<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;DkECRHwyfSp7ImA9WhBaEk8.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934</id><updated>2013-05-22T05:11:05.295-07:00</updated><category term="Consulting" /><category term="Breach Notification" /><category term="HIPAA Consulting" /><category term="Privacy Consulting" /><category term="Security Consulting" /><category term="Security" /><category term="HITECH HIPAA Security" /><category term="AHIMA Sequestering" /><title>HIPAA Security and Privacy Advisors, LLC</title><subtitle type="html">Healthcare Advisors and Consultants with Integrity</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://www.hipaasecurityandprivacy.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><generator version="7.00" 
uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>265</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/HipaaSecurityAndPrivacy" /><feedburner:info uri="hipaasecurityandprivacy" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>HipaaSecurityAndPrivacy</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry gd:etag="W/&quot;DkMNRHw8eCp7ImA9WhBaEk8.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-7198906580321016239</id><published>2013-05-22T09:30:00.000-07:00</published><updated>2013-05-22T05:08:15.270-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-05-22T05:08:15.270-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security Consulting" /><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Privacy Consulting" /><category scheme="http://www.blogger.com/atom/ns#" term="Consulting" /><category scheme="http://www.blogger.com/atom/ns#" term="HIPAA Consulting" /><title>HIPAA Security and Privacy Advisors, LLC</title><content type="html">&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;a href="http://1.bp.blogspot.com/-X4SpxMsAufI/UPgIb63hoVI/AAAAAAAAABs/dYP6wseqxrs/s1600/HSPA2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://1.bp.blogspot.com/-X4SpxMsAufI/UPgIb63hoVI/AAAAAAAAABs/dYP6wseqxrs/s200/HSPA2.jpg" width="134" /&gt;&lt;/a&gt;&lt;span style="background-color: white; font-family: Arial, Helvetica, sans-serif; line-height: 20px;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="background-color: white; font-family: Arial, Helvetica, sans-serif; line-height: 20px;"&gt;HIPAA Security and Privacy Advisors (HSP Advisors) is a specialized Healthcare Privacy and Security consulting firm dedicated to serving the needs of the healthcare industry. &amp;nbsp;Started by Bill Miaoulis, HSP Advisors brings over 19 years of experience in Healthcare Security and Privacy. &amp;nbsp;We provide the most cost-effective methodologies and experience&amp;nbsp;in completing&amp;nbsp; Mock HIPAA Security and Privacy Audits, Risk Analysis to meet meaningful use, Policy and Procedure Development, Security Staff Augmentation, Security and Privacy Training, Project Management and Disaster Recovery Planning. &amp;nbsp;We would welcome the opportunity to work with you.&amp;nbsp;&lt;/span&gt;&lt;span style="background-color: white; font-family: Arial, Helvetica, sans-serif; line-height: 20px;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style="font-family: Arial;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div style="text-align: center;"&gt;
&lt;span style="font-family: Arial;"&gt;*************&lt;/span&gt;&lt;/div&gt;
&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;Check this page often for the latest Healthcare Security and Privacy related articles.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;The m&lt;/span&gt;&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;odifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules are now available (see article below) and will be officially published on January 25th.&amp;nbsp; Download your copy now.&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Arial;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: Arial, Helvetica, sans-serif;"&gt;One of the current articles shows&amp;nbsp; the continued&amp;nbsp;involvement of&amp;nbsp;the Attorney General of&amp;nbsp;the&amp;nbsp;Commonwealth of Massachusetts with health care practices and their business associates.&amp;nbsp;&amp;nbsp;All organizations should have a process in place to ensure that they and their business associates have the appropriate controls in place.&amp;nbsp; If you need help in developing a process to manage your business associates, contact us today.&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/-k8V2Nrnb7I" height="1" width="1"/&gt;</content><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7198906580321016239?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7198906580321016239?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/-k8V2Nrnb7I/hipaa-security-and-privacy-advisors-llc.html" title="HIPAA Security and Privacy Advisors, LLC" /><author><name>William Miaoulis</name><uri>http://www.blogger.com/profile/01536584903065121370</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-X4SpxMsAufI/UPgIb63hoVI/AAAAAAAAABs/dYP6wseqxrs/s72-c/HSPA2.jpg" height="72" width="72" /><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/01/hipaa-security-and-privacy-advisors-llc.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DkMFRXo6cSp7ImA9WhBaEk8.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-2016380471113293373</id><published>2013-05-22T05:06:00.002-07:00</published><updated>2013-05-22T05:06:54.419-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-05-22T05:06:54.419-07:00</app:edited><title>Idaho State University (ISU) has agreed to pay $400,000</title><content type="html">&lt;span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-size-adjust: none; font-stretch: normal; font: 13px/normal arial, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.&amp;nbsp; This settlement involves the breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic.&lt;/span&gt;&lt;br /&gt;
&lt;span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-size-adjust: none; font-stretch: normal; font: 13px/normal arial, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-size-adjust: none; font-stretch: normal; font: 13px/normal arial, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;&lt;div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-size-adjust: none; font-stretch: normal; font: 13px/normal arial, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;
The Office for Civil Rights (OCR) opened its investigation after ISU notified HHS that the ePHI of approximately 17,500 individuals was accessible at its Pocatello Family Medicine Clinic because an ISU server firewall was disabled.&amp;nbsp; OCR investigators found that ISU did not apply proper security measures and policies to address risks to ePHI and did not have in place procedures for routine review of information system activity which could have detected the breach in the firewall much sooner. Overall, ISU failed to ensure the uniform implementation of required Security Rule protections at each of its covered clinics.&amp;nbsp;&lt;u&gt;&lt;/u&gt;&lt;u&gt;&lt;/u&gt;&lt;/div&gt;
&lt;div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-size-adjust: none; font-stretch: normal; font: 13px/normal arial, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;
&lt;u&gt;&lt;/u&gt;&amp;nbsp;&lt;u&gt;&lt;/u&gt;&lt;/div&gt;
&lt;div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-size-adjust: none; font-stretch: normal; font: 13px/normal arial, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;
The Press Release can be found on the HHS News page: &lt;a href="http://www.hhs.gov/news/" style="color: #1155cc;" target="_blank"&gt;http://www.hhs.gov/news/&lt;/a&gt;&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;and the Resolution Agreement can be found on the OCR website at&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.html" style="color: #1155cc;" target="_blank"&gt;http://www.hhs.gov/ocr/&lt;wbr&gt;&lt;/wbr&gt;privacy/hipaa/enforcement/&lt;wbr&gt;&lt;/wbr&gt;examples/isu-agreement.html&lt;/a&gt;.&lt;u&gt;&lt;/u&gt;&lt;u&gt;&lt;/u&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-size-adjust: none; font-stretch: normal; font: 13px/normal arial, sans-serif; letter-spacing: normal; margin: 0px; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;
&lt;u&gt;&lt;/u&gt;&amp;nbsp;&lt;/div&gt;
&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/WB5WkxL9Irk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/2016380471113293373/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=2016380471113293373&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/2016380471113293373?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/2016380471113293373?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/WB5WkxL9Irk/idaho-state-university-isu-has-agreed.html" title="Idaho State University (ISU) has agreed to pay $400,000" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/05/idaho-state-university-isu-has-agreed.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUcBRng9eip7ImA9WhBUFEQ.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-1900985387960500849</id><published>2013-05-02T05:17:00.002-07:00</published><updated>2013-05-02T05:17:37.662-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-05-02T05:17:37.662-07:00</app:edited><title>Mobile Security: More Than Encryption (PodCast and Article)</title><content type="html">Get the Podcast and Article Here:&amp;nbsp; &lt;a href="http://www.healthcareinfosecurity.com/interviews/mobile-security-more-than-encryption-i-1908" 
target="_blank"&gt;HealthcareInfo Security&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #b7b7b7; color: #333333; font-size-adjust: none; font-stretch: normal; font: 14px/1.45em Arial, Helvetica, sans-serif; letter-spacing: normal; margin: 0px 0px 18px; padding: 0px; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;
&lt;span style="background-color: #eeeeee; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif;"&gt;HIPAA-compliance consultant Bill Miaoulis outlines a number of critical steps that many healthcare organizations fail to take to ensure the security of data on mobile devices.&lt;/span&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #b7b7b7; color: #333333; font-size-adjust: none; font-stretch: normal; font: 14px/1.45em Arial, Helvetica, sans-serif; letter-spacing: normal; margin: 0px 0px 18px; padding: 0px; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;
&lt;span style="font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif;"&gt;&lt;span style="background-color: #eeeeee;"&gt;Even when healthcare organizations encrypt their&lt;span class="Apple-converted-space"&gt;&amp;nbsp;Mobile &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif;"&gt;&lt;span style="background-color: #eeeeee;"&gt;computing devices, they often neglect other steps that can help prevent data&lt;span class="Apple-converted-space"&gt;&amp;nbsp;breaches&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="background-color: #eeeeee; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif;"&gt;, Miaoulis says.&lt;/span&gt;&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/7ALGyG2g2sA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/1900985387960500849/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=1900985387960500849&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/1900985387960500849?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/1900985387960500849?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/7ALGyG2g2sA/mobile-security-more-than-encryption.html" title="Mobile Security: More Than Encryption (PodCast and Article)" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/05/mobile-security-more-than-encryption.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUUMSXg4eSp7ImA9WhBQEUQ.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-4441243144989287871</id><published>2013-03-12T09:36:00.000-07:00</published><updated>2013-03-13T09:48:08.631-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-03-13T09:48:08.631-07:00</app:edited><title>The Legislation of Privacy: New Laws That Will Change Your Life</title><content type="html">There are more laws and proposed laws&amp;nbsp;that protect Privacy.&amp;nbsp;&amp;nbsp; A good summary can be found at the link below.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.backgroundcheck.org/the-legislation-of-privacy-new-laws-that-will-change-your-life/" target="_blank"&gt;http://www.backgroundcheck.org/the-legislation-of-privacy-new-laws-that-will-change-your-life/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Proposed and Current&amp;nbsp;Laws include:&lt;br /&gt;
&lt;a href="http://www.govtrack.us/congress/bills/112/s3351/text" target="_blank"&gt;Protect Our Health Privacy Act of 2012&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://the%20protecting%20children%20from%20internet%20pornographers%20act%20of%202011/" target="_blank"&gt; The Protecting Children from Internet Pornographers Act of 2011&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.eeoc.gov/laws/statutes/gina.cfm" target="_blank"&gt;Genetic Information Nondiscrimination Act of 2008&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://chaffetz.house.gov/press-release/chaffetz-wyden-introduce-gps-act-bipartisan-legislation-provides-needed-legal-clarity" target="_blank"&gt;The GPS Act&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.kerry.senate.gov/work/issues/issue/?id=74638d00-002c-4f5e-9709-1cb51c6759e6&amp;amp;CFID=90701671&amp;amp;CFTOKEN=23761313" target="_blank"&gt;Commercial Privacy Bill of Rights&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://thehill.com/blogs/hillicon-valley/technology/276925-this-week-in-tech-leahy-to-lay-out-judiciary-agenda" target="_blank"&gt;Electronic Communications Privacy Act&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.coppa.org/" target="_blank"&gt;Children's Online Privacy Protection Act&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://apprights-hankjohnson.house.gov/2013/01/apps-act.shtml" target="_blank"&gt;Application Privacy, Protection, and Security Act of 2013&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.franken.senate.gov/files/documents/121011_LocationPrivacyProtection.pdf" target="_blank"&gt;Location Privacy Protection Act of 2011&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act" target="_blank"&gt;Cyber Intelligence Sharing and Protection Act (CISPA)&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act_of_1978_Amendments_Act_of_2008" target="_blank"&gt;FISA Amendments Act of 2008&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/Video_Privacy_Protection_Act" target="_blank"&gt;Video Privacy Protection Act&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/0XUqMzCcwVE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/4441243144989287871/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=4441243144989287871&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/4441243144989287871?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/4441243144989287871?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/0XUqMzCcwVE/the-legislation-of-privacy-new-laws.html" title="The Legislation of Privacy: New Laws That Will Change Your Life" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/03/the-legislation-of-privacy-new-laws.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkADQHs4fSp7ImA9WhBQEU8.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-537913392538830376</id><published>2013-03-06T13:39:00.000-08:00</published><updated>2013-03-12T13:39:31.535-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-03-12T13:39:31.535-07:00</app:edited><title>HIPAA law possibly violated in UConn/Calhoun case</title><content type="html">&lt;span style="-webkit-text-size-adjust: 
auto; -webkit-text-stroke-width: 0px; background-color: white; color: #082046; display: inline !important; float: none; font-size-adjust: none; font-stretch: normal; font: 14px/normal Ubuntu, Arial, Helvetica, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;By&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span class="name" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #082046; font-size-adjust: none; font-stretch: normal; font: 14px/normal Ubuntu, Arial, Helvetica, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;Dennis&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;em style="font-style: normal; font-weight: bold;"&gt;Dodd&lt;/em&gt;&lt;/span&gt;&lt;span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #082046; display: inline !important; float: none; font-size-adjust: none; font-stretch: normal; font: 14px/normal Ubuntu, Arial, Helvetica, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;| Senior College Football Columnist&lt;/span&gt;&lt;br /&gt;
&lt;span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #082046; display: inline !important; float: none; font-size-adjust: none; font-stretch: normal; font: 14px/normal Ubuntu, Arial, Helvetica, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #444444; font-size-adjust: none; font-stretch: normal; font: 16px/21.59px arial, helvetica, sans-serif; letter-spacing: normal; margin: 0px 0px 0.6em; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;
Officials at a Tampa, Fla., medical facility might have violated federal law protecting patients' privacy rights by speaking to NCAA investigators about a former&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;basketball recruit, two Connecticut&amp;nbsp;health care attorneys told CBSSports.com.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #444444; font-size-adjust: none; font-stretch: normal; font: 16px/21.59px arial, helvetica, sans-serif; letter-spacing: normal; margin: 0px 0px 0.6em; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;
By discussing Nate Miles' foot surgery and payment details, officials at the Tampa Bay Bone and Joint Center violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to the attorneys. The NCAA deemed that Miles' foot surgery in 2008 was an extra benefit paid for by Josh Nochimson, a former UConn student manager and booster who ultimately became an agent. In its public infractions report dated February 2011, the NCAA infractions committee referred to contact being made with “the doctor who performed the procedure on [Miles].”&lt;/div&gt;
READ MORE:&amp;nbsp; &lt;a href="http://www.cbssports.com/collegefootball/blog/dennis-dodd/21792318/federal-law-possibly-violated-in-uconn/calhoun-case" target="_blank"&gt;http://www.cbssports.com/collegefootball/blog/dennis-dodd/21792318/federal-law-possibly-violated-in-uconn/calhoun-case&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #444444; display: inline !important; float: none; font-size-adjust: none; font-stretch: normal; font: 16px/21.59px arial, helvetica, sans-serif; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"&gt;“It [violation] would be mainly on the side of the doctors and the surgery center for sure,” Jensen said. “I don't see liability for the NCAA.”&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/PZAz3KuVmB4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/537913392538830376/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=537913392538830376&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/537913392538830376?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/537913392538830376?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/PZAz3KuVmB4/hipaa-law-possibly-violated-in.html" title="HIPAA law possibly violated in UConn/Calhoun case" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/03/hipaa-law-possibly-violated-in.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CEMMQXs7eSp7ImA9WhNaF04.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-2126704358398531129</id><published>2013-02-01T07:28:00.000-08:00</published><updated>2013-02-01T07:28:00.501-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-02-01T07:28:00.501-08:00</app:edited><title>SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS</title><content type="html">FROM OCR:&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS&lt;/strong&gt;&lt;br /&gt;(Published January 25, 2013)&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;Introduction&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.&amp;nbsp; A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.&amp;nbsp; The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.&amp;nbsp; The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.&amp;nbsp; A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.&amp;nbsp; A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;A written contract between a covered entity and a business associate must: (1) establish the permitted and required uses and disclosures of protected health information by the business associate; (2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; (3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information; (4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information; (5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings; (6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation; (7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule; (8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the 
business associate on behalf of, the covered entity; (9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and (10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.&amp;nbsp; Contracts between business associates and business associates that are subcontractors are subject to these same requirements.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;This document includes sample business associate agreement provisions to help covered entities and business associates more easily comply with the business associate contract requirements.&amp;nbsp; While these sample provisions are written for the purposes of the contract between a covered entity and its business associate, the language may be adapted for purposes of the contract between a business associate and subcontractor.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;This is only sample language and use of these sample provisions is not required for compliance with the HIPAA Rules.&amp;nbsp; The language may be changed to more accurately reflect business arrangements between a covered entity and business associate or business associate and subcontractor.&amp;nbsp; In addition, these or similar provisions may be incorporated into an agreement for the provision of services between a covered entity and business associate or business associate and subcontractor, or they may be incorporated into a separate business associate agreement. These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract. &amp;nbsp;Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.&lt;/div&gt;
&lt;div align="center" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;&lt;u&gt;Sample Business Associate Agreement Provisions&lt;/u&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;Definitions&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;u&gt;Catch-all definition&lt;/u&gt;:&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;u&gt;Specific definitions&lt;/u&gt;:&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(a)&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Business Associate&lt;/u&gt;. &amp;nbsp;“Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean [Insert Name of Business Associate].&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(b)&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Covered Entity&lt;/u&gt;. &amp;nbsp;“Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean [Insert Name of Covered Entity].&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(c)&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;HIPAA Rules&lt;/u&gt;.&amp;nbsp; “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;Obligations and Activities of Business Associate&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Business Associate agrees to:&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(c) Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[The parties may wish to add additional specificity regarding the breach notification obligations of the business associate, such as a stricter timeframe for the business associate to report a potential breach to the covered entity than the limit in 45 CFR 164.410(b) (without unreasonable delay and no later than 60 calendar days after discovery), and/or whether the business associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of the covered entity.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(e) Make available protected health information in a designated record set to the [Choose either “covered entity” or “individual or the individual’s designee”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.524;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[The parties may wish to add additional specificity regarding how the business associate will respond to a request for access that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to provide the requested access or whether the business associate will forward the individual’s request to the covered entity to fulfill) and the timeframe for the business associate to provide the information to the covered entity.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[The parties may wish to add additional specificity regarding how the business associate will respond to a request for amendment that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to act on the request for amendment or whether the business associate will forward the individual’s request to the covered entity) and the timeframe for the business associate to incorporate any amendments to the information in the designated record set.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(g) Maintain and make available the information required to provide an accounting of disclosures to the [Choose either “covered entity” or “individual”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[The parties may wish to add additional specificity regarding how the business associate will respond to a request for an accounting of disclosures that the business associate receives directly from the individual (such as whether and in what time and manner the business associate is to provide the accounting of disclosures to the individual or whether the business associate will forward the request to the covered entity) and the timeframe for the business associate to provide information to the covered entity.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(h)&amp;nbsp; To the extent the business associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&lt;strong&gt;Permitted Uses and Disclosures by Business Associate&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(a) Business associate may only use or disclose protected health information&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[Option 1 – Provide a specific list of permissible purposes.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[Option 2 – Reference an underlying service agreement, such as “as necessary to perform the services set forth in Service Agreement.”]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[In addition to other permissible purposes, the parties should specify whether the business associate is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c).&amp;nbsp; The parties also may wish to specify the manner in which the business associate will de-identify the information and the permitted uses and disclosures by the business associate of the de-identified information.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(b) Business associate may use or disclose protected health information as required by law.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(c) Business associate agrees to make uses and disclosures and requests for protected health information&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[Option 1] consistent with covered entity’s minimum necessary policies and procedures.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[Option 2] subject to the following minimum necessary requirements: [Include specific minimum necessary provisions that are consistent with the covered entity’s minimum necessary policies and procedures.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(d) Business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by covered entity [if the Agreement permits the business associate to use or disclose protected health information for its own management and administration and legal responsibilities or for data aggregation services as set forth in optional provisions (e), (f), or (g) below, then add “, except for the specific uses and disclosures set forth below.”]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(e) [Optional] Business associate may use protected health information for the proper management and administration of the business associate or to carry out the legal responsibilities of the business associate.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(f) [Optional] Business associate may disclose protected health information for the proper management and administration of business associate or to carry out the legal responsibilities of the business associate, provided the disclosures are required by law, or business associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies business associate of any instances of which it is aware in which the confidentiality of the information has been breached.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(g) [Optional] Business associate may provide data aggregation services relating to the health care operations of the covered entity.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(a) [Optional] Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(b) [Optional] Covered entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate’s use or disclosure of protected health information.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(c) [Optional] Covered entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate’s use or disclosure of protected health information.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;Permissible Requests by Covered Entity&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;[Optional] Covered entity shall not request business associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by covered entity. [Include an exception if the business associate will use or disclose protected health information for, and the agreement includes provisions for, data aggregation or management and administration and legal responsibilities of the business associate.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;Term and Termination&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(a)&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Term&lt;/u&gt;. The Term of this Agreement shall be effective as of [Insert effective date], and shall terminate on [Insert termination date or event] or on the date covered entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(b)&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Termination for Cause&lt;/u&gt;. Business associate authorizes termination of this Agreement by covered entity, if covered entity determines business associate has violated a material term of the Agreement [and business associate has not cured the breach or ended the violation within the time specified by covered entity].&amp;nbsp; [Bracketed language may be added if the covered entity wishes to provide the business associate with an opportunity to cure a violation or breach of the contract before termination for cause.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(c)&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Obligations of Business Associate Upon Termination&lt;/u&gt;.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[Option 1 – if the business associate is to return or destroy all protected health information upon termination of the agreement]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Upon termination of this Agreement for any reason, business associate shall return to covered entity [or, if agreed to by covered entity, destroy] all protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, that the business associate still maintains in any form. &amp;nbsp;Business associate shall retain no copies of the protected health information.&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[Option 2—if the agreement authorizes the business associate to use or disclose protected health information for its own management and administration or to carry out its legal responsibilities and the business associate needs to retain protected health information for such purposes after termination of the agreement] &amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Upon termination of this Agreement for any reason, business associate, with respect to protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, shall:&lt;/div&gt;
&lt;ol style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;" type=""&gt;
&lt;li style="list-style: none;"&gt;&lt;ol type=""&gt;
&lt;li&gt;Retain only that protected health information which is necessary for business associate to continue its proper management and administration or to carry out its legal responsibilities;&lt;/li&gt;
&lt;li&gt;Return to covered entity [or, if agreed to by covered entity, destroy] the remaining protected health information that the business associate still maintains in any form;&lt;/li&gt;
&lt;li&gt;Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as business associate retains the protected health information;&lt;/li&gt;
&lt;li&gt;Not use or disclose the protected health information retained by business associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at [Insert section number related to paragraphs (e) and (f) above under “Permitted Uses and Disclosures By Business Associate”] which applied prior to termination; and&lt;/li&gt;
&lt;li&gt;Return to covered entity [or, if agreed to by covered entity, destroy] the protected health information retained by business associate when it is no longer needed by business associate for its proper management and administration or to carry out its legal responsibilities.&lt;/li&gt;
&lt;/ol&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
[The agreement also could provide that the business associate will transmit the protected health information to another business associate of the covered entity at termination, and/or could add terms regarding a business associate’s obligations to obtain or ensure the destruction of protected health information created, received, or maintained by subcontractors.]&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(d)&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Survival&lt;/u&gt;.&amp;nbsp; The obligations of business associate under this Section shall survive the termination of this Agreement.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong&gt;Miscellaneous [Optional]&lt;/strong&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(a) [Optional]&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Regulatory References&lt;/u&gt;. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(b) [Optional]&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Amendment&lt;/u&gt;. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 20px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
(c) [Optional]&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;u&gt;Interpretation&lt;/u&gt;. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 13px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin-left: 5px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&lt;/div&gt;
&lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html" target="_blank"&gt;http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/FfwKifBWZgQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/2126704358398531129/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=2126704358398531129&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/2126704358398531129?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/2126704358398531129?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/FfwKifBWZgQ/sample-business-associate-agreement.html" title="SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/02/sample-business-associate-agreement.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0YNRXozfCp7ImA9WhNbGUo.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-3756868423650122003</id><published>2013-01-23T11:59:00.001-08:00</published><updated>2013-01-23T11:59:54.484-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-01-23T11:59:54.484-08:00</app:edited><title>Wayne Memorial informing patients CD with records 
lost</title><content type="html">&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
A compact disc including information on Medicare patients at Wayne Memorial Hospital disappeared recently en route to its intended recipient. An administrator at Wayne Memorial in Honesdale on Nov. 28 sent the unencrypted disc and related paperwork by certified mail to the Pittsburgh office of Novitas Solutions Inc., a Camp Hill-based Medicare administrative contractor, the hospital reported.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Although it was mailed in a legal envelope, Wayne Memorial officials say it arrived at Novitas' Pittsburgh offices in a cardboard box without the disc. They were notified Dec. 3 that the disc was missing.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Hospital officials suspect the original package was damaged at a postal facility, the disc was lost and the paperwork was inserted into another package, which was delivered to Novitas.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The disc contained the names of 1,182 people who had been Medicare patients at the Honesdale hospital between 2007 and 2012 and have account balances outstanding, hospital spokeswoman Lisa Champeau said. Most of the patients' Medicare account numbers were included on the disc, she said.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 14px/normal &amp;quot;Times New Roman&amp;quot;, Times, serif; letter-spacing: normal; margin-top: 0px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;a href="http://thetimes-tribune.com/news/business/wayne-memorial-informing-patients-cd-with-records-lost-1.1433367" target="_blank"&gt;http://thetimes-tribune.com/news/business/wayne-memorial-informing-patients-cd-with-records-lost-1.1433367&lt;/a&gt;&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/nsQfGYzj8D8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/3756868423650122003/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=3756868423650122003&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/3756868423650122003?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/3756868423650122003?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/nsQfGYzj8D8/wayne-memorial-informing-patients-cd.html" title="Wayne Memorial informing patients CD with records lost" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/01/wayne-memorial-informing-patients-cd.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4ARnc4eSp7ImA9WhNbF0U.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-3808683810960229747</id><published>2013-01-18T04:00:00.000-08:00</published><updated>2013-01-21T08:15:47.931-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-01-21T08:15:47.931-08:00</app:edited><title>HIPAA Omnibus Bill - PDF Format Available</title><content type="html">&lt;h1 style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; border: 0px currentColor; color: #363636; font-family: apertura-condensed-1, apertura-condensed-2, 
&amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, &amp;quot;Lucida Grande&amp;quot;, sans-serif; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; line-height: 1.6; margin: 0px 0px 5px; orphans: 2; padding: 0px; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;span style="font-size: small;"&gt;Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules coming March 25th.&lt;/span&gt;&lt;/h1&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; border: 0px currentColor; color: #363636; font-family: apertura-condensed-1, apertura-condensed-2, &amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, &amp;quot;Lucida Grande&amp;quot;, sans-serif; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; line-height: 1.6; margin: 0px 0px 5px; orphans: 2; padding: 0px; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;a href="http://www.hhs.gov/news/press/2013pres/01/20130117b.html" target="_blank"&gt;PRESS RELEASE LINK&lt;/a&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; border: 0px currentColor; color: #363636; font-family: apertura-condensed-1, apertura-condensed-2, &amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, &amp;quot;Lucida Grande&amp;quot;, sans-serif; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; line-height: 1.6; margin: 0px 0px 5px; orphans: 2; padding: 0px; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; border: 0px currentColor; color: #363636; font-family: apertura-condensed-1, apertura-condensed-2, &amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, &amp;quot;Lucida Grande&amp;quot;, sans-serif; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; line-height: 1.6; margin: 0px 0px 5px; orphans: 2; padding: 0px; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Download the PDF here: &lt;a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf"&gt;https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf&lt;/a&gt;&lt;br /&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; border: 0px currentColor; color: #363636; font-family: apertura-condensed-1, apertura-condensed-2, &amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, &amp;quot;Lucida Grande&amp;quot;, sans-serif; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; line-height: 1.6; margin: 0px 0px 5px; orphans: 2; padding: 0px; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
This document is scheduled to be published in the&lt;br /&gt;
Federal Register on 01/25/2013 and available online at&lt;br /&gt;
&lt;a href="http://federalregister.gov/a/2013-01073"&gt;http://federalregister.gov/a/2013-01073&lt;/a&gt;, and on FDsys.gov&lt;br /&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; border: 0px currentColor; color: #363636; font-family: apertura-condensed-1, apertura-condensed-2, &amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, &amp;quot;Lucida Grande&amp;quot;, sans-serif; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; line-height: 1.6; margin: 0px 0px 5px; orphans: 2; padding: 0px; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;h1 align="center" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; font-size: 19px; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
News Release&lt;/h1&gt;
&lt;table border="0" cellpadding="4" cellspacing="0" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;" summary="This table is for formatting only"&gt;&lt;tbody style="margin: 0px; padding: 0px;"&gt;
&lt;tr style="margin: 0px; padding: 0px;"&gt;&lt;td align="left" style="margin: 0px; padding: 0px;" valign="top" width="50%"&gt;&lt;div style="margin: 0.5em 0px; padding: 0px;"&gt;
FOR IMMEDIATE RELEASE&lt;br /&gt;
January 17, 2013&lt;/div&gt;
&lt;/td&gt;&lt;td align="right" style="margin: 0px; padding: 0px;" valign="top" width="50%"&gt;&lt;div style="margin: 0.5em 0px; padding: 0px;"&gt;
Contact: HHS Press Office &lt;br /&gt;
202-690-6343&lt;/div&gt;
&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;h3 style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
New rule protects patient privacy, secures health information&lt;/h3&gt;
&lt;div align="center" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;em style="margin: 0px; padding: 0px;"&gt;Enhanced standards improve privacy protections and security safeguards for consumer health data&amp;nbsp;&lt;/em&gt;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius.&amp;nbsp; “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The changes in the final rulemaking provide the public with increased protection and control of personal health information.&amp;nbsp; The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.&amp;nbsp; The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Individual rights are expanded in important ways.&amp;nbsp; Patients can ask for a copy of their electronic medical record in an electronic form.&amp;nbsp;&amp;nbsp; When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.&amp;nbsp; The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&amp;nbsp;“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez.&amp;nbsp;&amp;nbsp; “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.&amp;nbsp; The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The Rulemaking announced today may be viewed in the Federal Register at&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="https://www.federalregister.gov/public-inspection" style="color: purple; margin: 0px; padding: 0px;"&gt;https://www.federalregister.gov/public-inspection&lt;/a&gt;.&amp;nbsp;&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/normal Verdana, Arial, sans-serif, &amp;quot;Trebuchet MS&amp;quot;, Tahoma; letter-spacing: normal; margin: 0.5em 0px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Sign up to OCR’s listserv and stay informed at&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="https://list.nih.gov/cgi-bin/wa.exe?A0=OCR-PRIVACY-LIST" style="color: purple; margin: 0px; padding: 0px;"&gt;OCR-PRIVACY-LIST&lt;/a&gt;&amp;nbsp;&lt;/div&gt;
https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/6zx8sVTSESo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/3808683810960229747/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=3808683810960229747&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/3808683810960229747?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/3808683810960229747?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/6zx8sVTSESo/ominibus-bill-pdf-format-available.html" title="HIPAA Omnibus Bill - PDF Format Available" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/01/ominibus-bill-pdf-format-available.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUcGRnkyeSp7ImA9WhNbFU4.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-1353448346052932345</id><published>2013-01-16T11:19:00.000-08:00</published><updated>2013-01-18T11:23:47.791-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-01-18T11:23:47.791-08:00</app:edited><title>HHS issues letter to providers on disclosures to avert threats to health or safety </title><content type="html">&lt;a href="http://www.hhs.gov/ocr/office/lettertonationhcp.pdf" target="_blank"&gt;http://www.hhs.gov/ocr/office/lettertonationhcp.pdf&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Message to Our Nation’s Health Care Providers:&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;In light of recent tragic and horrific events in our nation, including the mass shootings in &lt;br /&gt;Newtown, CT, and Aurora, CO, I wanted to take this opportunity to ensure that you are aware &lt;br /&gt;that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not &lt;br /&gt;prevent your ability to disclose necessary information about a patient to law enforcement, family &lt;br /&gt;members of the patient, or other persons, when you believe the patient presents a serious danger &lt;br /&gt;to himself or other people.&amp;nbsp;&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;The HIPAA Privacy Rule protects the privacy of patients’ health information but is balanced to &lt;br /&gt;ensure that appropriate uses and disclosures of the information still may be made when necessary &lt;br /&gt;to treat a patient, to protect the nation’s public health, and for other critical purposes, such as &lt;br /&gt;when a provider seeks to warn or report that persons may be at risk of harm because of a patient.&amp;nbsp; &lt;br /&gt;When a health care provider believes in good faith that such a warning is necessary to prevent or &lt;br /&gt;lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy &lt;br /&gt;Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert &lt;br /&gt;those persons whom the provider believes are reasonably able to prevent or lessen the threat.&amp;nbsp; &lt;br /&gt;Further, the provider is presumed to have had a good faith belief when his or her belief is based &lt;br /&gt;upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the &lt;br /&gt;patient) or in reliance on a credible representation by a person with apparent knowledge or &lt;br /&gt;authority (i.e., based on a credible report from a family member of the patient or other person).&amp;nbsp; &lt;br /&gt;These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j). &lt;br /&gt;
Under these provisions, a health care provider may disclose patient information, including &lt;br /&gt;information from mental health records, if necessary, to law enforcement, family members of the &lt;br /&gt;patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm.&amp;nbsp; &lt;br /&gt;For example, if a mental health professional has a patient who has made a credible threat to &lt;br /&gt;inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental &lt;br /&gt;health professional to alert the police, a parent or other family member, school administrators or &lt;br /&gt;campus police, and others who may be able to intervene to avert harm from the threat.&amp;nbsp;&amp;nbsp; &lt;br /&gt;
In addition to professional ethical standards, most states have laws and/or court decisions which &lt;br /&gt;address, and in many instances require, disclosure of patient information to prevent or lessen the &lt;br /&gt;risk of harm.&amp;nbsp; Providers should consult the laws applicable to their profession in the states where &lt;br /&gt;they practice, as well as 42 CFR Part 2 under federal law (governing the disclosure of substance &lt;br /&gt;abuse treatment records) to understand their duties and authority in situations where they have &lt;br /&gt;information indicating a threat to public safety. &lt;br /&gt;
We at the Office for Civil Rights understand that health care providers may at times have &lt;br /&gt;information about a patient that indicates a serious and imminent threat to health or safety.&amp;nbsp; At &lt;br /&gt;those times, providers play an important role in protecting the safety of their patients and the &lt;br /&gt;broader community.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
I hope this letter is helpful in making clear that the HIPAA Privacy Rule &lt;br /&gt;does not prevent providers from sharing this information to fulfill their legal and ethical duties to &lt;br /&gt;warn or as otherwise necessary to prevent or lessen the risk of harm, consistent with applicable &lt;br /&gt;law and ethical standards.&lt;br /&gt;
&lt;br /&gt;
THE LETTER WAS SIGNED BY: Leon Rodriguez&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/26C4fZn5RTI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/1353448346052932345/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=1353448346052932345&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/1353448346052932345?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/1353448346052932345?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/26C4fZn5RTI/hhs-issues-letter-to-providers-on.html" title="HHS issues letter to providers on disclosures to avert threats to health or safety " /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/01/hhs-issues-letter-to-providers-on.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEcFQXo9eSp7ImA9WhNbEkg.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-7071931133431157505</id><published>2013-01-10T05:14:00.000-08:00</published><updated>2013-01-15T05:20:10.461-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-01-15T05:20:10.461-08:00</app:edited><title>Medical Billing and Pathology Groups Fined $140,000</title><content type="html">&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; 
font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;strong style="border: 0px currentColor; font-family: inherit; font-size-adjust: inherit; font-size: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: bold; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"&gt;BOSTON&lt;/strong&gt;&lt;span class="Apple-converted-space"&gt; &lt;/span&gt;– Former owners of a Marblehead-based medical billing practice and four pathology groups have agreed to collectively pay&lt;strong&gt; $140,000&lt;/strong&gt;, settling allegations that sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly &lt;strong&gt;disposed of at a public dump&lt;/strong&gt;, Attorney General Martha Coakley announced today.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The complaint, filed in Suffolk Superior Court along with consent judgments that were approved today, alleges that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated state data security laws when they mishandled and improperly disposed of medical records containing personal information and protected health information from four Massachusetts pathology groups at the Georgetown Transfer Station. The medical records contained information for more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed when they were dumped. &lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
“Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors,” AG Coakley said. “We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.”&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
This matter came to the public’s attention in July 2010 when a Boston Globe photographer was disposing of his own trash at the Georgetown Transfer Station and observed a large mound of paper which, upon closer inspection, he determined were medical records. His discovery was first reported in the Globe shortly thereafter.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The other defendants involved in this settlement are Dr. Kevin Dole, former President of Chestnut Pathology Services, P.C.; Milford Pathology Associates, P.C.; Milton Pathology Associates, P.C.; and Pioneer Valley Pathology Associates, P.C.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The AG’s Office alleges that these pathology groups violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates, and violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
According to the complaint, the Gagnons ran Goldthwait Associates – which primarily provided medical billing services for pathology groups – and received sensitive medical records and billing information of clients in order to send medical bills on behalf of the groups. The Gagnons retired from Goldthwait Associates and the medical billing business in 2010.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
Each of the four pathology groups and the Gagnons agreed to entry of consent judgments to resolve the AG’s allegations. Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts. &lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
The AG’s Office is focused on ensuring that health care practices and their business associates abide by the state and federal data privacy requirements. Recent efforts include the&lt;span class="Apple-converted-space"&gt; &lt;/span&gt;&lt;a href="http://www.mass.gov/ago/news-and-updates/press-releases/2012/2012-05-24-south-shore-hospital-data-breach-settlement.html" style="border: 0px currentColor; color: #64406b; font-size-adjust: inherit; font-stretch: inherit; font: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"&gt;$750,000 settlement&lt;/a&gt;&lt;span class="Apple-converted-space"&gt; &lt;/span&gt;with South Shore Hospital in May 2012, resolving allegations that it failed to protect the personal and confidential health information of more than 800,000 patients. &lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
AG Coakley is also leading an educational effort in the area of data privacy. A first-of-its-kind&lt;span class="Apple-converted-space"&gt; &lt;/span&gt;&lt;a href="http://www.mass.gov/ago/news-and-updates/press-releases/2012/2012-10-25-physicians-training.html" style="border: 0px currentColor; color: #64406b; font-size-adjust: inherit; font-stretch: inherit; font: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"&gt;data privacy training&lt;/a&gt;&lt;span class="Apple-converted-space"&gt; &lt;/span&gt;– sponsored jointly by the AG’s Office and the Massachusetts Medical Society – was held in October 2012 and focused on health care entities, including speakers from state and federal government and the private sector. A second training is being held this Thursday in cooperation with the Massachusetts Hospital Association.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
This matter is being handled by Assistant Attorneys General Wendoly Ortiz Langlois of the Health Care Division and Shannon Choy-Seymour of the Consumer Protection Division.&lt;/div&gt;
&lt;div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; border: 0px currentColor; color: black; font-size-adjust: none; font-stretch: normal; font: 12px/18px Arial, Helvetica, Geneva, sans-serif; letter-spacing: normal; margin: 0px 0px 20px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;a href="http://www.mass.gov/ago/news-and-updates/press-releases/2013/140k-settlement-over-medical-info-disposed-of-at-dump.html" target="_blank"&gt;http://www.mass.gov/ago/news-and-updates/press-releases/2013/140k-settlement-over-medical-info-disposed-of-at-dump.html&lt;/a&gt;&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/QfctxXMe9sg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/7071931133431157505/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=7071931133431157505&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7071931133431157505?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7071931133431157505?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/QfctxXMe9sg/pathology-groups-fined-140000.html" title="Medical Billing and Pathology Groups Fined $140,000" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/01/pathology-groups-fined-140000.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A04CRn48cSp7ImA9WhNUEk4.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-7707758052217229569</id><published>2013-01-03T11:05:00.001-08:00</published><updated>2013-01-03T11:06:07.079-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-01-03T11:06:07.079-08:00</app:edited><title>Hospital Notifies Six Years Worth of Patients After Breach</title><content type="html">&lt;span style="background-color: white; color: #222222; font-family: myriad-pro-n4, myriad-pro, sans-serif; line-height: 19px;"&gt;The 70-bed Gibson General Hospital in southwest 
Indiana announced a data breach Friday involving the protected health information (PHI) of some 29,000 patients.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;div style="background-color: white; border: 0px; color: #222222; font-family: myriad-pro-n4, myriad-pro, sans-serif; font: inherit; line-height: 19px; margin: 0px; outline: none !important; padding: 0px; vertical-align: baseline;"&gt;
According to a company statement, an unencrypted laptop containing the PHI of the patients was stolen from an &lt;b&gt;employee's home&lt;/b&gt; Nov. 27. Patient names, addresses, Social Security numbers and/or clinical treatment data was contained on the laptop.&lt;br /&gt;
&lt;div style="border: 0px; font: inherit; margin: 0px; outline: none !important; padding: 0px; vertical-align: baseline;"&gt;
&lt;/div&gt;
&lt;div style="border: 0px; font: inherit; margin: 0px; outline: none !important; padding: 0px; vertical-align: baseline;"&gt;
&lt;a href="http://www.healthcareitnews.com/news/indiana-hipaa-breach-involves-29000" style="font-family: Arial, sans-serif; line-height: 24px;" target="_blank"&gt;http://www.healthcareitnews.com/news/indiana-hipaa-breach-involves-29000&lt;/a&gt;&lt;/div&gt;
&lt;div style="border: 0px; font: inherit; margin: 0px; outline: none !important; padding: 0px; vertical-align: baseline;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="border: 0px; font: inherit; margin: 0px; outline: none !important; padding: 0px; vertical-align: baseline;"&gt;
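&lt;b&gt;NOTE:&lt;/b&gt; Encrypt, Encrypt, Encrypt... The stolen laptop was unencrypted; encrypting every portable device that stores PHI keeps the data unreadable if the device is lost or stolen. What are you doing to prevent this type of breach?&lt;/div&gt;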
&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/qqzISyUMwI4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/7707758052217229569/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=7707758052217229569&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7707758052217229569?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7707758052217229569?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/qqzISyUMwI4/hospital-notifies-six-years-worth-of.html" title="Hospital Notifies Six Years Worth of Patients After Breach" /><author><name>William Miaoulis</name><uri>http://www.blogger.com/profile/01536584903065121370</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/01/hospital-notifies-six-years-worth-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkUERno5cCp7ImA9WhNUEUs.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-9202243973581376129</id><published>2013-01-02T12:55:00.000-08:00</published><updated>2013-01-02T12:56:47.428-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-01-02T12:56:47.428-08:00</app:edited><title>HHS announces first HIPAA breach settlement involving less than 500 patients</title><content type="html">&lt;b&gt;Hospice of North Idaho settles HIPAA security case for $50,000&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010.  Laptops containing ePHI are regularly used by the organization as part of their field work.  Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI.  Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.  For more information, visit www.HealthIT.gov/mobiledevices.

The Resolution Agreement can be found on the OCR website at&lt;br /&gt;
&lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf" target="_blank"&gt; http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/cVm5qKRmtGs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/9202243973581376129/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=9202243973581376129&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/9202243973581376129?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/9202243973581376129?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/cVm5qKRmtGs/hhs-announces-first-hipaa-breach.html" title="HHS announces first HIPAA breach settlement involving less than 500 patients" /><author><name>William Miaoulis</name><uri>http://www.blogger.com/profile/01536584903065121370</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2013/01/hhs-announces-first-hipaa-breach.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0cARXc7eyp7ImA9WhNWFks.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-8993877281717484767</id><published>2012-12-14T06:53:00.000-08:00</published><updated>2012-12-16T06:44:04.903-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-12-16T06:44:04.903-08:00</app:edited><title>Kate Middleton Prank - Hospital Breach of Privacy</title><content type="html">NOTE:&amp;nbsp; American hospitals can certainly learn from this high profile very tragic privacy breach.&amp;nbsp; No-one should give out information about 
patients without following the Hospital's Policy; in particular, a caller's identity should be verified before anything is disclosed.&amp;nbsp; &lt;br /&gt;
------------&lt;br /&gt;
Kate Middleton's privacy has once again been breached after two Australian radio personalities called the hospital where she is staying and were able to obtain private information about the Duchess' condition. Both the hospital and radio station have announced that they regret the incident and are leading investigations into the breach of privacy.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Read more at &lt;a href="http://global.christianpost.com/news/kate-middleton-prank-call-causes-embarrassment-to-hospital-breach-of-privacy-audio-86112/#yasBgPufBJmbDKcQ.99" target="_blank"&gt;http://global.christianpost.com/news/kate-middleton-prank-call-causes-embarrassment-to-hospital-breach-of-privacy-audio-86112/#yasBgPufBJmbDKcQ.99&lt;/a&gt; ----------------------- Jacintha Saldanha, the nurse who took her own life after being duped by two radio presenters and connecting a call to the nurse attending Kate Middleton, died after hanging herself in wardrobe, an inquest heard today. She had slashed her wrists. &lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.thedailybeast.com/articles/2012/12/13/kate-middleton-suicide-nurse-slashed-wrists-then-hung-herself.html" target="_blank"&gt;http://www.thedailybeast.com/articles/2012/12/13/kate-middleton-suicide-nurse-slashed-wrists-then-hung-herself.html&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/pBDT57vxTEU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/8993877281717484767/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=8993877281717484767&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/8993877281717484767?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/8993877281717484767?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/pBDT57vxTEU/kate-middleton-prank-hospital-breach-of.html" title="Kate Middleton Prank - Hospital Breach of Privacy" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/12/kate-middleton-prank-hospital-breach-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEMASHozfSp7ImA9WhNWFEQ.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-4939337830293164801</id><published>2012-12-10T06:47:00.000-08:00</published><updated>2012-12-14T06:47:29.485-08:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2012-12-14T06:47:29.485-08:00</app:edited><title>$7 Billion Potential Annual Cost of Healthcare Breaches</title><content type="html">TRAVERSE CITY — The Third Annual Benchmark Study on Patient Privacy &amp;amp; Data Security by Ponemon Institute, sponsored by Portland, Ore.-based ID Experts, reports that healthcare organizations face an uphill battle in their efforts to stop data breaches.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Ninety-four percent of healthcare organizations surveyed suffered at least one data breach; 45 percent of organizations experienced more than five data breaches during the past two years.&lt;br /&gt;
&lt;br /&gt;
Data breaches are an ongoing operational risk that could be costing the U.S. healthcare industry an average of &lt;strong&gt;$7 billion annually&lt;/strong&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://detroit.cbslocal.com/2012/12/06/ninety-four-percent-of-hospitals-surveyed-suffered-data-breaches/" target="_blank"&gt;http://detroit.cbslocal.com/2012/12/06/ninety-four-percent-of-hospitals-surveyed-suffered-data-breaches/&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/AlX2UWeSwH4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/4939337830293164801/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=4939337830293164801&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/4939337830293164801?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/4939337830293164801?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/AlX2UWeSwH4/7-billion-potential-annual-cost-of.html" title="$7 Billion Potential Annual Cost of Healthcare Breaches" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/12/7-billion-potential-annual-cost-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUQARH49fCp7ImA9WhNXEUk.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-829448164317499061</id><published>2012-11-28T14:55:00.003-08:00</published><updated>2012-11-28T14:55:45.064-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-11-28T14:55:45.064-08:00</app:edited><title>Guidance 
Regarding Methods for De-identification of PHI in Accordance with HIPAA</title><content type="html">November 26, 2012&lt;br /&gt;
Today, OCR released guidance regarding methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. This guidance fulfills the American Recovery and Reinvestment Act of 2009 (ARRA) mandate that HHS issue such guidance. In response to this mandate, OCR collected research and views regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns. OCR solicited stakeholder input from experts with practical technical and policy experience to inform the creation of guidance materials by organizing an in-person workshop consisting of multiple panel sessions, each addressing a specific topic related to de-identification methodologies and policies. The workshop was open to the public and was held March 8-9, 2010 in Washington, DC. The guidance synthesizes these diverse perspectives. It can be found at &lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html" target="_blank"&gt;http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/u3xELoPHhN8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/829448164317499061/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=829448164317499061&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/829448164317499061?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/829448164317499061?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/u3xELoPHhN8/guidance-regarding-methods-for-de.html" title="Guidance Regarding Methods for De-identification of PHI in Accordance with HIPAA" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/11/guidance-regarding-methods-for-de.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEMMQnc6eCp7ImA9WhNRE0U.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-7629477595076635016</id><published>2012-10-25T05:47:00.000-07:00</published><updated>2012-11-08T05:48:03.910-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-11-08T05:48:03.910-08:00</app:edited><title>Laptop Stolen From Home</title><content type="html">Tennessee's Blount Memorial Hospital recently announced [PDF file] that a laptop containing registration records was stolen from a hospital employee's home on August 25, and has not been 
recovered. "Although the laptop was password-protected and contained no medical information, it did contain some patient and responsible party non-medical information," the hospital states.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
"The ... laptop contained registration records from Blount Heart Consultants on approximately 22,000 patients -- including their names, dates of birth, responsible party names, addresses, physician names and billing information," writes The Knoxville News Sentinel's Hayes Hickman. "The laptop also held records on approximately 5,000 additional patients, including the above information along with their Social Security numbers and other nonmedical data." &amp;nbsp; &lt;a href="http://www.esecurityplanet.com/network-security/blount-memorial-hospital-suffers-security-breach.html" target="_blank"&gt;http://www.esecurityplanet.com/network-security/blount-memorial-hospital-suffers-security-breach.html&lt;/a&gt; &amp;nbsp; &lt;strong&gt;NOTE: &lt;/strong&gt;Have a policy for home computers, encrypt, encrypt, encrypt.&amp;nbsp; &lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/Z7VdEoYnsp0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/7629477595076635016/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=7629477595076635016&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7629477595076635016?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7629477595076635016?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/Z7VdEoYnsp0/laptop-stolen-from-home.html" title="Laptop Stolen From Home" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" 
src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/11/laptop-stolen-from-home.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkIFQng5cCp7ImA9WhJUGUg.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-8305888383578773567</id><published>2012-09-18T01:42:00.001-07:00</published><updated>2012-09-18T01:55:13.628-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-09-18T01:55:13.628-07:00</app:edited><title>Massachusetts provider settles HIPAA case for 1.5 million</title><content type="html">&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
Massachusetts Eye and Ear Infirmary (MEEI) and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) have agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.&amp;nbsp; MEEI also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
The investigation by the HHS Office for Civil Rights (“OCR”) followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects.&amp;nbsp; The information contained on the laptop included patient prescriptions and clinical information.&amp;nbsp; OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on&amp;nbsp;&lt;span style="color: #1f497d;"&gt;portable devices&lt;/span&gt;, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.&amp;nbsp; OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
In addition to the $1.5 million settlement, the agreement requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
HHS OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets&amp;nbsp;rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA&amp;nbsp;to&amp;nbsp;use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure. The HIPAA Breach Notification Rule requires covered entities to report a breach of unsecured protected health information to affected individuals, the Secretary, and, in certain circumstances, to the media.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at:&amp;nbsp;&amp;nbsp;&lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html" style="color: blue; text-decoration: underline;" target="_blank"&gt;http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html&lt;/a&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: 17px; margin: 0in 0in 10pt;"&gt;
The HHS Resolution Agreement can be found on the OCR website at &lt;b&gt;&lt;/b&gt;&lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/MEEI-agreement.html" style="color: blue; text-decoration: underline;" target="_blank"&gt;http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/MEEI-agreement.html&lt;/a&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
Additional information about OCR’s enforcement activities can be found at &lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html" style="color: blue; text-decoration: underline;" target="_blank"&gt;http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html&lt;/a&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Calibri, sans-serif; font-size: 11pt; line-height: 17px; margin: 0in 0in 10pt;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/xvHogH7xH4U" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/8305888383578773567/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=8305888383578773567&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/8305888383578773567?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/8305888383578773567?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/xvHogH7xH4U/massachusetts-provider-settles-hipaa.html" title="Massachusetts provider settles HIPAA case for 1.5 million" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/09/massachusetts-provider-settles-hipaa.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUYGQX8zcSp7ImA9WhJWFkk.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-1912078999858697746</id><published>2012-08-22T07:52:00.000-07:00</published><updated>2012-08-22T07:52:00.189-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-08-22T07:52:00.189-07:00</app:edited><title>ARRESTED: investigation into hospital security breach</title><content type="html">Fla. — After a 10-month FBI investigation into a major security breach at Florida Hospital Celebration, WFTV learned agents have arrested a former hospital employee. 
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Dale Munroe is accused of accessing more than 700,000 patient records in two years and then selling them. &lt;br /&gt;
&lt;br /&gt;
He worked in the emergency intake area, but investigators said he accessed patient records from several different hospitals across the state. &lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.wftv.com/news/news/local/former-employee-arrested-after-fbi-investigation-h/nRD34/" target="_blank"&gt;http://www.wftv.com/news/news/local/former-employee-arrested-after-fbi-investigation-h/nRD34/&lt;/a&gt;&lt;br /&gt;
&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/udLGOg5cJvw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/1912078999858697746/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=1912078999858697746&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/1912078999858697746?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/1912078999858697746?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/udLGOg5cJvw/arrested-investigation-into-hospital.html" title="ARRESTED: investigation into hospital security breach" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/08/arrested-investigation-into-hospital.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0YGR3c6eyp7ImA9WhJWFk4.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-631992674133552097</id><published>2012-08-22T05:38:00.003-07:00</published><updated>2012-08-22T05:38:46.913-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-08-22T05:38:46.913-07:00</app:edited><title>Stolen laptop leads to health data breach at Apria Healthcare</title><content type="html">&lt;span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #3a393a; display: inline !important; float: none; font: 
14px/25px 'trebuchet MS'; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;According to a&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.lasvegassun.com/community/press-releases/927/" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: rgb(51,94,156) !important; font: 14px/25px 'trebuchet MS'; letter-spacing: normal; orphans: 2; text-align: justify; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;company press release&lt;/a&gt;&lt;span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #3a393a; display: inline !important; float: none; font: 14px/25px 'trebuchet MS'; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;, the theft occurred on June 14, 2012, in Phoenix, Arizona; however, &lt;strong&gt;its ramifications could extend to California, New Mexico, and Nevada because of the laptop’s use in billing services.&lt;/strong&gt; A&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://azstarnet.com/business/health-med-fit/laptop-with-apria-healthcare-client-information-stolen/article_a7d9faa2-e586-11e1-99a1-0019bb2963f4.html" style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: rgb(51,94,156) !important; font: 14px/25px 'trebuchet MS'; letter-spacing: normal; orphans: 2; text-align: justify; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;report in the&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;em&gt;Arizona Daily Star&lt;/em&gt;&lt;/a&gt;&lt;span 
style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #3a393a; display: inline !important; float: none; font: 14px/25px 'trebuchet MS'; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;has noted that 4,178 of the approximate 11,000 patients affected reside in Arizona. The California-based company immediately notified local law enforcement and began its own internal investigations, which revealed that PHI included Social Security numbers and names. Potentially, it also comprises dates of birth and other personal information.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: #3a393a; display: inline !important; float: none; font: 14px/25px 'trebuchet MS'; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;a href="http://ehrintelligence.com/2012/08/14/stolen-laptop-leads-to-health-data-breach-at-apria-healthcare/" target="_blank"&gt;http://ehrintelligence.com/2012/08/14/stolen-laptop-leads-to-health-data-breach-at-apria-healthcare/&lt;/a&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/EYYiJFUmj3A" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/631992674133552097/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=631992674133552097&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/631992674133552097?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/631992674133552097?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/EYYiJFUmj3A/stolen-laptop-leads-to-health-data.html" title="Stolen laptop leads to health data breach at Apria Healthcare" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" 
/></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/08/stolen-laptop-leads-to-health-data.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkMDRnwyeyp7ImA9WhJWFUs.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-3336393702675549019</id><published>2012-08-21T07:47:00.003-07:00</published><updated>2012-08-21T07:47:57.293-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-08-21T07:47:57.293-07:00</app:edited><title>Cancer Center Reports 2nd Data Breach</title><content type="html">The University of Texas MD Anderson Cancer Center has reported its second data breach since April involving an unencrypted mobile device.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The latest incident, which occurred in July, affected about 2,220 patients and involved a USB thumb drive. An April laptop incident affected 30,000 individuals.&lt;br /&gt;
&lt;br /&gt;
In the latest breach, the Houston-based cancer center says a thumb drive containing patient data and research information was lost on one of its shuttle buses on July 13. After learning of the incident on July 14, the cancer center says it launched a search for the missing device and conducted a thorough investigation, but it did not locate the missing drive, according to a statement on its website. 
&lt;a href="http://www.healthcareinfosecurity.com/cancer-center-reports-2nd-data-breach-a-5048?goback=%2Egde_2729867_member_149604827" target="_blank"&gt;http://www.healthcareinfosecurity.com/cancer-center-reports-2nd-data-breach-a-5048?goback=%2Egde_2729867_member_149604827&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/cBK_xkv11oM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/3336393702675549019/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=3336393702675549019&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/3336393702675549019?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/3336393702675549019?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/cBK_xkv11oM/cancer-center-reports-2nd-data-breach.html" title="Cancer Center Reports 2nd Data Breach" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/08/cancer-center-reports-2nd-data-breach.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkYGQno9eyp7ImA9WhJXGEs.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-2899457978070337615</id><published>2012-08-13T07:28:00.001-07:00</published><updated>2012-08-13T07:28:43.463-07:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2012-08-13T07:28:43.463-07:00</app:edited><title>Patient Files Held for Ransom</title><content type="html">As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.&lt;br /&gt;
&lt;br /&gt;
The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.&lt;br /&gt;
&lt;br /&gt;
Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, &lt;strong&gt;taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password&lt;/strong&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.businessweek.com/news/2012-08-10/hackers-encrypt-health-records-and-hold-data-for-ransom?goback=%2Egde_2729867_member_145623159" target="_blank"&gt;http://www.businessweek.com/news/2012-08-10/hackers-encrypt-health-records-and-hold-data-for-ransom?goback=%2Egde_2729867_member_145623159&lt;/a&gt;&amp;nbsp;&lt;br /&gt;
&amp;nbsp;&lt;strong&gt;NOTE: &lt;/strong&gt;This is a twist, but certainly shows that we need to protect our information.&amp;nbsp; &lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/Eu0tbjyUOZs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/2899457978070337615/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=2899457978070337615&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/2899457978070337615?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/2899457978070337615?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/Eu0tbjyUOZs/patient-files-held-for-ransom.html" title="Patient Files Held for Ransom" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/08/patient-files-held-for-ransom.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0YFR307cCp7ImA9WhJWFUs.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-7616917692611482578</id><published>2012-08-10T07:58:00.000-07:00</published><updated>2012-08-21T07:58:36.308-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-08-21T07:58:36.308-07:00</app:edited><title>Burglary Leads to 2 Hospital Data Breaches</title><content type="html">Two more hospitals have been hit with a data breach, and both were caused by burglary. 
Officials at the Portland-based Oregon Health &amp;amp; Science University Hospital (OHSU) announced that a USB drive containing data for more than 14,000 patients and 200 employees, along with specific patient information for 702 pediatric patients, was recently stolen from the house of an employee.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.healthcare-informatics.com/news-item/data-breach-hits-oregon-stanford-hospitals" target="_blank"&gt;http://www.healthcare-informatics.com/news-item/data-breach-hits-oregon-stanford-hospitals&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
In addition, there was a recent data breach at the Stanford Medical School. Hospital officials recently announced that a laptop containing information on 2,500 patients was stolen from a doctor’s office on July 15. The officials, who are notifying patients by letter, say that, based on tracking information installed within the software, they do not believe any information has been accessed.&lt;br /&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/jtvoUIDpDcQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/7616917692611482578/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=7616917692611482578&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7616917692611482578?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7616917692611482578?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/jtvoUIDpDcQ/burglary-leads-to-2-hospital-data.html" title="Burglary Leads to 2 Hospital Data Breaches" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/08/burglary-leads-to-2-hospital-data.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkQBSHozcSp7ImA9WhJWFUs.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-1445948696642082096</id><published>2012-08-03T07:45:00.000-07:00</published><updated>2012-08-21T07:45:59.489-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-08-21T07:45:59.489-07:00</app:edited><title>Conn. AG has questions about hospital security breach</title><content type="html">HARTFORD, Conn. 
(Legal Newsline) - Connecticut Attorney General George Jepsen has requested information from Hartford Hospital about why the unencrypted personal health information of approximately 9,000 patients was located on a laptop stolen from a third-party vendor.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Jepsen sent a letter to the hospital on July 16, which was also the day he was notified about the breach discovered by the hospital in late June. The letter outlined the scope of the request ranging from how the breach occurred to the steps that have been taken by the hospital and its vendors to safely guard such sensitive information.&lt;br /&gt;
&lt;a href="http://www.legalnewsline.com/news/236901-conn.-ag-has-questions-about-hospital-security-breach" target="_blank"&gt;http://www.legalnewsline.com/news/236901-conn.-ag-has-questions-about-hospital-security-breach&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/0PBex4mpKNo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/1445948696642082096/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=1445948696642082096&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/1445948696642082096?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/1445948696642082096?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/0PBex4mpKNo/conn-ag-has-questions-about-hospital.html" title="Conn. 
AG has questions about hospital security breach" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/08/conn-ag-has-questions-about-hospital.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0MDQHsycCp7ImA9WhJQGU0.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-7461971410673383251</id><published>2012-08-02T05:11:00.001-07:00</published><updated>2012-08-02T05:11:11.598-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-08-02T05:11:11.598-07:00</app:edited><title>Hartford Breach Affecting 9,558 Includes</title><content type="html">&lt;span class="Apple-style-span" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-text-size-adjust: auto; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 13px; line-height: 18px;"&gt;MidState Medical Center has begun sending letters to 93,500 patients whose personal information may have been compromised following the accidental loss of a computer hard drive, the hospital said in a letter to employees Tuesday.&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-text-size-adjust: auto; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 13px; line-height: 18px;"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 10px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px;"&gt;
Meantime, the offices of the Connecticut attorney general and the Department of Consumer Protection are demanding more details about what happened and what data may have been compromised.&lt;/div&gt;
&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 10px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px;"&gt;
The misplaced hard drive, which has not yet been recovered, contains patients' names, addresses, birthdates, Social Security numbers and medical record numbers, hospital spokeswoman Pamela Cretella said.&lt;/div&gt;
&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 10px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px;"&gt;
&lt;a href="http://hbweb.sx2.atl.publicus.com/article/20110405/NEWS01/304059982" target="_blank"&gt;http://hbweb.sx2.atl.publicus.com/article/20110405/NEWS01/304059982&lt;/a&gt;&lt;/div&gt;
&lt;/span&gt;&lt;div&gt;
&lt;span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', Times, serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="-webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-text-size-adjust: auto; line-height: 18px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/B166Dq1SYc0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/7461971410673383251/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=7461971410673383251&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7461971410673383251?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/7461971410673383251?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/B166Dq1SYc0/hartford-breach-affecting-9558-includes.html" title="Hartford Breach Affecting 9,558 Includes" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/08/hartford-breach-affecting-9558-includes.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CUcERHk7eyp7ImA9WhJQEk4.&quot;"><id>tag:blogger.com,1999:blog-2169903479250175934.post-6899297920407901654</id><published>2012-07-25T09:16:00.002-07:00</published><updated>2012-07-25T09:16:45.703-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-07-25T09:16:45.703-07:00</app:edited><title>Boston hospital loses laptop with patients' personal information</title><content type="html">A physician’s &lt;strong&gt;unencrypted personal laptop&lt;/strong&gt; that may have contained protected health information on 3,900 patients at Boston-based Beth Israel Deaconess Medical Center was stolen, the hospital admitted Monday.&lt;br /&gt;
&lt;br /&gt;
The laptop, which was stolen in May from the physician’s office, has not been recovered; however, law enforcement has arrested a suspect, the hospital said in a statement. The &lt;strong&gt;laptop contained a tracking device, which unfortunately was not activated.&lt;/strong&gt; The hospital has employed a forensic firm to determine whether the data were compromised. &lt;br /&gt;
&lt;a href="http://www.infosecurity-magazine.com/view/27164/boston-hospital-loses-laptop-with-patients-personal-information/" target="_blank"&gt;http://www.infosecurity-magazine.com/view/27164/boston-hospital-loses-laptop-with-patients-personal-information/&lt;/a&gt; &lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
&lt;strong&gt;NOTE:&lt;/strong&gt; A tracking device is a nice control for recovering the hardware, but it does not protect the data on it, so this would still have been a reportable breach.&amp;nbsp; The key is that the laptop was unencrypted... Remember: encrypt, encrypt, encrypt any device that stores PHI, and that includes BYOD devices.&lt;img src="http://feeds.feedburner.com/~r/HipaaSecurityAndPrivacy/~4/Fgg2rsS-nec" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.hipaasecurityandprivacy.com/feeds/6899297920407901654/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2169903479250175934&amp;postID=6899297920407901654&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/6899297920407901654?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2169903479250175934/posts/default/6899297920407901654?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/HipaaSecurityAndPrivacy/~3/Fgg2rsS-nec/boston-hospital-loses-laptop-with.html" title="Boston hospital loses laptop with patients' personal information" /><author><name>HIPAA Security and Privacy</name><uri>http://www.blogger.com/profile/14079509898420089715</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.hipaasecurityandprivacy.com/2012/07/boston-hospital-loses-laptop-with.html</feedburner:origLink></entry></feed>
