Breaking Compliance News Blog

HIPAA Lessons from Uber: Don't Sweep Data Breaches Under the Rug

Posted by Margaret Scavotto, JD, CHC on 9/10/20 10:57 AM


In 2016, Uber suffered a data breach affecting the personal information of 57 million drivers and customers. Uber did not announce the breach until November 2017. In August 2020, the United States Department of Justice (DOJ) filed a criminal complaint against Joseph Sullivan, Uber’s Chief Security Officer at the time of the breach. The DOJ has charged Sullivan with obstruction of justice and misprision of a felony for his alleged role in concealing the 2016 breach.


Topics: Board Involvement, HIPAA, data breach, breach notification

Free Webinar: HIPAA Security - Board of Governance Responsibility

Posted by Margaret Scavotto & Scott Gima on 9/3/20 10:32 AM

Join HIPAAtrek and MPA's Executive VP Scott Gima for a complimentary webinar:


Topics: HIPAA, security, webinar

I’ll have another rosemary latte and a HIPAA breach, please.

Posted by Margaret Scavotto, JD, CHC on 8/25/20 9:00 AM

As the United States is in varying stages of opening versus shutting down in response to COVID-19, the definition of "workplace" has become a very fuzzy concept. Sometimes I work at home, and sometimes I work at the office. I hear from some parents that they will be working alongside a "pod" of children learning virtually in their homes. And yes, some employees have resumed working at coffee shops. This changing reality of where we are working brought this popular blog from 2019 to mind - so here is one from the archives...


The other day I stopped by my favorite local coffee shop for an afternoon pick-me-up. I ordered my guilty pleasure – a brown sugar rosemary latte – and sat down in the only available seat on the lobby couch to wait.

A few minutes later, a young woman came in and sat down next to me, opened her laptop, and began clack-clacking away (a common occurrence, as this coffee place is known as an unofficial co-working space).

I got up to get my latte, sat back down, and noticed that the woman was on the phone. I began reading an article about a recent HIPAA breach (in a moment you will learn the irony in this), and tried not to be distracted by her call. But I couldn’t help but notice she seemed to be talking about a patient. She mentioned the patient’s name and birthday, and then scheduled an appointment for him. She went on to do this for several other patients. Then she called a few patients to check on their condition and well-being. I also couldn’t help but notice that she was typing information into some kind of EMR database.

If this were a cartoon, my head would have exploded at this moment.

When my disbelief faded into the reality that this person – perhaps some kind of case worker or social worker – was in fact discussing patients and their health care information, I had a sinking feeling in my stomach. Does this really happen? Am I on some kind of brainy reality TV show for HIPAA professionals? How could two people sitting on the same couch have such different reactions to these phone calls? How could I be so appalled – and this woman be oblivious and even pleased to be accomplishing so much?

I’ll tell you why: awareness and training.

I think about HIPAA all the time. I follow HIPAA settlements and headlines daily, blog about them, and build training programs and policies around them. So, I see HIPAA everywhere.

I don’t know what kind of HIPAA training my couch neighbor has had. It could be she was trained extensively and chose to ignore the advice. Or perhaps it is more likely that she wasn’t trained on HIPAA – or at least, not recently – and not on protecting patient privacy when working remotely.

What about your staff? Would they know what to do?

Topics: Training and Education, HIPAA, Culture of Compliance

HIPAA Reminder: Don’t Forget Students

Posted by Margaret Scavotto, JD, CHC on 8/20/20 9:45 AM

It is common for covered entities and business associates to train employees at hire and (at least) annually. What’s not as common is including other parties in the organization’s HIPAA training program. Contracted staff, temp/agency staff, volunteers, board members, and students can be considered part of an organization’s workforce – meaning, they need to be trained on HIPAA. And, during the pandemic, many providers have expanded the types of individuals that are part of their team.


Topics: Training and Education, HIPAA, compliance, COVID-19

HIPAA News: Two Settlements and a Fraudulent OCR Postcard

Posted by Margaret Scavotto, JD, CHC on 8/10/20 1:15 PM

Watch Out for Fraudulent OCR Postcards

On August 6th, the OCR issued an Alert: Postcard Disguised as Official OCR Communication. This Alert warns covered entities and business associates that an impostor is sending out postcards posing as the OCR. The postcards ask the recipient to visit a website, call, or email “to take immediate action on a HIPAA Risk Assessment.” The postcard is not from the OCR; it is from a consulting company trying to sell services.


