HIPAA Security and Privacy

Health data breaches in the U.S. increased 97 percent in 2011

2012-02-10T07:31:00.000-08:00

CARPINTERIA, CA – Health data breaches in the U.S. increased 97 percent in 2011 over the year before, according to a new report by Redspin, a leading provider of IT security assessments.

The annual survey, "Breach Report 2011, Protected Health Information,” found breaches in all 50 states, and examined a total of 385 incidents affecting over 19 million individuals since the HITECH Act's breach notification rule went into effect in August 2009.

http://www.healthcareitnews.com/news/health-data-breaches-97-percent-2011

Text Messaging: HHS (Text4Health Task Force Members)

2012-02-10T07:17:00.000-08:00

http://www.hhs.gov/open/initiatives/mhealth/recommendations.html

Recommendation 6: Delineating Privacy/Security Issues. The Task Force recommends that HHS conduct further research into the privacy and security risks associated with text messaging of health information and establish guidelines for managing such privacy/security issues. Furthermore, mHealth issues should be discussed within the HHS Inter-Division Health IT Policy and Security Task Force. The exchange of health information via text messages raises privacy and security issues specific to this medium. Text messaging programs may be subject to numerous privacy and security laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules

US hospital hit by data-stealing malware (Mystery "virus" hits hospital server)

2012-02-09T07:20:00.000-08:00

An Indiana hospital has had to write to 12,000 people after malware breached its security defences to compromise a server used to collect personal data from web forms.

The affected individuals were mostly people who might have applied for jobs at Goshen Hospital in recent years plus some outpatients. Information put at risk includes names, addresses, and social security numbers, the hospital has told local media.

The malware remains unidentified beyond it being described as “a relatively common virus that is malicious,” which suggests an infection that remained undetected for some time. Patient records are isolated from the Internet and were never at risk
http://news.techworld.com/security/3335408/us-hospital-hit-by-data-stealing-malware/

Minnesota Attorney General Sues for Lost Laptop

2012-02-08T07:14:00.000-08:00

The consulting firm that lost a laptop computer with medical data on 23,500 Minnesotans last summer has been sued by Minnesota Attorney General Lori Swanson, who says it violated health privacy laws and state consumer protections.

Swanson said Accretive Health Inc., hired by two Twin Cities hospitals, was compiling individual medical checklists that included a "frailty'' evaluation, a "complexity" score of patients' physical condition and a prediction of whether a person would be hospitalized
http://www.startribune.com/local/137678533.html

The lawsuit stems from an investigation into an unencrypted laptop that was stolen July 25 in Minneapolis from the parked rental car of an Accretive employee.

The computer contained sensitive information on 23,500 Minnesota patients of two Minnesota hospital systems, Fairview Health Services and North Memorial Health Care. Both organizations had contracts with Accretive to help cut costs and boost revenues. Fairview's contract is even deeper, giving Accretive a management role in Fairview's "total cost of care.

MIAOULIS NOTE: This may be a trend in the future. Do due deligence when sharing your patient information with business associates.

Contractor Post Information on Public Website

2012-01-30T07:25:00.000-08:00

REDWOOD CITY -- A contractor working for Sequoia Hospital inadvertently posted the names and Social Security numbers of 391 current and former hospital employees on a public website, where it stayed for four years.

An employee for Towers Watson, an international professional services firm, posted the information in October 2007, according to a statement issued Thursday by hospital CEO Glenna Vaskelis. It was removed Dec. 2 after the hospital learned of the error.

http://www.mercurynews.com/san-mateo-county-times/ci_19829283

MIAOULIS NOTE: WATCH YOUR VENDORS

Smartphones blamed for increasing risk of health data breaches

2012-01-17T08:22:00.000-08:00

Smartphones blamed for increasing risk of health data breaches

The number of physicians using smartphones has reached a near-saturation point. Meanwhile, the number of data breaches is going up.

Coincidence? Leading experts think not.

