HIPAA Blog and Updates

Welcome to our HIPAA blog. Here we post news, articles, and site updates on HIPAA.

  • 20 Nov 2023 12:44 PM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Saint Joseph’s Medical Center is a non-profit academic medical center in New York that provides a full range of health care services. The settlement involved the impermissible disclosure of COVID-19 patients’ protected health information to a national media outlet.

    “When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”

    OCR investigated Saint Joseph’s Medical Center after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients. These images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans.

    OCR determined that Saint Joseph’s Medical Center disclosed three patients’ protected health information to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity (including a health care provider) may not use or disclose protected health information, except either:

    • As the HIPAA Privacy Rule permits or requires; or
    • The individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

    Therefore, regulated entities cannot disclose a patient’s protected health information to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when health care providers have print or television reporters on the premises.

    Saint Joseph’s Medical Center paid $80,000 to OCR and agreed to implement a corrective action plan requiring the facility to develop written policies and procedures that comply with the HIPAA Privacy Rule. Saint Joseph’s Medical Center also agreed to train its workforce on the revised policies and procedures. Under this agreement, OCR will monitor St. Joseph’s Medical Center for two years to ensure compliance under the plan and with the law.

    Reference

    HIPAA News Releases & Bulletins


  • 31 Oct 2023 10:20 AM | Zachary Edgar (Administrator)

    OCR Settles with Business Associate in attack affecting over 200,000 individuals.

    Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’ Management Services, a Massachusetts medical management company that provides a variety of services, including medical billing and payor credentialing. The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. The $100,000 settlement resolves a large breach report regarding a ransomware attack that affected the electronic protected health information of 206,695 individuals. Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. This marks the first ransomware agreement OCR has reached.

    October is Cybersecurity Awareness Month, and OCR has been working with health insurers, providers, and clearinghouses covered by HIPAA to ensure better data security. Ransomware and hacking are the primary cyber-threats in health care. In the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. This trend continues in 2023, where hacking accounts for 77% of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60% increase from last year.

    “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

    On April 22, 2019, Doctors’ Management Services filed a breach report with HHS stating that approximately 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, OCR began its investigation.

    OCR’s investigation found evidence of potential failures by Doctors’ Management Services to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.

    Under the terms of the settlement agreement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA. In addition, Doctors’ Management Services has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies steps that Doctors’ Management Services will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information, including:

    • Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctors’ Management Services data to protect the confidentiality, integrity, and availability of electronic protected health information.
    • Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
    • Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
    • Provide workforce training on HIPAA policies and procedures.

    OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:

    • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
    • Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.
    • Ensure audit controls are in place to record and examine information system activity.
    • Implement regular review of information system activity.
    • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
    • Encrypt ePHI to guard against unauthorized access to ePHI.
    • Incorporate lessons learned from incidents into the overall security management process.
    • Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

    Reference

    HIPAA News Releases & Bulletins


  • 19 Oct 2023 10:19 AM | Zachary Edgar (Administrator)

    Last year, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief on the different types of social engineering that hackers use to gain access to healthcare information systems and data. The threat brief recommended several protective measures to combat social engineering, one of which was holding “every department accountable for security.” An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.

    The HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) require covered entities and business associates (“regulated entities”) to ensure that workforce members comply with the HIPAA Rules. Regulated entities are responsible for protecting the privacy and security of protected health information (PHI) by training their workforce, adopting written policies and procedures, and sanctioning workforce members who violate those policies and procedures.

    Sanction policies are specifically required by both the Privacy Rule and the Security Rule:

    • The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule] of this part.”
    • The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”

    The Functions of a Sanction Policy

    Sanction policies can improve a regulated entity’s compliance with the HIPAA Rules. Imposing consequences on workforce members who violate a regulated entity’s policies or the HIPAA Rules can be effective in creating a culture of HIPAA compliance and improved cybersecurity, because the knowledge that there is “a negative consequence to noncompliance enhances the likelihood of compliance.” Training workforce members on a regulated entity’s sanction policy can also promote compliance and greater cybersecurity vigilance by informing workforce members in advance which “actions are prohibited and punishable.” A sanction policy that clearly communicates a regulated entity’s expectations should ensure that workforce members understand their individual compliance obligations and the consequences of noncompliance.

