Breaking Compliance News Blog

Nurse Unsuccessfully Sues Hospital over HIPAA Firing

Posted by Margaret Scavotto, JD, CHC on 10/17/17 7:03 AM

A nurse was fired from a Kentucky hospital after she told a physician and EKG technician to wear gloves for a procedure – because the patient had Hepatitis C. The patient was behind a privacy curtain, with other patients and staff nearby.

The patient complained to the hospital that the nurse revealed his diagnosis to nearby patients and staff who overheard her. The nurse was fired for violating HIPAA, and sued the hospital for wrongful termination. The nurse argued that she did not violate HIPAA, because her disclosure was “incidental” and permitted under HIPAA.

The nurse lost at trial, and, later, on appeal. The appellate court stated: “…even if [the hospital] were objectively wrong that [the nurse] violated HIPAA’s patient confidentiality provisions, [the nurse] cannot rely on HIPAA as a basis for a wrongful discharge claim, since HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

The nurse also sued the hospital for defamation. The nurse said a hospital employee defamed her when she reported the nurse’s HIPAA-based termination to the Metropolitan Louisville Healthcare Consortium. The Court upheld the trial court’s finding that no defamation occurred, because the hospital told the truth: the nurse was in fact terminated for violating HIPAA after she disclosed more information than the minimum necessary.

This is just one Kentucky court’s opinion – and keep in mind that the OCR has not released any enforcement regarding this instance. But, this lawsuit is an example of two things:

  • A provider successfully firing someone for violating HIPAA; and
  • An ongoing need to train staff on common HIPAA risks

Topics: Training and Education, HIPAA

Do you know your practices as well as your potential whistleblowers?

Posted by Margaret Scavotto, JD, CHC on 10/10/17 7:05 AM

Whistleblowers Going After United Healthcare

United Healthcare (UH) sales agents brought a whistleblower lawsuit against UH, alleging fraud and kickbacks.

For example, the whistleblowers claim a UH sales agent promised iPads to customers who agreed to sign up and remain on the plan for six months.

Another sales agent allegedly forged signatures on enrollment paperwork – enrolling patients without their knowledge.

Perhaps most seriously, UH kept two sets of books: one with misconduct complaints about UH; and another set of books that concealed the complaints from federal agencies. By hiding complaints, UH artificially boosted its quality ratings, which enabled it to receive $1.4 billion in Medicare bonuses in fiscal year 2016. For example, in March 2016, UH identified 776 complaints, but only reported 257 to CMS.

The whistleblowers also alleged that complaints were met with little investigation and little disciplinary action.

UH’s employees knew of these practices, and, in at least some instances, reported them internally. According to the whistleblowers, when UH did not address these concerns, the sales agents went to the federal government.

Whistleblowers are most often employees or former employees. Are you confident that you are aware of your employees’ concerns? Have employees made complaints? Were they resolved? Do employees know you took their concerns seriously?

Topics: Compliance Basics, Whistleblowers

OCR Publishes Preliminary Results of its Phase 2 HIPAA Audits

Posted by Margaret Scavotto, JD, CHC on 10/5/17 7:05 AM

The OCR recently released an update on Phase 2 of its HIPAA audit program. Updates include:

  • Desk audits for 166 covered entities are complete
  • Desk audits for 41 business associates are underway
  • After the desk audits are finished, on-site audits will begin

The OCR scores entities on their HIPAA compliance on a scale of 1 (in compliance) to 5 (no serious evidence of compliance). Results were mixed:

  • For timeliness of breach notification, 65% of covered entities received a 1 score (the highest score)
  • For content of breach notification, only 14% of covered entities scored a 1
  • For content of notice of privacy practices, only 2% of covered entities scored a 1!
  • Covered entities did better with the provision of notice of privacy practices: 57% received a 1 score
  • Only 1% of covered entities scored a 1 for right of access
  • ZERO covered entities received a score of 1 for their HIPAA security risk analysis
  • For Security risk management, 1% of covered entities earned a 1 score

What scores would your organization receive?

You can read the OCR’s findings, and its desk audit protocol, here.

Topics: HIPAA

Equifax Breach Debacle Continues to Unfold

Posted by Scott Gima on 10/3/17 12:55 PM

Equifax Chief Executive Richard F. Smith announced his retirement this week. The Equifax board has said that it could retroactively classify Smith’s retirement as a firing – jeopardizing his compensation.

Here’s what happened

The scope of the massive Equifax breach, which directly affected 143 million people, is incredible. Equifax publicly reported the breach on September 7, stating it was discovered on July 29th. It is believed that the breach started in mid-May and continued until its discovery in late July. My initial reaction was that this must have been a sophisticated cyberattack. How else could an organization such as Equifax, which handles millions of data-rich records, allow this to happen? A company that large should have the resources to deploy the most sophisticated strategies to secure its data. After all, is any data more high-risk or in higher demand than credit reports and social security numbers? And if Equifax cannot prevent a breach, what does that mean for the small companies or healthcare providers who have very limited budgets and are frequently required to outsource their IT security?

According to the Wall Street Journal, the breach was caused by an unpatched flaw in the Apache Struts web application software used by Equifax customers to dispute credit report errors. The flaw was first discovered by Cisco security researchers on March 8. On that same day, Apache released a patch. The U.S. Computer Emergency Readiness Team also released a vulnerability security bulletin on March 8.

Wired magazine reported: “it would have been simple for an attacker to exploit the flaw and get into the system.” Wired also wrote:

"This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly," says Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm. "The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred."

