Breaking Compliance News Blog

Email HIPAA Breaches On the Rise

Posted by Margaret Scavotto, JD, CHC on 9/18/19 7:29 AM

According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), email breaches are on the rise.

The OCR maintains a database of breaches of unsecured protected health information affecting at least 500 individuals. MPA crunched some numbers, looking at OCR breach reports still under investigation for each six month period for the past 24 months. The number of email breaches reported to the OCR between the second half of 2017 and the first half of 2019 more than quintupled.

Let’s look at some real world examples to see how email use can breach HIPAA.

Read More

Topics: HIPAA, data breach, security

* Breaking News; OCR enters first HIPAA settlement in Right of Access Initiative

Posted by Margaret Scavotto, JD, CHC on 9/9/19 12:36 PM

* Breaking News *

The Office for Civil Rights (OCR) just announced its first settlement in the HIPAA Right of Access Initiative. 

Bayfront Health St. Petersburg paid an $85,000 settlement and entered a corrective action plan with the OCR to resolve allegations that it violated the HIPAA Privacy Rule by denying a patient the right to timely access to the medical records of her unborn child.

Read More

Topics: HIPAA

Not-for-profit provider hit with ransomware twice in four months

Posted by Scott Gima on 8/28/19 6:35 AM

A not-for-profit community health center that provides health care for low-income and uninsured patients experienced two ransomware attacks in a four-month period. 

 

The first attack shut down computers for three weeks while the center rebuilt its systems from backups, and did not pay the ransom. This approach is consistent with industry advice for two reasons. First, there is no guarantee that the data will be reinstated after ransom is paid. Second, paying ransom encourages future ransomware attacks.

The second attack likewise locked the center out of its medical records.

Read More

Topics: HIPAA, data breach, security

Nursing home sued after aides taunt resident on Snapchat

Posted by Margaret Scavotto, JD, CHC on 8/22/19 7:37 AM

Two nursing home certified nurse aides were fired and charged with disorderly conduct after filming a 91-year old resident in distress and posting the video to Snapchat. 

The two aides allegedly took a video recording of the resident in distress, while they waved a gown in her face - and the resident tried to push it away. The video caption read: "[Resident name] hates gowns," and was accompanied by laughing/crying emojis. Staff at the nursing home were aware that this resident did not care for hospital gowns.

Read More

Topics: HIPAA, abuse, skilled nursing

"Taxi!" and other wrong ways to handle reports of misdirected PHI

Posted by Margaret Scavotto, JD, CHC on 7/17/19 9:45 AM

In Canada (where privacy laws are similar to HIPAA), a man requested his surgery records, and soon received a package in the mail from the hospital. When he opened the package, however, he did not find his surgery records—he found another man’s autopsy.

Read More

Topics: HIPAA

Abuse by Smartphone

Posted by Margaret Scavotto, JD, CHC on 7/9/19 9:57 AM

Four nurse aides commit abuse with Facebook Live

The family of an Illinois nursing home resident who appeared in a caregiver’s Facebook Live video is suing the home. Four nursing aids allegedly participated in a video of the resident, who is a stroke survivor with dementia. The lawsuit asserts that the video shows the resident in bed, holding a diaper, surrounding by employees who are harassing him. One of the caretakers is heard yelling “Take off your pants, [resident name].”

This example poses HIPAA concerns and abuse concerns. Without a patient authorization, it is a potential HIPAA violation to record the resident and share that recording with third parties. In addition, CMS made it clear in its Survey & Certification Memo 16-33 that humiliating or demeaning photos or recordings of nursing home residents are mental abuse.

Snapchat use leads to criminal charges

Read More

Topics: HIPAA, Social Media, abuse

Hot HIPAA Issues: Employee Credentials & Business Associate Management

Posted by ScottGima on 6/4/19 7:54 AM

In late 2018, the OCR entered an $111,400 settlement with Pagosa Springs Medical Center (PSMC), a Colorado critical access hospital. The OCR alleged that the hospital failed to terminate a former employee’s remote access to the hospital’s scheduling calendar, which includes patient PHI. The OCR also alleged that the hospital failed to enter a Business Associate Agreement with the scheduling calendar vendor.

Read More

Topics: HIPAA, business associates

Erectile dysfunction prescription privacy: another HIPAA lawsuit proceeds

Posted by Margaret Scavotto, JD, CHC on 5/21/19 11:06 AM

An Arizona patient received a free sample for an erectile dysfunction (“ED”) medication from his doctor. Later, his pharmacy, Costco, called the patient to tell him that his full prescription was ready. The patient told Costco that he did not want the prescription and would not be picking it up.

One month later, the patient called Costco about another prescription. Costco again told the patient that his ED prescription was ready, and the patient again told Costco he did not want that prescription. The next day, the patient called Costco to give his ex-wife permission to pick up is prescription. The patient and his ex-wife were considering reconciling. A Costco employee gave the ex-wife the patient’s prescription – and the ED prescription, and joked with the ex-wife about the patient taking so long to pick it up. The ex-wife ended reconciliation attempts with the patient.

The patient sued Costco for negligence and other claims.

Read More

Topics: HIPAA

Ransomware attack causes doctor’s office to permanently close

Posted by ScottGima on 5/9/19 8:06 AM

After ransomware took over Brookside ENT & Hearing Services’ EMR system, it decided to close its practice for good. The virus deleted and overwrote the medical practice’s medical records, bills and appointments—and the backups. The virus left behind duplicates, which the hacker promised to unlock in exchange for a $6,500 ransom. The two doctors who own the practice wisely refused to pay the ransom. Instead, they called the FBI.

Read More

Topics: HIPAA

*Breaking News: OCR reduces HIPAA penalty caps

Posted by Margaret Scavotto, JD, CHC on 5/6/19 12:55 PM

Effective April 23, 2019, the Office of Civil Rights (OCR) has reduced the annual aggregate HIPAA penalty caps for covered entities and business associates.

Read More

Topics: HIPAA

    Privacy Policy           Terms of Use