August 02, 2011, 03:12 AM By Michelle Durand Daily Journal Staff
Documents containing personal information of approximately 1,500 Mills-Peninsula Health Services patients were removed from the facility over the course of a year and taken home by a mailroom employee, according to a hospital spokeswoman.
The worker, who has since been terminated, took the documents between November 2009 and September 2010. The Burlingame hospital learned of the breach June 17 when a relative of the employee discovered the documents at the worker’s home and returned them to the hospital.
The reason for the removal is murky.
“We don’t believe they’ve been used for anything. We believe they just sat in a box,” said Margie O’Clair, vice president of communications for Mills-Peninsula Health Services.
The hospital reported the incident to the Burlingame police who are pursuing a criminal investigation, O’Clair said.
All of the patients whose information was taken have been notified by mail although anyone with questions can contact Mills-Peninsula. The hospital is also offering one year of free credit monitoring and identity protection to the patients whose registration information, including addresses, insurance identification and Social Security numbers, were taken.
http://www.smdailyjournal.com/article_preview.php?id=164202
Wednesday, August 31, 2011
Tuesday, August 23, 2011
OCR HIPAA HotSpots
Nice article from our friends at HCPRO. Find additional detail at: http://blogs.hcpro.com/hipaa/2011/08/breaking-down-ocrs-hipaa-hotspots/
The Office for Civil Rights has revealed the top areas of interest on its HIPAA privacy and security compliance radar.
Adam Greene, former senior health information technology and privacy advisor at OCR and now partner at the law firm Davis Wright Tremaine in Washington, D.C., recently discussed each hot topic with HealthLeaders Media.
- Hotspot: Incident detection and response (OCR’s top issue)
- Hotspot: Review of log access
- Hotspot: Secure wireless network
- Hotspot: Management of user access and passwords
- Hotspot: Theft or loss of mobile devices
- Hotspot: Up-to-date software
- Hotspot: Role based access – lack of information access management
Thursday, August 11, 2011
HIPAA Auditors Responsible For A HIPAA Breach
The company hired by the Office for Civil Rights (OCR) to conduct nationwide HIPAA privacy and security compliance audits was responsible for a breach that includes the loss of an unencrypted flash drive and affects more than 4,500 patient records.
OCR’s request for audit proposals came in February 2011, about eight months after KPMG, LLP, reported its breach to the New Jersey healthcare system.
KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.
http://www.healthleadersmedia.com/page-1/PHY-269480/HIPAA-Auditor-Involved-in-Own-Data-Breach##
Monday, August 8, 2011
Hospital to keep outsourcing its paperwork despite security breach
A MAJOR hospital will continue to outsource the transcription of medical reports despite a breach of security involving possibly tens of thousands of patients.
Tallaght Hospital yesterday admitted it had called in the gardai to help find out how sensitive patient information "got into inappropriate hands" in the Philippines.
It has contracted out the transcription of medical reports and doctors' letters to private company U-Scribe since 2004.
However, the hospital terminated this contract last May when concerns emerged about security procedures.
Despite the security breach, the hospital -- which has since appointed a new service provider, Dictate IT -- resisted calls last night for it to keep transcription services in-house.
MIAOULIS NOTE: It is important to document that your business associates have security controls in place. Covered entities should perform some level of validation and discussion. Remember, if your Business Associate (i.e. transcription service) has a breach, the Covered Entity (hospital, etc.) is responsible.
A good rule of thumb is that the patient entrusted you (the covered entity, hospital, physician's practice, etc.) and you are responsible for that data.
http://www.independent.ie/national-news/hospital-to-keep-outsourcing-its-paperwork-despite-security-breach-2839315.html