Lessons for your organization

The investigation continues, and if the cause of the breach is confirmed to be unpatched software, this breach provides a very strong reminder to everyone - including small providers - that reducing the odds of a breach requires a straightforward strategy of installing all operating system and application software updates. Make sure there is a policy and procedure addressing this. The policy should include subscribing to the email alerts of the US Computer Emergency Readiness Team (US-CERT). If this is not already part of your policy, sign up here. Make sure your Security Officer, Privacy Officer, Compliance Officer and IT Support are subscribers.

Keep in mind that software patching is only one small element of a data security management plan. There are many other risk areas. HIPAA security readiness is not just an IT responsibility; it requires attention from management as well as IT. The first step in developing a security management plan is to complete or update your Security Risk Analysis.

Topics: HIPAA

When Healthcare Hacking Means Life and Death

Posted by Scott Gima on 9/18/17 10:00 AM

On August 28, 2017, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a safety notice regarding Abbott Laboratories (formerly St. Jude Medical) pacemakers manufactured before August 28, 2017. The affected pacemakers, which include Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI, require a firmware update to address vulnerabilities.

ICS-CERT stated: “Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.” Fortunately, a hacker must be within inches of the device/patient in order to exploit the firmware vulnerability. Unfortunately, if the vulnerability is exploited, a patient could die. Patients with one of the affected devices should visit their physician and ask whether their device needs a firmware update.

Healthcare security research company MedSec, which played a role in exposing the risk of Abbott’s pacemakers, adds: “For years this company has continued to put patients at risk by profiting from the sale of devices and a device eco-system which has little to no built-in security.”

The scope of cyber vulnerabilities facing the healthcare industry is increasing in fearsome ways. Providers should maintain an inventory of all medical devices and update software or firmware as prescribed by the vendor or manufacturer. Review your contracts to include language that requires timely provider notification of software and firmware updates.

Topics: HIPAA

HIPAA Security Alert: BlueBorne - Bluetooth Vulnerability

Posted by Scott Gima on 9/13/17 4:19 PM

Armis Labs, an Internet of Things (IoT) security company, has publicly revealed a new Bluetooth vulnerability called “BlueBorne.” This vulnerability allows hackers to take complete control over Bluetooth-enabled devices. It affects all devices with Bluetooth capabilities, including smartphones, laptops, smart watches, and TVs. Google, Microsoft and Linux will be releasing patches. Apple devices have been patched since the rollout of iOS 10 in September 2016. According to Armis, there are approximately 2 billion Android and Linux devices that cannot be patched.

Since its inception in 1982, Bluetooth has been plagued with security issues, and this latest flaw is further proof of the security risks of Bluetooth. Remember that exploiting this or any Bluetooth vulnerability requires proximity to the device; the effective range depends on whether the device is indoors or outdoors.

What you can do

When conducting a HIPAA security risk analysis, make sure your device inventory covers Bluetooth-capable devices. Patch all devices; where a patch is not available, the best defense is to turn off Bluetooth.

Topics: HIPAA

Guest Blog: Is HIPAA Suspended During a Hurricane?

Posted by Margaret Scavotto, JD, CHC on 9/7/17 2:01 PM

Today's HIPAA blog comes from guest blogger Maggie Hales. Maggie Hales is a lawyer and CEO of ET&C Group LLC, which helps untangle the laws of HIPAA for the healthcare industry. She graduated from Webster University with Honors, and St. Louis University School of Law.

Is HIPAA Suspended During a Hurricane?

The short answer is “no.” But the full answer is more mixed.

The U.S. Department of Health and Human Services (HHS) learned lessons during Hurricane Katrina (2005), Hurricane Sandy (2012) and the Ebola crisis (2014-16) that have guided its policies around exceptions to the Privacy Rule during disasters.

Hurricane Harvey's destruction may surpass that of Katrina and Sandy, and HHS has just today issued a Bulletin outlining its policy on waivers for hospitals in Texas and Louisiana. HHS issued Bulletins during other emergencies, including two in 2005 resulting from Hurricane Katrina, one in 2013 related to law enforcement, and one in 2014 related to privacy in emergency situations. All of these Bulletins and additional guidance may be found here: HHS Bulletins and Guidance.

During a public health emergency or disaster, there are exceptions to HIPAA that permit covered entities like hospitals to share protected health information with other providers, public health authorities and certain other designated parties. On the other hand, even during a disaster, the majority of HIPAA requirements will remain in effect so covered entities must remember they are responsible for fulfilling HIPAA obligations even in the midst of a disaster.

In the last several days, pictures of nursing home residents and patients in Texas have been posted on Facebook and other social media by health care providers. Whether posted as an appeal for help or for publicity, and even if well intentioned, these are blatant violations of patient privacy that the emergency does not justify.

Topics: HIPAA

HIPAA News: NIST Wants Simpler Password Rules

Posted by Scott Gima on 8/29/17 7:00 AM

The National Institute of Standards and Technology (NIST) is a federal agency within the U.S. Department of Commerce that recommends security controls for federal agency information systems. These standards are also frequently used as security best practices in the private sector.

Topics: HIPAA

MPA Blogs for HCCA: Forgotten Physical Safeguards Lead to Stolen Records

Posted by Margaret Scavotto, JD, CHC on 8/23/17 12:50 PM

In June 2017, an Illinois mom found two medical records in her middle schooler’s belongings.

This mom discovered that some of her daughter’s peers had stolen nursing home records from an abandoned nursing home, and passed them around at school. The records included medications, doctor’s notes, diagnoses, social security numbers, addresses and other protected health information.

Read more at the Compliance and Ethics blog.

Your Ransomware Defense: SLOW DOWN

Posted by Margaret Scavotto, JD, CHC on 8/16/17 7:00 AM

Ransomware is a numbers game for hackers.

Topics: HIPAA