Recent reports by Manhattan Research have found more than 81% of physicians use a smartphone, up from 72% in 2010. Also on the rise have been data breaches, which, according to research released in December by Ponemon Institute, have risen 32% in the past year. Ponemon found that 96% of all health care organizations surveyed said they had experienced at least one data breach in the past two years.

http://www.ama-assn.org/amednews/2011/12/19/bil21219.htm

Loma Linda hospital worker fired for taking home private records

2012-01-05T08:14:00.000-08:00

The private medical records belonging to some 1,300 patients and/or their guarantors at Loma Linda University Medical Center in California were compromised when a former hospital employee violated policy and brought the data home.
What was the response? The worker was fired, and the hospital is investigating. Victims will receive one year of credit monitoring services.
http://www.scmagazine.com/loma-linda-hospital-worker-fired-for-taking-home-private-records/article/221841/

Federal agency could investigate online security breach of Lawrence Memorial Hospital

2011-12-23T08:19:00.000-08:00

Officials at the US Lawrence Memorial Hospital said they are anticipating a federal investigation and possible fine after an online security breach potentially compromised 8,000 patients’ financial information.

Officials from the Lawrence Memorial Hospital also believe there was a way to access a database that contained information on every patient who had used the online bill pay system since it was first offered in 2005 from that portal.

The hospital learned about the security breach on 28 October. And guess how: a patient using Google to search her husband’s name found his own financial information online.

http://eeiplatform.com/6525/fbi-to-investigate-security-breach-in-hospital-e-billing-system/

HHS Audits the 1% … and the Rest: First HIPAA Privacy and Security Audits Begin

2011-12-15T06:40:00.000-08:00

By Adam H. Greene
12.13.11
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun the process of notifying covered entities that they are among the unlucky few who have been selected for the first Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security audits under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The selected entities represent a cross sample of the health care industry—from billion-dollar health care systems to small physician practices. Audited entities will undergo comprehensive reviews of their privacy and security policies and procedures, documentation, and operations.

While the first twenty covered entities have been selected, approximately another 130 remain in this audit round. HHS has indicated that it hopes to continue with proactive audits in the future and expects to become more aggressive in its enforcement of complaints.
http://www.dwt.com/LearningCenter/Advisories?find=450543

NIST: New FREE HIPAA Tool Helps Organizations Meet Security Requirements

2011-12-06T07:56:00.000-08:00

From NIST Tech Beat: November 22, 2011

Contact: Evelyn Brown
301-975-5661

A new tool, developed by the National Institute of Standards and Technology (NIST) and offered for free, can help public and private organizations, large and small, to understand and implement the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Congress enacted HIPAA to, among other things, promote efficiency in the health care industry through the use of standardized electronic transactions, while protecting the privacy and security of health information.

The Secretary of Health and Human Services (HHS) published the HIPAA Security Rule, a national set of standards for protecting electronic protected health information (EPHI) that is created, transmitted, or maintained by covered entities and their business associates. HHS recognizes the value of NIST's information security standards and guidelines, and has recommended these as valuable resources for organizations to consider as they implement the HIPAA Security Rule.

The law requires "covered entities" and business associates to follow the HIPAA Security Rule. Covered entities include government agencies involved in health records, health care providers, health plans such as health insurance issuers and Medicaid and Medicare programs, health care clearinghouses and Medicare prescription drug card sponsors. "Our HIPAA Security Rule Toolkit is designed to help organizations of all sizes and with varying levels of security expertise to better protect electronic health information," says NIST information security specialist Kevin Stine. "It leverages many existing security resources and tailors them for use within the context of HIPAA security." He emphasizes that the application is meant as a self-assessment tool, and does not indicate HIPAA Security Rule compliance.

The toolkit is intended to be a resource that organizations can use to support their risk assessment processes by identifying areas where security safeguards may be needed to protect EPHI, or where existing security safeguards may need to be improved. The self-assessment tool presents a series of questions in groups related to each of the HIPAA Security Rule standards and implementation specifications. For simplicity, the toolkit follows the established HIPAA structure of administrative, physical and technical safeguards, organizational requirements, and policies, procedures and documentation requirements.

The target audience includes HIPAA-covered entities and business associates, and organizations that provide Security Rule implementation, assessment and compliance services. Target user organizations can range in size from a large nationwide health plan with vast information technology (IT) resources to a small two-doctor health care provider with limited access to IT expertise.

