All Posts Tagged: hipaa hacks

Prepare for 2016 HIPAA Audits

7 Ways to Prepare for 2016 HIPAA Audits

Phase two of the audits under the Health Insurance Portability and Accountability Act (HIPAA) is coming this year, as the Office for Civil Rights looks to crack down on violations.

HIPAA was signed into law in August 1996, and the Privacy and Security Rules were both implemented over a decade ago. Moreover, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which made significant changes to many facets of HIPAA, passed in 2009. Section 13411 of the HITECH Act requires the Office for Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services (HHS), to conduct periodic HIPAA audits.

Why is there so much emphasis on meeting standards that have been required for two decades in some instances? It’s due mainly to the increased use of technology in healthcare and accompanying cybersecurity risks. The purpose of this article is to provide an overview of the OCR audit program (phase 2), identify key areas of risk and provide suggestions on how to mitigate adverse findings.

OCR Audit Program

In 2011, OCR launched the requisite OCR Pilot Privacy, Security, and Breach Notification Audit Program. For the first phase, only covered entities were audited. This second phase includes business associates of covered entities.

Regardless of the type of entity, the time frames for the audit are the same. From the time the audit notification letter is sent by OCR, organizations should plan on a 30- to 90-day process. As in a Recovery Audit Contractor (RAC) audit, an entity has a set period of time to produce the requested information. The information may be requested either on-site or through a desk audit, which is described below.

Next, OCR reviews the information provided and drafts a report. The entity then has the opportunity to review and respond to the draft report, after which OCR finalizes the report.

The scope of the phase 1 audits was limited to the federal Privacy, Security and Breach Notification Rules. This does not mean that no state or international law provision was violated; such provisions simply were not addressed in the phase 1 audits.

Phase 2 audits will be more robust, in part due to a $4 million increase in OCR's 2016 budget. Another area of difference will be the number of on-site versus desk audits. During the phase 1 audits, covered entities were evaluated by a third party, who visited them on-site. Phase 2 audits will include a greater number of desk audits: entities respond to the audit from their desks by providing HHS with policies and documentation of privacy policies and procedures.

This is a signal: a key administrative area that will be examined during the audits is the adequacy of policies and procedures. Therefore, the number of administrative and security violations could increase significantly.

Key Areas of Risk

A good place for practices to start is to look at the findings from phase 1, as well as recent penalties assessed by HHS for HIPAA violations. Violations occurred in the administrative, technical and physical realms. The major areas of vulnerability were inadequate policies and procedures; missing encryption of USB drives, laptops and email; and inadequate employee security awareness and training.

Suggestions to Mitigate Adverse Findings

The most prudent approach is to be prepared ahead of time, much as for an IRS or Joint Commission audit. Whatever aspect of HIPAA compliance an organization is addressing, a good vantage point from which to start is the patient information. Every action should take into account the confidentiality, integrity and availability of that information. The way to make employees and contractors aware is through training, while the required way to hold business associates and subcontractors accountable is through the contractual obligations in a business associate agreement (BAA). Moreover, an annual risk assessment is a must. And the HHS website is the ideal place to find explanations of what the laws and regulations require.

Here are some tips to make sure that the practice is HIPAA compliant and avoids an adverse audit outcome:

  1. Begin compliance efforts from the vantage point of the government, which may "review pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation";
  2. Read Section 164.316 for what is required of policies and procedures from an administrative, technical and physical standpoint;
  3. Tailor policies and procedures to your individual practice;
  4. Know where the external and internal sources of protected health information are located;
  5. Encrypt everything, both at rest and in transit, and make sure that the level of encryption used is adequate;
  6. Train employees: Trustwave is a reputable vendor offering online training, and various organizations offer live courses; and
  7. Perform due diligence on third-party risk assessors for expertise, price and quality.

OCR audits and HIPAA compliance should not be taken lightly. RAC audits also started with a pilot program more than a decade ago and now generate a substantial amount of revenue for the government, as well as serving as a check on providers' claims submissions. Those submissions, by the way, are also required to be HIPAA-compliant.

