News
OCR Settlements
April has been a busy month for the OCR. As of the writing of this email, there have been 2 HIPAA settlements for potential violations of the HIPAA Security Rules, and 1 settlement for the potential violation of the Privacy Rules. Potential non-compliance of the...
$5.5 million HIPAA settlement shines light on the importance of audit controls
Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and agreed to implement...
Latest HIPAA enforcement action; updated guidance and FAQ; Privacy Policy Snapshot Challenge
First HIPAA enforcement action for lack of timely breach notification settles for $475,000. Guidance on HIPAA, Same-sex Marriage, and Sharing Information with Patients’ Loved Ones. Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status,...
Medical Device Security Workshop
Friday, January 27, 8:00 AM - 4:30 PM, at Eskenazi Health, 720 Eskenazi Avenue. A chance to join other healthcare providers and medical device manufacturers in a free interactive forum. Lunch included. Topics: Cybersecurity Landscape; Medical Device...
New Fact Sheet on HIPAA and Public Health Permitted Uses and Disclosures
The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released a new Fact Sheet that explains how the HIPAA Rules permit disclosures of Protected Health Information (PHI) to support public health...
HIPAA Guidance Focuses on Disclosing PHI for Public Health
Additional Clarification regarding Phishing Email Alert Audits of Business Associates Are Underway
On November 28, 2016, the HHS Office for Civil Rights issued a listserv announcement warning covered entities and their business associates about a phishing email that disguises itself as an official communication from the Department. The email prompts recipients to...
UMass settles potential HIPAA violations following malware infection
The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of...
What Type of Authentication is Right for you?
Over the past years, the healthcare sector has been one of the biggest targets of cybercrime. Some of these cybercrimes resulted in breaches due to weak authentication, which has made healthcare entities take a second look at their safeguards and consider...
ACA Continues to Break Down Barriers to Health Care for All Americans
By Jocelyn Samuels, Director, HHS Office for Civil Rights. All across the country, the Affordable Care Act (ACA) is helping to make health care accessible to millions of people. In fact, six years after its passage, 20 million more Americans now have health care...
$2.14 million HIPAA settlement underscores importance of managing security risk
St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were...
Cloud Computing Guidance
With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing, while complying with the HIPAA Rules. In response, the HHS Office...
New FAQ on Availability of PHI Maintained by a Business Associate
OCR has released a new FAQ addressing whether a business associate of a HIPAA covered entity may block or terminate access by the covered entity to the protected health information maintained by the business associate for or on behalf of the covered entity, clarifying...
HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements
Care New England Health System (CNE), on behalf of each of the covered entities under its common ownership or control, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The...
Cyber Threat Information-Sharing
From HHS, Office of Civil Rights…. A recent news report indicated that criminal cyberattacks against health care entities have increased up to 125 percent compared to five years ago, and the average consolidated total cost of data breach was $3.8 million, which is a...
OCR Announces Initiative to More Widely Investigate Breaches Affecting Fewer than 500 Individuals
Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, OCR has prioritized investigation of...
Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million
Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving...
Is your Covered Entity or Business Associate Capable of Responding to a CyberSecurity Incident?
Computer security incident response is an important element of an information technology program. It can assist Covered Entities and Business Associates in promptly detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited,...
Updates to the HHS Office for Civil Rights Webpages: HIPAA Audit Guidance & FAQ on HIPAA and Unique Device Identifiers
OCR has posted the following information to their website: 1) Guidance for 2016 HIPAA Desk Audits: Two weeks ago, covered entities received notification of their selection as the subjects of Office for Civil Rights (OCR) desk audits of compliance with the HIPAA...
Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center
The University of Mississippi (UM) Medical Center (UMMC) has agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). During the...
HHS OCR Offers New Materials for Covered Entities
Earlier this year, HHS OCR finalized the rule under Section 1557 to advance health equity and reduce health disparities by strengthening protections for some of the populations that have been most vulnerable to discrimination in the health care context. Section 1557...
Widespread HIPAA Vulnerabilities result in $2.7 million settlement with Oregon Health & Science University
Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services...
OCR’s Phase Two HIPAA Audits Have Begun
Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has officially kicked into high gear. Selected covered entities have now received notification letters regarding their inclusion in the desk audit portion of the audit program. ...
Your Money or Your PHI: New Guidance on Ransomware
One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware. The FBI has reported an...
Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the theft of a CHCS mobile device compromised the protected...
Guidance and Resources for Long Term Care Facilities
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued new guidance to assist long term care facilities in complying with their civil rights responsibilities and obligations under regulations by the HHS Centers for Medicare...
New Consumer Tools Explain HIPAA Right to Access Health Information
Earlier this year, the HHS Office for Civil Rights (OCR) released comprehensive guidance on the right of individuals under the Health Insurance Portability and Accountability Act (HIPAA) to access and receive copies of their health information. Providing individuals...
