Health Law Gurus

Health Law: News, Commentary & Insights

Category Archives: Security

Securing ePHI in a Mobile Health World

Posted in HIPAA, Privacy, Security, Technology, Telemedicine
Could a lost cell phone or laptop cost your organization millions of dollars? Mobile devices have enabled vast improvements in the efficiency and quality of healthcare delivery. Through the use of mobile devices, patients and providers can access real-time information that can lead to better health outcomes through improving medication compliance and understanding of treatment… Continue Reading

BEWARE OF THE MAN-IN-THE-MIDDLE: Malicious Eavesdroppers on the Internet

Posted in Compliance Issues, Cybersecurity, Privacy, Security, Technology
Imagine this: Dr. Primary is treating Patty Patient for substance abuse and emails Patty Patient’s protected health information (PHI) to a treatment clinic. Before the email arrives at the clinic, it is intercepted by a third party, Evan Eavesdropper, who publishes the PHI on the internet. Evan Eavesdropper also decides to alter the PHI in… Continue Reading

Time is of the Essence When Reporting a Breach of PHI

Posted in Business Associates, Covered Entities, HIPAA, Privacy, Security
The failure to timely report a breach of unsecured protected health information (PHI) has cost Presence Health (one of the largest health systems in Illinois) almost half of a million dollars. Earlier this month, Presence Health agreed to pay $475,000 and enter into a corrective action plan (CAP) with the Office for Civil Rights (OCR)… Continue Reading

20 Years of HIPAA – Where We’ve Been and Where We’re Going

Posted in Guest Contributor, HIPAA, Privacy, Security
On August 21, 1996, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law by President Bill Clinton. The original purpose of the Act, which amended the Internal Revenue Code of 1986, was to improve the portability and continuity of health insurance coverage, combat waste, fraud, and abuse, promote the use… Continue Reading

Record-Breaking HIPAA Settlement Sends Strong Message to Covered Entities

Posted in Covered Entities, HIPAA, Privacy, Security
This month marked the largest HIPAA settlement to date for a single entity. Advocate Health Care Network (“Advocate”) agreed to pay $5.5 million and adopt a corrective action plan after an investigation by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) revealed that Advocate’s widespread noncompliance with the requirements of HIPAA affected… Continue Reading

HIPAA Compliance Is a Health Care Entity’s Secret Weapon in Preventing and Combating Ransomware Attacks

Posted in Business Associates, Covered Entities, Cybersecurity, HIPAA, Privacy, Security
One of the fastest growing areas of cybercrime is ransomware. Ransomware is a type of malicious software that encrypts data and makes it inaccessible to authorized users. The hackers who orchestrate ransomware attacks demand that authorized users pay a ransom in order to obtain the key to decrypt their data. Payment is generally required to… Continue Reading

Protected Health Information: Providers Must Proceed with Caution

Posted in HIPAA, Medical Records, Mental Health Procedures Act, Pennsylvania, Privacy, Security
Medical records are a powerful weapon in the courtroom. They may reveal the extent of an individual’s injury in a personal injury case or substantiate the severity of an individual’s mental illness when that mental illness is being used as a defense. However, while using medical records in litigation can be a dream come true… Continue Reading

Breach of ePHI Results in $2.7 Million Fine

Posted in Business Associates, Covered Entities, HIPAA, Security
Oregon Health & Science University (“OHSU”) has paid $2.7 million to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) to settle allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). OHSU must also comply with a three-year corrective action plan. OCR began an investigation of… Continue Reading

Spring Showers Bring HIPAA Breaches

Posted in Business Associates, Covered Entities, HIPAA, Privacy, Security
OCR has announced several recent settlement agreements to resolve violations of the Health Insurance Portability and Accountability Act (“HIPAA”). These settlement amounts range from $25,000 to $3.9 million and illustrate a range of mistakes that health care providers make with respect to their HIPAA compliance. This post briefly summarizes OCR’s findings with respect to… Continue Reading

Ask the Health Law Gurus™: What Is a Civil Monetary Penalty and How Is It Different from an OCR Settlement?

Posted in Ask the Health Law Gurus™, Business Associates, Covered Entities, HIPAA, Privacy, Security
The Health Law Gurus™ are here to help you stay current on issues and breaking news in health law. To help you stay up-to-date, we are excited to announce our new segment, “Ask the Health Law Gurus™.” Each month, we will select a reader’s question and answer it here, on the Health Law Gurus™ blog.… Continue Reading

Historic Moment: Husband Reports Wife’s HIPAA Violation Triggering Six Figure Penalty Against Employer

Posted in Covered Entities, HIPAA, Privacy, Security
For the second time in history, the Office for Civil Rights (“OCR”) has imposed a civil monetary penalty (“CMP”) against a covered entity for violations of the Health Insurance and Portability Act (“HIPAA”). Lincare, Inc., a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, is required to pay a $239,800 CMP… Continue Reading

False Claims about Encryption Cost an Arm, a Leg, and a Tooth

Posted in FTC, HIPAA, Security
Earlier this month, Henry Schein Practice Solutions, Inc. (“Schein”), a provider of office management software to dental practices, learned the hard way that exaggerating the capabilities of its products can be very costly. On January 5, 2016, Schein agreed to pay the Federal Trade Commission (the “FTC”) $250,000 to settle claims that it falsely advertised… Continue Reading

Are Wearable Devices a Privacy Nightmare?

