Breaking Compliance News Blog

Erectile dysfunction prescription privacy: another HIPAA lawsuit proceeds

Posted by Margaret Scavotto, JD, CHC on 5/21/19 11:06 AM

An Arizona patient received a free sample for an erectile dysfunction (“ED”) medication from his doctor. Later, his pharmacy, Costco, called the patient to tell him that his full prescription was ready. The patient told Costco that he did not want the prescription and would not be picking it up.

One month later, the patient called Costco about another prescription. Costco again told the patient that his ED prescription was ready, and the patient again told Costco he did not want that prescription. The next day, the patient called Costco to give his ex-wife permission to go pick up his prescription. The patient and his ex-wife were considering reconciling. A Costco employee gave the ex-wife the patient’s prescription – and the ED prescription – and joked with the ex-wife about the patient taking so long to pick it up. The ex-wife ended reconciliation attempts with the patient.

The patient sued Costco for negligence and other claims.


Topics: HIPAA

Ransomware attack causes doctor’s office to permanently close

Posted by Scott Gima on 5/9/19 8:06 AM

After ransomware took over Brookside ENT & Hearing Services’ EMR system, it decided to close its practice for good. The virus deleted and overwrote the medical practice’s medical records, bills and appointments—and the backups. The virus left behind duplicates, which the hacker promised to unlock in exchange for a $6,500 ransom. The two doctors who own the practice wisely refused to pay the ransom. Instead, they called the FBI.


Topics: HIPAA

Breaking News: OCR reduces HIPAA penalty caps

Posted by Margaret Scavotto, JD, CHC on 5/6/19 12:55 PM

Effective April 23, 2019, the Office of Civil Rights (OCR) has reduced the annual aggregate HIPAA penalty caps for covered entities and business associates.


Topics: HIPAA

Women’s Obstetrical Procedures Secretly Filmed

Posted by Margaret Scavotto, JD, CHC on 4/30/19 8:04 AM

A San Diego hospital is being sued for secretly video recording 1,800 patients while they received procedures in three labor and delivery operating rooms. Women were also recorded while undressing, and with their genitals exposed. The lawsuit alleges that the recorded women have suffered anxiety, humiliation, depression, and other harm.

The hospital installed motion-activated cameras on drug carts in the operating rooms, in order to investigate potential employee diversion of propofol from operating room drug carts. The cameras continued to record after the motion stopped. The lawsuit alleges that multiple users – including strangers and non-medical employees – could access the recordings on computers, and the hospital did not track who accessed the recordings.

While we don’t know exactly what procedures were followed in this example, it raises some good HIPAA questions for other providers considering filming in similar circumstances.

From a HIPAA standpoint, a HIPAA authorization would be required for any such recording to be legally obtained. This story also raises concerns about how the recordings were stored and accessed, and whether access to the recordings was properly limited. And of course, before any new technology is used that will record and store ePHI, it should first be addressed in your HIPAA security risk analysis.


Topics: HIPAA

Compliance and HIPAA Training Handbooks are Here!

Posted by Margaret Scavotto, JD, CHC on 4/16/19 9:17 AM

MPA's Compliance and HIPAA training handbooks for healthcare staff are here!


Help your staff get HIPAA right, all day, every day.

MPA noticed that most HIPAA training doesn't cover the top calls we get: snooping, selfies, social media, and other common breaches.

This HIPAA training handbook won't tell your staff that HIPAA was enacted in 1996 - because that won't help your staff make good HIPAA decisions on a daily basis. This handbook will, however, provide common sense HIPAA information your staff need to succeed in healthcare.

Each chapter is accompanied by a mini-quiz to test staff knowledge.

Learn more.


Help your staff get compliance right, all day, every day.

MPA noticed that most compliance training does not cover the daily risks most healthcare staff encounter - or is written in legalese that is challenging for many healthcare employees.

This training handbook won't tell your staff that OIG stands for "Office of Inspector General," because that isn't going to help most of your staff understand compliance. This handbook will break down compliance concepts in simple, understandable chapters to help them do their jobs in a way that follows your compliance program. 

Each chapter is accompanied by a mini-quiz to test staff knowledge.

Learn more.


Topics: Compliance Basics, Training and Education, HIPAA, Culture of Compliance, MPA's Compliance Store

There's no HIPAA for cats, by the way.

Posted by Margaret Scavotto, JD, CHC on 4/2/19 11:18 AM

Last week, my husband and our five year old daughter took our dog to the vet for a check-up. When they came home, my five year old was very excited to tell me that she got to talk to Dr. Julie about Abby's tooth cleaning and Jack's nail trimming.

Abby and Jack are my mother's cats, who, in case it isn't obvious, also see Dr. Julie.

I was astounded! Until my husband reminded me: "There's no HIPAA for cats, Margaret."

That's right. Of course!

But this got me thinking. If Abby and Jack were people, we would have a pretty big problem on our hands. My mother lives four minutes away. So do my nephews. So do my aunt and uncle. There's some overlap in doctors and dentists in our family (in addition to veterinarians). We bump into each other all over town.

And yet, thanks to HIPAA, we all expect and trust that our medical information will be kept private. Can you imagine it any other way? Can you imagine the chaos that would ensue if everyone discussed everyone else's tooth cleanings and nail trimmings all over town, as if we were cats?

Aristotle said what separates humans from the animals is rationality. I think it's HIPAA, too.



Topics: HIPAA

HIPAA Alert: Dozens of Northwestern employees potentially fired for accessing Jussie Smollett's records

Posted by Margaret Scavotto, JD, CHC on 3/19/19 12:50 PM

CBS 2 (Chicago) reported that potentially 60 Northwestern Memorial Hospital employees were terminated for accessing Jussie Smollett's medical records, without authorization, during a hospital stay following a highly publicized assault. 

One terminated Northwestern employee reported she was fired after she "went into the charting system and started to search [Smollett]'s name." The fired employee did this out of "morbid curiosity." Others were potentially terminated for asking if the actor was admitted to the hospital under an alias. 

Northwestern has not commented on the alleged firings, and we do not know for sure whether the firings occurred; if so, how many firings occurred; and whether HIPAA was violated.

But we do know that all healthcare providers struggle with the challenge of unauthorized access of patient records (also known as snooping). It happens with celebrities, and other high profile patients: car accident victims, employee relatives and friends, co-workers, and hometown heroes.

What you can do:

  • Admit high profile patients under an alias.
  • Limit access with your EHR controls.
  • Monitor access regularly. Increase monitoring when you have a high-profile patient.
  • Use alerts to warn users and your compliance team when access is exceeded.
  • Have your breach analysis policy and decision tree nearby for when access is exceeded.
  • Train staff on the consequences of exceeding accesses. One "morbid curiosity" click could cost them their job.
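As an added illustration of the "monitor access" and "use alerts" steps above (example code written for this page, not from MPA or any EHR vendor), the script below scans a constructed audit-log extract for a patient on a watch list and flags two things: name or alias look-ups against that patient, and chart views by users who are not on the documented care team. The log layout, patient id, user names, roles and care-team membership are all assumptions; real EHR audit exports have their own field names and usually many more columns.

```python
"""Flag suspicious EHR audit-log activity around a watch-listed patient.

Everything below (log format, users, roles, patient id, care team) is
constructed for illustration and does not describe any real system.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed audit events: timestamp, user, role, action, patient id.
AUDIT_LOG = """\
2019-03-15T09:02:11,nurse.ramirez,RN,chart_view,P-1001
2019-03-15T09:05:43,dr.okafor,MD,chart_view,P-1001
2019-03-15T09:07:02,clerk.jones,BILLING,name_search,P-1001
2019-03-15T09:07:30,clerk.jones,BILLING,chart_view,P-1001
2019-03-15T09:08:15,tech.lee,LAB,alias_lookup,P-1001
2019-03-15T09:10:00,nurse.ramirez,RN,chart_view,P-2042
2019-03-15T09:12:51,dr.patel,MD,chart_view,P-1001
"""

# Watch-listed patients (e.g. admitted under an alias) mapped to the
# users with a documented treatment relationship. Assumed values.
WATCH_LIST = {"P-1001": {"nurse.ramirez", "dr.okafor"}}

# Look-up actions that merit an alert even when no chart is opened.
PROBE_ACTIONS = {"name_search", "alias_lookup"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    role: str
    action: str
    patient: str
    reason: str


def parse_events(log_text):
    """Split the CSV-style extract into dicts, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split(",")
        events.append({"timestamp": ts, "user": user, "role": role,
                       "action": action, "patient": patient})
    return events


def evaluate_access(log_text, watch_list=WATCH_LIST):
    """Return alerts for every event touching a watch-listed patient that
    is either a probe (search/alias look-up) or a chart view from outside
    the care team. Events for other patients are ignored here."""
    alerts = []
    for ev in parse_events(log_text):
        care_team = watch_list.get(ev["patient"])
        if care_team is None:
            continue
        if ev["action"] in PROBE_ACTIONS:
            reason = "probe of watch-listed patient"
        elif ev["user"] not in care_team:
            reason = "chart access outside care team"
        else:
            continue  # care-team member doing their job
        alerts.append(Alert(ev["timestamp"], ev["user"], ev["role"],
                            ev["action"], ev["patient"], reason))
    return alerts


def users_to_review(alerts):
    """Count alerts per user so the compliance team can triage."""
    return Counter(a.user for a in alerts)


if __name__ == "__main__":
    found = evaluate_access(AUDIT_LOG)
    for a in found:
        print(f"{a.timestamp} {a.user:15} {a.role:8} {a.action:13} {a.patient} -> {a.reason}")
    print("users to review:", dict(users_to_review(found)))
```

On the constructed log this yields four alerts (two for clerk.jones, one each for tech.lee and dr.patel) and nothing for the two care-team members. The care-team check is the part that needs real input from your EHR: a treatment-relationship table, break-glass flags, or role-based exceptions, each of which should feed into the same decision so that the breach analysis policy mentioned above has a complete record to work from.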

Need help reminding your staff not to snoop medical records? HIPAA Every Day, MPA's HIPAA training handbook for healthcare employees, addresses snooping.


Topics: HIPAA

I’ll have a brown sugar rosemary latte and a HIPAA breach, please.

Posted by Margaret Scavotto, JD, CHC on 3/12/19 8:43 AM

The other day I stopped by my favorite local coffee shop for an afternoon pick-me-up. I ordered my guilty pleasure – a brown sugar rosemary latte – and sat down in the only available seat on the lobby couch to wait.

A few minutes later, a young woman came in and sat down next to me, opened her laptop, and began clack-clacking away (a common occurrence, as this coffee place is known as an unofficial co-working space).

I got up to get my latte, sat back down, and noticed that the woman was on the phone. I began reading an article about a recent HIPAA breach (in a moment you will learn the irony in this), and tried not to be distracted by her call. But, I couldn’t help but notice she seemed to be talking about a patient. She mentioned the patient’s name and birthday, and then scheduled an appointment for him. She went on to do this for several other patients. Then she called a few patients to check on their condition and well-being. I also couldn’t help but notice that she was typing information into some kind of EMR database.

If this was a cartoon, my head would have exploded at this moment.

When my disbelief faded into the reality that this person – perhaps some kind of case worker or social worker – was in fact discussing patients and their health care information – I had a sinking feeling in my stomach. Does this really happen? Am I on some kind of brainy reality TV show for HIPAA professionals? How could two people sitting on the same couch have such different reactions to these phone calls? How could I be so appalled – and this woman be oblivious and even pleased to be accomplishing so much?

I’ll tell you why: awareness and training.

I think about HIPAA all the time. I follow HIPAA settlements and headlines daily, blog about them, and build training programs and policies around them. So, I see HIPAA everywhere.

I don’t know what kind of HIPAA training my couch neighbor has had. It could be she was trained extensively and chose to ignore the advice. Or perhaps it is more likely that she wasn’t trained on HIPAA – or at least, not recently – and not on protecting patient privacy when working remotely.

What about your staff? Would they know what to do?



Topics: Training and Education, HIPAA, Culture of Compliance

HIPAA breaches are everywhere: Are your employees prepared?

Posted by Margaret Scavotto, JD, CHC on 12/13/18 2:01 PM

A hospital OR secretary was fired after she accessed the hospital's EHR to locate a co-worker's phone number.

A child's adoptive parents sued a hospital for allegedly violating HIPAA when it notified the child's birth mother of his death.

Hospital employees clicked on links in emails that appeared to be from trusted sources, unleashing a spear phishing attack. Hackers accessed PHI for 63,000 individuals - some of whom are suing the hospital for failing to protect their privacy.

A patient is suing CVS for telling his wife about his Viagra prescription.

Some of you might read these (true) stories and view them as blatant, or at least ignorant, HIPAA violations. Or maybe you believe these are honest mistakes. I think it depends on whether, when, and how the healthcare employees involved were trained on HIPAA in a practical way.

In the CVS example, we can imagine a pharmacist or pharmacy tech at the register and taking phone calls. This person talks to people all day long about prescriptions - often prescriptions dropped off or picked up by a spouse. When is the last time this pharmacist was trained on when to share information with a spouse (and when to keep it confidential)?

Regarding the spear phishing example, I received two phishing email attempts today, and it's only 2:00 p.m. I recognized the emails as phony - but my day job involves HIPAA, and I read about HIPAA for fun. It's always on my mind. Would healthcare employees who spend their days scheduling patients, sending out EOBs, or providing care recognize suspicious emails? It depends on how well they have been trained, and how often.

HIPAA, like the rest of compliance, is not simply something for the lawyers or the compliance department to figure out.

Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.





Topics: HIPAA, Social Media, data breach, security

HIPAA Update: The Cost of Not Encrypting

Posted by Margaret Scavotto, JD, CHC on 11/14/18 10:26 AM

At HCCA’s 2018 Compliance Institute, Iliana Peters, formerly of the OCR and now with the Polsinelli law firm, commented that not encrypting is “less and less persuasive.” In other words, it is increasingly harder to justify a decision not to encrypt electronic protected health information (ePHI).

This is welcome input, considering that encryption is “addressable,” but not “required” under the HIPAA Security Rule.

Addressable safeguards require covered entities and business associates to:

  • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
  • As applicable to the covered entity or business associate—

      (A) Implement the implementation specification if reasonable and appropriate; or

      (B) If implementing the implementation specification is not reasonable and appropriate—
          (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
          (2) Implement an equivalent alternative measure if reasonable and appropriate.

45 CFR 164.306(d)(3).

But when it comes to encryption, the line has been moving since the HIPAA Security Rule was originally implemented. Fifteen years ago, it was common – and perhaps more “persuasive” – to make the argument that encryption was cost prohibitive, and therefore not “reasonable and appropriate.” As time went on, the likelihood of ePHI being compromised increased—partly because there is more ePHI; partly because there is more demand for ePHI on the black market; and partly because hackers have more sophisticated methods of illegally obtaining ePHI. At the same time, encryption options have become plentiful and more affordable.

It comes as little surprise, then, that we are seeing more HIPAA settlements and enforcement involving unencrypted ePHI. For example:

And last but not least, on June 18, 2018, the OCR announced that an HHS Administrative Law Judge (ALJ) ruled that MD Anderson violated the HIPAA Privacy and Security Rules when it failed to encrypt its electronic devices, despite identifying encryption as a high security risk. 

It is noteworthy that the ALJ rejected MD Anderson’s argument that it was not required to encrypt its devices. The ALJ stated:

       The regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users. 45 C.F.R. § 164.306(a); 45 C.F.R. § 164.312(a)(1). These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective. Respondent failed to comply with regulatory requirements because it failed to adopt an effective mechanism to protect its ePHI.

For covered entities and business associates who have not encrypted – perhaps because it is not “required” under the Security Rule - there are mounting indications from the enforcers that opting not to encrypt is, in the words of Ms. Peters, “less and less persuasive.” 


Topics: HIPAA