What’s in Your Third-Party Application Software?
Recently, it has been reported that third-party application software security vulnerabilities are on the rise. Third-party application software is designed to work within operating systems and to assist users in executing tasks on computers and other devices. For...
Clarification of Permissible Fees for HIPAA Right of Access – Flat Rate Option of Up to $6.50 is Not a Cap on All Fees for Copies of PHI
Earlier this year, OCR released a fact sheet and two sets of Frequently Asked Questions (FAQs) to clarify aspects of individuals’...
OCR Cyber-Awareness Monthly Update
Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital
Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film...
King’s Daughters’ Health (Madison, Indiana) suffers ransomware attack
$750,000 settlement highlights the need for HIPAA business associate agreements
Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health...
OCR Launches Phase 2 of HIPAA Audit Program
As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. Audits are an important...
Stolen Premier Healthcare laptop returned; no evidence of data breach
OCR Cyber-Awareness Monthly Update
Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement
$1.55 million settlement underscores the importance of executing HIPAA business associate agreements
OCR releases new HIPAA guidance to reiterate patients’ right to access health information and clarify appropriate fees for copies
HIPAA Audits: A Progress Report – Deven McGraw interview
Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework
Physical therapy provider settles violations that it impermissibly disclosed patient information
OCR Adds New Health App Use Scenarios to Developer Portal
Today, OCR posted new guidance on our mHealth Developer Portal [http://HIPAAQsportal.hhs.gov] to provide scenarios where the Health Insurance Portability and Accountability Act (HIPAA) regulations might apply to mobile health applications. We hope these new scenarios...
OCR Launches A New Cyber-Awareness Initiative
As we begin the New Year, OCR is launching a new Cyber-Awareness initiative to help our regulated community become more knowledgeable about the various security threats and vulnerabilities that currently exist in the healthcare sector; what security measures can be...
Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800
INSPN Meeting
November 3, 2016, 8:00 AM - 2:00 PM. Location: NEW MEETING LOCATION, 500 North Meridian Street, Indianapolis, IN 46204. Meeting will be in the conference center in the basement of the building. For questions about parking or the new location...
New Guidance from OCR: Understanding Individuals’ Right under HIPAA to Access their Health Information
By: Jocelyn Samuels, Director, Office for Civil Rights. Find the Guidance at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html ...
Understanding Individuals’ Right under HIPAA to Access their Health Information
The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans. This right is critical to enabling individuals to take ownership of their health...
OCR Launches Newly Redesigned Website!
Over the past several months, the HHS Office for Civil Rights has undertaken a full redesign of our website. We are thrilled to share with you the new www.hhs.gov/ocr, a more responsive, user-friendly platform. “Our website is a critical component of our outreach,...
$750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis
Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement
Lahey Hospital And Medical Center Settles Lawsuit With HHS Over HIPAA Non-Compliance
OCR invites Developers to ask questions about HIPAA Privacy and Security
BULLETIN – October 5, 2015. OCR has launched a new platform, http://HIPAAQsportal.hhs.gov, for mobile health developers and others interested in the intersection of health information technology and HIPAA privacy protection. We are experiencing an explosion of technology...
OIG report indicating OCR should do more to enforce HIPAA
OIG Says Phase Two of HIPAA Audits Coming Soon
Comcast Settles California Privacy Breach for $33M
UCLA Health faces lawsuit for privacy breach in recent cyber attack
No More ClipBoard Security Breach
July 23, 2015 Notice
HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications
BULLETIN – July 10, 2015. St. Elizabeth’s Medical Center (SEMC) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)...
NIST, HHS & OCR Announce the 8th Annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference
September 2 & 3, 2015 - Grand Hyatt, Washington D.C. The conference will explore the current health information technology security...
Deven McGraw to Join the HHS Office for Civil Rights as the Deputy Director for Health Information Privacy
The HHS Office for Civil Rights (OCR) announced today that Deven McGraw will join the OCR team as the Deputy Director for Health Information Privacy effective...
Update of ONC’s Guide to Privacy and Security of Electronic Health Information
The HHS Office of the National Coordinator for Health Information Technology (ONC) released Version 2.0 of their Guide to Privacy and Security of Electronic Health Information. In the...
HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records
Cornell Prescription Pharmacy (Cornell) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule...
Office of the National Coordinator (ONC) announces revision of: “Guide to Privacy and Security of Electronic Health Information”
Office of Civil Rights Delays Phase Two HIPAA Audits
Anthem Hit by Hackers resulting in Data Breach
OCR Director Samuels to Present at Second National Summit on Health Care Price, Cost and Quality Transparency
Over the past year there have been significant strides to make health care more transparent, especially in regard to cost and quality of care. OCR Director...