The free toolkit comes with a comprehensive User Guide and a self-contained, stand-alone software application that can run on Windows, Mac and Linux operating systems. It is available at http://scap.nist.gov/hipaa . Funding for the toolkit was provided by the American Recovery and Reinvestment Act of 2009.

http://www.nist.gov/itl/csd/20111122_hipaa_tools.cfm

Sutter Health Hit With $1B Class-Action Lawsuit

2011-11-29T07:10:00.000-08:00

Miaoulis Note: Hospitals better take extra care, like many profession, Attorney's are aware of this lawsuit and will be evaluating similar type cases. Many questions can be asked, but my first question is why is this much data on a DESKTOP computer and not in the computer room.

Conduct your risk analysis now, that starts with knowing where your data is located. That is the key, identify data on Desktops, Laptops, Flash Drives, Home Computers, Business Associates, Servers, Cell Phones and within application systems and then create strategies to minimize the risks to this data.
------------------
SACRAMENTO, Calif. (KCRA) -- A class-action complaint was filed Monday in Sacramento Superior Court on behalf of Karen Pardieck and 944,000 other patients, KCRA 3 learned Tuesday.

A desktop computer was stolen from a Sutter Medical Foundation administrative office Oct. 15.

Stolen Sutter Computer Has Millions of Patients' Info

It contained a patient database with information including names, addresses, birthdays, email addresses, phone numbers and descriptions of medical diagnoses and procedures.

The lawsuit cites a “failure to safeguard and secure patients’ private information” and “negligent storage practices” that led to an increased risk of a serious information breach.

Sutter has admitted the information lost was unencrypted.

Read more: http://www.kcra.com/news/29835846/detail.html#ixzz1f6i7o4GI

25 "Worst Passwords" of 2011

2011-11-26T12:36:00.000-08:00

If you see your password below, STOP!
Do not finish reading this post and immediately go change your password -- before you forget. You will probably make changes in several places since.....................

Here is a lists compiled by SplashData: http://www.splashdata.com/
1. password
2. 123456
3.12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passwOrd
19. shadow s
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
http://finance.yahoo.com/news/25-worst-passwords-2011-revealed-202955980.html

MIAOULIS NOTES: Passwords are one of the two most critical access controls (not logging off is the other) that users must understand to assist their organizations in protecting information (ePHI).

Many organizations have decided (statisticians) that to prevent the above type passwords, that you should change your password every 60-90 days, have a different password for every system you access, have a length between 8 and 12, not allow you to use previous passwords (10 is a common number), require caps, numbers and special characters to force users to use stronger passwords. The problem is that users often use passwords such as their last name and #1. If my password was Miaoulis#1 and I am forced to change it in 60 days, many users simple change the last character Miaoulis#2. This of course defeats the controls that security admininstrators are trying to implement. Some systems require you to change more than a certain number of characters.

Although these technical measures help, it is TRAINING that can change human behavior. HIPAA requires training on passwords, but are employees trained on how to select a good password or just on what NOT to do?
------------------------------------------------------------------------
MIAOULIS NOTE: ONE TECHNIQUE FOR SELECTING A PASSWORD:
There are many ways to select good passwords. One technique that I have used is take a sentence and use the first letter of each word, add a special character and a number.

Bill loves to play golf every day
Becomes BLTPGED#4
There are other techniques such as combining words and mispelling words in combination with the rules.
------------------------------------
Microsoft offers these hints on selecting a strong password:

http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Create strong passwords:
A strong password is an important protection to help you have safer online transactions. Here are steps you can take to create a strong password. Some or all might help protect your online transactions:

Length. Make your passwords long with eight or more characters.

Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2."

Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.

Variety. Don't use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.

UCLA - warns patients personal information was stolen

2011-11-10T07:20:00.000-08:00

November 05, 2011

By Anna Gorman, Los Angeles Times

Officials say the data, from 2007 through 2011, included first and last names as well as some birth dates, medical record numbers, addresses and medical information. It did not include Social Security numbers, credit card numbers or insurance details.

The UCLA Health System is warning thousands of patients that their personal information was stolen and they are at risk of possible identity theft, officials said in a statement released Friday.

Officials don't believe the information has been accessed or misused but are referring patients to a data security company if their name and credit are affected.
http://articles.latimes.com/2011/nov/05/local/la-me-ucla-medical-data-20111105

OCR Launches Privacy and Security Audits (Announcement)

2011-11-09T07:12:00.000-08:00

November 8, 2011

The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase will begin in November 2011 and conclude by December 2012.

