Report on Patient Privacy

  1. Security Threats Soar From Nation-State Bad Actors as the New Year Gets Underway

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Jane Anderson

    Security threats to health care entities will continue to escalate in 2021, as bad actors with significant capabilities target pandemic-weary organizations still struggling with a stay-at-home workforce, cybersecurity experts report...

  2. Health Care Cybersecurity Checklist for 2021

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Jane Anderson

    Experts interviewed by RPP recommended a variety of strategies to stay ahead of evolving security threats this year, particularly as the COVID-19 pandemic winds down and threats from highly capable bad actors ramp up...

  3. On the Eve of a New Administration, OCR Offers 'Comprehensive Reforms' to HIPAA

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Theresa Defino

    With barely a month left before the Biden administration is set to take over, the HHS Office for Civil Rights (OCR) announced a proposed regulation that would dispense with the requirement for providers to obtain acknowledgement from patients that they have received a notice of privacy practices (NPP).[1]...

  4. OCR Decries Records Retrieval as 'Cost Center,' Would Require Faster Access

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Theresa Defino

    Citing “substantial confusion” on the issue of “whether or not a provider can charge a reasonable cost based-fee” for records access, the HHS Office for Civil Rights (OCR) is proposing to revise several requirements related to patients’ access to medical records...

  5. Belated OCR Audits Shine New Light on Old Issues, Including Security Failures

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Theresa Defino

    It’s been almost 10 years since the compliance community was abuzz with word that the HHS Office for Civil Rights (OCR) was embarking on a program to audit covered entities (CEs) for compliance. Many were anxious about the possibility of enforcement action against those who ran afoul of HIPAA rules governing privacy, security and breach notification. Audits were required by Congress under the 2009 HITECH Act...

  6. Congress Gives Organizations a Break on HIPAA Fines

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Theresa Defino

    In July, the HHS Office for Civil Rights (OCR) reached a $35,000 settlement with Agape Health Services, a federally qualified health center in rural Washington, North Carolina.[1] In an exclusive interview, Clifton Gray III, the chief compliance officer for Agape, told RPP that OCR initially had proposed a fine of $400,000.[2] Even at $35,000, the payment—accompanied by a two-year corrective action plan—was “devastating,” Gray said...

  7. Privacy Briefs: January 2021

    Report on Patient Privacy Volume 21, Number 1. January 07, 2021 | Author: Jane Anderson

    ◆ The HHS Office for Civil Rights (OCR) settled its 13th enforcement action in its Right of Access Initiative, first announced in 2019 to support individuals’ rights to timely access their health records at a reasonable cost under the privacy rule.[1] As part of the settlement, announced Dec. 22, Peter Wrobel, doing business as Georgia-based Elite Primary Care, agreed to take corrective actions and pay $36,000 to settle a potential violation of the right of access standard. In April 2019, OCR received a complaint alleging that Elite failed to respond to a patient’s request for access to his medical records,...

  8. New Enforcement Threat: 'Coordinated' AGs Pursuing Settlements Following Big Breaches

    Report on Patient Privacy Volume 20, Number 12. December 10, 2020 | Author: Theresa Defino

    In late September, Anthem Inc. entered into a $39.5 million settlement for a 2014 data breach that affected nearly 79 million individuals.[1] About a week later, CHS/Community Health Systems Inc. agreed to pay $5 million for a breach that same year; 6.1 million records had been hacked.[2]...

  9. When AGs Call, Know When to Fight, When to Fold

    Report on Patient Privacy Volume 20, Number 12. December 10, 2020 | Author: Theresa Defino

    Transparency and contrition are two qualities that HIPAA officials at covered entities (CEs) and business associates (BAs) might want to think about expressing should they ever get a call from a state attorney general (AG) investigating a breach...

  10. New Access Settlements Highlight Third-Party Right, Psych Notes, Need to Respond to OCR

    Report on Patient Privacy Volume 20, Number 12. December 10, 2020 | Author: Jane Anderson

    The HHS Office for Civil Rights (OCR) continued its laser focus on HIPAA rules involving patient access to medical records with a series of three settlements that spotlighted different aspects of the patient right of access...

