-managed by McLaren Medical Group-has announced today that they have experienced a breach of protected health information (PHI). They have stated that the PHI of over 100,000 patients has potentially been compromised in the breach. McLaren Medical Group announced earlier this month that the breach affected a system that stored … Read more
Google Drive is becoming an increasingly attractive option for many companies to store information online. It is cheaper than installing costly hardware systems and IT infrastructures, and it is easy to use and train staff in using. However, despite the advantages, the question remains over whether healthcare professionals can use this technology and remain HIPAA … Read more
A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing. The laptop is thought to have stored protected health information (PHI) of patients of the clinic, and its loss raises the possibility of the exposure of this sensitive patient information. The laptop was … Read more
TheDarkOverlord is a hacking group that has been involved in many high-profile cases in recent months, from allegedly accessing the British Royal family’s healthcare information to accessing private user from medical centres, schools, and even Netflix, the online streaming giant. The primary motivation for their attacks is extortion of those whose data they have stolen. … Read more
Our Lady of the Angels Hospital has announced the discovery of a breach of patient protected health information (PHI). The breach occurred when a former employee accessed the medical records of 1,140 patients without proper authorization to do so. In accordance with the HIPAA Breach Notification Rules, the affected patients have been informed of the … Read more
HIPAA Simplified History Legislators originally proposed HIPAA in 1996 as a means of addressing the concerns regarding the privacy and security of patient healthcare information and risks brought by novel technologies. Since then, the Act has expanded into an act of legislation. Broadly, HIPAA governs health insurance fraud and tax provisions for medical savings accounts, … Read more
Recently, the MS Center of Saint Louis and Mercy Clinic Neurology Town and County have announced that they have breached HIPAA regulations. Over one-thousand patients of the are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third-parties, even though they may not have given their permission … Read more
Skype has been increasingly used by business as a quick and cost-effective form of communication. However, the question remains whether Skype can be used by healthcare professionals in a manner which allows them to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rule. There exists some ambiguity surrounding Skype and … Read more
In response to the devastating Hurricanes Harvey and Irma that hit the United States earlier this year, the U.S. Department of Health and Human Services issued two partial waivers of HIPAA sanctions and penalties in areas affected. Now, following Hurricane Maria’s wreckage of Puerto Rico and the U.S. Virgin Islands, the government department has issued … Read more
Microsoft OneDrive is a cloud storage service that has seen its popularity rise in recent years. Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials now includes OneDrive Online, which is a convenient platform for storing and sharing files. It circumvents the traditional issues … Read more
Yolanda Farrar-former employee of the Arkansas Department of Human Services (DHS)-has been fired from her position at the state hospital for breaching HIPAA legislation in March 2017. She was discovered to have emailed spreadsheets containing the protected health information of patients to a personal email account. Yolanda Farrar worked as a payment integrity coding analyst … Read more
In is in the interest of HIPAA covered entities, business associates, and healthcare employees to take great care to ensure HIPAA Rules are not violated, lest they wish to incur huge fines and possible criminal prosecution. But in the event of an accidental HIPAA violation, what is the best manner for covered entities and their … Read more
In 2016, WhatsApp announced it was introducing end-to-end encryption for messages sent using its services. This added security measure allows for healthcare organizations to potentially use the platform as a low-cost secure messaging system for the transfer of ePHI. However, there still exists some debate regarding whether WhatsApp is fully HIPAA compliant. With the new … Read more
The “cloud”-a network of servers used for data storage-has seen widespread use in recent years. It offers a convenient and flexible way for organisations-including healthcare providers and other covered entities-to store files, in comparison to traditional data storage methods. However, before healthcare organisations can make use of these benefits, the question of is it possible … Read more
The University of Pittsburgh Medical Center’s Bedford Memorial hospital has announced that an incident occurred at the facility which was in violation of HIPAA legislation. The incident, in which photographs and videos of a patient’s genitals were taken by hospital staff, occurred in late December 2016. This media was shared with other individuals, including those … Read more
