Report on Patient Privacy

  1. For Many, 'There Is a Price': Multipronged Efforts Needed to Thwart HIPAA Violators

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Theresa Defino

    The fact that people are the weakest link in compliance is a truism in the privacy and security world. But just how weak is this link, and how likely is it that workers would violate HIPAA? Pretty likely, it turns out, even if they (mistakenly) think they’ll probably get caught...

  2. Hypothetical Scenarios Used to Test HIPAA Compliance

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Theresa Defino

    A recent study probing the impact of payments on HIPAA compliance—or noncompliance—posed a series of situations to college students to see how much it might take to get them to violate HIPAA.[1] Across all five scenarios, just 14% didn’t have what the study authors referred to as “a price” to illegally obtain and/or share protected health information...

  3. Monitoring, Awareness, Dedicated Office Can Combat Insider Threats

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Theresa Defino

    A recent study found that a majority of surveyed individuals, acting as potential employees presented with a financial payment or a pressing need to help a family or friend, would violate HIPAA (see story, p. 1).[1]...

  4. Pandemic Slows But Doesn't Derail State, Federal Efforts to Pass Privacy Legislation

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Jane Anderson

    As the COVID-19 pandemic took hold earlier this year, state lawmakers shifted their legislative priorities to virus relief efforts rather than privacy legislation. But focus could return late in 2020 or early in 2021, as policymakers at both the state and the federal level consider new privacy legislation...

  5. Patient Privacy Court Case: September 2020

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Wogai Mohmand

    On August 26, 2020, the Ohio Supreme Court held that an at-will employee has no cause of action for invasion of privacy after an employer requires the employee to submit to a directly observed urine collection drug test. The Ohio Supreme Court reviewed the case on a discretionary appeal from a judgment from the Fifth Circuit Court of Appeals.[1]...

  6. Nonpandemic Security Risks Need Attention Now, Warn FBI, Experts

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Jane Anderson

    When the COVID-19 pandemic took hold in March, those charged with information technology (IT) security at health care organizations moved quickly to shore up defenses on the particular issues brought to the forefront by the crisis, including those surrounding the increase of telehealth and telework...

  7. Updates, Asset Inventory Key to Countering Security Risks

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Jane Anderson

    Government and health care industry experts recommend that health care organizations take a variety of steps, ranging from regular patching to better network access, to reduce their nonpandemic-related security risks.[1]...

  8. Health Plans, Labs May Suggest COVID-19 Survivors Donate Plasma

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Theresa Defino

    As the summer wound down but the COVID-19 pandemic did not, the HHS Office for Civil Rights (OCR) clarified guidance it hopes will aid patients who now have few approved treatment options.[1] On June 12, OCR issued “Guidance on HIPAA and Contacting Former COVID-19 Patients about Blood and Plasma Donation.”[2]...

  9. Privacy Briefs: September 2020

    Report on Patient Privacy Volume 20, Number 9. September 10, 2020 | Author: Jane Anderson

    ◆ Utah Pathology Services, based in Salt Lake City, has reported a data breach involving approximately 112,000 patients. According to the medical practice’s “Notice of Data Incident,” the practice learned June 30 that “an unknown third party attempted to redirect funds from Utah Pathology.”[1] The practice said that this suspicious activity “did not involve any patient information, or the completion of any financial transactions.” Upon discovery of the attempted fraud, Utah Pathology said that it quickly secured the affected email account and launched an investigation, with assistance from independent information technology security and forensic investigators. “We discovered that the personal...

  10. Once Again, Lack of Proper Affiliations, Loss Of Personal Laptop Lead to $1.04M Settlement

    Report on Patient Privacy Volume 20, Number 8. August 06, 2020 | Author: Theresa Defino

    In a case that shares at least three common themes with previous settlements, a Rhode Island health care system of teaching hospitals is paying the HHS Office for Civil Rights (OCR) more than $1 million following the 2017 theft of a worker’s personal laptop that contained patient information and implementing a two-year corrective action plan (CAP).[1]...

  11. Small N.C. Health Center Pays Price for 2011 Breach, Noncompliance; 'We Had to Move On'

    Report on Patient Privacy Volume 20, Number 8. August 06, 2020 | Author: Theresa Defino

    Last month, leaders from Agape Health Services in rural Washington, North Carolina, were happy to share photos of the shell of a building in neighboring Plymouth, that, within a year, will be transformed as the third location for this federally qualified health center (FQHC). “Here we GROW!” proclaimed the Facebook post. “We’re SUPER excited to be able to serve the citizens of Plymouth…and surrounding areas! Services will include: Primary medical care, dental, behavioral health and an on-site pharmacy!”[1]...

  12. How to Comply With HIPAA as a Large Governmental Agency

    Report on Patient Privacy Volume 20, Number 8. August 06, 2020 | Author: Jane Anderson

    HIPAA compliance poses challenges for large governmental and public-private entities, as some parts of the organizations are covered while others are not. This has become especially true as information systems are linked together, breaking down traditional barriers...

  13. Privacy Checklist: Creating and Running a Hybrid Entity

    Report on Patient Privacy Volume 20, Number 8. August 06, 2020 | Author: Jane Anderson

    There are several steps a governmental or public-private entity must take when converting from a general HIPAA-covered entity to a hybrid covered entity, said Judith Thompson, deputy city attorney and HIPAA specialist in the Los Angeles city attorney’s office. The steps are:...