    Content: What Should a Sanction Policy Look Like?

    Because HIPAA regulated entities “are so varied in terms of installed technology, size, resources, and relative risk,” the HIPAA Rules allow for a flexibility of approach to achieve compliance. This flexibility of approach also extends to sanction policies: the Privacy Rule preamble states that “we leave the details of sanction policies to the discretion of the covered entity . . . [that] will be familiar with the circumstances of the violation . . . .” Similarly, the Security Rule preamble states that regulated entities “have the flexibility to implement the standard in a manner consistent with numerous factors, including such things as, but not limited to, their size, degree of risk, and environment.”

    The HIPAA Rules do not require regulated entities to impose any specific penalty for any individual violation, or to implement any particular sanction methodology. Rather, in any individual case “[t]he type and severity of sanctions imposed, and for what causes, must be determined by each covered entity [or business associate] based upon its security policy and the relative severity of the violation.” Regulated entities may structure their sanction policies in the manner most suitable to their organization.

    Regulated entities may want to consider the following when drafting or revising their sanction policies: 

    • Documenting or implementing sanction policies pursuant to a formal process.
    • Requiring workforce members to affirmatively acknowledge that a violation of the organization’s HIPAA policies or procedures may result in sanctions.
    • Documenting the sanction process, including the personnel involved, the procedural steps, the time-period, the reason for the sanction(s), and the final outcome of an investigation. NOTE: These records should be retained for at least six years.
    • Creating sanctions that are “appropriate to the nature of the violation.”
    • Creating sanctions that “vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information.”
    • Creating sanctions that “range from a warning to termination.”
    • Providing examples “of potential violations of policy and procedures.”

    By making these considerations, regulated entities can craft a thoughtful and well-documented sanction policy that informs workforce members of the regulated entity’s expectations, deters misconduct, and promotes HIPAA compliance through greater understanding and transparency of the policies and procedures that protect the privacy and security of PHI.    

    Execution: Sanctioning Consistently

    How a regulated entity implements its sanction policy is just as important as the policy’s content. It is important for a regulated entity to consider whether its sanction policies align with its general disciplinary policies, and how the individuals or departments involved in the sanction processes can work in concert, when appropriate. Regulated entities may also want to consider how sanction policies can be fairly and consistently applied throughout the organization, to all workforce members, including management. Indeed, sanctioning workforce members inconsistently can undermine the integrity of a regulated entity’s compliance program.

    In 2017 and 2018, OCR resolved two investigations with regulated entities that potentially violated the HIPAA Rules’ sanction requirements. In the first case, OCR found evidence that the regulated entity potentially “impermissibly disclosed the patient’s PHI through press releases issued to fifteen media outlets and/or reporters,” and senior leaders disclosed the patient’s PHI to advocacy groups and in a published statement on their website. OCR also found evidence that the regulated entity potentially “failed to document timely the sanctions imposed against members of its workforce who failed to comply with its privacy policies and procedures or the Privacy Rule.” In the second case, OCR found evidence of a potential violation of the sanction requirements when a workforce member allegedly disclosed PHI to a reporter, and then the regulated entity allegedly “failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule.”

    Conclusion

    Sanction policies offer a great opportunity for regulated entities to establish and communicate compliance obligations and expectations to their workforce members. The deterrent effect of penalizing noncompliance and misconduct paired with clear communications about the consequences of noncompliance can promote greater compliance with the HIPAA Rules through accountability, understanding, and transparency. At a time when the need for constant vigilance to protect ePHI is at an all-time high due to hacking and other threats to the privacy and security of health information, regulated entities should make sure that their policies and practices include sanction policies that hold all workforce members accountable for noncompliance with the HIPAA Rules.

