Report on Patient Privacy

  1. FBI: More Awareness, Due Diligence Needed To Fight China in New ‘Space Race’ for Data

    Report on Patient Privacy Volume 21, Number 10. October 14, 2021 | Author: Theresa Defino

    Conducting a risk analysis is a basic tenet of security compliance, with the overarching goal of understanding where protected health information (PHI) “lives” in an organization, where it moves, where it resides—and then imposing safeguards. Would China be an acceptable final resting place? And would covered entities (CEs) or business associates (BAs), with their often murky subcontractors, even know if the Chinese government was tapping into it?...

  2. List of Federal Cybersecurity Resources

    Report on Patient Privacy Volume 21, Number 10. October 14, 2021 | Author: Theresa Defino

  3. The Wait Is Over: HHS’s Choice to Run OCR Has Breach, Federal Leadership Experience

    Report on Patient Privacy Volume 21, Number 10. October 14, 2021 | Author: Theresa Defino

    For the past year, Lisa J. Pino, President Biden’s new choice to lead the HHS Office for Civil Rights (OCR), was the number two health official in the New York State Department of Health.[1] Pino’s career also includes helping to manage the aftermath of the 2015 breach of millions of records maintained by the Office of Personnel Management (OPM)...

  4. First Children’s Hospital Gets Caught In Access Initiative; Cases Reach 20

    Report on Patient Privacy Volume 21, Number 10. October 14, 2021 | Author: Theresa Defino

    As former Office for Civil Rights Director Roger Severino had predicted,[1] OCR has issued six records access settlements this year, continuing with the initiative he began in 2019. Last month, OCR announced its most recent settlement, for the first time involving a children’s hospital.[2]...

  5. Two Health Care Workers’ Social Media Posts Potentially Expose PHI

    Report on Patient Privacy Volume 21, Number 10. October 14, 2021 | Author: Jane Anderson

    Workers at two separate health care facilities have been disciplined for incidents where they allegedly posted intimate details about health conditions and procedures on social media...

  6. Severino: Protecting ePHI Starts With Properly Conducted Risk Analysis

    Report on Patient Privacy Volume 21, Number 10. October 14, 2021 | Author: Jane Anderson

    Guarding electronic protected health information (ePHI) under HIPAA begins with a proper risk analysis, and most settlements issued by HHS Office for Civil Rights (OCR) involve missing or inadequate risk analysis or risk management...

  7. Security Checklist: Nine Required Elements in a HIPAA Risk Analysis

    Report on Patient Privacy Volume 21, Number 10. October 14, 2021 | Author: Jane Anderson

    The HHS Office for Civil Rights has laid out what it needs to see in a HIPAA risk analysis.[1] Specifically, regardless of the risk analysis methodology employed, the risk analysis must:...

  8. Privacy Briefs: October 2021

    Report on Patient Privacy Volume 21, Number 10. October 14, 2021 | Author: Jane Anderson

    ◆ A massive data breach at University of New Mexico (UNM) Health may have allowed a third party to obtain medical records from more than 600,000 patients—more than a quarter of the state’s population. UNM Health has been mailing letters to affected patients who had been treated at either UNM Hospital, UNM Medical Group or the UNM Sandoval Regional Medical Center, hospital officials said. The breach occurred on May 2 and was discovered on June 4, according to UNM Health’s statement. Patient names, medical record numbers and Social Security numbers were among the information obtained during the data breach, said...

  9. ‘A Continual Journey’; Info Blocking Rule in Effect; Privacy, Security Exceptions May Apply

    Report on Patient Privacy Volume 21, Number 9. September 09, 2021 | Author: Theresa Defino

    With all of the chaos and stress from the COVID-19 pandemic, HIPAA covered entities (CEs) might be forgiven if they haven’t given much thought to implementing the provisions of an information blocking rule that went into effect this spring, after several delays...

  10. USCDI v1 Summary of Data Classes and Data Elements

    Report on Patient Privacy Volume 21, Number 9. September 09, 2021

  11. To Combat Cyber Crime, White House Initiative Promises Tools; Some Seek Funding, New Laws

    Report on Patient Privacy Volume 21, Number 9. September 09, 2021 | Author: Jane Anderson

    As ransomware attacks become epidemic and breaches get larger, the Biden administration is partnering with private industry to bolster security and education in an effort to step up defenses against cybercrime. As part of the initiative, at least one company that offers cyber insurance will require that its policyholders adhere to a set of standards...

  12. Two Texans Sentenced to Prison for ‘Breach,’ Selling Info to Bill Medicare

    Report on Patient Privacy Volume 21, Number 9. September 09, 2021 | Author: Theresa Defino

    A Texas woman will spend more than two years in federal prison in a HIPAA-related case for her part in “breaching” what the federal government called a “protected computer” owned by an unidentified health care provider. The 30-month sentence U.S. District Judge Sean D. Jordan imposed on Amanda Lowry in July stems from her December guilty plea to the charge of conspiracy to obtain information from a protected computer.[1] Two others have also pleaded guilty in the case; one is awaiting sentencing...

  13. Colorado, Virginia, Follow California With Omnibus State Privacy Laws

    Report on Patient Privacy Volume 21, Number 9. September 09, 2021 | Author: Jane Anderson

    Colorado is set to become the third state with a robust general privacy law, as legislatures consider and approve privacy legislation during their 2021 sessions. Virginia lawmakers passed comprehensive general privacy legislation earlier this year...

