Archive for HIPAA Violations
CMS has added some new FAQs to its HIPAA Administrative Simplification Subtopic: Enforcement.
HHS reached a settlement with Phoenix Cardiac Surgery of Phoenix and Prescott, AZ, regarding a failure to comply with the HIPAA Privacy and Security rules when posting patient appointments to an online calendar. Phoenix Cardiac Surgery will pay $100,000 to HHS and will implement new policies and procedures to protect patients’ health information.
HHS began investigating Phoenix Cardiac Surgery following a report that clinical and surgical appointments posted by the physician practice were publicly accessible. Phoenix Cardiac Surgery did not have policies in place to safeguard patients’ electronic protected health information, and did not identify a security official or conduct a risk analysis. The organization also failed to document any employee training on its policies and procedures, according to HHS.
The Utah Department of Technology Services (DTS) reported March 30 a patient information breach affecting 24,000 Medicare claims.
DTS does not yet know the extent of personal information accessed, but it could include Social Security numbers, birth dates, tax identification numbers, and addresses. DTS believes hackers operating out of Eastern Europe gained access to its server, even though it had recently moved the records to a server with a multi-layered security system.
DTS has shut down the affected server and is reviewing other servers to implement new security measures. The Utah Department of Health (UDOH) will notify any individual clients whose information has been accessed and will assist with credit monitoring services. The UDOH has advised all Medicaid clients to monitor their credit and bank accounts.
Source: Utah Department of Health
More than 500 patient records could be compromised after someone stole a computer from a Georgia nurse practitioner’s home January 18, Georgia Health Sciences University reported on its website March 15.
The nurse practitioner works at several sickle cell clinics in Georgia, including the Georgia Health Sciences Adult Sickle Cell Clinic.
The records contained on the laptop include names, dates of birth, diagnosis information, and an internal code associated with patients’ lab tests, but no Social Security numbers, financial information, or addresses. A spokesperson from Georgia Health Sciences University expressed regret for the theft and noted that the organization attempted to personally notify patients of the incident.
Covered entities have reported breaches of unsecured protected health information affecting 500 or more individuals to the Office for Civil Rights (OCR) nearly once every other day since the HIPAA privacy and security enforcer began posting the information 18 months ago.
The list, posted on the OCR breach notification website, hit the 300 mark last week. OCR went live with the site in February 2010, recording breaches that date back to September of 2009.
That’s about 13 breaches per month dating back to the fall of 2009.
The website is part of the breach notification interim final rule, in effect since September 2009. OCR withdrew the rule a little more than one year ago from the hands of the Office of Management and Budget (OMB), which reviews rules for government agencies. OCR wanted more time to pursue changes to the rule.
The provisions in the rule include:
- Notice to patients of breaches “without reasonable delay” within 60 days
- Notice to covered entities by BAs when BAs discover a breach
- Notice to “prominent media outlets” on breaches affecting more than 500 individuals
- Notice to “next of kin” on breaches of patients who are deceased
- Notice to the Secretary of HHS of breaches of 500 or more without reasonable delay
- Annual notice to the Secretary of HHS of breaches of “unsecured PHI” affecting fewer than 500 individuals that pose a significant financial risk or other harm to the individual, such as harm to reputation
OCR enforcement by the numbers:
- 420: Complaints alleging a violation of the HIPAA Security Rule made to OCR since October 2009
- 192: Security complaints closed by OCR after investigation and appropriate corrective action
- 294: Open security complaints and compliance as of May 31, 2011
- 61,333: HIPAA Privacy Rule complaints since the compliance date in April 2003
- 55,858: Complaints resolved through investigation and enforcement (13,745); through investigation and finding no violation (7,132); and through closure of cases that were not eligible for enforcement (40,456).