Archive for HIPAA Violations
An October 24 U.S. House of Representatives hearing on HealthCare.gov sparked a debate over whether the Obamacare website violates users’ privacy, International Business Times has reported. During the hearing, Rep. Joe Barton, R-Texas, said the source code of the Obamacare website states that users have “no reasonable expectation of privacy about communication or data stored on the system,” the online newspaper reported. However, users of the website cannot view this portion of the source code. Barton alleged that the website violates HIPAA, according to the article.
Rep. Diana DeGette, D-Colo., said during the hearing that HealthCare.gov does not violate HIPAA because the only medical information users enter when using the site is whether they are smokers, International Business Times reported.
Department of Veterans Affairs (VA) employees or contractors were responsible for 14,215 HIPAA privacy violations at 167 facilities from 2010 through May 2013, according to a recent Pittsburgh Tribune-Review investigation. The violations affected at least 101,018 veterans and 551 VA employees, the newspaper reported.
Reporters analyzed the VA Risk Management and Incident Response Resolution Team reports, which revealed a history of medical record snooping and the loss of sensitive data such as Social Security numbers. Since 2010, criminal investigators found 11 instances of VA employees stealing veterans’ identities or prescriptions, according to the report.
The newspaper uncovered the following information during its investigation of records from 2010 through May 2013:
- The VA reported one in every 365 privacy violations to the OIG.
- Providers violated the privacy of 2,856 veterans by illegally releasing patient information or failing to obtain patient consent for studies.
- The VA compromised the PHI of 16,183 veterans by failing to encrypt data on electronic media that were lost or stolen.
- VA employees compromised the PHI of 836 veterans and two VA employees when they lost paperwork in restrooms.
- VA employees compromised the PHI of 1,118 veterans by faxing medical records to the wrong destinations.
- The VA provided prescriptions or paperwork of 5,254 veterans to the wrong person. One in five of these incidents resulted in the disclosure of veterans’ birth dates, complete or partial Social Security numbers, or diagnoses.
An unknown number of Tampa General Hospital (TGH) patients treated by University of South Florida (USF) physicians could be at risk for identity theft, according to an ABC Action News report. TGH and USF have not announced the details of the breach of PHI on their websites, but USF sent letters to affected patients to notify them that they may be at risk for identity theft, according to the news report.
Sharee Chapman was seen at TGH for hip replacement surgery May 16, according to the report. She contacted ABC Action News after receiving a two-page letter from USF. The letter stated that a USF employee was stopped by Hillsborough County sheriff’s deputies May 24 and a search of the employee’s vehicle revealed TGH patients’ Social Security numbers, names, dates of birth, and medical record numbers.
HIPAA requires covered entities to report a breach of PHI to affected individuals within 60 days of discovery. Chapman told ABC Action News that the letter she received was dated July 26 but postmarked August 13, which was nearly three months after the breach was discovered.
The employee, who has since been terminated, was not authorized to access the PHI, ABC Action News reported. The employee has not been identified. No medical records were discovered in the vehicle, but USF stated in its letter that some of the documents found were used for patient billing, the report said.
Cogent Healthcare notified 32,000 patients of a data breach caused by a security lapse at M2Comsys, the vendor hired to transcribe the company’s physician notes, The Tennessean reported. PHI, including physician’s name, patient date of birth, diagnosis, treatment, medical history, and medical record number, was compromised when what should have been a secure website was accessible to the public from May 5 to June 24, according to the report.
Cogent is a hospitalist company based in Brentwood, Tenn. The company terminated its relationship with M2Comsys as a result of the breach, according to The Tennessean. Cogent is still investigating the breach, which impacted partners and patients in 48 states, and has yet to identify who may have accessed the PHI. Patients affected by the breach will receive a one-year membership to Experian’s ProtectMyID Alert, the newspaper reported.
The U.S. Department of Health and Human Services (HHS) and Affinity Health Plan, Inc., entered into a $1,215,780 settlement and corrective action plan over potential HIPAA violations, according to an August 14 HHS press release.
Affinity, a managed care company based in New York, filed a breach report with the HHS Office for Civil Rights (OCR) April 15, 2010. The report stated that a CBS Evening News representative notified Affinity that CBS purchased a photocopier that was once leased by the managed care company and PHI was found on the copier’s hard drive, according to the press release.
Approximately 344,579 people were impacted by the breach, based on an estimate by Affinity. OCR’s investigation revealed that Affinity impermissibly disclosed PHI by failing to erase patient information from hard drives of multiple photocopiers prior to returning the machines to the leasing company. OCR also found that Affinity neglected to include electronic PHI (ePHI) in its risk analysis, which is required under the HIPAA Security Rule, and failed to implement appropriate policies and procedures for returning the machines to the leasing agent, according to HHS.
An OCR corrective action plan requires Affinity to make an effort to retrieve all hard drives from leased photocopiers and take measures to safeguard ePHI, according to HHS.