More information regarding OCR’s Pilot Audit Program is available on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

MIAOULIS NOTE: The link is a must read for everyone. Major components are provided below.
--------------------------------------

Program Objectives: The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities, Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.
----------------------------------
Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.

Business Associates will be included in future audits.
---------------------------------
When Will Audits Begin?
The pilot audit program is a three step process. The first step entailed developing the audit protocols. Next, a limited number of audits will be conducted in an initial wave to test these protocols. OCR expects the initial audits to begin in November 2011.The results of the initial audits will inform how the rest of the audits will be conducted. The last step will include conducting the full range of audits using revised protocol materials. All audits in this pilot will be completed by the end of December, 2012.

-------------------
How Will the Audit Program Work?
The privacy and security performance audit process will include generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity

Co-worker Looking at Records Leads to Notification Letters

2011-11-08T07:14:00.000-08:00

MIAOULIS NOTE: What steps are you taking to prevent authorized users from viewing records? You need strong policies, sanctions and regular review of system activity (HIPAA Requirements).
------------------------------------
On October 31, 2011, notification letters were sent to 175 persons whose Deaconess Health System medical records were inappropriately accessed by a now former employee.

The accesses occurred from April through September of 2011. The problem was discovered September 12, 2011, when a department manager reported that an employee may have made inappropriate access to the record of a co-worker. An initial audit confirmed this and other improper accesses, and the employee was terminated. Deaconess continued its investigation by auditing all electronic record activity by the employee for the duration of her employment. This led to the finding of 175 inappropriately accessed records.

Information viewed by the employee included name, address, dates of birth, last four digits of the Social Security Number and, where available, portions of the clinical records of the affected patients.

http://www.deaconess.com/body.cfm?id=3351

Leak of Emory patient records could affect thousands

2011-10-28T11:48:00.000-07:00

Nine Emory Healthcare patients have become victims of identity theft in a case that could affect the records of thousands, Channel 2 Action News reported Monday.

The hospital bills of 32 patients at Emory’s orthopedic clinic were taken, and the Social Security numbers, dates of birth and other confidential information were used to file fraudulent tax returns in nine patients’ names, the hospital confirmed.

"Because of the heightened level of importance Emory Healthcare places on the protection of private patient data, we have taken the additional measure of notifying by letter more than 7,300 other patients of this situation -– although we have no reason to believe any of these individuals have been impacted in any way," Emory spokesman Lance Skelley said in a prepared statement.

In September, Emory sent a letter out to about 7,000 people -- all of the orthopedic clinic patients from 2008 -- notifying them about the breach of security. The letter advised patients to be vigilant about monitoring their credit and personal data.

"This issue is in no way a breach of Emory’s electronic medical records system, but rather a human failure to properly follow Emory Healthcare’s prescribed duties and responsibilities for protecting private patient information," Skelley said in the prepared statement.

http://www.ajc.com/news/dekalb/leak-of-emory-patient-1209097.html

Monroeville Man Sentenced To Probation For HIPAA Violation

2011-10-28T11:42:00.000-07:00

PITTSBURGH, Pa. - In the first HIPAA prosecution in the Western District of Pennsylvania, a resident of Monroeville, Pa., has been sentenced in federal court to one year of probation on his conviction of knowingly disclosing patient health information to another person in violation of law, United States Attorney David J. Hickton announced today.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) law passed by Congress provides for national standards for electronic health care transactions, and protects patients from the unauthorized disclosure of personal medical information without their consent.

Senior United States District Judge Maurice B. Cohill, Jr. imposed the sentence on Paul C. Pepala, 35.

According to information presented to the court, Pepala disclosed the names and social security numbers of patients at Shadyside Hospital, many of which were then used by other persons to file unauthorized form 1040 electronic tax returns in 2008, in which the filers sought tax refunds.

Prior to imposing sentence, Judge Cohill considered the remorsefulness of the defendant and that the maximum sentence was only one year in prison for the HIPAA violation.

Assistant United States Attorney Gregory C. Melucci prosecuted this case on behalf of the government.

