Wednesday, May 30, 2012

HIPAA LAWSUIT SETTLED: Data Breach Costs Massachusetts Hospital $750K

Note: This HIPAA lawsuit has been settled; the case also involves the Massachusetts Consumer Protection Act.

PRESS RELEASE:
BOSTON – South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers, Attorney General Martha Coakley announced today. The investigation and settlement resulted from a data breach reported to the AG’s Office in July 2010 that included individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

The consent judgment approved today in Suffolk Superior Court includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.

The lawsuit was filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes with 800,000 individuals’ personal information and protected health information off-site to be erased. The hospital contracted with Archive Data Solutions to erase the back-up tapes and resell them.

The hospital did not inform Archive Data, however, that personal information and protected health information was on the back-up computer tapes nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Multiple companies handled the shipping of the boxes containing the tapes.

In June 2010 South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The missing boxes have not been recovered although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.

The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with Archive Data, and failing to properly train its workforce with respect to health data privacy.

According to the consent judgment, South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.

This matter is being handled by Assistant Attorneys General Shannon Choy-Seymour of the Consumer Protection Division and Lois Johnson of the Health Care Division with assistance from Civil Investigator Jake Harney.
http://www.mass.gov/ago/news-and-updates/press-releases/2012/2012-05-24-south-shore-hospital-data-breach-settlement.html

Tuesday, May 22, 2012

HIPAA Audits: Protocol to be Published (20 down, 95 to come)

The Department of Health and Human Services' Office for Civil Rights has completed its initial 20 audits that tested the program mandated by the HITECH Act, says Susan McAndrew, deputy director at OCR. But those organizations have not yet received their final audit reports, she notes.

"Data collection on the next wave of 25 has begun," McAndrew tells HealthcareInfoSecurity. The other 70 will be notified in phases in the months ahead.

Protocols to be Published

OCR plans to publish the audit protocol on its website "in the near future," McAndrew says. "As part of this pilot program, OCR has developed a specific audit protocol manual to be used for conducting audits. The protocol is also designed so OCR can use it as the basis for our audit work in the future, regardless of the staffing approach we take long term."

McAndrew declines to discuss whether OCR is moving ahead with plans for continuing the audit program beyond this year. She points out that OCR will offer a report on the aggregate findings of its audits after all of this year's audits are complete.

NOTE: Remember that Risk Analysis is the foundation of the Security Rule, and documentation of all actions should be maintained. If it is not documented, you may not be able to prove that you are following HIPAA and your own policies and practices.

Old Chinese Proverb (Modified): The best time to document your HIPAA compliance was 8 years ago; the next best time to start is TODAY.

http://www.govinfosecurity.com/hipaa-audits-progress-report-a-4783

Thursday, May 17, 2012

Utah tech director resigns in wake of data theft

Utah's chief technology officer has resigned in the wake of the theft of hundreds of thousands of online medical records by unknown computer hackers.

Gov. Gary Herbert on Tuesday announced a "comprehensive" response to the massive data breach, including the resignation of Stephen Fletcher, director of the state's Department of Technology Services.  
http://www.businessweek.com/ap/2012-05/D9UPE9PO0.htm

Friday, May 11, 2012

ONC Guide to Privacy and Security - 10 Steps to Meaningful Use

May 9, 2012. The ONC has issued a Guide to Privacy and Security of Health Information which includes the 10 steps to meaningful use and is directed at Eligible Practices. The guidance, however, is valid for Covered Hospitals as well. This is a must-read document. Some of the highlights are listed below.

Chapters include:
1. What Is Privacy and Security and Why Does It Matter?
2. Privacy and Security and Meaningful Use.
3. Privacy & Security 10 Step Plan for Meaningful Use.
4. Integrating Privacy and Security into Your Practice.
5. Privacy and Security Resources.

A FEW HIGHLIGHTS:
For privacy and security, the following are the requirements for Stage 1 of Meaningful Use:

Core Objective & Measure 12: Provide patients with an electronic copy of their health information, upon request.
  • More than 50 percent of all patients who request an electronic copy of their health information are provided it within three business days.
Core Objective & Measure 15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
  • Conduct or review a security risk analysis in accordance with the requirements under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), implement security updates as necessary, and correct identified security deficiencies as part of the risk management process.
MYTH: Simply installing a certified EHR fulfills the security risk analysis MU requirement.
FACT: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Download the entire guidance here:
http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Wednesday, May 9, 2012

Why do a HIPAA Risk Analysis? - Meaningful Use - HIPAA - HITECH Audits

Miaoulis Writes:
A recent discussion on the topic of Risk Analysis asked the question "why have so many organizations not completed this important task?" The reasons to complete it are numerous, but here are a few:
  • Required by HIPAA, and the foundation of the Security Rule and of Information Security
  • OCR has identified Risk Analysis (as they should) as a target area. (We see the fines)
  • Meaningful Use Objective 14 or 15 requires a risk analysis to meet Stage 1.
With many organizations preparing to attest their Certified EMR, now may be the time to look at this important objective (14 or 15, depending on whether you are a covered provider or a covered entity).

MEANINGFUL USE:
  • (i) Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
  • (ii) Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
 164.308(a)(1) references back to the HIPAA Security Management Process:

Security management process (164.308(a)(1)) – Policies and procedures to prevent, detect, contain, and correct security violations. The following are required:
  • Risk analysis (R) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Risk management (R) – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
WHY Risk Analysis
Completing a risk analysis does not have to be complicated. HHS has issued guidance on Risk Analysis. The first question to ask yourself is: do you know where your data resides?
Brief Description of HOW:
Make a list of all places where ePHI resides. Examples can include laptops, home computers, cell phones, servers, backup tapes, application lists, Excel spreadsheets, desktop computers, email and thumb drives. The next question to ask is WHAT controls are in place to keep someone from accessing that protected data? Thirdly, ask yourself what the risk to the data is (how likely is a compromise, and what would be the impact?), then determine a course of action, create a plan, and execute the plan.
HHS has published the following guidance on completing a HIPAA Risk Analysis; every security professional should have this information.
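The four steps above (inventory where ePHI resides, record the controls, rate likelihood and impact, then plan and act) map naturally onto a small risk register. The script below is an added illustration written for this post, not the HHS guidance or any tool the post refers to; the asset list, control names, the 1-5 scales and the high/medium/low thresholds are all constructed assumptions for a hypothetical clinic. It scores each location, ranks the resulting plan so the worst risks are handled first, and flags assets missing a control you decide is mandatory (here, encryption), which also produces the written record the Security Rule expects you to keep.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Ordinal scales for the "how likely is it and what would be the impact?" question.
# The 1-5 scales are an assumption of this example, not part of the HIPAA rule.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class EphiLocation:
    """One register row: a place where ePHI resides and what protects it."""
    asset: str           # step 1: where the ePHI resides
    controls: List[str]  # step 2: what keeps someone from accessing it
    likelihood: str      # step 3: how likely is a compromise (LIKELIHOOD key)
    impact: str          # step 3: how bad would it be (IMPACT key)
    action: str          # step 4: planned course of action


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 1-5 scales; 25 is the worst case."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Bucket a score for prioritisation; thresholds are an assumption of this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def control_gaps(register: List[EphiLocation], required: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (asset, missing controls) for every asset lacking a required control."""
    gaps = []
    for entry in register:
        missing = sorted(required - set(entry.controls))
        if missing:
            gaps.append((entry.asset, missing))
    return gaps


def build_plan(register: List[EphiLocation]) -> List[Tuple[str, int, str, str]]:
    """Rank the register by score so the highest risks are remediated first."""
    rows = []
    for e in register:
        score = risk_score(e.likelihood, e.impact)
        rows.append((e.asset, score, risk_level(score), e.action))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def render_register(register: List[EphiLocation]) -> str:
    """Produce the written record to keep with the risk analysis documentation."""
    lines = ["asset | score | level | controls | planned action"]
    for asset, score, level, action in build_plan(register):
        entry = next(e for e in register if e.asset == asset)
        lines.append(f"{asset} | {score} | {level} | {', '.join(entry.controls) or 'none'} | {action}")
    return "\n".join(lines)


# Constructed sample register for a hypothetical clinic (not from the post).
SAMPLE_REGISTER = [
    EphiLocation("backup tapes in transit to the destruction vendor",
                 ["signed vendor contract"], "possible", "severe",
                 "encrypt tapes before shipment; execute a business associate agreement"),
    EphiLocation("clinic laptops",
                 ["encryption", "screen lock"], "unlikely", "major",
                 "verify encryption is enforced on every device"),
    EphiLocation("thumb drives used by staff",
                 [], "likely", "moderate",
                 "issue encrypted drives only; block unapproved removable media"),
    EphiLocation("EHR application server",
                 ["access control", "audit logging", "encryption"], "unlikely", "severe",
                 "review access logs quarterly; apply vendor security updates"),
]

if __name__ == "__main__":
    print(render_register(SAMPLE_REGISTER))
    for asset, missing in control_gaps(SAMPLE_REGISTER, {"encryption"}):
        print(f"GAP: {asset} is missing {', '.join(missing)}")
```

Running the script prints the ranked register followed by the encryption gaps; in the constructed sample the unencrypted backup tapes score highest and appear first in the plan, which is exactly the ordering you want to carry into the remediation schedule and keep on file as evidence of the analysis.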

Wednesday, May 2, 2012

Judge asked to dismiss attorney general's lawsuit (HIPAA)

ST. PAUL, Minn. — The company that has helped Fairview Health Services and North Memorial Medical Center collect debts from patients has asked a court to dismiss a lawsuit filed by Minnesota Attorney General Lori Swanson.

The lawsuit filed in federal court in January accuses Chicago-based Accretive Health of breaking federal and state health privacy and debt collection laws, including the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit stemmed from an incident in which a laptop belonging to an Accretive Health employee was stolen out of his car last summer.
http://minnesota.publicradio.org/display/web/2012/04/30/accretive-seeks-lawsuit-dismissal/

Tuesday, May 1, 2012

HIPAA Modifications: What to Expect

Susan McAndrew of the HHS Office for Civil Rights has provided insights about an omnibus package of regulations - including a revised version of the HIPAA breach notification rule - that's now in the final stages of review.

The final version of the breach notification rule will include clarification of how to determine whether a breach must be reported to federal authorities, says McAndrew, OCR's deputy director of health information privacy. The interim final version of the breach rule, now in effect, contains a controversial harm standard that requires healthcare organizations to conduct a risk assessment to determine if a breach represents a significant risk of harm and thus must be reported.

“We are hopeful that the standards [in the final rule] will be sufficiently clear for how to determine if a breach is reportable,” McAndrew says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below). "We're working on some additional guidance which will help entities, particularly smaller entities that may encounter breaches, to help them identify what the proper steps are to a risk assessment."
 
http://www.healthcareinfosecurity.com/articles.php?art_id=4722&rf=2012-05-01-eh&elq=cda2aeb4f9184a7fb76995a2cf3959c5&elqCampaignId=3382