Trump administration marches ahead with strict HIPAA enforcement and a $2.5 million fine

What’s New?
On Monday, the US Department of Health & Human Services’ Office for Civil Rights announced that CardioNet has entered into a $2.5 million HIPAA settlement. CardioNet provides mobile cardiac monitoring services and is the first wireless health services provider to enter into a settlement with OCR. CardioNet had not performed a risk analysis or adopted a risk management plan; its Security Rule policies and procedures were still in draft form; and CardioNet was unable to show that it had finalized and implemented any policies safeguarding ePHI, including safeguards for mobile devices. This lack of compliance with the Security Rule …

Price of Stolen USB Drive? Just $2.2 Million

A stolen unencrypted USB drive led to a $2.2 million settlement and a Resolution Agreement. The Department of Health and Human Services Office for Civil Rights (OCR) announced on January 18th a settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) after an unencrypted USB data storage device containing records of approximately 2,200 individuals was stolen from MAPFRE’s IT Department after being left unsecured overnight. OCR also alleged that MAPFRE did not follow through on representations to OCR regarding its risk analysis and other compliance efforts.

An OCR investigation revealed alleged noncompliance with various HIPAA provisions, including failure to conduct …

Do You Know Who Your Employees Are?

Insider threat is becoming one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, their effect can be damaging to a Covered Entity or Business Associate and can negatively impact the confidentiality, integrity, and availability of its ePHI. According to a survey recently conducted by Accenture and HfS Research, 69% of organization representatives surveyed had experienced an insider attempt at, or success in, data theft or corruption. Further, a Covered Entity reported that one of its employees had unauthorized access to …

12 healthcare ransomware attacks of 2016

Ransomware isn’t a new phenomenon, but its growth throughout 2016 has made its prevalence known throughout the healthcare industry.

In fact, a July 2016 report showed the healthcare industry is hit significantly harder by ransomware than any other sector — approximately 88 percent of attacks hit hospitals.

Here are 12 healthcare-related ransomware attacks reported by Becker’s Hospital Review this year, beginning with the earliest.

1. In January, Mount Pleasant, Texas-based Titus Regional Medical Center was hit with a ransomware attack that prevented the hospital’s access to computer files.

2. In February, hackers shut down the IT systems of Hollywood (Calif.) Presbyterian Medical Center and demanded …

Hey Doc! Don’t Talk Loud…

One of the OCR cases we found interesting is reproduced below. It is a lesson for everyone who handles PHI: the rule applies even to your best friend, a fellow employee or your spouse. So even if you are in the corridors of your own hospital, don’t talk loud.
State Hospital Sanctions Employees for Disclosing Patient’s PHI
Covered Entity: Health Care Provider / General Hospital
Issue: Impermissible Disclosure
A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient’s spouse within earshot of other patients without making reasonable efforts to prevent the …

Don’t think compliance can hurt? You are too small to get noticed? Got $5.55 million in savings?

Read the message from OCR at the very end of this article.

On Thursday, August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Advocate Health Care Center (Advocate Health) agreed to pay $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is the largest HIPAA settlement to date against a single entity, and according to OCR, is due to the severity of the HIPAA violations and the length of time that those violations were allowed to persist. OCR alleged that in some instances, …

OCR settles two HIPAA breach suits totaling $5.5 million

The Office for Civil Rights used the instances to highlight the importance of holding business associates and research centers accountable to privacy and security laws.
Health and Human Services’ Office for Civil Rights closed a pair of HIPAA breach settlements with North Memorial Health Care of Minnesota and Feinstein Institute for Medical Research.

The larger penalty went to Feinstein, at $3.9 million, OCR said on Thursday. That came just one day after the office announced that North Memorial agreed to pony up $1.55 million.

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated …

HIPAA - Try another doctor

We don’t need no Stinkin HIPAA!!

Today one of our sales team members called to talk about a sales pitch strategy and results. It was a simple everyday conversation. But before I go into the details of the conversation, here is a little background on our sales pitch strategy:

Step one: Find a market of small to mid-sized (1 to 8 physicians) clinics and distribute brochures.

Step two: Identify the non-compliant offices.

Step three: Meet with the HIPAA Compliance officer.

Step four: COMPLIANCE!

Not having a HIPAA Compliance officer designated to your office is the first red flag! Not because my sales team does not …

HIPAA - Try another doctor

Are you a Doctor or a Medical Practice Owner? It’s time to #CYA!

By Ali Khan, CHP, CSCS, CHPSE

Doctors! It’s time to be HIPAA Compliant.

Think there’s still time to ease your way into compliance? Most physicians I meet truly believe a HIPAA audit will result in a slap on the wrist. Not true. With deadlines long in the rearview mirror, leniency is a thing of the past. So far, OCR has fined $23 million. They have received over 123,065 complaints, of which 116,266 have been resolved, some with heavy fines.

You’re probably thinking they will have to catch you first. And they will. They even have help. Now any employee or physician with …

Hackers demand ransom from Hollywood Presbyterian Medical Center

Are you HIPAA secure? Hollywood Presbyterian Medical Center was not. You can outsource your IT worries to Khan & Marshall; our trained and certified HIPAA IT experts can help secure your systems and IT infrastructure and make them HIPAA compliant.

Comments from Bricker & Eckler:

Hollywood Presbyterian Medical Center has been the victim of a recent cyber-attack that shut down the hospital’s network and placed it in a state of crisis. The attack was conducted using a type of malware known as ransomware. The hack has caused a state of emergency for the hospital and has compromised the hospital’s ability to care for …