All Posts Tagged: HIPAA compliance


Does HIPAA Compliance Give A False Sense of Security?

The fact that HIPAA compliance isn’t bulletproof – that cyber security frameworks around health information require a new level of vigilance – is now axiomatic. Perhaps owing to whatever legislative sausage-making gave birth to HIPAA, the law, whose purpose is to protect the privacy and security of protected health information, offers no guidance on how to follow it.


Missing Box of Records Among Montana VA Privacy Violations

FORT HARRISON – A recent report shows a pattern of patient privacy violations at the Veterans Affairs medical system. And the VA Montana at Fort Harrison has not been immune — with dozens of violations since 2011, including the apparent disappearance of a box containing the records of 171 patients.

Online news organization ProPublica obtained the data from the U.S. Department of Veterans Affairs and the U.S. Department of Health and Human Services Office of Civil Rights, which track violations of the nation’s main privacy law — the Health Insurance Portability and Accountability Act, or HIPAA.

The report shows 59 HIPAA violations in Montana reported in 2011 or thereafter — 44 of them involving VA Montana (including two violations at the VA’s Denver office that involved Montana patients).

Nearly all of the HIPAA violations involved mistakenly sending information, bills or lab results to the wrong veteran.

But one violation stands out: Back in 2010, the VA in Sheridan, Wyoming, sent a box with the records of 171 veterans to the wrong location — a VA warehouse at Fort Harrison, where a VA worker signed for it, according to a letter uncovered by ProPublica.

“Following receipt at the VA’s warehouse, the box was lost and never found,” the regional director of the USHHS Office of Civil Rights recounted in a letter to the VA in November 2011. The letter says it’s possible warehouse personnel forwarded the papers to the correct recipient, the Network Authorization Office. But the NAO was unable to confirm it ever got them. The VA revised its mail procedures as a result of the breach, the letter says, and instituted a new software system to allow the NAO access to scanned records to perform its audits.

In another case, an unauthorized VA staffer found a patient’s cell phone number in medical records. In all cases, the VA provided credit monitoring services for those affected.

In an email, a VA Montana spokesman noted that the most common violation — information mailed to the wrong veteran — occurred in just 18 of the more than 500,000 mailings VA Montana sent in Fiscal Year 2015. “Despite the incredibly low incidence of missed mailings, VA Montana has worked diligently to reduce them entirely by implementing strict staff procedures that emphasize quality and accountability,” the spokesman, Mike Garcia, wrote.

The VA requires annual privacy and information security training for all its employees and contractors, he said, and they are required to report all violations. In addition to the 44 violations connected to the VA, the ProPublica data shows 15 violations at health care providers and others in Montana.

Available details on most of those violations are sparse, but the incidents include the 2014 hack of data at the Montana Department of Public Health and Human Services, in which hundreds of thousands of pieces of sensitive information may have been vulnerable.

Original Content by KBZK


The 10 Worst Data Breaches 2015

There’s no sugarcoating the fact that 2015 was a dizzying year for data breaches, and disastrous for many organizations and consumers. In the first half of the year alone, Gemalto NV found that 888 disclosed security incidents compromised nearly 246 million records worldwide.


November HIPAA Breaches 2015

If you still think HIPAA doesn’t apply to you, please take a look at this and think again. These are all current breaches that were submitted to the OCR within the month of November.

Table items in blue are highlighted to show how many of the breaches involve healthcare IT. Most of the highlighted items could have been prevented with the proper setup, which would have kept these companies in the clear and out of violation fines.

November HIPAA Breaches 2015

Covered Entity                | State | Type                | Individuals Affected | Breach Submission Date | Type of Breach                 | Location of Breach
Rush University Medical Center | IL    | Healthcare Provider | 1,529                | 11/6/2015              | Unauthorized Access/Disclosure | Paper/Films
Dean Health Plan               | WI    | Health Plan         | 960                  | 11/11/2015             | Loss                           | Paper/Films
Good Care Pediatric, LLP       | NY    | Healthcare Provider | 2,300                | 11/12/2015             | Hacking/IT Incident            | Desktop Computer
OH Muhlenberg, LLC             | KY    | Healthcare Provider | 84,681               | 11/13/2015             | Hacking/IT Incident            | Desktop Computer, Email, Laptop, Network Server
HealthPoint                    | WA    | Healthcare Provider | 1,300                | 11/13/2015             | Theft                          | Laptop
Midlands Orthopaedics, P. A.   | SC    | Healthcare Provider | 3,902                | 11/13/2015             | Hacking/IT Incident            | Network Server
UC Health, LLC                 | OH    | Healthcare Provider | 1,064                | 11/14/2015             | Unauthorized Access/Disclosure | Email

To view a full list of all reported breaches, visit the OCR Portal.


Triple-S HIPAA Settlement: $3.5 Million HIPAA Settlement

Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.

“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”

TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement.

After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:

  • Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
  • Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
  • Use or disclosure of more PHI than was necessary to carry out mailings;
  • Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries. The program includes:

  • A risk analysis and a risk management plan;
  • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
  • Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
  • A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises.

Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA.

“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”

The Resolution Agreement and Corrective Action Plan can be found on the OCR website.

HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis.

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit H.H.S. at