The overall goal of the phase 2 audits is to raise awareness and provide the opportunity for entities to correct their practices surrounding the creation, receipt, transmission and maintenance of protected health information.

The flip side, however, is that OCR may assess a penalty. Given that there will be more on-site and business associate audits, the findings may translate into increased scrutiny by OCR on other fronts. Therefore, organizations of all types should treat an OCR audit like an IRS audit: a practice should be prepared for one. Failure to do so could be costly.

Original content by Modern Medicine Network

ALJ Upholds HIPAA Violations: $239,800 In Civil Monetary Penalties

Home health care provider Lincare, Inc. must pay $239,800 in civil monetary penalties for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, according to a February 3, 2016 press release from the U.S. Department of Health and Human Services (“HHS”). The announcement follows a January 13, 2016 administrative ruling granting summary judgment in favor of the HHS’s Office for Civil Rights (“OCR”). This is only the second time that OCR has sought civil monetary penalties for a HIPAA violation; OCR typically resolves violations through undertakings for voluntary compliance.

Lincare, a nationwide provider of respiratory care, infusion therapy, and medical equipment to in-home patients, came under investigation in 2008 after OCR received a complaint from the estranged husband of an Arkansas-based Lincare employee. Based on its subsequent investigation, OCR alleged that the employee routinely left documents containing 278 patients' protected health information ("PHI") in unsecured locations, such as the couple's shared car and home. It was undisputed that the employee's husband was not authorized to view the PHI. Moreover, according to OCR, the employee abandoned the documents altogether after moving residences.

In January 2014, after concluding the lengthy investigation, OCR cited Lincare for three violations of HIPAA’s Privacy Rule, which sets standards for the use and disclosure of protected health information. OCR issued corresponding civil monetary penalties for each alleged violation: (1) $25,000 for impermissible disclosure of PHI; (2) $25,000 for failure to safeguard PHI; and (3) $189,800 for insufficient policies and procedures related to the removal of PHI from business premises. In calculating penalties, OCR took into account that Lincare neglected to review and revise its HIPAA policies after learning about the complaint.

On appeal, Administrative Law Judge (“ALJ”) Carolyn Cozad Hughes granted summary judgment in favor of OCR after concluding that, based on the “undisputed evidence,” Lincare violated HIPAA’s Privacy Rule. Specifically, the ALJ found that Lincare failed to safeguard the PHI of patients; a Lincare employee disclosed patient PHI to an unauthorized individual; and Lincare lacked policies and procedures designed to ensure compliance with the Privacy Rule. Lincare waived any challenge to the penalty amount, and the ALJ sustained OCR’s proposed civil monetary penalties of $239,800. Lincare has 30 days to file a notice of appeal with the Appellate Division of the HHS Departmental Appeals Board.

Original content by JDSupra Business Advisor

University of Washington HIPAA Violations: Settlement Over Potential Violations

Dec. 14 — University of Washington Medicine reached a $750,000 settlement with the federal government to resolve allegations it violated the Health Insurance Portability and Accountability Act Security Rule, the government said Dec. 14.

The Department of Health and Human Services Office for Civil Rights began investigating UWM after receiving a November 2013 report of a breach that affected the electronic protected health information (PHI) of roughly 90,000 patients.

November HIPAA Breaches 2015

If you still think HIPAA doesn't apply to you, please take a look at this and think again. These are all current breaches that were submitted to OCR during the month of November.