  14. Report: BAs Should Take Specific Steps to Bolster HIPAA Compliance

    Report on Patient Privacy Volume 21, Number 9. September 09, 2021 | Author: Jane Anderson

    Business associates (BAs), which are responsible for a growing number of breaches as they become higher-profile targets of cyber criminals, nonetheless continue to struggle with cybersecurity, a report concludes. Consequently, BAs should take a series of steps to bolster their compliance, according to the report, which security and compliance firm Clearwater issued this summer.[1]...

  15. Privacy Briefs: September 2021

    Report on Patient Privacy Volume 21, Number 9. September 09, 2021 | Author: Jane Anderson

    ◆ DuPage Medical Group in Chicago said that the personal information of more than 600,000 patients may have been compromised in a July cyberattack. The medical group, which is Illinois’ largest independent physician group, experienced a computer and phone outage that lasted nearly a week in mid-July. When the group worked with digital forensic specialists to investigate the incident, it found that the outage was caused by “unauthorized actors” who accessed its network between July 12 and 13. The investigators determined on Aug. 17 that certain files containing patient information may have been exposed. Compromised information may have included names,...

  16. HHS: Conti Takes Ransomware to New Level; No Easy Decryption, Beware Triple Extortion

    Report on Patient Privacy Volume 21, Number 8. August 12, 2021 | Author: Jane Anderson

    The Conti ransomware strain poses a significant and growing threat to health care organizations in the United States, and entities should take specific steps now—including increased phishing training and other security measures—to guard against attacks, the federal government is warning...

  17. Conti Defense Security Checklist

    Report on Patient Privacy Volume 21, Number 8. August 12, 2021 | Author: Jane Anderson

    To defend against ransomware threats such as Conti, the HHS publication Health Industry Cybersecurity Practices recommends the following best practices:...

  18. Still Missing a New Leader, Former OCR Directors, Experts Offer Advice, Task List

    Report on Patient Privacy Volume 21, Number 8. August 12, 2021 | Author: Theresa Defino

    Issue a final rule revising the privacy regulation and write guidance on the information blocking rule. Formalize the fledgling audit program required by Congress more than 10 years ago. Engage with providers and other HIPAA-regulated entities. And by all means, get cracking...

  19. What Does It Take to Run OCR?

    Report on Patient Privacy Volume 21, Number 8. August 12, 2021 | Author: Theresa Defino

    As the HHS Office for Civil Rights and the HIPAA-regulated community continue waiting for the appointment by HHS of a permanent OCR director,[1] two former leaders shared with RPP some of their on-the-job experiences and offered advice for an incoming leader...

  20. Former OCR Director: Expect More Records Access Settlements

    Report on Patient Privacy Volume 21, Number 8. August 12, 2021 | Author: Theresa Defino

    In June, the HHS Office for Civil Rights announced a $5,000 settlement with a West Virginia diabetes practice that OCR said took nearly two years to honor a patient’s medical records request[1]—the 19th such agreement since former Director Roger Severino launched the initiative in September 2019 and the agency’s 20th overall...

  21. Panel Offers Strategies to Ensure Privacy in Research Recruitment

    Report on Patient Privacy Volume 21, Number 8. August 12, 2021 | Author: Theresa Defino

    As academic medical centers (AMCs), hospitals and other sponsors of clinical trials increasingly turn to third-party vendors to find patients and other individuals to enroll in research, they need to take extra steps to safeguard privacy, including signing detailed business associate agreements (BAAs). This may also mean empowering institutional review boards (IRBs) to push back against activities that go too far...

  22. Facing Both Sharks and Mosquitos: Mitigate Common, ‘Actionable’ Threats

    Report on Patient Privacy Volume 21, Number 8. August 12, 2021 | Author: Jane Anderson

    Some 12,723 security vulnerabilities were disclosed during the first half of 2021, indicating slow growth of disclosures but a seemingly insurmountable mountain of work for security personnel seeking to minimize risk, according to a report released in August by Risk Based Security Inc.[1]...

  23. Privacy Briefs: August 2021

    Report on Patient Privacy Volume 21, Number 8. August 12, 2021 | Author: Jane Anderson

    ◆ IBM Security reported that the total cost of a data breach increased by nearly 10% year-over-year in 2021, the largest single-year cost increase in the last seven years.[1] In its annual Cost of a Data Breach report, IBM and the Ponemon Institute said that remote working and digital transformation due to the COVID-19 pandemic increased the average total cost of a data breach. There was a $1.07 million cost difference in breaches where remote work was a factor in causing the breach, the report said. The percentage of companies where remote work was a factor in the breach was...

  24. Families Detail Years of Anguish, Pain As They Plead for Changes to Privacy Rule

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021 | Author: Theresa Defino

    “You probably have no idea how horrible it is to go weeks & weeks with the realization that there are only 3 possible scenarios for your loved one. Every time my son’s been hospitalized I knew he would either end up in Jail, Dead or in the Hospital. Please, please, please revise the HIPPA laws to allow family members to be part of the decision making, the conversations & treatment plans!!!”[1]...

  25. ‘I Am Owning Up to My Mistake’: Woman Remorseful Following HIPAA Prosecution

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021 | Author: Theresa Defino

    Like any mother of young children who shares visitation, Jennifer Lynne Bacor just wanted to make sure her ex-boyfriend was up to the task. So when she learned in 2017 that he had a serious leg wound that wasn’t healing, Bacor expressed her concerns to a family friend, sharing a disturbing photo that showed the seriousness of the injury...