    Reference

    HIPAA News Releases & Bulletins


  • 11 Sep 2023 10:17 AM | Zachary Edgar (Administrator)

    LA Care, the largest publicly operated health plan in the country, paid $1,300,000 to settle

    Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with LA Care, the nation's largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules that set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of protected health information (PHI). The settlement concludes two OCR investigations initiated from a large breach report and a media article regarding a separate security incident. Under the agreement, LA Care agreed to pay $1,300,000 and to implement a corrective action plan, discussed in further detail below, which identifies steps LA Care will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic protected health information (ePHI).

    “Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

    The potential violations in this case included:

    • Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization,
    • Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level,
    • Failure to implement sufficient procedures to regularly review records of information system activity,
    • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI, and
    • Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

    OCR’s investigation found evidence of potential noncompliance with the HIPAA Privacy and Security Rules across LA Care’s organization, a serious concern given the size of this covered entity. In addition to the monetary settlement, LA Care has agreed to take the following steps under a comprehensive corrective action plan that will be monitored for three years by OCR to ensure compliance with HIPAA:

    • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
    • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
    • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.
    • Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control.
    • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Rules.

    Reference

    HIPAA News Releases & Bulletins

  • 24 Aug 2023 10:14 AM | Zachary Edgar (Administrator)

    Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a settlement with UnitedHealthcare Insurance Company (“UHIC”), a health insurer that provides insurance coverage to millions of individuals across the U.S., concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 45th Right of Access case to be resolved via voluntary settlement. UHIC agreed to implement a corrective action plan and pay $80,000 to resolve this investigation.

    “Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement,” said OCR Director Melanie Fontes Rainer. “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”

    In March 2021, OCR received a complaint alleging that UHIC did not respond to an individual’s request for a copy of their medical record. The individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation. This was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. OCR's investigation determined that UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.

    Reference

    HIPAA News Releases & Bulletins


  • 20 Jul 2023 10:12 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) are cautioning hospitals and telehealth providers about the privacy and security risks related to the use of online tracking technologies that may be integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Tracking technologies are used to collect and analyze information about how users interact with websites or mobile apps. Generally, tracking technologies developed by third parties send information directly to the third parties who developed such technologies and may continue to track users and gather information about them even after they navigate away from the original website to other websites. 

    OCR administers and enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules which set minimum privacy and security standards for the protection of certain individually identifiable health information. FTC’s mission is protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education. 

    “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

    “When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

    The two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities. These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app.

    OCR highlighted these concerns in a bulletin it issued late last year that reminded entities covered by HIPAA of their responsibilities to protect health data from unauthorized disclosure under the law.  Since that time, OCR has confirmed its active investigations nationwide to ensure compliance with HIPAA.

    Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information—even when a third party developed their website or mobile app. Through its recent enforcement actions against BetterHelp, GoodRx, and Premom, as well as recent guidance from the FTC’s Office of Technology, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

    Reference

    HIPAA News Releases & Bulletins


  • 28 Jun 2023 8:49 AM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules with iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers. The settlement involved a data breach, where a network server containing the protected health information of 267 individuals was left unsecured on the internet. The HIPAA Privacy, Security, and Breach Notification Rules set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

    “HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

    In August 2017, OCR initiated an investigation of iHealth Solutions following the receipt of a breach report stating that iHealth Solutions had experienced an unauthorized transfer of protected health information, known as exfiltration, from its unsecured server. The protected health information included patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures, and medical histories. In addition to the impermissible disclosure of protected health information, OCR’s investigation found evidence of the potential failure by iHealth Solutions to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization.

    iHealth Solutions has paid $75,000 to OCR and agreed to implement a corrective action plan, which identifies steps iHealth Solutions will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information. Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:

    • Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
    • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
    • Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
    • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.

    The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ihealth-ra-cap/index.html

    OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.

    Reference

    HIPAA News Releases & Bulletins


  • 15 Jun 2023 8:48 AM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Yakima Valley Memorial Hospital, a not-for-profit community hospital located in Yakima, Washington, resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OCR investigated allegations that several security guards from Yakima Valley Memorial Hospital impermissibly accessed the medical records of 419 individuals. HIPAA is a federal law that protects the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care organizations and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. To voluntarily resolve this matter, Yakima Valley Memorial Hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its workforce members to prevent this type of snooping behavior in the future.

