Tag Archive | "breach notification"

HHS Online Data Breach List Thrives

Wednesday, May 19, 2010

Many reported cases involve electronic systems, but paper records are still a security threat. Theft, loss, unauthorized access, or hacking: whatever the breach is, HHS encourages people to turn to their computers and report it online. HHS then reports the specifics of breaches of security that affect 500 or more individuals. Presently, 64 cases are posted online, which allegedly affected about 1.2 million individuals.

Does OCR Verify PHI Breach Complaints Before Investigating?

Wednesday, April 21, 2010

Question: Does the HHS Office of Civil Rights verify the complaints it gets concerning breaches of private health information in alleged violation of HIPAA’s privacy or security rules before launching an investigation? As a covered entity, we’re concerned that someone might decide to use the breach reporting system on OCR’s web site to make totally unfounded complaints and harass our organization. Read on for the answer, straight from the OCR’s mouth…

Cost of Security Breaches Continues to Escalate

Wednesday, March 3, 2010

Surprise! Stuff on a middle manager’s laptop is more valuable than stuff on a CEO’s. Yet another health care company made the news recently with a stolen laptop: A local Florida paper reported on Feb. 15, 2010 that two laptops stolen from AvMed Health Plans’ corporate office in Gainesville, FL contained personal information — including PHI — of over 200,000 people. Studies show that security breach incidents are costing companies — including health care providers and plans — more and more money, as well as customers. In the AvMed case, the data was not protected properly, according to a statement by AvMed. The breach occurred in late December, and AvMed began notifying affected patients in early February.

HIPAA Compliance: Practical Breach Notification Tips

Wednesday, January 27, 2010

If a breach involves 500+ people, here’s what your health care organization will suffer. Picture this: A nurse hands a patient someone else’s discharge papers but promptly discovers the error and retrieves the protected health information. Would your health care organization have to report that as a breach of unsecured PHI under HIPAA notification rules? The answer: It depends. The scenario wouldn’t constitute a breach — “if the nurse can reasonably conclude that the patient couldn’t have read or otherwise retained the information,” according to the Health & Human Services’ (HHS) interim final rule implementing the new requirements. But suppose the patient turned the corner and was out of sight momentarily and the discharge orders included “a sensitive diagnosis such as HIV, and the facility was in a small community” — or the nurse had reviewed the discharge orders with the patient, says Chicago attorney Michael Roach. Those scenarios could trigger the notification requirements, he…

If a PHI Breach Fits One of These Exceptions, You May Be Home Free

Wednesday, January 27, 2010

Include this information as part of your risk analysis. Knowing what doesn’t count as a breach under new HIPAA notification rules can help you weigh whether to report a disclosure of unsecured protected health information. The rules include four exceptions, as follows: Exception No. 1. An unintended acquisition, access or use of PHI by a person with authority to handle PHI who is acting in good faith. Also, “there’s no further acquisition, access or use of the PHI,” says attorney Kathryn Solley, with Atlanta law firm Seyfarth Shaw LLP.

Connecticut AG Sues Health Net for Security Breach

Tuesday, January 19, 2010

State prosecutors see HITECH as a big stick. If you practice medicine or run a plan in Connecticut, make sure all your practice or organization’s security breach notification policies are in order: The Attorney General is not messing around when it comes to HIPAA enforcement. Following its loss in May 2009 of a portable disk drive from a corporate office, Health Net of Connecticut, Inc. has become the first health plan to get popped by a state attorney general under the HITECH Act’s new enforcement provisions, which allow state AGs to enforce HIPAA’s penalty provisions for security violations.

Your Hospital’s Quick Start Guide to Information Security Management

Wednesday, December 9, 2009

Do you have a security compliance plan? Take these 5 steps first. Hospitals are understandably spending much time and money these days trying to prepare or go live with an electronic medical records system, but don’t forget that interconnected health records bring a new threat to data security. If you don’t want your facility in tomorrow’s headlines, make sure you have an information security process in place that will guide you if and when you experience data breaches. “In the future, with interconnected health records, when you can go into hospital and they can call up your records from across country, what if a chunk of it is fraudulent?” asked Jim Sheldon-Dean, director of compliance services with Lewis Creek Systems LLC, in a recent audio conference. “The importance of getting this right cannot be overstated.” The possible…

Health Care Organizations Lag on HIT Security

Wednesday, November 11, 2009

Despite new legal requirements like HITECH, health care organizations have not made a lot of progress in the last year in preparing for security challenges such as privacy breaches and electronic PHI, according to a new survey released Nov. 3, 2009 by the Healthcare Information and Management Systems Society. “Healthcare organizations have made relatively little change since the assessment of the market HIMSS conducted in 2008 across a number of important areas of the security environment,” warns the industry group in its 2009 Security Survey. “Respondents characterized their own maturity level as mid-range, budgets dedicated to security remain low, and many organizations still do not have a formally designated CSO/CISO.”
