Wilson Technology Group and More

Your One Stop IT and Telecommunications Firm



HHS Office for Civil Rights

Since the compliance date of April 2003, more than 89,045 HIPAA complaints have been received by the HHS Office for Civil Rights (OCR). What were the results? Nearly 22,000 complaints were resolved through investigation and enforcement. Close to 10,000 were investigated and no violation was found, and nearly 52,000 were closed because they were not eligible for enforcement (for example, because the entity complained about was not covered by HIPAA, or the activity described was not a violation of the rules).

The HHS Office for Civil Rights spends most of its investigative effort on the following:
1) Impermissible uses and disclosures of PHI (Protected Health Information)
2) Lack of safeguards for PHI
3) Lack of patient access to their own PHI
4) Uses or disclosures of more than the minimum necessary
5) Lack of administrative safeguards for ePHI (electronic PHI)

Some of the problems identified in those investigations include:
1) Failure to conduct a Risk Analysis (RA) in response to a new environment
a) BCBSTN: changed offices
b) WellPoint: installed a software upgrade
2) Failure to conduct an accurate and thorough RA that covered all IT equipment, applications, and data systems handling ePHI
a) New York Presbyterian Hospital
3) Workforce members
a) Failure to train, or to train on an ongoing basis
b) Failure to “apply appropriate sanctions”
c) Failure to put security measures in place to monitor for unauthorized access
i. UCLA case: workforce members repeatedly snooping on patient records between 2005 and 2008
d) Failure to implement appropriate policies and procedures for authorizing access to the patient database
4) Technical/security failures
a) Failure to inventory the equipment that accesses PHI
b) Failure to implement processes to assess and monitor that equipment
c) Failure to implement appropriate security measures
d) Failure to follow existing policies and procedures on information access management
i. New York Presbyterian Hospital
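The UCLA finding above (workforce members repeatedly opening records they had no business in) is the kind of thing an audit-log review catches only if someone actually runs one. The following is an added example, not code from the original post or from any of the organisations named in it. It assumes the EHR exports an access audit log as JSON lines with ts/user/patient/action fields and that a care-team feed (scheduling or encounter data) says which user is assigned to which patient; both inputs are constructed samples with assumed field names.

```python
"""Detect workforce members opening patient records without a treatment relationship.

Added example; not code from the original post or from any organisation it names.
Assumes (1) an EHR access audit log in JSON-lines form with ts/user/patient/action
fields and (2) a care-team feed mapping each user to assigned patients. Both inputs
below are constructed samples; the field names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed care-team feed: user -> patients they are assigned to.
CARE_TEAM = {
    "nurse.alice": {"P-1001", "P-1002"},
    "dr.bob": {"P-1002", "P-1003"},
}

# Constructed audit log: six events, three of which are nurse.alice opening a
# chart (P-1003) she is not assigned to, on three different days.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:00", "user": "nurse.alice", "patient": "P-1001", "action": "view"}
{"ts": "2024-03-01T09:40:00", "user": "dr.bob", "patient": "P-1003", "action": "view"}
{"ts": "2024-03-01T12:05:00", "user": "nurse.alice", "patient": "P-1003", "action": "view"}
{"ts": "2024-03-02T12:10:00", "user": "nurse.alice", "patient": "P-1003", "action": "view"}
{"ts": "2024-03-04T12:00:00", "user": "nurse.alice", "patient": "P-1003", "action": "view"}
{"ts": "2024-03-04T15:30:00", "user": "dr.bob", "patient": "P-1002", "action": "update"}
"""

# Distinct days on which one user opened one unassigned chart before it is
# reported as repeated snooping rather than a one-off to be reviewed.
REPEAT_DAYS = 3


def parse_events(text):
    """Parse JSON-lines audit events; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def unauthorized_accesses(events, care_team):
    """Events where the user has no care-team assignment for the patient.

    Break-the-glass or role-based exceptions would be subtracted here if the
    EHR records them; this example treats every unassigned access as reviewable.
    """
    return [e for e in events
            if e["patient"] not in care_team.get(e["user"], set())]


def repeated_snooping(events, care_team, repeat_days=REPEAT_DAYS):
    """Map (user, patient) -> distinct days, for pairs at or above repeat_days."""
    days = defaultdict(set)
    for e in unauthorized_accesses(events, care_team):
        days[(e["user"], e["patient"])].add(e["ts"].date())
    return {pair: len(d) for pair, d in days.items() if len(d) >= repeat_days}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in unauthorized_accesses(events, CARE_TEAM):
        print("review:", e["ts"].isoformat(), e["user"], e["patient"], e["action"])
    for (user, patient), n in repeated_snooping(events, CARE_TEAM).items():
        print("repeated snooping:", user, "opened", patient, "on", n, "days")
```

Run on the sample, the script reports nurse.alice's three accesses to P-1003 for review and, because they fall on three distinct days, escalates the pair as repeated snooping. The two-tier output matters for the sanctions point above: a single unassigned access is often a legitimate covering shift and belongs in a review queue, while a pattern across days is what the sanctions policy should be written to act on.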

Why have a policy?
a) Protect clients' and patients' rights
b) Instill professionalism throughout your enterprise
c) Protect your organization from liability
d) Protect your employees from liability

Find us on LinkedIn, Facebook and www.wilsontechgroup.com



The Spotlight On Data Security

Why is there a spotlight on data security? Data breaches plus identity theft equal liability. Recall the recent data breach at Target: 70 million customer records were compromised along with 40 million payment cards. The result was more than 100 lawsuits and numerous investigations by state attorneys general, the FTC, and others.

HIPAA-related breaches have affected more than 31 million individuals and have brought class-action lawsuits and government investigations with them.

Florida ranks first among the states for many types of fraud, including identity theft, tax fraud, and credit card, phone, and utilities fraud. Identity theft means damages.

Protect yourself. Hire a reputable vendor to protect your data proactively.

 




The Second Biggest HIPAA Breach Ever Reported.

In the second biggest HIPAA breach ever reported, one of the nation’s largest healthcare systems is notifying more than four million patients that their protected health information and Social Security numbers were compromised after the theft of four unencrypted company computers. Advocate Health System announced that the theft occurred at one of its Advocate Medical Group administrative buildings in Park Ridge, Illinois, on July 15th. Patient names, addresses, dates of birth, Social Security numbers and clinical information, including physician, medical diagnoses, medical record numbers, and health insurance data, were all contained on the computers, officials say. According to HHS data, this stands as the second biggest HIPAA breach ever reported, just behind the TRICARE Management Activity breach, which affected more than 4.9 million patients in 2011.

The word that matters here is "unencrypted". Under the HHS breach notification rule, ePHI encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest) is treated as "secured", and the loss or theft of such a device is not a reportable breach. Full-disk encryption on every workstation and laptop that can hold ePHI is the one control that turns an incident like this into a hardware loss.

 

Taken from:  Lorna Waggoner/EC First


 



HIPAA Fine for Lack of Firewall Assessment

Idaho State University (ISU) has agreed to pay $400,000 to HHS for violations of the HIPAA Security Rule. The settlement involves the breach of unsecured ePHI of 17,500 individuals who were patients at an ISU clinic. OCR opened its investigation after ISU notified HHS that the ePHI of approximately 17,500 individuals was accessible at its Pocatello Family Medicine Clinic because an ISU server firewall had been disabled. OCR investigators found that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures in place for routine review of information system activity, which could have detected the disabled firewall much sooner. Overall, ISU failed to ensure the uniform implementation of required Security Rule protections at each of its covered clinics.
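The control ISU was faulted for lacking is a routine check that the firewall is still doing its job, not a fancier firewall. The following is an added example, not code from the ISU case or from the original post. It reads the rule listing produced by `iptables -S` and reports anything that leaves the INPUT chain effectively open. Assumptions: the organisation's standard is a default-deny INPUT policy, and the host uses iptables (an nftables or firewalld host would need `nft list ruleset` parsed instead). The three rule listings are constructed samples, not captured from any real system.

```python
"""Routine check that a Linux host firewall is still enforcing.

Added example; not code from the ISU case or the original post. Parses the
output of `iptables -S`. Assumes a default-deny INPUT policy is the standard
and that the host uses iptables. The three listings below are constructed.
"""
import subprocess
import sys

# Constructed: a flushed/disabled firewall. Accept-all policies and no rules.
DISABLED_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed: default-deny policy, but a blanket ACCEPT rule that defeats it.
OPEN_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j ACCEPT
"""

# Constructed: a minimal enforcing configuration.
ENFORCING_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Any of these options narrows a rule to particular traffic; an ACCEPT rule
# carrying none of them matches everything.
SELECTORS = ("-p", "-i", "-s", "-d", "-m")


def parse_rules(text):
    """Split `iptables -S` output into chain policies and per-rule token lists."""
    policies, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P" and len(parts) >= 3:
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A" and len(parts) >= 2:
            rules.append(parts[1:])
    return policies, rules


def assess_firewall(text):
    """Return a list of findings for the INPUT chain; an empty list means enforcing."""
    policies, rules = parse_rules(text)
    findings = []
    input_rules = [r for r in rules if r[0] == "INPUT"]
    if policies.get("INPUT") != "DROP":
        # Without a default-deny policy, anything not explicitly dropped gets in.
        findings.append("INPUT default policy is %s, expected DROP"
                        % policies.get("INPUT", "missing"))
    if not input_rules:
        findings.append("INPUT chain has no rules (firewall flushed or disabled?)")
    for r in input_rules:
        target = r[r.index("-j") + 1] if "-j" in r and r.index("-j") + 1 < len(r) else None
        if target == "ACCEPT" and not any(opt in r for opt in SELECTORS):
            findings.append("INPUT has an unconditional ACCEPT rule: -A " + " ".join(r))
    return findings


def live_rules():
    """Read the running ruleset; needs root (or CAP_NET_ADMIN)."""
    return subprocess.run(["iptables", "-S"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    findings = assess_firewall(live_rules())
    for f in findings:
        print("FINDING:", f)
    sys.exit(1 if findings else 0)
```

Run from a cron job or systemd timer with the non-zero exit and the FINDING lines shipped to whatever the team already watches, this is the "routine review of information system activity" the settlement describes: it turns a silently disabled firewall into an alert the same day rather than a notification letter months later. The OPEN_RULES sample is included because a default-deny policy alone passes a naive "is the firewall on" check while a single `-A INPUT -j ACCEPT` leaves the host as exposed as no firewall at all.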

A key requirement of compliance regimes such as HIPAA, HITECH, and PCI DSS is that organizations conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the sensitive information they hold, such as ePHI or other personally identifiable information. A risk analysis alone would not have saved ISU, though: the finding above turned on the absence of routine review that would have shown a required control had stopped working.




HIPAA: New Requirements for Business Associate Agreements

An organization’s Business Associate (BA) Agreements may need to be amended or updated to comply with the Final Rule. Under the new regulations, a BA Agreement must now require that the BA:

1)  Comply, where applicable, with the HIPAA Security Rule

2)  Report breaches of unsecured PHI to the Covered Entity as required under the breach notification rules

3)  Ensure that any subcontractors that create or receive PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA (there must now be a BA Agreement in place between a BA and its subcontractors in these circumstances)

4)  Comply with the requirements of the HIPAA Privacy Rule whenever the BA performs a Covered Entity’s obligation under the Privacy Rule

BA Agreements entered into before 1/25/13, between Covered Entities and BAs (as well as between BAs and their subcontractors), that are not renewed or modified between 3/26/13 and 9/23/13, and that met the requirements of HIPAA and HITECH before 1/25/13, are grandfathered and deemed to remain in compliance until 9/23/14 or the date the contract is renewed or modified, whichever occurs first. All other BA Agreements must comply with the new regulations by 9/23/13.

Taken in part from: Miller & Martin, PLLC, 3/8/2013



HIPAA: Fundraising

The Final Rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of individuals’ health information without their permission. It also tightens the rules on giving individuals the opportunity to opt out of future fundraising materials and requires clear instructions on how to opt out.

 




HIPAA: New Requirements for Notice of Privacy Practice

The Final Rule requires Covered Entities (CE) to revise their Notice of Privacy Practices to include a statement that:

1)  Describes the types of uses and disclosures that require authorization under HIPAA (if the CE intends to engage in any of them)

2)  Informs individuals that they have the right to opt out of receiving fundraising communications (if the CE uses PHI to conduct fundraising activities)

3)  Informs individuals that they have the right to pay out-of-pocket for a service and, if they do so, the right to require that the CE not submit PHI about that service to their health plan

4)  Informs individuals that the CE has a duty to notify affected individuals following a breach of unsecured PHI

Taken in part from: Miller & Martin, PLLC, 3/8/2013



HIPAA Expanded Patient Rights

Under the Final Rule, a Covered Entity (CE) is required to abide by an individual’s request to restrict the disclosure of PHI to a health plan if the individual, or someone on behalf of the individual, has paid the CE in full. The new regulations also provide that if an individual requests an electronic copy of their PHI, the CE must provide access to that information in electronic form if it is readily producible in that form. A CE that maintains records electronically will therefore have to produce PHI in an electronic format, since it is considered readily producible in that circumstance. Further, under the Final Rule, if an individual directs a CE, in a signed writing, to transmit an electronic copy of the PHI to another person designated by the individual, the CE must transmit the PHI electronically to that party. Additionally, HIPAA now permits a CE only one 30-day extension to respond to a request for access. Finally, the new regulations streamline individuals’ ability to authorize the use of their health information for research purposes and make it easier for parents and others to give permission to share proof of a child’s immunizations with a school.

Taken in part from: Miller & Martin, PLLC, 3/8/2013



Application of HIPAA to Business Associates

The Final Rule applies certain HIPAA privacy, security, and enforcement regulations directly to Business Associates (BAs), and provides that if a BA violates any HIPAA provision that is now directly applicable to it, the BA is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH. Under the revised HIPAA regulations, BAs are now directly liable for:

1)  Impermissible uses or disclosures of PHI

2)  Failure to provide appropriate access to an electronic copy of PHI to a Covered Entity (CE), an individual, or an individual’s representative

3)  Failure to provide proper breach notification to a CE

4)  Failure to disclose PHI when required by HHS to investigate the BA’s compliance with HIPAA

5)  Failure to comply with the applicable requirements of the Security Rule

Perhaps most significantly, the Final Rule provides that if a BA violates a provision of a BA Agreement, that contractual violation is now also a HIPAA violation. The Final Rule also states that BAs must comply with HIPAA’s “minimum necessary” standard and may use, disclose, or request PHI from another entity only if they limit the PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.

Taken in part from: Miller & Martin, PLLC, 3/8/2013



HIPAA: Increased Flexibility with PHI of Deceased Patients

Under the Final Rule, Covered Entities (CEs) are now permitted to disclose PHI to a decedent’s family members and others who were involved in the patient’s care, or in payment for that care, before death, unless doing so would be inconsistent with any prior expressed preference known to the CE. This is limited to PHI that is relevant to the family member’s or other person’s involvement in the individual’s healthcare or payment. Additionally, under the new HIPAA regulations, health information is no longer PHI once a patient has been dead for 50 years.

Taken from:  Miller & Martin, PLLC  3/8/2013