  11. Patient Privacy Court Case: December 2020

    Report on Patient Privacy Volume 20, Number 12. December 10, 2020 | Author: Wogai Mohmand

    On Nov. 27, Attorney General Hector Balderas of New Mexico filed a notice of appeal for a children’s privacy case against Google.[1]...

  12. In Part 2 of Q&A, Data Breaches Blogger Discusses Why Ignoring Her Is a Bad Idea

    Report on Patient Privacy Volume 20, Number 12. December 10, 2020 | Author: Theresa Defino

    Among a trio of recent settlements the HHS Office for Civil Rights (OCR) announced over hacking incidents was one for $1.5 million with Athens Orthopedic Clinic PA, which involved an intrusion by The Dark Overlord and an unusual tip provided by “Dissent,” a pseudonymous blogger for Databreaches.net—a must-read for HIPAA privacy and security compliance officials.[1] In part one of a wide-ranging Q&A with RPP that ran in the November issue, Dissent, a retired psychologist from New York who does some breach-related consulting work, discussed why she doesn’t use her name, her views on the settlement and the psychology of hackers.[2]...

  13. Privacy Briefs: December 2020

    Report on Patient Privacy Volume 20, Number 12. December 10, 2020 | Author: Jane Anderson

    ◆ Suspected North Korean hackers have tried to break into the systems of British drugmaker AstraZeneca in recent weeks as the company races to deploy its COVID-19 vaccine, Reuters reported.[1] The hackers posed as recruiters on networking site LinkedIn and WhatsApp to approach AstraZeneca staff with fake job offers, Reuters’ sources said. They then sent documents purporting to be job descriptions that were laced with malicious code. The hacking attempts targeted “a broad set of people,” including staff working on COVID-19 research, according to one of Reuters’ sources, but are not thought to have been successful. The tools and techniques...

  14. From Her Words to OCR's Ears: 'Dissent' Seeks to Hold Hackers, Leakers Accountable

    Report on Patient Privacy Volume 20, Number 11. November 05, 2020 | Author: Theresa Defino

    In her 14-plus years of investigating and blogging about hacking and breaches, “Dissent” has been yelled at, threatened with lawsuits and accused of being a criminal. But now the self-described “older than dirt” retired New York psychologist, who publishes her work at DataBreaches.net, is enjoying a bit of fame...

  15. Four New OCR Settlements Feature Breaches, Shared Passwords, Records Access—Again

    Report on Patient Privacy Volume 20, Number 11. November 05, 2020 | Author: Theresa Defino

    Following a month in which it announced eight settlement agreements totaling more than $10 million, the HHS Office for Civil Rights (OCR) continued its enforcement streak in October, dinging a city health department, a large insurer, a hospital system and an orthopedic practice for a variety of alleged HIPAA violations...

  16. After Settlement, New Haven Mayor Pledges 'Action Plan'

    Report on Patient Privacy Volume 20, Number 11. November 05, 2020 | Author: Theresa Defino

    The city of New Haven is among four covered entities that recently entered into agreements with the HHS Office for Civil Rights to settle allegations of HIPAA breaches.[1] In response to questions from RPP, New Haven Mayor Justin Elicker called it “regrettable” that the city “failed to fully address this security breach at the time,” which was prior to his election in November 2019...

  17. With Trust and Training, MSK Fosters 'Speak-Up' Culture to Address Problems

    Report on Patient Privacy Volume 20, Number 11. November 05, 2020 | Author: Theresa Defino

    At Memorial Sloan Kettering (MSK) Cancer Center, Jeneeta O’Connor wears many hats. As MSK’s compliance manager, her areas of focus include “controlled substance compliance, diversion prevention, patient privacy, corporate ethics and values.” But a common thread among them is supporting a speak-up culture, one that fosters a feeling that workers are “psychologically safe” to report concerns...