Table items in blue are highlighted to show how many of the breaches involve healthcare IT. Most of the highlighted items could have been prevented with the proper setup, which would have kept these companies in the clear and out of violation fines.

| Covered Entity | State | Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breach |
|---|---|---|---|---|---|---|
| Rush University Medical Center | IL | Healthcare Provider | 1,529 | 11/6/2015 | Unauthorized Access/Disclosure | Paper/Films |
| Dean Health Plan | WI | Health Plan | 960 | 11/11/2015 | Loss | Paper/Films |
| Good Care Pediatric, LLP | NY | Healthcare Provider | 2,300 | 11/12/2015 | Hacking/IT Incident | Desktop Computer |
| OH Muhlenberg, LLC | KY | Healthcare Provider | 84,681 | 11/13/2015 | Hacking/IT Incident | Desktop Computer, Email, Laptop, Network Server |
| HealthPoint | WA | Healthcare Provider | 1,300 | 11/13/2015 | Theft | Laptop |
| Midlands Orthopaedics, P.A. | SC | Healthcare Provider | 3,902 | 11/13/2015 | Hacking/IT Incident | Network Server |
| UC Health, LLC | OH | Healthcare Provider | 1,064 | 11/14/2015 | Unauthorized Access/Disclosure | Email |

To view a full list of all reported breaches, visit the OCR Portal.

November HIPAA Settlement: Reminder for Users of Medical Devices

Lahey Hospital and Medical Center (Lahey) has agreed, in its November HIPAA settlement, to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts.

HIPAA Breaches 2015 – October

If you still think HIPAA doesn't apply to you, please take a look at this and think again. These are all current breaches that were submitted to OCR during the month of October.

Table items in blue are highlighted to show how many of the breaches involve healthcare IT. Most of the highlighted items could have been prevented with the proper setup, which would have kept these companies in the clear and out of violation fines.

| Covered Entity | State | Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breach |
|---|---|---|---|---|---|---|
| Baptist Health & Arkansas Health Group | AR | Healthcare Provider | 6,500 | 10/1/2015 | Unauthorized Access/Disclosure | Electronic Medical Records |
| Sentara Healthcare | VA | Healthcare Provider | 1,040 | 10/2/2015 | Theft | Other Portable Electronic Devices |
| CarePlus Health Plans | KY | Health Plan | 2,873 | 10/6/2015 | Unauthorized Access/Disclosure | Paper/Films |
| Insurance Data Services | MI | Business Associate | 2,918 | 10/8/2015 | Theft | Paper/Films |
| Anne Arundel Health Systems | MD | Healthcare Provider | 2,208 | 10/8/2015 | Unauthorized Access/Disclosure | Paper/Films |
| Aspire Home Care & Hospice | OK | Healthcare Provider | 4,278 | 10/9/2015 | Hacking/IT Incident | Email |
| The Johns Hopkins Hospital | MD | Healthcare Provider | 571 | 10/9/2015 | Theft | Laptop |
| SSM Health Cancer Center | MO | Healthcare Provider | 643 | 10/9/2015 | Unauthorized Access/Disclosure | Paper/Films |
| University of Oklahoma Department of Urology | OK | Healthcare Provider | 9,300 | 10/10/2015 | Theft | Laptop |
| Nephropathology Associates, PLC | AR | Healthcare Provider | 1,260 | 10/16/2015 | Unauthorized Access/Disclosure | Email |
| Emergence Health Network | TX | Healthcare Provider | 11,100 | 10/16/2015 | Hacking/IT Incident | Network Server |
| Woodhull Medical & Mental Health Center | NY | Healthcare Provider | 1,581 | 10/19/2015 | Theft | Laptop |
| BeHealthy Florida, Inc. | FL | Health Plan | 835 | 10/19/2015 | Unauthorized Access/Disclosure | Paper/Films |
| North Carolina Department of Health & Human Services | NC | Health Plan | 1,615 | 10/19/2015 | Hacking/IT Incident | Email |
| OsteoMed LP | TX | Health Plan | 1,134 | 10/20/2015 | Theft | Other |
| Indian Territory Home Health & Hospice | OK | Healthcare Provider | 4,500 | 10/22/2015 | Hacking/IT Incident | Email |
| Envision RX | OH | Business Associate | 540 | 10/23/2015 | Unauthorized Access/Disclosure | Paper/Films |
| Children's Medical Clinics of East Texas | TX | Healthcare Provider | 16,0000 | 10/28/2015 | Unauthorized Access/Disclosure | Desktop Computer |