Topics: HIPAA

Sign up for MPA's free webinar: HIPAA & PR Pitfalls

Posted by Margaret Scavotto, JD, CHC on 7/28/20 8:53 AM

Sign up for the next webinar in MPA's Free Compliance Webinar Series:

August 11 at 11 a.m. CST: HIPAA & PR Pitfalls

The OCR has entered multiple HIPAA settlements with healthcare providers who violated HIPAA with public relations campaigns and media communications. This was an issue before COVID-19, and the pandemic has only increased media attention and the need for effective HIPAA protocols.

Learn how to stay on the good side of the news.

Sign up here.


Topics: HIPAA, Culture of Compliance, compliance

Has your HIPAA training kept up with COVID-19?

Posted by Margaret Scavotto, JD, CHC on 7/23/20 10:15 AM

During the pandemic, healthcare providers have seen countless headlines announcing both HIPAA guidance related to COVID-19, and HIPAA breaches. For example:

If your HIPAA training hasn't changed in response to this guidance and headlines, that could be a problem.


Topics: HIPAA, data breach, COVID-19

Train Remotely with Compliance and HIPAA Training Handbooks

Posted by Margaret Scavotto, JD, CHC on 7/21/20 9:45 AM

The pandemic has led covered entities and business associates to rethink training.

For starters, in-services are not always practical right now. With more remote employees, and concerns about containing the spread of the virus, in-person, classroom-style training is not working for everyone.

Plus, many providers are dealing with an evolving workforce: more agency/temp staff, more healthcare professionals newly hired due to loosened education or certification requirements during COVID-19. All of these people need training - and providers have less time to train.

Compliance and HIPAA training does not have to be in the form of a live in-service to be effective. 

MPA's Compliance and HIPAA Training Handbooks can help.


Topics: Compliance Basics, Training and Education, HIPAA, Culture of Compliance, MPA's Compliance Store, COVID-19

Download MPA's HIPAA, COVID-19 & Social Media Roadmap

Posted by Margaret Scavotto & Scott Gima on 7/8/20 8:38 AM

The rise of social media has revolutionized the way people connect. In the health care workplace, social media also brings countless opportunities for employees to violate HIPAA. Balancing this new landscape of increased sharing through technology and unchanged patient privacy rights is a minefield for healthcare providers.

Without education and policies from their employers, health care employees can easily get into trouble, quickly putting their employers at risk for HIPAA penalties, lawsuits, and devastating PR consequences. The pandemic has only exacerbated the privacy challenges associated with social media. MPA’s HIPAA, Social Media & COVID-19 Roadmap tells you what you need to know about this challenge, and what you can do about it.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly (and know when they aren't) than to do nothing and wait to hear it from the patients (or the media).

Click here to download.


Topics: HIPAA, COVID-19

HIPAA News: Who Leaked Ezekiel Elliott’s COVID-19 Results?

Posted by Margaret Scavotto, JD, CHC on 7/2/20 9:30 AM

It’s not often that I cite a Sports Illustrated article in a HIPAA blog – but last week, the compliance and sports worlds collided when Dallas Cowboys running back Ezekiel Elliott’s COVID-19 results went viral.

Elliott issued his official, one-word response to the news on Twitter: “HIPAA ??” Elliott went on to deny reports that his own agent leaked the news about his COVID-19 status, tweeting that his agent confirmed the information AFTER it was leaked to the media.

We do not know how this happened, but healthcare providers should think through the possibilities and look inward.

  • Did an employee of a healthcare provider treating (or testing) Elliott leak the information? Could this happen within your organization?
  • Are your employees trained about the consequences of breaching patient information in this way? What would your employees find more compelling – your HIPAA policies, or a bribe from a reporter? (To be clear, we have no knowledge that this is what happened here – but it is a possibility).
  • Are your employees trained to understand that COVID-19 status is sensitive PHI – with higher stakes for the patient?
  • Does your organization segregate patient records access to minimize the likelihood of a breach?
  • When your organization treats high-profile patients, are extra precautions taken to protect their PHI (for example, admitting/treating them under an alias)?
  • Do you conduct regular information system activity review audits, to both prevent and detect unauthorized records access?

We don’t know how Zeke Elliott’s records were leaked – but we know it’s wrong, and healthcare providers should take all steps to avoid a similar problem. Keep in mind that breaches of high-profile individuals will continue to be a challenge after COVID-19. As the 4th of July approaches, you might remember Jason Pierre-Paul, the NY Giants player who sued ESPN after a reporter tweeted a picture of his medical record when he was treated for a fireworks injury to his hand.

MPA can help with HIPAA training. We offer interactive, customized Zoom training sessions with current real-world examples and pre- and post-testing.

Topics: HIPAA, COVID-19
