Los Angeles Physical Therapist HIPAA Violation – Receives $25,000 Fine

Los Angeles-based Complete P.T. Pool & Land Physical Therapy will pay $25,000 to settle HIPAA violations for allegedly posting patient testimonials, including full names and photos, on its website without obtaining authorization.

The Department of Health and Human Services Office for Civil Rights announced the settlement terms on its website on Feb. 16. The settlement also requires Complete P.T. to adopt and implement a corrective action plan, and annual reporting of compliance efforts for one year.

The complaint filed with the OCR on Aug. 8, 2012 said Complete P.T. was required by HIPAA to seek authorization for the testimonials.

OCR’s investigation revealed that Complete P.T. failed to reasonably safeguard protected health information, disclosed PHI without authorization, and failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements.

“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes,” said OCR Director Jocelyn Samuels in a statement posted on the OCR website. “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

Original content by Healthcare IT News


How to Avoid 3 Common HIPAA Compliance Oversights

While advising covered entities and business associates of various sizes about HIPAA compliance issues, we’ve noticed three common bad practices.

Most CEs fail to appropriately vet and oversee their BAs. Most CEs, as well as BAs, address HIPAA compliance as a checklist activity instead of a comprehensive risk management process. And many do not provide effective training or awareness communications.

As a result, I recommend organizations make three New Year’s resolutions to help bolster security and minimize the risk of a data breach:

1. Ramp Up Contractor Scrutiny

Do you know how well your vendors, business associates and contracted third parties – who I will collectively call “contractors” – are protecting the information with which you’ve entrusted them to perform some sort of business activity?

Keep in mind that about 20 percent of breaches on the HHS “wall of shame” of major health data breaches involve a BA.

Also, be aware that your organization will probably share liability for the bad actions of your contractors. Case in point: In November, the Connecticut Attorney General applied penalties against both Hartford Hospital and its business associate, EMC Corp., as a result of a breach that occurred in 2012.

In 2016 make sure your contractors:

  • Have documented policies and procedures. If they aren’t documented they don’t exist.
  • Understand that they must appropriately secure, and not share, the personal information you’ve entrusted to them.
  • Provide regular information security and privacy training to their workers, and regularly send awareness reminders.
  • Have a risk management process in place.
  • Have implemented basic security tools to protect the information you’ve entrusted to them.

2. Go Beyond a Risk Management Checklist

It’s vital to address administrative, technical and physical risks. Significant breaches have occurred as a result of not addressing all three. A risk assessment is an important tool for identifying risks, but you cannot stop there. You need a risk management program that includes ongoing activities to manage those risks, such as: keeping track of mobile computing devices with access to PHI; documenting who uses personally owned computing devices; staying on top of new Internet of Things plans; making sure big data analytics is not used in a way that brings unacceptable security and privacy risks; keeping anti-malware updated and applying security patches regularly; and performing audits, to name a few.

Here’s a case in point. After numerous breaches, on Nov. 30, 2015, Triple-S Management Corp. agreed to pay a $3.5 million HIPAA non-compliance fine and to implement a robust corrective action plan to establish an effective HIPAA compliance program with effective security controls. Among the HHS findings:

  • Failure to implement appropriate administrative, physical, and technical safeguards;
  • Impermissible disclosure of PHI to an outside vendor with which it did not have an appropriate business associate agreement;
  • Failure to conduct an accurate and thorough risk analysis; and
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its PHI to a reasonable and appropriate level.

If the insurer had had a comprehensive risk management program in place, including keeping systems patched and up to date, Triple-S probably could have prevented the breaches.

3. Educate the Workforce

Information security and privacy education is more important than ever because new gadgets and technologies enable more healthcare workers to collect and share data.

In September 2015, Cancer Care Group agreed to settle HIPAA violations by paying a $750,000 fine and adopting a “robust corrective action plan to correct deficiencies in its HIPAA compliance program.” One of the major requirements for Cancer Care Group was to review and revise its training program, because the breach was caused by an easily preventable employee action: leaving a laptop bag containing unencrypted files on 55,000 patients in an unsecured car.

Training needs to be more than once a year, and must happen at, or prior to, the start of employment. There also need to be ongoing awareness communications and activities, as required by HIPAA.

Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a wise business decision, providing such education is also a requirement in most data protection laws and regulations.


Privacy and Security in Long-Term Care

There are three top reasons why protecting health information is important in long term and post-acute care:

  1. It’s the law
  2. Compliance protects and enhances your reputation
  3. Non-compliance can be costly

$750,000 HIPAA Fine For A Laptop?

$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies

Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.

On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA Rules. The Resolution Agreement and Corrective Action Plan (CAP) are published on the OCR website.

HHS also publishes guidance on how an organization can conduct a HIPAA risk analysis.

To learn more about non-discrimination and health information privacy laws, your civil rights and privacy rights in health care and human service settings, and how to file a complaint, visit the OCR website.


8 Examples of HIPAA Violations

HIPAA, the Health Insurance Portability and Accountability Act of 1996, was passed to protect an employee’s health insurance coverage when they lose or change jobs. It also has provisions to ensure the privacy and confidentiality of identifiable health information.

Everyone’s medical situation is different; however, this article strives to help define HIPAA by providing an overview of some common HIPAA violations experienced by health care providers and patients. Links to HIPAA experts are provided at the end of this article for your specific questions.

  • Failure to adhere to the authorization expiration date – A patient can set a date on which their authorization expires. Releasing records after that date is a violation.
  • Failure to promptly release information to patients – HIPAA gives patients the right to access and obtain copies of their medical records, including electronic copies where the records are kept electronically, and the provider must respond within the time limit the rule sets (generally 30 days).
  • Improper disposal of patient records – Paper records must be shredded or otherwise rendered unreadable before disposal, and electronic media must be wiped or destroyed.
  • Insider snooping – Employees, family members or co-workers looking into a person’s medical records without a work-related reason. Role-based access controls, audit logging of every record access, and regular review of those logs are the controls that catch it.
  • Missing patient signature – An authorization form without the patient’s signature is invalid, so releasing information on the strength of it is a violation.
  • Releasing information to an undesignated party – Only the person or organization named on the authorization form may receive the patient’s information.
  • Releasing unauthorized health information – Releasing a document that was not approved for release. A patient has the right to authorize release of only part of their record.
  • Releasing the wrong patient’s information – Through a careless mistake, information is sent to, or about, the wrong patient. This often happens when two patients have the same or similar names.
  • Right to revoke clause – An authorization form must state the patient’s right to revoke it, or the form is invalid, and any information released under it is a violation.
  • Unprotected storage of protected health information – A stolen laptop is the classic example. PHI stored on a laptop, thumb drive or any other mobile device needs to be encrypted, so that losing the device is not a breach of unsecured PHI.
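The insider-snooping item above says audit logs of record access have to be reviewed, not just collected. The script below is an added example of what that review looks like in code; it is not part of the original article and not any EHR vendor's tooling. The audit-log line format, the care-team roster and the user directory are all constructed for the example. It flags two patterns: a user opening a chart for a patient they have no treatment or payment relationship with, and a user opening the chart of a patient who shares their surname (a common family-lookup signal).

```python
"""Flag possible insider snooping in EHR access-audit logs.

Hypothetical, added example: the log format, the care-team roster
(CARE_TEAM) and the user directory (USER_LAST_NAMES) are constructed
here and do not correspond to any real EHR product.
"""
from dataclasses import dataclass
import re

# Constructed sample audit log: one chart view per line.
SAMPLE_LOG = """\
2024-03-02T09:14:00 user=nwilson role=nurse patient_id=1001 patient_last=Garcia action=view
2024-03-02T09:20:00 user=nwilson role=nurse patient_id=1002 patient_last=Patel action=view
2024-03-02T11:02:00 user=tgarcia role=billing patient_id=1003 patient_last=Garcia action=view
2024-03-02T12:40:00 user=rsmith role=physician patient_id=1001 patient_last=Garcia action=view
2024-03-02T13:05:00 user=rsmith role=physician patient_id=1004 patient_last=Nguyen action=view
2024-03-02T22:31:00 user=nwilson role=nurse patient_id=1005 patient_last=Okafor action=view
"""

# Constructed roster of (user, patient_id) pairs with a legitimate
# treatment or payment relationship. In practice this is derived from
# appointments, admissions and billing assignments.
CARE_TEAM = {
    ("nwilson", 1001), ("nwilson", 1002),
    ("rsmith", 1001), ("rsmith", 1004),
    ("tgarcia", 1003),
}

# Constructed user directory, used for the same-surname heuristic.
USER_LAST_NAMES = {"nwilson": "Wilson", "tgarcia": "Garcia", "rsmith": "Smith"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient_id=(?P<pid>\d+) patient_last=(?P<plast>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    patient_id: int
    reason: str


def parse_line(line):
    """Parse one audit line into a dict; raise on anything unparseable
    so a format change cannot silently blind the review."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


def find_snooping(log_text, care_team=CARE_TEAM, user_last_names=USER_LAST_NAMES):
    """Return a Finding for every access that has no documented
    relationship or that matches the same-surname heuristic."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, pid = rec["user"], int(rec["pid"])
        if (user, pid) not in care_team:
            findings.append(Finding(rec["ts"], user, pid,
                                    "no treatment/payment relationship"))
        if user_last_names.get(user, "").lower() == rec["plast"].lower():
            findings.append(Finding(rec["ts"], user, pid,
                                    "same surname as patient (possible family lookup)"))
    return findings


def findings_per_user(findings):
    """Count findings by user so reviewers can prioritise repeat offenders."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_snooping(SAMPLE_LOG):
        print(f"{f.ts} {f.user} -> patient {f.patient_id}: {f.reason}")
```

Both heuristics produce false positives (a legitimate same-surname patient, a consult not yet in the roster), so the output is a review queue for the privacy officer, not an automatic sanction; what matters for HIPAA is that the review actually happens and is documented.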