  18. Updated ONC Security Risk Assessment Tool Improves Navigation, File Recovery

    Report on Patient Privacy Volume 20, Number 11. November 05, 2020 | Author: Jane Anderson

    The HHS Office of the National Coordinator for Health Information Technology (ONC) has released a new version of its Security Risk Assessment (SRA) Tool, adding features that make it easier for organizations—particularly smaller ones—to use. New features include flexible section navigation and a file recovery system, developers told attendees at a recent webinar describing the changes.[1]...

  19. Agencies Warn of New Ransomware Targeting Health Care Organizations

    Report on Patient Privacy Volume 20, Number 11. November 05, 2020 | Author: Jane Anderson

    Health care organizations are the targets of an aggressive new ransomware campaign, and bad actors are seeking not only to lock up data and demand a ransom, but to steal it as well, three federal agencies warned.[1]...

  20. Patient Privacy Court Case: November 2020

    Report on Patient Privacy Volume 20, Number 11. November 05, 2020 | Author: Wogai Mohmand

    On Oct. 8, Tennessee Attorney General Herbert Slatery III, along with the AGs of 27 other states, reached a settlement with CHS/Community Health Systems Inc. and CHSPSC LLC.[1] This settlement is a result of a data breach that affected approximately 6.1 million patients. CHS and CHSPSC LLC recently settled with the HHS Office for Civil Rights for $2.3 million regarding this same data breach.[2]...

  21. Privacy Briefs: November 2020

    Report on Patient Privacy Volume 20, Number 11. November 05, 2020 | Author: Jane Anderson

    ◆ The HHS Office of the National Coordinator for Health Information Technology (ONC) is giving health care organizations more time to meet new rules on information blocking and conditions and maintenance of certification requirements.[1] The 21st Century Cures Act mandated the new requirements, and ONC released the final rule on March 9. However, health care organizations have lobbied for an extension, saying the COVID-19 pandemic has complicated their implementation. An interim final rule, which ONC released Oct. 29, extends compliance dates until April 5, 2021, for most parts of the regulations, and for more than a year for certain sections...

  22. Failure to Plug Security Gaps Leads to Large OCR Settlements for Premera, CHSPSC

    Report on Patient Privacy Volume 20, Number 10. October 08, 2020 | Author: Jane Anderson

    A large covered entity and a CE-affiliated business associate (BA) each paid multimillion-dollar settlements and agreed to two-year corrective action plans following prolonged cyberattacks that resulted in huge breaches...

  23. New Agreements Signal OCR's Impatience With Thwarted Access to Patients' Records

    Report on Patient Privacy Volume 20, Number 10. October 08, 2020 | Author: Theresa Defino

    Two psychiatrists, two federally qualified health centers (including one that’s part of a housing nonprofit serving the homeless and AIDS patients) and a behavioral health practice are the latest HIPAA covered entities (CEs) to feel the wrath of the HHS Office for Civil Rights (OCR) for allegedly failing to provide patients or parents access to records in a timely manner.[1] Payments from the five collectively total $136,500...

  24. Psychiatrist in Access Settlement 'Never Saw a Request'

    Report on Patient Privacy Volume 20, Number 10. October 08, 2020 | Author: Theresa Defino

    Last month, the HHS Office for Civil Rights (OCR) announced five settlement agreements with organizations it said had violated the right of access to medical records included in the privacy rule.[1] Of these, Dr. Brian Wise, a psychiatrist in Centennial, Colorado, shared his experiences with RPP...

  25. Settlement Involves 'Dark Overlord' Hack, Tip by Breach-Tracking Journalist

    Report on Patient Privacy Volume 20, Number 10. October 08, 2020 | Author: Theresa Defino

    September was quite the month for enforcement actions by the HHS Office for Civil Rights (OCR). The agency announced eight settlements totaling more than $10 million. Five of these were released in a batch to show that OCR means business when it comes to covered entities and business associates failing to provide patients access to their records or those of their loved ones.[1]...