Wilson Technology Group and More

Your One Stop IT and Telecommunications Firm


HHS Office of Civil Rights

Since the compliance date of April 2003, over 89,045 HIPAA complaints have been received by the HHS Office of Civil Rights. What were the results? Nearly 22,000 complaints were resolved through investigation and enforcement. Close to 10,000 complaints were investigated and no violations were found, and nearly 52,000 complaints were closed because they were not eligible for enforcement.

The HHS Office of Civil Rights spends most of its efforts investigating the following:
1) Impermissible uses and disclosures of PHI (Personal Health Information)
2) Lack of safeguards of PHI
3) Lack of patient access to their PHI
4) Uses or disclosures of more than the minimum necessary
5) Lack of administrative safeguards of ePHI

Some of the problems identified in the above include:
1) Failure to conduct a Risk Analysis (RA) in response to a new environment
a) BCBSTN – changed offices
b) WellPoint – installed software upgrade
2) Failure to conduct an accurate and thorough RA that incorporated all IT equipment, applications, and data systems utilizing ePHI
a) New York Presbyterian Hospital
3) Workforce Members
a) Failure to train and/or train on an ongoing basis
b) Failure to “apply appropriate sanctions”
c) Failure to install security measures to monitor unauthorized access
i. UCLA case – workforce members repeatedly snooping on patients between 2005 and 2008
d) Failure to implement appropriate policies and procedures for authorizing access to the patient database
4) Technical/Security Failures
a) Failure to take inventory of equipment that accesses PHI
b) Failure to implement processes to assess and monitor the equipment that accesses PHI
c) Failure to implement appropriate security measures
d) Failure to follow existing policies and procedures on information access management
i. New York Presbyterian Hospital

Why have a policy?
a) Protect clients/patient rights
b) Instill professionalism throughout your enterprise
c) Protect your organization from liability
d) Protect your employees from liability

Find us on LinkedIn, Facebook and www.wilsontechgroup.com



The Spotlight On Data Security

Why is there a spotlight on data security? Data breaches plus identity theft equal liability. Recall the recent data breach at Target. Seventy million records were compromised along with 40 million cards. This resulted in 100+ lawsuits and numerous investigations by state AGs, the FTC, and more.

HIPAA-related breaches are impacting more than 31 million individuals and have led to class action lawsuits and government investigations.

Florida is the number one state for various types of fraud including identity theft, tax fraud, credit card, phone, utilities and more.  Identity theft equals damages.

Protect yourself.  Hire a reputable vendor to proactively protect your data.



The Second Biggest HIPAA Breach Ever Reported

In the second biggest HIPAA breach ever reported, one of the nation’s largest healthcare systems is notifying more than four million patients that their protected health information and Social Security numbers have been compromised after the theft of four unencrypted company computers. Advocate Health System announced that the theft occurred at one of its Advocate Medical Group administrative buildings in Park Ridge, Illinois on July 15th. Patient names, addresses, dates of birth, Social Security numbers and clinical information (including physician, medical diagnoses, medical record numbers, and health insurance data) were all contained on the computers, officials say. This breach stands as the second biggest HIPAA breach ever reported according to HHS data, just behind the TRICARE Management Activity breach, which impacted more than 4.9 million patients back in 2011.


Taken from:  Lorna Waggoner/EC First





HIPAA Fine for Lack of Firewall Assessment

Idaho State University (ISU) has agreed to pay $400,000 to HHS for violations of the HIPAA Security Rule. The settlement involves the breach of unsecured EPHI of 17,500 individuals who were patients at an ISU clinic. OCR opened its investigation after ISU notified HHS that the EPHI of approximately 17,500 individuals was accessible at its Pocatello Family Medicine Clinic because an ISU server firewall was disabled. OCR investigators found that ISU did not apply proper security measures and policies to address risks to EPHI and did not have procedures in place for routine review of information system activity, which could have detected the disabled firewall much sooner. Overall, ISU failed to ensure the uniform implementation of required Security Rule protections at each of its covered clinics.

A key requirement of compliance regulations such as HIPAA, HITECH, and PCI DSS is that organizations conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all sensitive information, such as Personally Identifiable Information.


HIPAA: New Requirements for Business Associate Agreements

An organization’s Business Associate (BA) Agreements may need to be amended or updated to comply with the Final Rule.  Under the new regulations, BA Agreements must now require that the BA will do the following:

1)  Comply, where applicable, with the HIPAA Security Rule

2)  Report breaches of unsecured PHI to the Covered Entity as required under the breach notification rules

3)  Make certain that any subcontractors that create or receive PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA (there must now be a BA Agreement in place between a BA and its subcontractors in these circumstances)

4)  Comply with the requirements of the HIPAA Privacy Rule whenever the BA is required to perform the Covered Entity’s obligation under the Privacy Rule.

BA Agreements entered into prior to 1/25/13, between Covered Entities and BAs (as well as BAs and their subcontractors), that are not renewed or modified between 3/26/13 and 9/23/13 and that met the requirements of HIPAA and HITECH prior to 1/25/13 will be granted grandfathered status and deemed to continue in compliance until 9/23/14 or the date the contract is renewed or modified, whichever occurs first. All other BA Agreements must be in compliance with the new regulations by 9/23/13.

Taken in part from:  Miller & Martin, PLLC   3/8/2013


HIPAA: Fundraising

The Final Rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of individuals’ health information without their permission. The Final Rule also tightens the rules about giving individuals the opportunity to opt out of receiving future fundraising materials and requires clear instructions on how to opt out.


Wilson Technology Group services include:  business phone systems; computers; networks; security cameras; wired and wireless networks; and more!


HIPAA: New Requirements for Notice of Privacy Practice

The Final Rule requires Covered Entities (CE) to revise their Notice of Privacy Practices to include a statement that:

1)  Describes the types of uses and disclosures that require authorization under HIPAA (if the CE intends to engage in any of them)

2)  Informs individuals that they have the right to opt out of receiving fundraising communications (if the CE uses PHI to conduct fundraising activities)

3)  Informs individuals that they have a right to pay out-of-pocket for a service and the right to require that the CE not submit PHI to the individual’s health plan if they do so

4)  Informs individuals that the CE has a duty to notify affected individuals following a breach of unsecured PHI

Taken in part from:  Miller & Martin, PLLC  3/8/2013