Indiana Security & Privacy Network

News

Jun 15, 2010

Six Major Patient Record Breaches Draw $675,000 In Penalties

Under a law passed after breaches of celebrity medical records, such as those of the late actress Farrah Fawcett, health officials yesterday levied six fines totaling $675,000 against five California hospitals where employees and others gained unauthorized access to sensitive information in patients' electronic medical records. State officials did not name any of the patients involved, but one of them was said to be Michael Jackson, whose records were reportedly accessed illegally at Ronald Reagan UCLA Medical Center in Los Angeles after his death. "These facilities failed to prevent unauthorized access to confidential patient information," Kathleen Billingsley, deputy director of the Center for Health Care Quality, California Department of Public Health, said during a briefing yesterday. "Medical privacy is a fundamental right, and every Californian seeking care in a hospital should not have to worry about who is viewing their medical information, she said. "We remain concerned with violations of patient confidentiality and the potential harm to patients." California may have the most aggressive patient privacy laws in the nation. CDPH spokesman Ralph Montano says state officials "are not aware of any other state with similar laws." [see link for entire article]

Privacy Act Protects Some Practices With Patient Data Breaches

The Office for Civil Rights (OCR) cited a 36-year-old privacy law as the reason why it cannot post on its breach notification Web site the names of private practitioners who report breaches of unsecured PHI affecting 500 or more individuals. See link.

Breach Notification reports due by March 1, 2010

For breaches of less than 500 that occurred between Sept 29 - Dec 31, 2009 are due to be reported by March 1 See link (more) for details

HHS announces breaches over 500 in 2009 - see details on link

36 events were reported by healthcare providers - these occurred between Sept 29- Dec 31, 2009. A substantial number involved laptops and portable devices. Go to the link (more) for details.

InSPN Newsletter

Welcome to the Indiana Security & Privacy Network (InSPN) newsletter. The purpose of this newsletter is to keep you informed about security and privacy concerns that affects your organization. We invite you to participate by sharing information, knowledge and best practices on security, privacy and regulatory compliance that affect all Indiana industries.