Report on Patient Privacy

  1. Families Detail Years of Anguish, Pain As They Plead for Changes to Privacy Rule

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021  | Author: Theresa Defino  | July 08, 2021 

    “You probably have no idea how horrible it is to go weeks & weeks with the realization that there are only 3 possible scenarios for your loved one. Every time my son’s been hospitalized I knew he would either end up in Jail, Dead or in the Hospital. Please, please, please revise the HIPAA laws to allow family members to be part of the decision making, the conversations & treatment plans!!!”[1]...

  2. ‘I Am Owning Up to My Mistake’: Woman Remorseful Following HIPAA Prosecution

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021  | Author: Theresa Defino  | July 08, 2021 

    Like any mother of young children who shares visitation, Jennifer Lynne Bacor just wanted to make sure her ex-boyfriend was up to the task. So when she learned in 2017 that he had a serious leg wound that wasn’t healing, Bacor expressed her concerns to a family friend, sharing a disturbing photo that showed the seriousness of the injury...

  3. Patient Privacy Court Case: July 2021

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021  | Author: Wogai Mohmand  | July 08, 2021 

    The Supreme Court recently considered an Article III standing issue in data privacy and data breach litigations, establishing that only plaintiffs concretely harmed by a defendant’s statutory violation have Article III standing in federal court.[1]...

  4. Panel: Lay Groundwork for BA Breach Investigation, Notification

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021  | Author: Jane Anderson  | July 08, 2021 

    Business associates (BAs) need to take specific steps to prepare in advance for security incidents and breaches so that they know how to respond—and meet key deadlines—in the event an incident occurs...

  5. Rash of Ransomware Attacks Shows Inevitability, Imperative to Prepare

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021  | Author: Jane Anderson  | July 08, 2021 

    Ransomware experts agree: Bad actors are targeting the health care sector at an accelerated pace, and if an organization lacks safeguards, it is at high risk of a data breach...

  6. Steps for Surviving, Mitigating Ransomware

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021  | Author: Jane Anderson  | July 08, 2021 

    Preventing successful ransomware attacks with robust security measures is the best way to cope with this hacking epidemic. But if attackers are successful, covered entities (CEs) and business associates (BAs) should follow a ransomware recovery road map to make their way back to full operation...

  7. Privacy Briefs: July 2021

    Report on Patient Privacy Volume 21, Number 7. July 08, 2021  | Author: Jane Anderson  | July 08, 2021 

    ◆ Mayo Clinic is facing three lawsuits from patients who say a former surgery resident, Ahmad Alsughayer, viewed hundreds of their nude photographs in electronic health records (EHRs) despite having no professional reason to go into their files.[1] Alsughayer was charged in April by the Olmsted County attorney’s office with a single gross misdemeanor of unauthorized computer access after one of the 1,614 patients whose records he viewed filed a report with the Rochester police. The three civil lawsuits include one from a Rochester-area woman who works at Mayo Clinic. She is suing the health system for failing to use...

  8. ‘Do the Best’ But Mind the Myriad Laws: Grappling With COVID Vaccination Issues

    Report on Patient Privacy Volume 21, Number 6. June 10, 2021  | Author: Theresa Defino  | June 10, 2021 

    “For the first time in the history of the United States, an employer is forcing an employee to participate in an experimental vaccine trial as a condition for continued employment.”...

  9. System Stands By COVID Vaccine Mandate

    Report on Patient Privacy Volume 21, Number 6. June 10, 2021  | Author: Theresa Defino  | June 10, 2021 

    On March 31, Houston-based Methodist Health System became, by its reckoning, the first “major” hospital organization to require employees to be vaccinated against COVID-19 by June 7. Within two weeks of the start of the campaign, 84% of the 12-hospital system’s 26,000 workers had complied...