United States Attorney Hickton commended the United States Postal Inspection Service, Internal Revenue Service and Secret Service for the investigation leading to the successful prosecution of Pepala.

http://www.justice.gov/usao/paw/news/2011/2011_october/2011_10_20_01.html

FBI Investigating Florida Hospital Breach

2011-10-21T11:26:00.000-07:00

CELEBRATION, Fla. -- Osceola County deputies on Wednesday identified three people accused of stealing private information from patients at Florida Hospital in Celebration, which is now being investigated by the FBI.

Former hospital employees April Baker and Katrina Munroe, and her husband, Dale Munroe, were fired after 2,252 patients, mostly victims of car accidents, had their information siphoned to an attorney referral service, deputies said.

The breach started in January 2010, however, the hospital did not notify the public until September when it took out a small ad in the Orlando Sentinel.

Now, the FBI is investigating.

“The Orlando FBI office recently received information alleging that patient records may have been compromised and we are coordinating with Florida Hospital representatives to investigate the matter,” an FBI spokesman said in a statement.

Investigators said Wednesday that they could not find anything criminal, because privacy laws prevent the hospital from releasing patients' personal information. So far, the hospital has not found any cases of fraud. It has also restricted office workers from getting access to patient records.

http://www.clickorlando.com/health/29535235/detail.html

Stanford Hospital sued $20M over data breach

2011-10-10T11:29:00.000-07:00

Twenty million dollars for 20,000 patients: That's how much Stanford Hospital & Clinics stands to owe if the patients win the class-action lawsuit against the leading hospital. Stanford is vowing to fight the lawsuit filed by the patient, who represents thousands of patients whose information was exposed online for almost an entire year, reports Palo Alto Daily News.

The data breach was discovered on Aug. 22, and the information was removed the next day when Stanford Hospital began an "aggressive investigation," according to a Stanford press release.

Stanford pointed to the billing contractor (and co-defendant) Multi-Specialty Collection Services LLC (MSCS) as the culprit for mishandling patients' data. The hospital sent the encrypted data to MSCS, according to Stanford Hospital. MSCS's executive vice president allegedly created an unencrypted electronic spreadsheet and sent it to an unauthorized person to create bar graphs and charts. The unnamed third party allegedly posted it to the public Student of Fortune, a homework help site.

Read more: Stanford Hospital sued $20M over data breach, faults billing contractor - FierceHealthcare http://www.fiercehealthcare.com/story/stanford-hospital-sued-20m-over-data-breach-faults-billing-contractor/2011-10-07#ixzz1c6QcGZdb

Subscribe: http://www.fiercehealthcare.com/signup?sourceform=Viral-Tynt-FierceHealthcare-FierceHealthcare

TRICARE breach puts 4.9M military clinic, hospital patients at risk

2011-10-03T11:31:00.000-07:00

FAllS CHURCH, VA – TRICARE, which provides civilian health benefits for military personnel, military retirees and their dependents, announced on Wednesday that Science Applications International has reported a data breach involving personally identifiable and protected health information (PII/PHI) impacting an estimated 4.9 million military clinic and hospital patients.

The breach was reported by SAIC on Sept. 14 and involved backup tapes from an electronic healthcare record used in the military health system (MHS) to capture patient data from 1992 through Sept. 7, 2011, from patients who received care in the San Antonio area military treatment facilities (including the filling of pharmacy prescriptions) and others whose laboratory workups were processed in these same facilities even though the patients were receiving treatment elsewhere.

http://healthcareitnews.com/news/tricare-breach-puts-49m-milatry-clinic-hospital-patients-risk

Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance

2011-09-08T11:29:00.000-07:00

Get the full report (PDF) Here:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancerept.pdf

For Calendar Years 2009 and 2010:

The Department investigated and resolved over 150 cases involving allegations of violations of the Security Rule by requiring changes in security practices and other corrective actions by covered entities. The Department has successfully enforced the Security Rule in all cases where an investigation indicated noncompliance by providing technical assistance to and requiring the covered entity to take corrective actions. Corrective actions taken by covered entities include: correcting any problems indicated by evidence in the investigation; training employees; sanctioning employees; revising policies and procedures; and mitigating any alleged harm. Corrective actions obtained by the Department from covered entities have improved the privacy protection of health information for individuals served by such covered entities. The Department has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

In another 139 cases, investigations by the Department found that no violation of the Security Rule occurred.