  14. Patient Privacy Court Case: August 2020

    Report on Patient Privacy Volume 20, Number 8. August 06, 2020 | Author: Wogai Mohmand

    The Pennsylvania Supreme Court, in a split decision, decided that mental health professionals have a duty to warn others of threats made by patients even if those threats are made toward an unspecified person. The case will now go to a jury.[1]...

  15. Hit with Ransomware? Here's What Your Organization Is Up Against

    Report on Patient Privacy Volume 20, Number 8. August 06, 2020 | Author: Jane Anderson

    Ransomware attacks are changing and becoming far more sophisticated, meaning hospitals and other health care entities need to step up their games to defend against these potentially crippling security events, the American Hospital Association (AHA) concluded.[1]...

  16. Ransomware Incident Security Tips

    Report on Patient Privacy Volume 20, Number 8. August 06, 2020 | Author: Jane Anderson

    To manage a ransomware incident, Sanjay Deo, 24By7Security Inc. president and founder, recommended the following to health care entities...

  17. Privacy Briefs: August 2020

    Report on Patient Privacy Volume 20, Number 8. August 06, 2020 | Author: Jane Anderson

    ◆ HHS changed its tone on care coordination and case management in the final Confidentiality of Substance Use Disorder Patient Records regulation (42 C.F.R. § 2), known as Part 2.[1] In the regulation, which was published in the Federal Register on July 15,[2] care coordination and case management were added to a list of 17 activities, including billing and fraud, waste and abuse activities, that now will be treated as payment and health care operations. When combined with other provisions, this means a patient can consent to share substance use disorder information with a Part 2 entity, and that entity...

  18. Seven Years After PA Hospital Breach, Alleged Hacker Arrested; Class Action Suit Lives On

    Report on Patient Privacy Volume 20, Number 7. July 09, 2020 | Author: Theresa Defino

    How much would a cybercriminal pay for a person’s name and other information to commit identity fraud? How does $3 sound? That’s how much the Department of Justice (DOJ) alleges that Justin Sean Johnson, 29, charged when he dangled the information of thousands, if not tens of thousands of people for sale on the dark web...

  19. Big Breaches, Down in First Half of 2020, Show Role of BAs; Increase May Be Coming

    Report on Patient Privacy Volume 20, Number 7. July 09, 2020 | Author: Theresa Defino

    During the first six months of this year, 228 breaches affecting 500 or more individuals were reported to the HHS Office for Civil Rights (OCR), and of the top 20, five involved business associates (BAs), including the largest.[1]...

  20. OCR: Yes, You Can (Contact COVID-19 'Survivors' About Blood Donations)

    Report on Patient Privacy Volume 20, Number 7. July 09, 2020 | Author: Theresa Defino

    Many a HIPAA covered entity (CE) pulls back from sharing information, even when permitted to do so, because of fear of enforcement action by the HHS Office for Civil Rights (OCR); many a family member is told “HIPAA won’t let me,” when asking for information they are allowed to have...

  21. COVID-19 Pandemic Security Strategies, Checklist

    Report on Patient Privacy Volume 20, Number 7. July 09, 2020 | Author: Jane Anderson

    Since the COVID-19 pandemic began, health care organizations have been overwhelmed, trying to manage telework, telehealth and ward off increasing threats to their protected health information.[1] But security professionals also are finding organizations are adapting and implementing strategies to safeguard protected health information. Still, there is always more they could do, and the experts recommend a variety of tactics to keep health care entities safe in the coming months, as the pandemic continues...

  22. Patient Privacy Court Case: July 2020

    Report on Patient Privacy Volume 20, Number 7. July 09, 2020 | Author: Wogai Mohmand

    At the end of June, UnityPoint agreed to pay class members $2.8 million for a data breach.[1] UnityPoint Health, which is also known as Iowa Health System, reached this settlement after there were two data breaches at its health system in 2017 and 2018.[2] These two breaches comprised data on more than one million patients and employees...

  23. Want to Do Business in California? Time to Fully Understand the CCPA

    Report on Patient Privacy Volume 20, Number 7. July 09, 2020 | Author: Jane Anderson

    The California Consumer Privacy Act (CCPA) adds a significant layer of complication for companies—including health care entities—that conduct business in California. As enforcement of the law ramps up this month, firms need a detailed plan on how to remain compliant...

  24. Checklist for CCPA Compliance

    Report on Patient Privacy Volume 20, Number 7. July 09, 2020 | Author: Jane Anderson

    Attorney Andrew Clearwater, vice president of privacy at OneTrust, an Atlanta-based privacy and compliance technology company, outlined five broad steps that health care entities and other California companies can follow to comply with the California Consumer Privacy Act (CCPA), which took effect July 1...

  25. Privacy Briefs: July 2020

    Report on Patient Privacy Volume 20, Number 7. July 09, 2020 | Author: Jane Anderson

    ◆ Concerns about hacking and online security have fallen since the onset of the COVID-19 pandemic, despite the fact that the actual risks have risen, according to the 2020 Unisys Security Index report.[1] The World Health Organization (WHO) and Interpol have warned of increased cyberattack risk during the pandemic, and estimates indicate there have been as many as 192,000 coronavirus-related cyberattacks globally per week in May 2020 alone, a 30% increase compared to April. Google’s Gmail service reported that it saw more than 18 million daily malware and phishing emails related to COVID-19 scams in just one week, and more...