  10. OCR Enforcement of Gender Protections May Mirror Brooklyn Hospital Settlement

    Report on Patient Privacy Volume 21, Number 6. June 10, 2021  | Author: Theresa Defino  | June 10, 2021 

    Six years ago, the HHS Office for Civil Rights (OCR) entered into a settlement agreement with a New York hospital that allegedly discriminated against a transgender patient.[1] Although it did not pay a fine, a feature common to OCR’s HIPAA settlements, The Brooklyn Hospital Center (TBHC) committed to implementing a two-year corrective action plan (CAP) that contained a number of sweeping requirements, including revising its intake process and room-placement policies.[2]...

  11. New Settlement Shows a Return To Enforcement, Security Basics

    Report on Patient Privacy Volume 21, Number 6. June 10, 2021  | Author: Theresa Defino  | June 10, 2021 

    Remember a time before the HHS Office for Civil Rights (OCR) decided to make patients’ access to medical records a priority?...

  12. Risks Multiplying With Expanded Telehealth, Telemedicine Services

    Report on Patient Privacy Volume 21, Number 6. June 10, 2021  | Author: Jane Anderson  | June 10, 2021 

    Telehealth and telemedicine applications have boomed during the COVID-19 pandemic, creating opportunities for providers and patients to connect more efficiently and effectively, yet potentially opening wide security vulnerabilities that cybercriminals can exploit...

  13. Coordinating Council Issues Telehealth Security Checklist

    Report on Patient Privacy Volume 21, Number 6. June 10, 2021  | Author: Jane Anderson  | June 10, 2021 

    Health care organizations, telehealth vendors and service providers should adopt specific security practices to protect against hacks and breaches, particularly given the massive increase in the use of telehealth and telemedicine stemming from the COVID-19 pandemic, according to the Healthcare and Public Health Sector Coordinating Council, a public-private partnership focusing on critical infrastructure security and resilience...

  14. Privacy Briefs: June 2021

    Report on Patient Privacy Volume 21, Number 6. June 10, 2021  | Author: Jane Anderson  | June 10, 2021 

    ◆ Scripps Health in San Diego experienced what it called “an information technology security incident” from ransomware that was detected May 1, forcing some of its operations offline. The attack crippled the health care system’s networks, and the system still was struggling to bring everything back online in late May. “We suspended user access to our information technology applications related to operations at our health care facilities, including MyScripps and scripps.org,” the health care system said on Twitter on May 1.[1] “While our information technology applications are offline, patient care continues to be delivered safely and effectively at our facilities,...

  15. OCR Investigator: Goal Is to Uncover ‘Root Cause,’ Remedy Harm From Violations

    Report on Patient Privacy Volume 21, Number 5. May 06, 2021  | Author: Theresa Defino  | May 06, 2021 

    Given the hundreds of thousands of HIPAA covered entities (CEs) and business associates (BAs) and the two dozen or so enforcement actions the HHS Office for Civil Rights takes annually, the odds are exceedingly slim that an organization will find itself in a formal sanctions process with OCR...

  16. The Fine Art of Responding to an OCR Data Request

    Report on Patient Privacy Volume 21, Number 5. May 06, 2021  | Author: Theresa Defino  | May 06, 2021 

    The HHS Office for Civil Rights (OCR) tries to resolve complaints and concerns about possible HIPAA violations through informal means, a process that can involve providing technical assistance (TA) to a covered entity (CE) or business associate (BA)...

  17. Growing List of What Isn’t Under HIPAA Creates ‘Tensions,’ New Oversight Potential

    Report on Patient Privacy Volume 21, Number 5. May 06, 2021  | Author: Nina Youngstrom  | May 06, 2021 

    When employees are required to show their employers proof of a positive COVID-19 test before they get sick leave or a vaccination before returning to work, the implications are profound—but they don’t enter the realm of the HIPAA privacy rule...