Other Security Rule Resolutions

From April 20, 2005, the compliance date of the HIPAA Security Rule, to December 31, 2010, OCR received 803 complaints alleging violations of the Security Rule. The Department resolved 577, or seventy-two percent, of the complaints received.

In the remaining 288 resolved cases, the Department determined that the complaints did not present eligible cases for enforcement of either the Security Rule or the Privacy Rule. In these cases, the Department also lacked jurisdiction under the Rules, because the complaint alleged a violation prior to the compliance date, alleged a violation by an entity not covered by the Rules, was untimely or withdrawn, or because the activity described in the complaint did not violate the Rules. Also during this time period, the Department opened 38 compliance reviews and closed 23 compliance reviews.

Case Examples

The following examples are summaries of actual Privacy and Security Rule cases investigated and resolved by the Department in 2009 and 2010.

An individual filed a complaint with OCR alleging that a private practice physician denied her access to her medical records because she had an outstanding balance for services the physician had provided. During OCR’s investigation, the physician confirmed that the individual was not given access to her medical record because of the outstanding balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual with access to her medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record.

An individual who was both a patient and an employee of the hospital filed a complaint with OCR alleging that her PHI was impermissibly disclosed to her supervisor. OCR’s investigation revealed that the hospital distributed an Operating Room (OR) schedule to employees via e-mail; this OR schedule contained information about the individual’s upcoming surgery. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee shared the OR schedule with the individual’s supervisor, who was not part of the employee’s treatment team, and did not need the information for payment, health care operations, or other permissible purposes. The hospital disciplined and retrained the employee who made the impermissible disclosure. Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the OR schedule. As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those who have “a need to know.”

A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient’s silence. OCR required the covered entity to cease using the patient agreement that conditioned the entity’s compliance with the Privacy Rule. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices.

Media reports indicated that computer backup tapes containing electronic PHI for two million individuals were stolen from a vehicle used by a hospital’s off-site storage vendor. OCR investigated the surrounding circumstances and subsequently instituted a compliance review to evaluate the hospital’s overall compliance with the Security Rule. The compliance review revealed gaps in the hospital’s Security Rule compliance program. As a result of the review, the hospital developed a corrective action plan, which included: the adoption of encryption technologies on all backup tapes that contained electronic PHI; termination of the off-site storage contract and reevaluation of contactor requirements to transport and store backup tapes; improvements to security awareness training policies; and revision of the process for periodic review and updates of policies and procedures.

An individual filed a complaint with OCR after receiving a letter from a health care clinic reporting the theft of a computer that held PHI. OCR’s investigation determined that the computer had been stolen while a reception desk was left unattended and that the electronic PHI on the computer’s hard drive was not encrypted. OCR’s investigation revealed that, following the theft, the covered entity took corrective actions to improve its physical security safeguards and prevent similar unauthorized disclosures from occurring in the future. The entity retrained its employees on privacy and security policies and procedures, encrypted its computers and electronic devices, installed locking mechanisms, and instituted a policy of closing and locking doors when offices were unattended.

An individual filed a complaint with OCR alleging that the PHI of health plan members was available on the internet through online searches. OCR’s investigation of the complaint revealed gaps in the covered entity’s Security Rule compliance program. Specifically, the entity implemented system changes to its web servers without analyzing the associated risks, and without performing an evaluation of how well its securitymeasures responded to the changes, as required by the Security Rule. As a result, the entity was unaware that unsecured member information was exposed on the internet and did not take actions to evaluate and revise its practices until several months later, when it was notified of the impermissible disclosure. At the conclusion of the investigation, OCR obtained assurances from the entity that it had initiated evaluations of its existing security measures and modifications of its policies, procedures, and system designs to secure its members’ PHI.

An individual filed a complaint with OCR alleging that a mental health center (the "Center") refused to provide her with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist, but the Center did not provide her with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement. Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Center’s obligation to provide the complainant with a copy of her records. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals.

A private practice physician who was the principal investigator of a clinical research study disclosed a list of patients and diagnostic codes to a contract research organization to telephone patients for recruitment purposes. The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research. Activities considered "preparatory to research" include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants. Further, a researcher may not remove PHI from the covered entity. To remedy this situation, the private practice revised its policies and procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and procedures. Under the revised policies and procedures, the practice may disclose PHI to an outside researcher for research recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board.