The American Hospital Association (AHA) recently sent an open letter to the House Ways and Means Health Subcommittee, in which they suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems. In the letter, the AHA states the regulatory burden on hospitals and health systems is “substantial … Read more
The Department of Health and Human Services has issued a waiver of sanctions and penalties for violations of HIPAA’s Privacy Rule in the Hurricane Harvey disaster zone area. It is often difficult for hospitals to comply all HIPAA Privacy Rule following a natural disaster. Furthermore, following such limitations can potentially have a negative impact on … Read more
In 1996, the Health Insurance Portability and Accountability Act was introduced into US law. In time since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry, with widespread influence. Despite its importance, many healthcare providers and insurers are still unaware of HIPAA rules, and as a … Read more
Delaware has amended its data breach notification law by introducing some of the strictest requirements of any state. It is the first time in a decade that any change has been made to the law. According to the update, any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or … Read more
The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common most common HIPPA violations of this type are; • failure to perform … Read more
Salina Family Healthcare, based in Kansas, has announced that they were subjected to a ransomware attack earlier this year. They stated that the ransomware was installed on servers and workstations at their offices, resulting in the encryption of their patients’ protected health information (PHI). The healthcare organisation expressed uncertainty as to whether the PHI had … Read more
Senators Joe Manchin and Shelley Moore Capito, both of West Virginia, have announced that Jessie’s Law has been passed by the Senate. The legislation was designed to ensure doctors are provided with details of a patient’s previous substance abuse history if the patient has provided consent for the information to be shared. The bill will … Read more
It is the responsibility of HIPAA covered entities to ensure that their employees know the correct procedures for reporting a HIPAA violation. It is then the responsibility of the privacy officers of the organisation to make a judgement whether the incident should be directed to the Department of Health and Human Services’ Office for Civil … Read more
In June 2017, the Department of Health and Human Services (HHS) confirmed it was contemplating updating its data breach portal. This section is commonly referred to as the OCR ‘Wall of Shame’, as all data breaches which have involved 500+ records are listed on the breach portal. This list is maintained due to section 13402(e)(4) … Read more
Women’s Health Care Group of Pennsylvania has announced that they have been subject to a data breach. The organisation states that the breach was noticed in May, and they have notified nearly 300,000 patients that some of their sensitive protected health information has been compromised. The group is one of the largest healthcare networks in … Read more
The Office for Civil Rights’ “Wall of Shame” was established in December 2009. This data portal contained summaries of healthcare data breaches published on the website by OCR. The list only provides a short synopsis of data breaches that involved more than 500 documents. The information includes the name of the covered entity, the state … Read more
Earlier this month, the Mississippi Division of Medicaid (DOM) announced that over 5,000 Medicaid recipients have had some of their protected health information (PHI) exposed. They stated that the breach occurred via email because of an error with an online form service. DOM discovered that the online form service was sending emails containing PHI to … Read more
The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common most common HIPPA violations of this type are; • failure to perform … Read more
In addition to having their employment contract terminated, healthcare employees who have been identified as improperly accessing the medical records of patients are also likely to face a criminal investigation into their conduct because of breaching HIPAA rules. This is regardless of the reason why they accessed the medical data in the first place. A … Read more
The Health Information Trust Alliance (HITRUST) is the most widely adopted privacy and security framework in the United States. Earlier this month, it announced that it has updated the HITRUST common security framework (CSF). Furthermore, they also launched a new CSF initiative specifically designed to aid small healthcare organizations protect their PHI against cyberattacks and … Read more
On February 10, 2017, Tom Price was appointed as secretary of the Department of Health and Human Services on February. He has replaced Sylvia Matthews Burwell, who held the post for three years. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities … Read more
After calls from healthcare professionals to clear the ambiguity surrounding allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones, the Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance surrounding these issues. Most healthcare professionals are aware that the HIPAA Privacy Rule permits … Read more