  18. Patient Privacy Court Case: May 2021

    Report on Patient Privacy Volume 21, Number 5. May 06, 2021  | Author: Wogai Mohmand  | May 06, 2021 

    On April 26, the Second Circuit Court of Appeals stated that the risk of identity theft after a data breach may be grounds to sue.[1] The three-judge panel held that plaintiffs can establish Article III constitutional standing on the theory that a data breach put them at an increased risk of identity theft or fraud if the data are sensitive and have been misused, or if there is reason to believe the data will be misused...

  19. Before Pursuing M&As, Consider Security Practices, Breach Risks

    Report on Patient Privacy Volume 21, Number 5. May 06, 2021  | Author: Jane Anderson  | May 06, 2021 

    Cybersecurity issues within the context of mergers and acquisitions (M&A) often are overlooked, but they’re tremendously important to consider, because poor cyber hygiene or unmitigated breaches are costly and could compromise the entire deal...

  20. Stark Rules Now Allow Donations of Security Equipment, Services

    Report on Patient Privacy Volume 21, Number 5. May 06, 2021  | Author: Jane Anderson  | May 06, 2021 

    Long sought-after changes in the anti-kickback physician self-referral regulations now allow large health care entities, such as health systems, to donate cybersecurity equipment and services to smaller entities, such as physician practices, in an effort to strengthen those practices against cyberattacks...

  21. Privacy Briefs: May 2021

    Report on Patient Privacy Volume 21, Number 5. May 06, 2021  | Author: Jane Anderson  | May 06, 2021 

    ◆ An investigation by a Pittsburgh-based television news team discovered that health and other personal information of about 70,000 people collected during COVID-19 contact tracing has been compromised.[1] Multiple investigations are underway by the Pennsylvania Health Department and the company hired to collect the information and data, according to WPXI-TV. The reporter who discovered the breach, Rick Earle, said he was able to view the spreadsheet-based information, which contained names, phone numbers and health information collected from contacts between September 2020 and March 2021. Insight Global, a staffing company based in Atlanta, received a $23 million contract to hire 1,000...

  22. OCR Weighing Options After MD Anderson Loss, Writing Rules for ‘Safe Harbor’ Law

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021  | Author: Theresa Defino  | April 08, 2021 

    A loss in a court case, two new federal laws and their own thoughts on how to revise the privacy rule will be keeping officials from the HHS Office for Civil Rights (OCR) busy in the coming months writing rules and regulations. The range of topics OCR will address includes its enforcement approach, harmonization of 42 C.F.R. Part 2 regulations governing substance use records, security practices that would mitigate sanctions, and changes to medical records access requirements, among others...

  23. As Pandemic Enters 2nd Year, CISOs Face Ongoing Telework, Telemedicine Challenges

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021  | Author: Jane Anderson  | April 08, 2021 

    As the COVID-19 pandemic progressed from its urgent beginning to almost a “new normal,” chief information security officers (CISOs) at health systems have been fighting to combat emerging cyberthreats while supporting the sudden shift to telemedicine and working from home. In doing so, the officers said, the experience offers lessons for the path forward...

  24. Does 18th Right of Access Settlement Provide Needed ‘Gentle Nudging’?

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021  | Author: Theresa Defino  | April 08, 2021 

    The steady stream of resolution agreements between providers and the HHS Office for Civil Rights (OCR) for failures to provide patients their medical records might strike some as overkill. As of the end of March, there were 18 such settlements, which collectively brought OCR $918,500. But because OCR is 10 years late drafting a regulation for sharing penalties, none of that money went to the individuals who struggled to get their protected health information (PHI)...

  25. AHA: Privacy NPRM May Worsen Regulatory ‘Patchwork’

    Report on Patient Privacy Volume 21, Number 4. April 08, 2021  | Author: Theresa Defino  | April 08, 2021 

    The notice of proposed rulemaking (NPRM) revising the privacy rule has some provisions worth supporting, but shortening by half the time frame providers would have to respond to an access request isn’t one of them. And if the HHS Office for Civil Rights (OCR) isn’t careful, it may add to the already confusing and burdensome “patchwork of health information privacy requirements” in effect today...