Hey Doc! Don’t Talk Loud…

One of the OCR cases we found interesting is reproduced below. It is a lesson for everyone who handles PHI: the need-to-know rule applies even to your best friend, a fellow employee or your spouse. So even if you are in the corridors of your hospital – don’t talk loud.
State Hospital Sanctions Employees for Disclosing Patient’s PHI
Covered Entity: Health Care Provider / General Hospital
Issue: Impermissible Disclosure
A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient’s spouse within earshot of other patients without making reasonable efforts to prevent the …Read More

Don’t think compliance can hurt? You are too small to get noticed? Got $5.55 million in savings?

Read the message from OCR at the very end of this article.

On Thursday, August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Advocate Health Care Center (Advocate Health) agreed to pay $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is the largest HIPAA settlement to date against a single entity, and according to OCR, is due to the severity of the HIPAA violations and the length of time that those violations were allowed to persist. OCR alleged that in some instances, …Read More

OCR settles two HIPAA breach suits totaling $5.5 million

The Office for Civil Rights used the instances to highlight the importance of holding business associates and research centers accountable to privacy and security laws.
Health and Human Services’ Office for Civil Rights closed a pair of HIPAA breach settlements with North Memorial Health Care of Minnesota and Feinstein Institute for Medical Research.

The larger penalty went to Feinstein, at $3.9 million, OCR said on Thursday. That came just one day after the office announced that North Memorial agreed to pony up $1.55 million.

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated …Read More

HIPAA - Try another doctor

We don’t need no Stinkin HIPAA!!


Today one of our sales team members called to talk about a sales pitch strategy and results. It was a simple everyday conversation. But before I go into the details of the conversation, here is a little background on our sales pitch strategy:

Step one: Find a market of small to mid-sized clinics (1–8 physicians) and distribute brochures.

Step two: Identify the non-compliant offices.

Step three: Meet with the HIPAA Compliance officer.

Step four: COMPLIANCE!

Not having a HIPAA Compliance officer designated to your office is the first red flag! Not because my sales team does not …Read More

Are you a Doctor or a Medical Practice Owner? It’s time to #CYA!

By Ali Khan, CHP, CSCS, CHPSE

Doctors! It’s time to be HIPAA Compliant.

Think there’s still time to ease your way into compliance? Most physicians I meet truly believe a HIPAA audit will result in a slap on the wrist. Not true. With deadlines long in the rearview mirror, leniency is a thing of the past. So far, OCR has fined $23 million. They have received over 123,065 complaints, of which 116,266 have been resolved – some with heavy fines.

You’re probably thinking they will have to catch you first. And they will. They even have help. Now any employee or physician with …Read More

Hackers demand ransom from Hollywood Presbyterian Medical Center

Are you HIPAA secure? Hollywood Presbyterian Medical Center was not. You can outsource your IT worries to Khan & Marshall. Our trained and certified HIPAA IT experts can help secure your systems and IT infrastructure and make it HIPAA compliant.

Comments from Bricker & Eckler:

Hollywood Presbyterian Medical Center has been the victim of a recent cyber-attack that shut down the hospital’s network and placed it in a state of crisis. The attack was conducted using a type of malware known as ransomware. The hack has caused a state of emergency for the hospital and has compromised the hospital’s ability to care for …Read More

Patient testimonial postings lead to $25,000 HIPAA privacy fine

Federal regulators have announced a privacy investigation settlement that could affect how any entity that collects protected health information (PHI) uses consumer testimonials.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) says it has negotiated the settlement with Complete P.T., Pool & Land Physical Therapy Inc., a Los Angeles physical therapy practice.

In 2012, the practice posted testimonials from happy patients, including full names and photos, on the Web without getting what OCR classifies as valid authorizations, according to an OCR settlement announcement and a copy of the settlement agreement posted on the OCR website.

OCR officials say the Health …Read More

Reminder: Deadline for Reporting 2015 HIPAA Breaches Fast Approaching

Covered entities which experienced a HIPAA breach in calendar year 2015 are required to report all such breaches affecting fewer than 500 individuals to OCR by Monday, February 29, 2016. The reports must be submitted via OCR’s online portal, available here. This yearly reporting obligation is in addition to the requirement to report large breaches — those affecting 500 or more individuals — within 60 days of discovering the breach.

This is also a good time to review and update breach notification policies and procedures to make sure that covered entities have the mechanisms in place to notify OCR in a timely and appropriate manner.

Khan …Read More

HIMSS16 Social Media Ambassador Matthew Fisher: HIPAA audits will reveal mass noncompliance

Matthew R. Fisher chairs the Health Law Group within the firm Mirick O’Connell in Worcester, Massachusetts, a fitting role given his passion for understanding the practicality of healthcare regulations in the real world.

At the end of this month at HIMSS16 he’ll bring this legal background to the Social Media Ambassadors program.

Fisher shared insights including understanding the next steps for IT security in healthcare, the microbreweries he cannot wait to visit in Las Vegas, and what he’s most looking forward to at the conference.

Q: One health IT prediction for 2016?

A: I think the HIPAA audits will finally occur. After the first …Read More

Avoid HIPAA Violation, Billing Issues at Your Practice

By Ericka L. Adler

I sometimes find myself on the consumer end of the healthcare issues on which I advise my clients. Each experience is a learning opportunity I try to share with them. For instance, I recently received a bill from a practice in Massachusetts addressed to my 13-year-old son.

The bill outlined services provided by various different physicians, previous amounts paid and/or reimbursed by insurance (naming the insurer) and the amount due for services. There was nothing about the patient’s treatment in the past year that I could not tell by looking at this bill, including drugs injected …Read More