tag:blogger.com,1999:blog-33806362026-04-02T15:26:31.985-05:00A discussion of medical privacy issues buried in political arcanaJeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.comBlogger2983125tag:blogger.com,1999:blog-3380636.post-5704390623362194292026-03-17T08:35:00.004-05:002026-03-17T08:35:46.346-05:00

 Epic Ramps Up the Fight: It appears that Epic is not happy simply rousing up some of its customers to sue Health Gorilla regarding potential improper access to PHI through the CareQuality interoperability framework, part of Epic's Health Information Exchange structure, it seems that they are moving forward on multiple fronts.  Background here. A few days ago, it was announced that

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-49216087906521037642026-02-03T22:55:00.003-06:002026-02-03T22:55:58.493-06:00

NoPP Changes Due February 16:  You've likely seen plenty of law firms and others noting that HIPAA covered entities need to make changes to their Notices of Privacy Practices by February 16 to meet certain requirements included in HHS' 2024 changes to HIPAA.  These changes stem from 2 separate rules, one relating to "reproductive rights" and one relating to substance use disorder

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-57999625521608626602026-01-26T10:24:00.003-06:002026-01-26T10:24:19.165-06:00

OCR Chief Paula Stannard:My friend and reporter Theresa Defino recently interviewed Paula Stannard, the (new-ish) current Director of HHS' Office for Civil Rights, the HIPAA enforcement agency.  This is Paula's third stint at OCR.  The interview is available here.  Why do you want to hear what Paula Stannard has to say?OCR directors are political appointees who change with

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-51904923521499744822026-01-24T15:58:00.000-06:002026-01-24T15:58:08.717-06:00

Check out OCR's January 2026 Cybersecurity Newsletter.  A link is here.The tips focus on system hardening, but most of the recommendations are just common sense.Patch softwareRemove unneeded software and servicesEnable and configure security settings

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-42064159158802214512026-01-24T15:53:00.001-06:002026-01-24T15:53:10.474-06:00

"Part 2" Providers: Don't Forget to Update Your NoPPs by February 16.  Are you a "Part 2" provider?  If you don't know, you probably aren't.  "Part 2" refers to 42 CFR Part 2, which is the provision of the Code of Federal Regulations adding specifics to the general confidentiality provisions of 42 USC 290dd-2, requiring hightened confidentiality for the medical records of

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-72232515691455042982026-01-06T09:15:00.002-06:002026-01-06T09:15:58.884-06:00

A Couple of Articles on Healthcare Data Breaches for 2025:  1. Data breaches in the healthcare industry are more expensive, at an average of $9.8 million, than any other industry.2. 57 million people were affected by healthcare data breaches in 2025, although the vast majority of that number came courtesy of the Change Healthcare breach, which affected almost 300 million

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-1701796321683220352025-12-01T08:49:00.002-06:002025-12-01T08:49:39.039-06:00

The Evolving Threat of Ransomware in Healthcare: Attackers are getting faster, and ransomware software is getting trickier and cheaper, but healthcare organizations are getting better at stopping attacks before encryption occurs.  However, attackers are shifting their focus toward an extortion-only model: they don't encrypt your data, but they do access and copy PHI and threaten to release

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-40278734074100259962025-11-25T17:08:00.001-06:002025-11-25T17:08:23.769-06:00

It's not just healthcare providers who suffer data breaches: I've been keeping up a stack of law firm data breaches, meaning to write a post on them.  But I've decided there's really not much to say, other than to note that a data breach can happen to anyone, and anyone who suffers a breach runs a decent likelihood to get sued by any individuals who might plausibly have been damaged by the

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-60705997070175014342025-11-25T08:48:00.003-06:002025-11-25T08:48:44.590-06:00

 Healthcare wins again: Once again, the healthcare industry was the most affected industry when it came to data breaches in 2024.  Many reasons: the amount of personal information; the sensitivity, utility, and value of the information; the many different financial crimes that the information can help (identity theft, insurance fraud, ransom); the large and varied number of

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-79955753513192889382025-09-10T08:49:00.001-05:002025-09-10T08:49:45.580-05:00

HHS' OCR, Asst. Secretary for Health Policy Release Latest Version of Security Risk Analysis Tool: If you've followed HIPAA much, you are aware that Security Rule compliance has always lagged Privacy Rule compliance.  At least part of this is because Privacy Rule requirements are much more of a one-size-fits-all regime, whereas Security Rule compliance requires a lot of individual

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-83220597261867784162025-08-28T10:44:00.003-05:002025-08-28T10:44:57.136-05:00

OCR Named Enforcement Agency for Part 2: When HIPAA was first passed, the Privacy Rule was to be enforced by the Office for Civil Rights within HHS, and the rest of HIPAA was to be enforced by CMS.  I'm not sure why that bifurcation happened, but a few years later HHS decided that OCR should be the enforcement agency for all of HIPAA.Yesterday, HHS announced that OCR is now the enforcement

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-67665233780231787502025-08-01T07:53:00.002-05:002025-08-01T07:53:35.923-05:00

Costs of a Data Breach: According to an IBM study, for the year ended February 2025, an average healthcare data breach costs almost $7.5 million.  Healthcare leads all industries in having the most expensive breaches, and the longest time before breaches are discovered.  

