Breaking Compliance News Blog

HIPAA Alert: How many former employees can access your PHI?

Posted by Margaret Scavotto, JD, CHC on 11/17/20 10:00 AM

Hopefully you can answer this question, with 100% certainty, with a single word: Zero.

But that’s often not the case.

Recently, the City of New Haven, CT, entered a $202,400 settlement with the OCR to resolve potential HIPAA Privacy and Security Rule violations.

The New Haven Health Department filed a breach report after “a former employee returned…eight days after being terminated, logged into her old computer with her still active user name and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted diseases test results onto a USB drive.” This former employee also gave her user name and password to an intern.

MPA sees this scenario frequently – an employee leaves, access is not terminated in a timely manner, and the former employee continues to log in (typically out of curiosity).

Read More

Topics: HIPAA, breach notification

HIPAA Lessons from Uber: Don't Sweep Data Breaches Under the Rug

Posted by Margaret Scavotto, JD, CHC on 9/10/20 10:57 AM


n 2016, Uber suffered a data breach affecting the personal information of 57 million drivers and customers. Uber did not announce the breach until November 2017. In August 2020, the United States Department of Justice (DOJ) filed a criminal complaint against Joseph Sullivan, Uber’s Chief Security Officer at the time of the breach. The DOJ has charged Sullivan with obstruction of justice and misprision of a felon for his alleged role in concealing the 2016 breach.

Read More

Topics: Board Involvement, HIPAA, data breach, breach notification

HIPAA reminder: Is your workforce changing?

Posted by Margaret Scavotto, JD, CHC on 5/19/20 10:44 AM

Many providers are seeing changes to their workforce during the pandemic. Hospitals are recruiting additional healthcare professionals; nursing homes are relying more heavily on agency staff as employees become ill or do not show up for work. CMS has changed rules, allowing expanded types of providers to order tests and perform other tasks. An increased number of students or volunteers are also being used.

With these workforce changes, HIPAA training must continue. The HIPAA privacy and security rule remain in place during the pandemic. OCR enforcement remains active. HIPAA requires providers to train their workforce on HIPAA requirements. Workforce means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”  45 CFR 160.103

HIPAA training reminders:

  • Covered entities should routinely evaluate who is working on their behalf and determine who is included in their workforce (and needs training).
  • The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI, as necessary and appropriate for the workforce members to carry out their functions. 45 CFR 164.530(b)
  • The Security Rule requires covered entities to: “implement a security awareness and training program for all members of its workforce (including management)” 45 CFR 164.308(a)(5)
  • Workforce members should also be trained to recognize breaches, how to report them internally, and who to report them to.
  • All workforce member should be trained on appropriate social media use (this is especially important during a national emergency).

Read More

Topics: HIPAA, Social Media, security, breach notification, COVID-19, privacy

Know your risk: HIPAA breach stats

Posted by Margaret Scavotto & Scott Gima on 2/6/20 8:15 AM

Read More

Topics: HIPAA, security, breach notification

* Breaking News: OCR announces $1.6 million HIPAA penalty

Posted by Margaret Scavotto, JD, CHC on 11/7/19 3:04 PM

This afternoon, the Office for Civil Rights announced its second HIPAA enforcement this week - this time, with a governmental agency. 

The Texas Health and Human Services Commission (TX HHSC) received a $1.6 million civil monetary penalty from the OCR for HIPAA Privacy and Security violations committed by the Texas Department of Aging and Disability Services (DADS), which is now part of TX HHSC.

In 2015, DADS notified OCR of a breach after it discovered that the ePHI for 6,617 individuals was accessible via the internet. OCR explains:

Read More

Topics: HIPAA, data breach, security, breach notification

OCR announces $2.15 million HIPAA settlement

Posted by Margaret Scavotto, JD, CHC on 10/31/19 1:47 PM


Jackson Health System (JHS), a not-for-profit medical system in Miami, entered a $2.15 million settlement with the OCR to resolve potential violations of the Security and Breach Notification Rules.

In January 2013, JHS lost paper records for 756 patients. JHS reported this breach to the OCR in August 2013. During its investigation, JHS learned that three additional boxes of records affecting 1,436 patients were lost in December 2012; and JHS reported this breach to the OCR in June 2016.

In February 2016, JHS notified the OCR that an employee inappropriately accessed 24,000 patient records since 2011, and sold some patient PHI.


Upon investigating, the OCR found:

Read More

Topics: HIPAA, security, breach notification

    Privacy Policy           Terms of Use