Annual Report to Congress on Breaches of Unsecured Protected Health Information

2011-09-08T11:17:00.000-07:00

September 8, 2011

The Department of Health and Human Services' Office for Civil Rights provided a report to Congress on health information breaches from September 2009 through 2010, as required under the HITECH Act. Nearly 7.9 million Americans were affected by almost 30,800 health information breaches, according to the report.
You can register and get a copy here:
http://www.govinfosecurity.com/regulations.php?reg_id=2539

Nearly 7.9 million Americans were affected by almost 30,800 health information breaches between September 2009, when a federal healthcare breach notification rule took effect, and the end of 2010, according to a new report to Congress.

The report from the Department of Health and Human Services' Office for Civil Rights shows about 7.8 million individuals were affected by 252 major breaches (incidents affecting 500 or more). In addition, about 62,000 individuals were affected by 30,521 smaller incidents.

OCR reveals in the report that it has closed its investigation of only about 30 percent of the larger incidents, confirming that corrective action is complete.

The office regularly updates a list of major healthcare information breaches on its website. That "wall of shame" now shows 314 major breaches from September 2009 to July 2011, affecting a total of almost 11.7 million individuals.

Under the HITECH Act, enacted in early 2009 as part of the economic stimulus package, OCR was required to provide Congress with annual updates about breach reports it receives as a result of the HITECH-mandated breach notification rule. This week's report, however, is the first OCR has submitted to Congress.

http://www.govinfosecurity.com/articles.php?art_id=4032

Hospital reports security breach: 1,500 Mills-Peninsula Health Services patients

2011-08-31T14:11:00.000-07:00

August 02, 2011, 03:12 AM By Michelle Durand Daily Journal Staff

Documents containing personal information of approximately 1,500 Mills-Peninsula Health Services patients were removed from the facility over the course of a year and taken home by a mailroom employee, according to a hospital spokeswoman.

The worker, who has since been terminated, took the documents between November 2009 and September 2010. The Burlingame hospital learned of the breach June 17 when a relative of the employee discovered the documents at the worker’s home and returned them to the hospital.

The reason for the removal is murky.

“We don’t believe they’ve been used for anything. We believe they just sat in a box,” said Margie O’Clair, vice president of communications for Mills-Peninsula Health Services.
The hospital reported the incident to the Burlingame police who are pursuing a criminal investigation, O’Clair said.

All of the patients whose information was taken have been notified by mail although anyone with questions can contact Mills-Peninsula. The hospital is also offering one year of free credit monitoring and identity protection to the patients whose registration information, including addresses, insurance identification and Social Security numbers, were taken.

http://www.smdailyjournal.com/article_preview.php?id=164202

OCR HIPAA HotSpots

2011-08-23T07:51:00.000-07:00

Nice article from our friends at HCPRO.. Find additional detail at: http://blogs.hcpro.com/hipaa/2011/08/breaking-down-ocrs-hipaa-hotspots/

The Office for Civil Rights has revealed the top areas of interest on its HIPAA privacy and security compliance radar.

Adam Greene, former senior health information technology and privacy advisor at OCR and now partner at the law firm Davis Wright Tremaine in Washington, D.C., recently discussed each hot topic with HealthLeaders Media.

Hotspot: Incident detection and response (OCR’s top issue)
Hotspot: Review of log access
Hotspot: Secure wireless network
Hotspot: Management of user access and passwords
Hotspot: Theft or loss of mobile devices
Hotspot: Up-to-date software
Hotspot: Role based access – lack of information access management

MIAOULIS NOTE: Great place to focus your current risk assessment. Ask yourself, how are you doing in each of these areas.

HIPAA Auditors Responsible For A HIPAA Breach

2011-08-11T06:03:00.000-07:00

The company hired by the Office for Civil Rights (OCR) to conduct nationwide HIPAA privacy and security compliance audits was responsible for a breach that includes the loss of an unencrypted flash drive and affects more than 4,500 patient records.

OCR’s request for audit proposals came in February 2011, about eight months after KPMG, LLP, reported its breach to the New Jersey healthcare system.

KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.
http://www.healthleadersmedia.com/page-1/PHY-269480/HIPAA-Auditor-Involved-in-Own-Data-Breach##