Archive for HIPAA security
St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.
OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecured online document sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.
A California hospital network that agreed to a $4.13 million settlement of a class-action lawsuit for exposing the PHI of more than 32,000 patients is now getting pushback from its liability insurance provider about paying the claims.
In December 2013, it was discovered that the health system and a third-party vendor, InSync, had stored patients’ unencrypted electronic medical records on a database accessible from the Internet. Potentially, patients’ PHI could have shown up in an online search engine for the world to see. There was no evidence that this actually happened at the time, but Cottage Health had to notify 32,755 patients that their PHI may have been publicly exposed.
The health system then agreed to settle a class-action lawsuit brought by the patients. Chicago-based Columbia Casualty Company, Cottage Health’s liability insurer, paid the bill but then filed a complaint in federal court in May 2015, seeking repayment of the insurance claims.
Criminal attacks on the healthcare industry have increased 125% since 2010, making these attacks the leading cause of data breaches in the industry, according to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare, sponsored by ID Experts®. The goal of the study is to determine what organizations are doing to protect the privacy and security of PHI and what challenges they may face in doing so, according to Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
The study reports on the responses of 90 covered entities (CE), and for the first time includes responses from 88 business associates (BA). The Ponemon Institute conducts as many as 20 separate interviews with each CE and BA involved in the study, Dr. Ponemon says.
Although criminal attacks have been highlighted in the annual study for five years, 2015 marks the first year that these attacks were listed as the top cause of data breaches. Nearly half (45%) of healthcare organizations surveyed listed criminal attacks as the top cause of data breaches, compared to 39% of BAs. Medical identity theft not only has financial repercussions, but has the potential to compromise the accuracy of patients’ records, which can ultimately harm the patient, says Rick Kam, CIPP/US, president and co-founder of ID Experts.
More than 90% of CEs surveyed experienced a data breach, and more than 40% experienced one within the last five years. More specifically, 65% of CEs said they experienced security incidents within the last two years involving the exposure, theft, or misuse of electronic information. The majority of respondents (96% of CEs and 95% of BAs) have experienced an incident involving lost or stolen devices. The study revealed that the average cost of a breach at a healthcare organization is more than $2.1 million, whereas the average cost for BAs is more than $1 million.
The Office of the National Coordinator (ONC) released the revised “Guide to Privacy and Security of Electronic Health Information” April 13 to help organizations integrate federal health information privacy and security requirements.
The guide is geared toward HIPAA covered entities and Medicare eligible professionals from smaller organizations. The updated version features information about compliance with the privacy and security requirements of CMS’ Electronic Health Record (EHR) Incentive Programs as well as compliance with HIPAA Privacy, Security, and Breach Notification Rules.
The guide covers such topics as:
- Increasing patient trust through privacy and security
- Provider responsibilities under HIPAA
- Health information rights of patients
- Securing patient information in EHRs
- Meaningful Use core objectives that address privacy and security
- A seven-step approach for implementing a security management process
- Breach notification and HIPAA enforcement
A January 2015 report by the Federal Trade Commission (FTC) about the Internet of Things, which is an object’s ability to connect to the Internet for the purpose of sending and receiving data, highlights the need for updated HIPAA standards.
The report is based on the November 2013 FTC workshop, “The Internet of Things: Privacy and Security in a Connected World,” which was not initially geared toward healthcare. The report focused on security, notice, choice, and data minimization.
The report stated that general privacy legislation should focus on protecting customers’ data. During the workshop, participants pointed out that HIPAA is limited to protecting health information collected by certain covered entities. However, health applications increasingly gather data that is often not protected by HIPAA. The FTC believes consumers should be aware of how their health information is used regardless of who collects it. The report calls for consistent standards that provide transparency about the use of protected health information regardless of who collects it.