    “Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

    In May 2018, OCR initiated an investigation of Yakima Valley Memorial Hospital following the receipt of a breach notification report, stating that 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in Yakima Valley Memorial Hospital’s electronic medical record system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information.

    As a result of the settlement agreement, Yakima Valley Memorial Hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Yakima Valley Memorial Hospital has agreed to take the following steps to bring their organization into compliance with the HIPAA Rules:

    • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
    • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
    • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
    • Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures;
    • Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

    The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/yakima-ra-cap/index.html

    OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information. If you believe that you or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.

    Reference

    HIPAA News Releases & Bulletins


  • 5 Jun 2023 12:19 PM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announces a settlement with Manasa Health Center, LLC, a health care provider in New Jersey that provides adult and child psychiatric services. The settlement resolves a complaint received by OCR in April 2020, alleging that Manasa Health Center impermissibly disclosed the protected health information of a patient when the entity posted a response to the patient’s negative online review. Following an OCR investigation, potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule include impermissible disclosures of patient protected health information in response to negative online reviews, and failure to implement policies and procedures with respect to protected health information. Manasa Health Center paid $30,000 to OCR and agreed to implement a corrective action plan to resolve these potential violations.  

    “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

    OCR opened an investigation in response to a complaint by a patient alleging that Manasa Health Center posted a response to the patient’s negative online review that included specific information regarding the individual’s diagnosis and treatment of their mental health condition. In addition to the patient who filed the complaint, OCR’s investigation found that Manasa Health Center impermissibly disclosed the protected health information of three other patients in response to their negative online reviews. OCR’s investigation also found that Manasa Health Center failed to implement HIPAA Privacy policies and procedures.

    In addition to the monetary settlement, Manasa Health Center will undertake a corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule. The corrective action plan includes the following steps:

    • Develop, maintain, and revise its written policies and procedures to comply with the HIPAA Privacy Rule,
    • Train all members of Manasa Health Center’s workforce, including owners and managers, on the organization’s policies and procedures to comply with the HIPAA Privacy and Security Rules,
    • Within 30 calendar days of the agreement, Manasa Health Center shall issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without a valid authorization, and
    • Within 30 calendar days of the agreement, Manasa Health Center shall submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization.

    The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/manasa-ra-cap/index.html

    Reference

    HIPAA News Releases & Bulletins


  • 16 May 2023 12:17 PM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with MedEvolve, Inc., a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered health care entities. The settlement concludes OCR’s investigation of a data breach, where a server containing the protected health information of 230,572 individuals was left unsecured and accessible on the internet. HIPAA is the federal law that required the establishment of national standards to protect the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care breaches and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

    The potential HIPAA violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor. The HIPAA Rules require that covered entities and business associates (a person or entity that has access to protected health information as part of their relationship with a covered entity) enter into contracts – or business associate agreements – that generally document the permissible uses and disclosures of protected health information, that appropriate safeguards will be implemented, and that the covered entity will be notified of any breaches. MedEvolve has paid a $350,000 monetary settlement to OCR and agreed to implement a corrective action plan which identifies steps MedEvolve will take to resolve these potential violations and protect the security of electronic patient health information.

    “Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

    In July 2018, OCR initiated an investigation of MedEvolve following the receipt of a breach notification report stating that an FTP server containing electronic protected health information was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor's office account numbers, and in some cases Social Security numbers. OCR investigates every report we receive of breaches of unsecured protected health information affecting 500 or more people. Hacking/IT incidents was the most frequent (79%) type of large breach that was reported to OCR in 2022. Network servers are the largest category by location for breaches involving 500 or more individuals. It is critical that HIPAA covered entities and their business associates improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors.  

    As a result of the settlement agreement, MedEvolve will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule.  MedEvolve has agreed to take the following steps:

    • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization;
    • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
    • Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules;
    • Augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information; and
    • Report to HHS within sixty (60) days when workforce members fail to comply with MedEvolve’s written policies and procedures to comply with the HIPAA Privacy and Security Rules.

    The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/medevolve-ra-cap/index.html.

    Reference

    HIPAA News Releases & Bulletins