Posted in Privacy, Security, Technology
Wearable devices, such as fitness trackers and smart watches, have taken the United States technology industry by storm. In the past three years, there has been a 500% increase in the number of fitness bands and activity trackers sold. The research firm Market and Market predicts that the industry will continue to grow at unprecedented… Continue Reading

High Cost of HIPAA Violations Demonstrated in $3.5 Million Settlement

Posted in Business Associates, Covered Entities, HIPAA, HITECH, Privacy, Security
Triple-S Management Corporation (“Triple-S”), on behalf of its wholly-owned subsidiaries, Triple-S Salud, Inc., Triple-C, Inc., and Triple-S Advantage, Inc., has agreed to pay $3.5 million as part of a Resolution Agreement with the Department of Health and Human Services Office of Civil Rights (“OCR”) (“Resolution Agreement”). The Resolution Agreement settled all potential liabilities related to… Continue Reading

Hospital’s Turkey Dinner Is $850,000 Fine for Failure to Secure Mobile Medical Devices

Posted in HIPAA, HITECH, Prescription Drugs and Medical Devices, Privacy, Security
Just before Thanksgiving, Lahey Hospital and Medical Center (“Lahey”), a non-profit teaching hospital located in Burlington, Massachusetts, agreed to pay $850,000 for a breach of unsecured electronic protected health information (“ePHI”). Lahey will also be required to implement a corrective action plan. The breach occurred in 2011 when an unencrypted laptop was stolen from an… Continue Reading

Medical Devices a Target for Online Hackers

Posted in Cybersecurity, Prescription Drugs and Medical Devices, Privacy, Security, Technology
In the past few years, medical devices have become a major target for online criminals. Not only are medical devices considered to be one of the easiest and most vulnerable points of entry into a health care enterprise, they are one of the most difficult areas to remediate even when an attack has been identified.… Continue Reading

OCR Audits to Begin in 2016

Posted in Business Associates, Covered Entities, HIPAA, HITECH, Privacy, Security
Beginning in 2016, the United States Department of Health and Human Services’ Office for Civil Rights (OCR) will conduct another round of audits to gauge compliance with privacy provisions in the Health Insurance Portability and Accountability Act (HIPAA). This announcement comes in the wake of criticism leveled against OCR for inconsistencies enforcing the HIPAA Rules.… Continue Reading

Controversial Cybersecurity Information Sharing Act Passes in Senate

Posted in Cybersecurity, Legislation, Privacy, Security
This week, the Senate passed a cybersecurity bill, called the Cybersecurity Information Sharing Act of 2015 (the “CISA”), by a vote of 74 to 21. With the Senate’s vote, the bill is one step closer to becoming law. The CISA authorizes the Director of National Intelligence, the Department of Homeland Security, the Department of Defense,… Continue Reading

Physician Group Practice Pays $750,000 for Breach of Unsecured Electronic Protected Health Information on Electronic Device

Posted in Covered Entities, HIPAA, Privacy, Security
Cancer Care Group, P.C. (“CCG”), a radiation oncology physician group practice in Indiana, agreed to pay $750,000 for a breach of unsecured electronic protected health information (“ePHI”). CCG will also implement a corrective action plan. The breach occurred in 2012 when a CCG employee’s unattended laptop bag was stolen from a car. The laptop bag contained… Continue Reading

Hospital Pays $218,400 to OCR for HIPAA Violations

Posted in Compliance Issues, Covered Entities, HIPAA, Privacy, Security
St. Elizabeth’s Medical Center (“SEMC”), a tertiary care hospital in Brighton, Massachusetts, has agreed to pay $218,400 to the Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SEMC will also implement a corrective action plan. The settlement stems from a 2012 complaint to… Continue Reading

Revised Guidance for Privacy and Security of Electronic Health Information Released by Government

Posted in Business Associates, Covered Entities, EHR, HIPAA, Privacy, Security
The Office of the National Coordinator for Health Information Technology (“ONC”) has released a revised Guide to Privacy and Security of Electronic Health Information (the “Guide”), which is intended to be a resource for small and medium-sized health care providers, health IT and other information technology professionals, and business associates regarding federal health information privacy… Continue Reading

Pharmacy Pays $125,000 for Failure to Properly Dispose of Paper Records

Posted in Compliance Issues, Covered Entities, HIPAA, Privacy, Security
Cornell Prescription Pharmacy (“CPP”), a Colorado single-location pharmacy, has agreed to pay $125,000 to the United States Department of Health and Human Services, Office for Civil Rights to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). CPP will also adopt a two-year corrective action plan. The settlement is the… Continue Reading

Premera Blue Cross Targeted by Hackers – 11 Million Individuals Compromised

Posted in Cybersecurity, HIPAA, Privacy, Security
Premera Blue Cross (“Premera”) announced this week that it has been the target of a sophisticated cybersecurity attack in which the information of approximately 11 million individuals has been compromised. This announcement comes on the heels of the cybersecurity attack against health insurer Anthem, Inc., which affected approximately 80 million individuals.… Continue Reading