What is the HIPAA Minimum Necessary Rule?

The HIPAA Minimum Necessary Rule requires HIPAA Covered Entities and Business Associates to make reasonable efforts to use, disclose, and request only the minimum protected health information needed to accomplish an intended purpose, except in specific situations where the requirement does not apply. The HIPAA Minimum Necessary Rule applies to many routine operational activities, including … Read more

Ransomware Attacks Likely to Increase in 2025

Ransomware attacks trended upward in 2024 and will likely continue to do so in 2025, as many more new victims were listed on ransomware groups’ data leak sites in January and February. Cybersecurity company Cyble recently reported that about 599 victims were added to data leak sites in February and 518 in January. Most of the … Read more

Do Healthcare Organizations Need HIPAA Certification?

Healthcare organizations do not need HIPAA certification because HIPAA does not establish an official government certification program for organizations, but HIPAA Covered Entities and HIPAA Business Associates must implement and maintain HIPAA Privacy Rule and HIPAA Security Rule compliance through documented policies, procedures, online HIPAA training, risk management, safeguards, and required documentation. HIPAA compliance is … Read more

Harvard Pilgrim Health Care to Pay $16 Million to Settle Data Breach Litigation

Harvard Pilgrim Health Care and its parent company, Point32Health, have agreed to pay $16 million to settle claims arising from a 2023 ransomware attack that affected roughly 3 million individuals. In 2023, hackers accessed systems containing the protected health information (PHI) of 2,967,396 health plan members. After exfiltrating data, the hackers used ransomware to encrypt … Read more

What is HIPAA Compliant Email?

HIPAA compliant email is an email process that permits the use and disclosure of protected health information under the HIPAA Privacy Rule while applying HIPAA Security Rule administrative, physical, and technical safeguards to electronic protected health information and meeting HIPAA Breach Notification Rule requirements when an impermissible disclosure involves unsecured protected health information. HIPAA compliant … Read more

Silver Fox Threat Group Uses Malicious DICOM Installers for Attacks on Healthcare

Ransomware groups attack healthcare companies for financial gain: they gain access to networks, steal information, and then deploy ransomware to encrypt files. Other threat actors attack healthcare systems and steal information through silent intrusions, in which the breached organization is not extorted and the attackers remain in its systems for longer. Researchers at cybersecurity company Forescout have discovered a new threat group … Read more

1.6 Million Records in Clinical Trials Database Exposed Online

A 2 TB database containing around 1.6 million clinical trial records was exposed online and accessible to anyone without a password. Cybersecurity researcher Jeremiah Fowler discovered the database and reported that it held 1,674,218 records. The exposed records include survey results in PDF format containing sensitive personal and medical data. The exposed information … Read more

Do New Staff Members Need HIPAA Training if they have Completed a Course Previously?

New staff members need HIPAA training even if they have completed a course previously because HIPAA Covered Entities must train workforce members on the organization’s own HIPAA policies and procedures as necessary and appropriate for their job functions, provide training to new workforce members within a reasonable period after joining, and provide updated training when … Read more

Huntress Report Highlights Changes to Ransomware Group Strategies

Although ransomware remains a constant threat to enterprises, it accounts for only about 9.5% of threats overall. Other threats include remote access trojans (13%), malware (17%), malicious scripts (22%), and infostealers (24%). RATs are also involved in over 75% of remote access cases. Huntress observed greater exploitation of remote monitoring and management (RMM) tools … Read more

HIPAA Training for Mental Health Professionals

HIPAA training for mental health professionals should be more thorough than for other health care professionals due to the number of times mental health professionals may be required to make decisions about disclosing Protected Health Information based on their professional judgement. Under §164.530(b) of the Privacy Rule, covered entities “must train all members of the … Read more

How Long is HIPAA Training Good For?

Many factors – both internal and external – can determine how long HIPAA training is good for, including regulatory changes, the introduction of new technologies, the outcome of a risk analysis, and workforce compliance. HIPAA training may also only be good for as long as an individual works for the same organization, as HIPAA policies … Read more

HIPAA Training for Business Associates

HIPAA training for Business Associates is mandatory because these organizations create, receive, maintain, or transmit Protected Health Information on behalf of HIPAA Covered Entities, and their staff must understand how to protect that information in real work situations. The HIPAA Journal Training has the only HIPAA training with additional modules for HIPAA Business Associate employees … Read more

What is HIPAA Training for Healthcare Workers?

HIPAA training for healthcare workers is training that healthcare workers undertake to safeguard the privacy and security of Protected Health Information in line with their employer’s HIPAA policies and procedures. Unfortunately, gaps in knowledge and understanding can undermine the benefits of HIPAA training for healthcare workers. Since 2009, HIPAA covered entities have been required to … Read more

California Department of Corrections and Rehabilitation Resolves Potential HIPAA Violation

The California Department of Corrections and Rehabilitation (CDCR) has agreed to resolve a class action lawsuit alleging negligence in failing to prevent a 2022 data breach. The breach occurred in January 2022 when hackers accessed CDCR systems containing the protected health information (PHI) and personally identifiable information (PII) of people imprisoned in the State … Read more

HIPAA Privacy and Security Training

HIPAA privacy and security training is sometimes treated as two separate units of the HIPAA training requirements inasmuch as HIPAA privacy training has to fulfil the requirements of the HIPAA Privacy Rule, while HIPAA security training has to fulfil the requirements of the HIPAA Security Rule. This is an incorrect interpretation of the HIPAA training … Read more

HIPAA Training for Employees

HIPAA training for employees is necessary for all employees of organizations that qualify as HIPAA covered entities or business associates, regardless of employees’ roles or their access to Protected Health Information. HIPAA training is also necessary for members of the workforce that do not qualify as employees (volunteers, students, directors, etc). The HIPAA Journal Training … Read more

Who Needs HIPAA Training?

All members of a covered entity’s or business associate’s workforce need HIPAA training – even if they have no access to Protected Health Information (PHI). This is because the General Requirements of the HIPAA Security Rule mandate that security awareness training must be designed to protect against uses and disclosures of PHI not … Read more

Is HIPAA Training Required by Law?

HIPAA training is not required by law but by regulation. The HIPAA “law” passed by Congress in 1996 instructed the Secretary for Health and Human Services to make recommendations and adopt standards for safeguarding the privacy and security of individually identifiable health information. These evolved into the HIPAA Administrative Simplification Regulations – which include the … Read more

How Often Does HIPAA Training Need to be Completed?

HIPAA training needs to be completed within “a reasonable period of time” after a person joins an organization’s workforce and thereafter whenever there is a material change to policies and procedures, whenever a need for training is identified, and whenever HIPAA training is imposed as a workforce sanction. All workforce members must also participate in … Read more

Mulkay Cardiology Consultants Confirms Settlement of Class Action Lawsuit Prompted by a Ransomware Attack

At the beginning of November 2023, New Jersey-based Mulkay Cardiology Consultants reported a ransomware attack that resulted in unauthorized access to the protected health information (PHI) of 79,582 individuals. Breach victims took legal action against Mulkay Cardiology Consultants, and the litigation has now ended in a settlement. Based on the forensic investigation, a threat actor … Read more

Why is HIPAA Training Important?

HIPAA training is important because if workforce members fail to comply with HIPAA policies and procedures due to a lack of knowledge, understanding, or care, it can result in operational disruptions, medical identity theft, and the loss of trust in patient-physician relationships – any of which can have adverse consequences for patients. HIPAA covered entities … Read more

Is HIPAA Training Required Annually?

HIPAA training is not currently required annually, but annual training is recommended when no other HIPAA training has been provided during the year in response to policy changes, the outcomes of risk assessments, the introduction of new technologies, or workforce sanctions. However, proposed changes to the HIPAA Security Rule could soon mandate annual HIPAA training for … Read more

HIPAA Compliance Training for Dental Offices

HIPAA compliance training for dental offices is the same as for any organization that qualifies as a HIPAA covered entity inasmuch as all members of the workforce must be trained on policies and procedures with respect to Protected Health Information that are applicable to their roles. Workforce members must also participate in a security awareness … Read more

Ransomware Attack Impacts U.S. Blood Donation Organization

The nonprofit blood donation organization called OneBlood based in Florida suffered a ransomware attack that is impacting its capacity to supply blood to hospitals. OneBlood provides blood to about 250 hospitals located in Alabama, Georgia, North and South Carolina, and Florida. OneBlood reported on July 31, 2024 that a ransomware attack impacted its software program. … Read more

How Often Should HIPAA Refresher Training be Provided for Nurses?

HIPAA refresher training for nurses is commonly provided at least annually as an industry best practice for workforce members with routine contact with protected health information, with additional training required when a nurse’s job functions change, when the organization makes a material change to HIPAA policies or procedures, or when incidents and compliance monitoring show … Read more

Top 3 Healthcare Data Breaches in 2024

In 2024, OCR received 13 data breach reports that each affected over 1 million healthcare records. The biggest healthcare data breach affected approximately 100,000,000 people. The total number of exposed or compromised records of U.S. residents across those 13 data breaches is 146,463,977, which is about 42% of the U.S. population. Change Healthcare Data … Read more

Ransomware Attack on Conceptions Reproductive Associates of Colorado

The Conceptions Reproductive Associates of Colorado fertility clinic recently announced that it suffered a ransomware attack. The threat actor gained unauthorized access to its system and stole the data of about 80,000 present and past patients, including their associates. The fertility clinic detected the incident in the middle of April 2024 when it affected some … Read more

NetWalker Ransomware Affiliate Faces 20 Years Imprisonment

Daniel Christian Hulea, a 30-year-old Romanian national, was sentenced to 20 years in prison for carrying out ransomware attacks on healthcare companies and educational organizations during the pandemic. Hulea was an affiliate of the NetWalker ransomware-as-a-service (RaaS) operation. The U.S. Department of Justice reported in January 2021 that over $450,000 in cryptocurrency was seized during … Read more

1.46 Million Patients Impacted by Texas Tech University Health Sciences Center Cyberattack

Texas Tech University Health Sciences Center, the university’s academic health institution and med school, reported a theft involving a large volume of patient data during a September ransomware attack. The cyberattack targeted the systems used by UMC Health System, Texas Tech Physicians, and Texas Tech University Health Sciences Center in El Paso. The HHS’ Office … Read more

Healthcare Hacker Faces 10 Years Imprisonment

A 45-year-old hacker named Robert Purbeck was sentenced to 10 years in prison for attacking several U.S. healthcare companies, breaching their systems, stealing sensitive information, and attempting to extort them. Purbeck is an IT professional who previously worked for Ada County in Idaho. He hacked at least 19 organizations between 2017 and 2018 … Read more

Is Texting in Violation of HIPAA?

Texting is not a HIPAA violation by itself, but a text message that creates, uses, or discloses protected health information violates the HIPAA Privacy Rule and the HIPAA Security Rule when the disclosure is not permitted or the organization does not apply administrative, physical, and technical safeguards that reduce unauthorized access and transmission risk to … Read more

Gulf Coast Pain Consultants to Pay $1.19 Million HIPAA Fine

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $1.19 million civil monetary penalty on Gulf Coast Pain Consultants, LLC for failing to terminate former employees’ access to systems containing electronic protected health information (ePHI) and for other HIPAA Security Rule violations. Pain management practice Gulf … Read more

HHS-OIG Recommendations for Enhancing OCR’s HIPAA Audit Program

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has audited the HHS Office for Civil Rights (OCR) to evaluate whether OCR has fulfilled its requirement to perform audits of HIPAA-covered entities to examine HIPAA compliance. A prior HHS-OIG audit was conducted in 2013 to investigate compliance with the Health Information … Read more

Rio Hondo Community Mental Health Center Pays $100,000 Penalty for HIPAA Violation

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $100,000 civil monetary penalty on a Californian mental health center for failing to provide timely access to a patient’s healthcare records. On March 18, 2020, a Rio Hondo Community Mental Health Center patient submitted a request for a copy of her medical … Read more

18,000 Individuals Impacted by Planned Parenthood Ransomware Attack

Planned Parenthood of Montana, a reproductive healthcare provider, has given additional information about the RansomHub ransomware attack that was initially reported at the beginning of September. At the time of the initial breach report, the investigation had only just started and it had not been confirmed whether the attacker stole any patient information. Now, there is confirmation from Planned … Read more

Multiple Lawsuits Filed Against Gryphon Healthcare Over August Data Breach

Multiple class action lawsuits have been filed against Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing solutions to healthcare companies. The lawsuits relate to an August 2024 data breach involving unauthorized access to the protected health information (PHI) of almost 400,000 individuals. The breached data included names, contact information, Social … Read more

OCR Director Speaks at HHS-NIST Conference About OCR’s Top Priorities

In late October, the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS) hosted a conference called “Safeguarding Health Information: Building Assurance Through HIPAA Security 2024”. Participants received information about the present state of cybersecurity in healthcare and the role of the HIPAA Security Rule in helping HIPAA-covered entities … Read more

Boston Children’s Health Physicians Attacked by BianLian Threat Group

Boston Children’s Health Physicians (BCHP), a multi-specialty pediatric group based in Valhalla, NY, provides services to newborns and children in New York and Connecticut. BCHP has reported that its IT vendor suffered a cyberattack. The IT vendor informed BCHP on September 6, 2024, that suspicious activity had been detected in the IT vendor’s network. On September 10, … Read more

Rhysida Ransomware Group Claims Responsibility for Axis Health System Cyberattack

AXIS Health System, a network of behavioral health facilities based in Colorado, has published a notification on its website about a cyber incident. Little information is provided about the nature of the attack beyond the initiation of incident response protocols. The investigation is ongoing to determine the nature and extent of the breach. In case … Read more

Ponemon Institute Survey Reveals Increased Cyberattacks on Healthcare Organizations

Ponemon Institute conducted a new survey for Proofpoint, which revealed that almost all U.S. healthcare organizations faced a cyberattack in the past year. Of the 648 IT and IT Security experts surveyed, 92% reported at least one cyberattack in the last 12 months, compared to 88% of survey respondents in 2023. The report found that … Read more

NIST Updated Guidelines for Password Complexity

A new update to the National Institute of Standards and Technology (NIST) password security guidelines now recommends longer passwords over the previous focus on using a mix of uppercase and lowercase letters, numbers, and special characters. While using multiple character types makes the password more complex, it often results in predictable patterns, which weakens security. … Read more
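The guidance summarized above, as an added example that is not code from the original article: a verifier that screens a memorized secret the way NIST SP 800-63B describes, by length and against a blocklist of compromised, common, repetitive or context-specific values, with no composition rules at all, and then stores it as a salted, iterated hash. The blocklist is a small constructed sample, and the 8-character minimum, the 256-character cap and the PBKDF2 iteration count are assumptions for the example.

```python
"""Password acceptance and storage in the style of NIST SP 800-63B.

Added example, not code from the original article. The blocklist is a
constructed sample; length thresholds and PBKDF2 parameters are assumptions.
"""
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of a compromised/common-password blocklist. A real
# deployment screens against a large breach corpus, not a handful of entries.
SAMPLE_BLOCKLIST = {
    "password", "password1", "qwerty123", "letmein", "welcome1",
    "summer2024!", "passw0rd!",
}

MIN_LENGTH = 8              # 800-63B minimum for a memorized secret
MAX_LENGTH = 256            # verifiers must allow at least 64; cap only bounds hashing cost
PBKDF2_ITERATIONS = 210_000  # assumed work factor for PBKDF2-HMAC-SHA256


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def normalize(secret: str) -> str:
    """NFKC-normalize so equivalent Unicode spellings compare equal.
    Spaces and every printable character are kept, so passphrases work."""
    return unicodedata.normalize("NFKC", secret)


def _is_repetitive_or_sequential(pw: str) -> bool:
    if len(set(pw)) == 1:                        # e.g. "aaaaaaaa"
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})                  # e.g. "12345678", "hgfedcba"


def check_password(candidate: str, *, username: str = "", service: str = "",
                   blocklist=SAMPLE_BLOCKLIST) -> Verdict:
    """Length and blocklist screening only: deliberately no character-class rules."""
    pw = normalize(candidate)
    lowered = pw.lower()
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in blocklist:
        reasons.append("appears in compromised/common password list")
    if _is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    for label, word in (("username", username), ("service name", service)):
        if word and word.lower() in lowered:
            reasons.append(f"contains {label} '{word}'")
    return Verdict(accepted=not reasons, reasons=reasons)


def hash_for_storage(candidate: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated one-way hash for storage; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_stored(candidate: str, salt: bytes, digest: bytes) -> bool:
    _, recomputed = hash_for_storage(candidate, salt)
    return hmac.compare_digest(recomputed, digest)   # constant-time comparison


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "Summer2024!", "P@ss1", "12345678"):
        v = check_password(sample, username="jsmith", service="portal")
        print(f"{sample!r}: {'accepted' if v.accepted else 'rejected: ' + '; '.join(v.reasons)}")
```

Note that "Summer2024!" satisfies every classic composition rule and is still rejected, because it is on the blocklist, while a long all-lowercase passphrase with spaces is accepted; that is the inversion of priorities the NIST update describes.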

Consolidation of Change Healthcare Data Breach Lawsuits

Because of a massive data breach, Change Healthcare is facing dozens of lawsuits filed by plaintiffs across multiple districts. The cyberattack in question resulted in the theft of 6 TB of sensitive data, including personal and protected health information (PHI) of millions of individuals throughout the United States. The lawsuits allege that Change Healthcare failed … Read more

HIPAA Privacy and Reproductive Healthcare Privacy Final Rules Challenged by a Lawsuit

Texas Attorney General Ken Paxton has initiated a lawsuit against the Department of Health and Human Services (HHS), its Secretary Xavier Becerra, and Director Melanie Fontes Rainer of the Office for Civil Rights (OCR). The lawsuit challenges the long-standing HIPAA Privacy Rule and the 2024 HHS final rule concerning reproductive healthcare privacy. Paxton contends that … Read more

Planned Parenthood Attacked by RansomHub Ransomware Group

The RansomHub ransomware group continues to target the healthcare sector, with its latest victim being Planned Parenthood, a reproductive healthcare provider based in New York. The group added Planned Parenthood to its data leak site, claiming responsibility for stealing 93 GB of sensitive information. CEO Martha Fuller of Planned Parenthood of Montana reported the … Read more

Pioneer Kitten Iranian Espionage Group Collaborates With Ransomware Groups

An Iranian hacking group known as Pioneer Kitten (also referred to as Fox Kitten, Rubidium, Parisite, and Lemon Sandstorm) has been working together with ransomware groups to compromise and extort businesses across various sectors, including defense, finance, education, and healthcare. Active since 2017, Pioneer Kitten is believed to operate under the auspices of the Iranian … Read more

BlackSuit — a Rebrand of Royal Ransomware Confirmed

The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released an alert concerning the BlackSuit ransomware group, which they have identified as a rebrand of the Royal ransomware operation. The group has been behind numerous attacks on healthcare companies. The FBI and CISA first issued an alert about Royal … Read more

Data Theft at United of Omaha Life Insurance Company Due to Phishing Attack

United of Omaha Life Insurance Company located in Nebraska submitted a phishing attack report that indicated the compromise of the protected health information (PHI) of 107,894 people. The insurer discovered the breach on April 23, 2024 after identifying suspicious activity in an employee’s email account. United of Omaha noticed that a third party accessed the … Read more

Employee Email Accounts Breached at Aveanna Healthcare

Georgia-based healthcare provider Aveanna Healthcare recently reported that a third party gained unauthorized access to the email accounts of 11 employees, exposing the protected health information (PHI) of 10,482 patients. This is Aveanna Healthcare’s second email breach report this year. On March 15, 2024, Aveanna Healthcare submitted to the HHS’ Office … Read more

Change Healthcare Ransomware Attack Cost Expected to Increase to $2.3B in 2024

UnitedHealth Group (UHG) has given an update on the response costs associated with the February 2024 ransomware attack on Change Healthcare. The overall response cost is now forecast at $2.3 billion to $2.45 billion for 2024, over $1 billion more than the figure reported earlier. UHG has already spent approximately $2 billion handling the … Read more

DaVita Patients Affected by Tracking Technology Privacy Incident

DaVita has discovered that tracking tools used on its web pages and mobile app might have transmitted user information to third-party providers. On July 2, 2024, kidney dialysis service provider DaVita Inc. based in Denver, CO informed 67,443 patients concerning a pixel-related data breach. With the 2,800+ outpatient dialysis centers in the U.S., DaVita serves … Read more

Is it a HIPAA Violation to Email Medical Records?

Emailing medical records is not a HIPAA violation when the disclosure is permitted under the HIPAA Privacy Rule, the transmission is safeguarded in line with the HIPAA Security Rule when electronic protected health information is involved, and the sender uses policies and controls that limit access, apply the HIPAA Minimum Necessary Rule when applicable, and … Read more

HIPAA Violation Statistics

Accurate HIPAA violation statistics can be difficult to come by due to the way in which HHS´ Office for Civil Rights reports violations. It can also be the case that the cause of a violation is miscategorized by the entity reporting it – who may not be the entity responsible for the violation. As of … Read more

Who does HIPAA not apply to?

HIPAA does not apply to entities or individuals that do not meet the definition of a covered entity (such as healthcare providers, health plans, and healthcare clearinghouses) or a business associate handling protected health information (PHI) on behalf of a covered entity, which includes employers, life insurers, schools, and certain technology platforms when they do … Read more

Do HIPAA Obligations End When a Business Closes?

HIPAA obligations do not end when a business closes because protected health information that remains in the possession or control of a HIPAA Covered Entity or HIPAA Business Associate must continue to be safeguarded, used and disclosed only as permitted, made available for individual rights when required, and disposed of securely when no longer maintained, … Read more

Text Messaging Platforms in Healthcare

Text messaging platforms used in healthcare must support compliant handling of Protected Health Information by restricting access, securing transmission and storage, and enabling organizational controls required by the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. Text messages can contain Protected Health Information in patient scheduling, care coordination, referrals, discharge follow up, … Read more

How Many Violations of HIPAA Rules Result in Financial Penalties in 2017?

How many healthcare data breaches occurred in 2017, and how many of those that violated HIPAA Rules resulted in financial penalties? It is difficult to get accurate data about HIPAA violations for several reasons. First, many data breaches are not reported. The Department of Health and Human Services’ Office for Civil Rights only publishes on its breach … Read more

Tips for Effective Identity and Access Management to Prevent Insider Data Breaches

The HIPAA Security Rule requires the effective management of access to information. Employees who are granted access to protected health information must be properly authorized. But what happens when employees leave? The organization needs to make sure that their PHI access privileges are terminated immediately. If procedures to terminate access to PHI are not implemented, … Read more
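The termination check described above, as an added example that is not code from the original article: a reconciliation of the accounts that hold PHI access against the HR roster, flagging enabled accounts whose owner has been terminated (and noting any login after the termination date, which is the forensic signal an investigator would want), accounts with no HR owner at all, and accounts that have gone dormant. The roster and account records are constructed sample data, and the 90-day dormancy window and the severity labels are assumptions for the example.

```python
"""Reconcile accounts with PHI access against the HR roster.

Added example, not code from the original article. The roster and account
records are constructed sample data; the dormancy window and severity labels
are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]           # None when nothing in HR maps to the account
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str                        # "critical", "high" or "medium"
    reason: str


_SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def reconcile(roster: Sequence[Employee], accounts: Sequence[Account],
              as_of: date, dormant_after_days: int = 90) -> List[Finding]:
    """Return the enabled accounts that should be disabled or reviewed."""
    by_id = {e.employee_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                     # already off; nothing to do
        emp = by_id.get(acct.employee_id) if acct.employee_id else None
        if emp is None:
            findings.append(Finding(acct.username, "high",
                                    "no matching HR record; owner unknown"))
            continue
        if emp.status == "terminated":
            reason = f"employee terminated on {emp.termination_date} but account still enabled"
            if (acct.last_login and emp.termination_date
                    and acct.last_login > emp.termination_date):
                reason += f"; logged in after termination ({acct.last_login})"
            findings.append(Finding(acct.username, "critical", reason))
            continue
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_after_days:
            findings.append(Finding(acct.username, "medium",
                                    f"no login in the last {dormant_after_days} days"))
    return sorted(findings, key=lambda f: _SEVERITY_ORDER[f.severity])


# Constructed sample data so the script runs stand-alone.
SAMPLE_ROSTER = [
    Employee("E100", "active"),
    Employee("E101", "terminated", date(2024, 5, 31)),
    Employee("E102", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("asmith", "E100", True, date(2024, 6, 10)),
    Account("bjones", "E101", True, date(2024, 6, 12)),    # used after termination
    Account("svc_ehr_export", None, True, date(2024, 6, 14)),
    Account("cdoe", "E102", True, date(2024, 1, 15)),      # dormant
    Account("olduser", "E101", False, None),               # already disabled
]


def sample_findings() -> List[Finding]:
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, as_of=date(2024, 6, 15))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.severity:8} {f.username:16} {f.reason}")
```

Run on a schedule against exports from the HR system and each application that stores ePHI, the critical findings are the ones the Security Rule's termination procedures are meant to prevent; the dormant and unowned accounts are the review queue for the periodic access recertification that the same standard expects.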

What are Some Important Facts About the History of HIPAA?

President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law on August 21, 1996. HIPAA ensured the continuity of health insurance coverage for everyone, especially employees who were between jobs. It also accomplished the following: set standards for the amount of pre-tax medical savings that could be saved, prohibited tax-deduction … Read more

What are the HIPAA Compliance Rules for Cloud Applications?

The “cloud” (a network of servers used for data storage) has seen widespread use in recent years. It offers organisations, including healthcare providers and other covered entities, a convenient and flexible way to store files compared with traditional data storage methods. However, before healthcare organisations can make use of these benefits, the question of is it possible … Read more