Archive for HIPAA News
Organizations in Florida have one more thing to worry about following a breach of personal information or a security breach. The Florida Information Protection Act of 2014 (FIPA), which went into effect July 1, requires covered entities (CEs) or third parties to notify affected individuals and the Florida Department of Legal Affairs (DLA) of a breach of security or PHI within 30 days of discovery, unless notification is delayed at the request of law enforcement. Previously, state law required CEs and third parties to notify affected individuals of a breach within 45 days.
FIPA sets forth a detailed definition of “personal information,” which includes an individual’s first name or first initial and last name combined with one of the following:
- Social Security number
- A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
- A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
- An individual’s health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual
- A user name or email address combined with a password or security question and answer that would permit access to an online account
The law states that the definition of a CE goes beyond healthcare organizations to include “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”
Unlike HIPAA, FIPA places little responsibility for breach notification upon third parties. FIPA requires third parties to notify the CE of a breach within 10 days of discovery, at which point the CE becomes responsible for breach notification.
FIPA is enforced by the DLA under the Florida Deceptive and Unfair Trade Practices Act. Violators may face civil prosecution and/or fines not exceeding $500,000 for violating the state breach notification requirements. The DLA will submit a breach report to the Legislature by February 1 each year. CEs and third parties must still comply with HIPAA regulations in addition to FIPA.
A former East Texas hospital employee faces up to 10 years in prison for HIPAA violations, according to a press release from the U.S. Department of Justice.
Joshua Hippler, 30, formerly of Longview, Texas, faces charges for wrongful disclosure of individually identifiable health information. Hippler was accused of obtaining PHI with the intent to use it for personal gain while employed by the hospital in question from December 1, 2012, through January 14, 2013. A grand jury recently indicted Hippler, according to the press release.
The Office for Civil Rights (OCR) recently named Jocelyn Samuels as the next OCR director, according to govinfosecurity.com.
Samuels currently serves as the acting assistant attorney general for the Civil Rights Division of the U.S. Department of Justice. She will succeed former OCR Director Leon Rodriguez, who was named the director of U.S. Citizenship and Immigration Services, which is a division of Homeland Security.
Samuels will oversee HIPAA compliance at a time when OCR is expected to establish a permanent HIPAA audit program.
The hits just keep on coming. HHS announced June 23 that OCR entered into a resolution agreement and $800,000 settlement with Parkview Health System, Inc., in Fort Wayne, Indiana, for alleged HIPAA Privacy Rule violations.
Parkview obtained the medical records of 5,000–8,000 patients while helping Dr. Christine Hamilton transition her patients to new providers upon her retirement. It was believed that the health system was interested in purchasing a portion of Dr. Hamilton’s practice. Parkview failed to safeguard the PHI of these patients when its employees left 71 cardboard boxes of these medical records outside the physician’s home while she was not there. The home is within 20 feet of a public road and is near a shopping center, according to the press release.
The resolution agreement states that Dr. Hamilton filed the complaint against Parkview. The investigation revealed that when Parkview employees left the medical records at Dr. Hamilton’s home, they were aware that she was not there and that she had previously refused delivery of the records.
Parkview’s corrective action plan states that it will do the following:
- Develop, maintain, and revise written HIPAA Privacy Rule policies and procedures for its workforce with HHS approval
- Distribute HHS-approved policies and procedures to members of its workforce
- Ensure that new, approved policies and procedures provide for administrative, technical, and physical safeguards to protect PHI
- Notify HHS in writing within 30 days of a violation of the new, approved policies and procedures
- Provide general safeguards training for its workforce members who have access to PHI
In light of OCR’s recent $4.8 million settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU) for HIPAA violations, one auditing solutions company released a list of five ways to prevent a breach.
Software provider Netwrix Corporation suggests that healthcare organizations and insurance providers take the following steps to maintain HIPAA compliance:
- Create strict policies and procedures to protect your IT infrastructure and minimize risk
- Perform audits to ensure policies have the desired effect
- Prove you are compliant by generating audit reports
- Implement an automated change auditing solution to detect breaches sooner
- Be prepared for requirements to become more strict as breaches occur more frequently