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-86009429990339226812025-07-14T09:20:00.001-05:002025-07-14T09:20:41.047-05:00

400 Large Breaches so far in 2025: HHS has announced that during the first six months of 2025, there were 400 "large" breaches (500 or more individuals affected) added to the HHS "Wall of Shame."  Breaches happen, so the fact that you have one doesn't mean you did anything wrong,  But it might: show me a copy of your most recent security risk assessment.  If you can't, then

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-38699562156808464502025-07-08T19:38:00.009-05:002025-08-26T17:02:17.735-05:00

Let's catch up on some recent HIPAA enforcement actions:Deer Oaks, a HIPAA covered healthcare provider that provides behavioral health services primarily to residents in nursing homes and other facilities, misconfigured its IT systems to allow discharge summaries of 35 patients to be accessible online.  A few months later, Deer Oaks suffered a ransomware attack that affected the PHI of

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-72178947627182242492025-06-20T07:25:00.002-05:002025-06-20T07:25:40.527-05:00

Finally!! Biden Administration's HIPAA Abortion Stupidity Negated: As I previously wrote about at length, the asinine Biden Administration HIPAA abortion regulation has been overturned by a Federal judge in Texas.  The judge said the regulations were clearly intended to provide special protections for "politically favored procedures," which is a power HIPAA does not grant to HHS.  

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-31540119477446568772025-05-26T11:55:00.000-05:002025-05-26T11:55:21.188-05:00

Happy Memorial Day!Sorry I've not posted in forever, and when I do it's few and far between, but it has been a very busy spring and when I've had time, I didn't think about the blog.  But here's a compilation of stuff that's happened since the beginning of the year (and a few things from the end of last year):Access cases: Oregon Health & Science University got tagged with one of the

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-65423887823184846852025-05-21T07:07:00.002-05:002025-05-21T07:07:23.092-05:00

Kettering Health (Ohio) Ransomware Event: Kettering Health, which operates 9 hospitals and a handful of other sites in and around Dayton, Ohio, has reported a ransomware event that happened May 20, preventing elective procedures.  The hospitals' emergency rooms continued to be open.  It's unclear at this point whether data was lost to the hackers, but the hackers apparently claim

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-84228888875375522982025-03-21T08:39:00.002-05:002025-03-21T08:39:15.241-05:00

Email As a Data Breach Vector: Almost 200 healthcare organizations suffered a cyberbreach involving their email systems over the last year.  Phishing is probably the biggest type of incident, mainly those that allow hackers to gain credentials and thus establish email rules that allow for data theft and potentially insertion of ransomware.  Tightening systems helps, but even

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-33660617888874839962025-03-14T09:39:00.000-05:002025-03-14T09:39:01.841-05:00

Information-blocking news: EMR company must allow client's BAs to access PHI: I must admit I haven't been following this at all, but it's an interesting bit of news from the intersection of HIPAA privacy and 21st Century Cures Act interoperability.  As you know, HIPAA tries to put the brakes on data sharing, while the Cures Act tries to increase data sharing.  In this case, Real

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-17111131761097612562025-03-14T09:30:00.001-05:002025-03-14T09:30:36.344-05:00

PE-owned healthcare entities need to improve cybersecurity: I hate to say it, but at this point cybersecurity protections are more important than regular HIPAA blocking-and-tackling.  And apparently, private equity backed healthcare companies are worse than others, which is in many ways surprising.  Solid cybersecurity shouldn't be a heavy lift for nimble, tech-related companies, and

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-746723006566205832025-02-21T08:51:00.003-06:002025-02-21T08:51:51.563-06:00

Warby Parker Pays $1.5 to Settle HIPAA ViolationI wasn't involved in this matter, so I don't have inside information and I'm just speculating here.  But a couple of things stand out to me:What makes sense: the breach came about from a pretty common variety of illegal access: "credential stuffing," where someone gets access to one website, steals credentials (of either a massive amount

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-46539463347213634652025-01-28T08:18:00.002-06:002025-01-28T08:18:09.122-06:00

Change Healthcare's Breach Victim Count Reaches 190,000,000.  US population is about 340 million, which means the breach affected about 56% of the US population.  So, if you're an American, it's more likely than not that your PHI was exposed in the Change breach.  A few months ago, a ransomware negotiator mentioned something to a client of mine that was a bit of a revelation.&

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-2363778043861398592025-01-21T10:05:00.002-06:002025-01-21T10:05:40.348-06:00

Texas Health and Human Services Commission Suffers HIPAA Breach: If you haven't figured it out yet, anyone with health data is potentially susceptible to a data breach, and that includes governmental entities.  The Texas Health and Human Services Commission, which oversees health and welfare programs in the state (including state Medicaid), reported recently that in November 2024, bad

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-65484967089454813402025-01-09T13:08:00.003-06:002025-01-09T13:08:37.928-06:00

PHI Deletion Nets $337,750 Fine: This is a bit of an odd one: a Florida HIPAA business associate, USR Holdings, discovered that an unauthorized third party had access to its database for 3-4 months and deleted PHI of 2903 people.  The normal problems were there: failure to conduct a risk assessment, no risk management plan, no system activity review, and no backups.  The result was a $

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0tag:blogger.com,1999:blog-3380636.post-1088864178209863182025-01-09T12:57:00.002-06:002025-01-09T12:57:36.657-06:00

9th Ransomware Case: Virtual Private Network Solutions:  HHS has entered into a settlement agreement with a HIPAA business associate who was hit with a ransomware attack in 2021 that resulted in the encryption of PHI.  VPN Solutions provides data hosting and cloud services to HIPAA covered entities, and in October of 2021 was hit by a ransomware attack that resulted in encryption of

Jeffhttp://www.blogger.com/profile/12067054401696214042noreply@blogger.com0