Congress begins work on a National Breach Notification Law
Indiana Dentist fined for mishandling patient records
New OCR fine against provider who did not have adequate security on its network
Landmark decision in Indiana violation of privacy affirms judgment of $1.4M against Walgreens
Reminder of End of NPP Enforcement Delay for CLIA Labs
IHIMA Release of Information Guide
The 2013 IHIMA Release of Information Guide has been updated in its entirety from the 2008 version. Indiana Health Information Management Announces a comprehensive publication revision will be delivered in a pdf format containing the...
HITECH Act Report to Congress
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the Secretary of the Department of Health and Human Services ("the Secretary") to prepare and submit annual reports on breach notifications and...
HIPAA and Same-sex Marriage: Understanding Spouse, Family Member, and Marriage in the Privacy Rule
The HIPAA Privacy Rule contains several provisions that recognize the integral role that family members, such as spouses, often play in a patient’s health care. For...
Sophisticated Chinese Hackers Infiltrate Community Health Systems — 4.5 Million Patients Affected
This one is unusual because it is the second largest HIPAA breach reported thus far, and the only one thus far involving sophisticated criminal hackers who are...
SecureWorld Indianapolis, 2014
SecureWorld is again coming to Indianapolis, October 1, 2014. Keynote speakers include Dr. Larry Ponemon, founder of The Ponemon Institute, and Carl Herberger, Vice President of Security Solutions-Radware. CPE credits are available....
The OCR announces the 7th Annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference Sept 23 & 24
The conference will explore the current health information technology security landscape and the Health Insurance Portability and...
The OCR Names New Director
The Office for Civil Rights named Jocelyn Samuels as the next OCR director, according to govinfosecurity.com. Ms. Samuels formerly served as the acting assistant attorney general for the Civil Rights Division of the U.S. Department of...
$800,000 HIPAA settlement in medical records dumping case
Parkview Health System, Inc. has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the U.S. Department of Health and Human...
HHS Office for Civil Rights Releases 2011-2012 HITECH Reports to Congress on Breach Notification and HIPAA Compliance
The U.S. Department of Health and Human Services, Office for Civil Rights, has issued two Reports to Congress called for by the Health Information...
Data breach results in $4.8 million HIPAA settlements
Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure...
Stolen laptops lead to important HIPAA settlements
Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act...
County Government Settles Potential HIPAA Violations
Skagit County, Washington, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. Skagit County agreed...
HHS Issues Model of Notices of Privacy Practices in Spanish
A Spanish version of the Model Notices of Privacy Practices (NPP) has been issued by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and Office for the National Coordinator for...
HHS Issues HIPAA Guidance on Sharing Information Related to Mental Health
The U.S. Department of Health and Human Services (HHS) has released new guidance explaining how the HIPAA Privacy Rule operates to protect individuals' privacy rights with respect to their...
It looks like Leon Rodriguez is leaving the HHS Office of Civil Rights, where he was the lead enforcer of patient privacy rights.
OCR Director Leon Rodriguez’s departure would leave big void. A few federal government employees were put in position to play musical chairs of sorts this week and the potential upheaval would have a major impact on healthcare IT security in 2014. President Barack...
Ohio Edgepark Medical Supplies reported in January that hackers gained access through Adobe software being used on its website by installing malware which intercepted users’ login data.
January 16, 2014. Card data among info accessed in malware attack on medical supplier. The information – including payment card data – of more than 4,000 individuals was inappropriately accessed after malware was introduced into the computer systems of Ohio-based...
Unity Health Insurance (Wisconsin) – an unencrypted hard drive containing the health records of over 40,000 members went missing.
Unity Health Insurance Disclosure Notice. SAUK CITY, Wisconsin -- On December 12, 2013, Unity Health Plans Insurance Corporation received a report that a portable computer hard drive containing limited information for a subgroup of Unity members was missing from the...
HHS Privacy breach involving a dermatology office includes their payment of $150,000 to settle the matter.
Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules with the Department of...
HHS settles with health plan in photocopier breach case
Aug. 14, 2013. Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act...
Wellpoint settles HIPAA claim with HHS for $1.7M
Jul 11, 2013. The managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the Health Insurance Portability and...
HHS Announces $400,000 HIPAA Enforcement Action
May 22, 2013. On Tuesday, May 21, 2013, the Department of Health and Human Services ("HHS") announced that it had reached a settlement with a State University ("University")...
Feds ask firms about HIPAA audit experience
March 20, 2013. By Joseph Conn. Posted: March 20, 2013 - 12:01 am ET. The top federal healthcare privacy and security regulator wants to know what officials from more than 100 organizations that have undergone privacy and...
New Rule Protects Patient Privacy, Secures Health Information
Jan 17, 2013. The U.S. Department of Health and Human Services (HHS) has announced a new rule to strengthen the privacy and security protections for health information established under the Health Insurance...
HHS announces first HIPAA breach settlement involving less than 500 patients
January 2, 2013. The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance...