Healthcare Data Privacy

Wyoming Considers Repealing Hospital Records Act

Posted February 6, 2019 by HIPAA Journal

Wyoming is considering repealing the Hospital Records Act of 1991, an act that was introduced to ensure the privacy of patient information was protected. The law was enacted before the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and provided protections that did not previously exist at the state or federal level.

The Hospital Records Act introduced similar protections for patients those provided by HIPAA. The Act covered disclosures of patient information by hospitals, authorizations from patients prior to disclosure of patient information, the publishing notices of privacy practices, the persons authorized to act on behalf of patients, and security safeguards and rules covering record retention.

The Hospital Records Act was effective at the time but following the enactment of HIPAA and its subsequent Privacy and Security Rules, it became redundant.

While the requirements of both the federal and state laws are similar, there are several discrepancies between the two laws and the compliance requirements differ slightly.

The Hospital Records Act is seen to be creating unnecessary regulatory hurdles for hospitals as well as causing some issues for law enforcement. For some hospitals, the complications of having to comply with both sets of regulations could place them at risk of fines for non-compliance with HIPAA.

The Wyoming law is also primary focused on hospitals. Hospitals are required to comply with both laws, while physician’s offices are only required to comply with HIPAA. Repealing the law would make compliance uniform for all healthcare organizations.

Sen. Dave Kinskey (R-Sheridan); Rep. Mark Kinner (R-Sheridan); and Rep. Cyrus Western (R-Big Horn) have sponsored the bill (Senate File 96 SF0096). If enacted, Wyoming would hospital records and information statutes repealed, and the state would rely on the protections demanded by HIPAA. Hospitals would benefit from greater clarity over privacy and security requirements without reducing patient privacy protections.

The bill was introduced in the House on January 29, 2019 after passing three readings in the state Senate.

The post Wyoming Considers Repealing Hospital Records Act appeared first on HIPAA Journal.

Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm

Posted February 1, 2019 by HIPAA Journal

The Illinois Supreme Court has ruled that individuals whose privacy has been violated through a breach of the Illinois Biometric Information Privacy Act can take legal action against a private entity, even if the violation of BIPA has not resulted in actual harm.

The Illinois Biometric Information Privacy Act, enacted in 2008, requires private entities to inform a person in writing that their biometric information will be collected or stored. The purpose for the collection or storage of that data and the length of time the information will be retained must also be explained. The entity must also obtain written authorization from an individual or that individual’s legal representative before biometric data can be collected or stored.

Biometric data includes fingerprints, voiceprints, hand scans, iris scans, and other biometric means of identifying a person.

In contrast to HIPAA, which has no private cause of action, individuals can sue companies for Illinois Biometric Information Privacy Act (BIPA) violations. Illinois is unique in that respect. Other states such as Texas and Washington have similar laws, but in those states, there is no private cause of action. Further, according to a ruling by the Illinois Supreme Court on January 25, 2019, legal action can be taken without an allegation of actual injury or an adverse event as a result of the violation.

Plaintiff Stacy Rosenbach took legal action against Six Flags Entertainment Corp., following a visit to a Six Flags amusement park by her 14-year-old son. He was required to provide his fingerprint to access the amusement park. Nether Stacy Rosenbach nor her son were informed in writing about the reason for collecting her son’s fingerprint or the length of time it would be stored. Written authorization to collect the fingerprint was also not obtained by Six Flags.

The plaintiff did not allege harm in the case, which was filed solely over the violation of BIPA. Six Flags sought to have the case dismissed for lack of standing as the plaintiff had not suffered actual harm or threatened injury. The circuit court denied the motion to dismiss, that decision was reversed by the court of appeal, and the Supreme Court reversed the court of appeal’s decision.

The court’s held that a technical violation of BIPA is, in itself, sufficient to support an individual’s statutory cause of action. No proof of an actual injury or damage as a result of the BIPA violation is required and consumer’s need not wait until they have suffered harm as a result of the violation to take legal action.

If it can be established and proven that a violation of BIPA has occurred due to negligence, individuals could receive up to $1,000 for each violation. In cases of reckless or intentional violations of BIPA, up to $5,000 could be received per violation.

According to the ruling, ensuring compliance with BIPA is not difficult and the costs of compliance are likely to be insignificant compared to the substantial and irreversible harm that could be caused to consumers if their biometric identifiers are not appropriately safeguarded and kept private and confidential.

The post Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm appeared first on HIPAA Journal.

Aetna Settles HIV Status Breach Case with California AG for $935,000

Posted February 1, 2019 by HIPAA Journal

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy violation that exposed state residents’ HIV status.

On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates. Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California.

The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution.

In addition to the financial penalty, the settlement agreement requires Aetna to designate an employee to implement and maintain its mailing program, oversee compliance with state and federal laws, and the management of external vendors to ensure they handle medical data in compliance with state and federal laws and Aetna’s policies and procedures. Aetna is also required to complete an annual privacy risk assessment to evaluate compliance with the terms of the settlement for the next three years.

“A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry,” said Attorney General Bercerra. “Aetna violated the public’s trust by revealing patients’ private and personal medical information.”

The privacy violation has proven expensive for Aetna. In January 2018, Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200. Also in January, Aetna agreed to pay the New York Attorney General $1,150,000 to settle its case and resolve alleged HIPAA violations and breaches of state law.

A further $640,170.59 was paid to settle a multi-state action by Attorneys General in New Jersey, Connecticut, Washington, and the District of Columbia. The latest settlement brings the total financial penalties issued to date in relation to the breach to $2,725,170.59.

The post Aetna Settles HIV Status Breach Case with California AG for $935,000 appeared first on HIPAA Journal.

Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data

Posted January 31, 2019 by HIPAA Journal

The Oregon Health Information Property Act proposes patients should be allowed to give authorization to their healthcare providers to sell on their health data and to receive payment in exchange for allowing their data to be used by third parties.

Currently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless consent is first obtained from patients.

The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allow an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. That information can be valuable to research organizations and other entities.

Senate Bill 703, dubbed the Oregon Health Information Property Act, is sponsored by Senator Floyd Prozanski (D-Eugene) and has the support of than 40 co-sponsors. Essentially, the bill would see consumers health information treated in a similar way to property and would allow them to profit from its sale.

The Oregon Health Information Property Act

The Oregon Health Information Property Act has three main components:

It would require HIPAA-covered entities and their business associates and subcontractors to obtain a signed authorization from consumers before they de-identify PHI to sell on to third parties.
Consumers could choose if they want to receive payment in exchange for giving authorization to allow their health data to be sold.
The bill also prevents consumers from being discriminated against for refusing to sign an authorization or choosing to receive payment.

HIPAA-covered entities are able to profit from selling de-identified data so it is argued that patients should receive a cut of the payment; however, despite having attracted considerable support, concern has been voiced about the impact of these authorizations.

The bill, in its current form, does not place any limitations on the uses of health data once authorization has been provided. Information could therefore be used for a wide range of purposes once authorization has been given – Reasons that may not necessarily be listed on the authorization form.

The bill also makes no distinction between an individual’s protected health information, health information or de-identified data. By signing a form to receive a small payment, consumers would be relinquishing their privacy and important protections afforded by HIPAA, which could have various unintended repercussions.

The post Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data appeared first on HIPAA Journal.

New Cybersecurity Framework for Medical Devices Issued by HSCC

Posted January 30, 2019 by HIPAA Journal

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector.

More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing Act of 2015.

“It is important for medical device manufacturers and health IT vendors to consider the JSP’s voluntary framework and its associated plans and templates throughout the lifecycle of medical devices and health IT because doing so is expected to result in better security and thus better products for patients,” explained HSCC.

Cybersecurity controls can be difficult to integrate into existing processes. Organizations often fail to recognize how important security controls are, and when considering how to enhance cybersecurity many do not know where to start or have insufficient resources to devote to the task. The framework helps by providing guidance on how to create a security policy and procedures that align with and integrate into existing processes.

HSCC is urging organizations to commit to implementing the JSP as it is believed that by doing so patient safety will be improved.

The JSP can be adopted by organizations of all sizes and stages of maturity and helps them enhance cybersecurity of medical devices by addressing key challenges. Many large manufacturers have already created similar cybersecurity programs to the JSP, so it is likely to be of most use for small to medium sized companies that lack awareness of the steps to take to improve cybersecurity as well as those with fewer resources to devote to cybersecurity.

The JSP utilizes security by design principles and identifies shared responsibilities between industry stakeholders to harmonize security standards, risk assessment methodologies, reporting of vulnerabilities, and improve information sharing between device manufacturers and healthcare providers. The JSP covers the entire lifecycle of medical devices, from development to deployment, management, and end of life. The JSP includes several recommendations including the incorporation of cybersecurity measures during the design and development of medical devices, handling product complaints related to cybersecurity incidents, mitigation of post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.

The Medical Device and Health IT Joint Security Plan can be downloaded on this link.

The post New Cybersecurity Framework for Medical Devices Issued by HSCC appeared first on HIPAA Journal.

Patches Released to Mitigate Stryker Medical Bed KRACK Vulnerabilities

Posted January 30, 2019 by HIPAA Journal

Nine vulnerabilities have been identified in Stryker Medical Beds. The vulnerabilities could be exploited in a man-in-the-middle attack by an attacker within radio range of vulnerable product to replay, decrypt, or spoof frames.

The vulnerabilities are present in the four-way handshake used by WPA and WPA2 wireless security protocols which allow nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities have been identified in a wide range of wireless devices.

The nine vulnerabilities are summarized below:

CVE-2017-13077: Reinstallation of pairwise key in the four-way handshake.
CVE-2017-13078: Reinstallation of group key in the four-way handshake.
CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake.
CVE-2017-13080: Reinstallation of group key in the group key handshake.
CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake.
CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the fast BSS transmission handshake.
CVE-2017-13086: Reinstallation of Tunneled Direct-Link Setup Peer Key in the Tunneled Direct-Link Setup handshake.
CVE-2017-13087: Reinstallation of the Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.
CVE-2017-13088: Reinstallation of the Integrity Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.

The group of vulnerabilities have collectively been assigned a CVSS v3 base score of 6.8 – Medium severity. The flaws were identified by Mathy Vanhoef of imec-DistriNet, KU Leuven and reported to the National Cybersecurity & Communications Integration Center (NCCIC).

Mitigations

Software updates have been released by Stryker to mitigate the vulnerabilities:

Users of Gateway 2.0 should upgrade to software version 5212-400-905_3.5.002.01
Users of Gateway 3.0 should upgrade to software version 5212-500-905_4.3.001.01

No patch is available for Gateway 1.0.

Additional measures can also be taken to reduce the risk of exploitation of the vulnerabilities. These include disabling iBed functionality if it is not being used, operating the products on a separate VLAN, and applying updates that include the KRACK patch to wireless access points.

The post Patches Released to Mitigate Stryker Medical Bed KRACK Vulnerabilities appeared first on HIPAA Journal.

GDPR Incorporated into the HITRUST CSF

Posted January 29, 2019 by HIPAA Journal

HITRUST has combined the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST HSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements.

Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater.

Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible.

“As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex,” said HITRUST chief privacy officer, Anne Kimbol. “Many countries have their own unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally.”

HITRUST has completed the formal application process to the Irish Data Protection Commission and the EU Data Protection Board to have the HITRUST CSF officially recognized as meeting GDPR certification standards and hopes to be confirmed as an accredited certification body for GDPR.

In addition to GDPR, HITRUST has incorporated the Singapore Personal Data Protection Act (PDPA) into the HITRUST HSF and is currently working toward becoming an Accountability Agent under Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.

“Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally,” explained HITRUST VP of standards and analysis, Bryan Cline.

The post GDPR Incorporated into the HITRUST CSF appeared first on HIPAA Journal.

Multiple Flaws Identified in LabKey Server Community Edition

Posted January 29, 2019 by HIPAA Journal

Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code through the Labkey browser.

LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed.

CVE-2019-3911 – Reflected XSS

Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v 18.3.0 related to the validation and sanitization of query functions, in particular, the query.sort parameter. The parameter is reflected in output to the user and is interpreted by the browser, which opens to door for a cross site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication.

CVE-2019-3912 – Open Redirects

Open redirects via returnURL are present throughout LabKey Server which could be manipulated to redirect users to a location under the control of the attacker. __r paths are the easiest to manipulate.

CVE-2019-3913 – Network Drive Mapping Logic Flaw

Improper sanitization of supplied values in the mount function allows a user to manipulate arguments in the ‘net use’ command when mapping network drives. Tenable has illustrated one of the vulnerabilities in a proof of concept exploit, which allows a user to supply any valid drive letter which will result in the application ending the connection, even if the remainder of the mapping command is not correct. Admin access to the web interface would be required for this vulnerability to be exploited. This flaw could be exploited to map a malicious drive to the server.

Tenable Research disclosed the vulnerabilities to LabKey and patches were developed to correct the three flaws. Updates correcting each of the vulnerabilities were released on January 16, 2019.

To prevent the flaws from being exploited, all users should update to LabKey Server Community Edition 18.3.0-61806.763 or later as soon as possible.

The post Multiple Flaws Identified in LabKey Server Community Edition appeared first on HIPAA Journal.

Analysis of 2018 Healthcare Data Breaches

Posted January 28, 2019 by HIPAA Journal

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR).

2018 Was a Record-Breaking Year for Healthcare Data Breaches

Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States.

The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year.

In 2018, 365 healthcare data breaches were reported, up almost 2% from the 358 data breaches reported in 2017 and 83% more breaches that 2010.

2018 was the worst year in terms of the number of breaches experienced, but the fourth worst in terms of the number of healthcare records exposed, behind 2015, 2014, and 2016. The last two years have certainly seen an improvement in that sense, although 2018 saw a 157.67% year-over-year increase in the number of compromised healthcare records.

2018 Healthcare Data Breaches by Month

Healthcare Records Exposed Each Month in 2018

Largest 2018 Healthcare Data Breaches

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	AccuDoc Solutions, Inc.	Business Associate	2,652,537	Hacking/IT Incident
2	Iowa Health System d/b/a UnityPoint Health	Business Associate	1,421,107	Hacking/IT Incident
3	Employees Retirement System of Texas	Health Plan	1,248,263	Unauthorized Access/Disclosure
4	CA Department of Developmental Services	Health Plan	582,174	Theft
5	MSK Group	Healthcare Provider	566,236	Hacking/IT Incident
6	CNO Financial Group, Inc.	Health Plan	566,217	Unauthorized Access/Disclosure
7	LifeBridge Health, Inc	Healthcare Provider	538,127	Hacking/IT Incident
8	Health Management Concepts, Inc.	Business Associate	502,416	Hacking/IT Incident
9	AU Medical Center, INC	Healthcare Provider	417,000	Hacking/IT Incident
10	SSM Health St. Mary’s Hospital – Jefferson City	Healthcare Provider	301,000	Improper Disposal

Click for further information on the largest healthcare data breaches of 2018.

Causes of 2018 Healthcare Data Breaches

The biggest causes of healthcare data breaches in 2018 were hacking/IT incidents (43.29%) and unauthorized access/disclosures (39.18%), which together accounted for 82.47% of all data breaches reported in 2018. There were 42 theft incidents (11.5%) reported in 2018, 13 cases (3.56%) of lost PHI/ePHI, and 9 cases (2.47%) of improper disposal of PHI/ePHI.

There was a 5.33% annual increase in hacking/IT incidents – 158 breaches compared to 150 in 2017. While the number of hacking/IT-related breaches rose only slightly, the breaches were far more damaging in 2018 and resulted in the theft/exposure of 161.89% more healthcare records. The mean breach size of hacking/IT incidents in 2017 was 23,218 records and in 2018 it rose to 57,727 records in 2018 – A year-over-year increase of 148.63%.

2018 saw an even larger increase in unauthorized access/disclosure incidents. 14.4% more incidents were reported in 2018 than 2017 and 146.49% more healthcare records were exposed in unauthorized access/disclosure incidents than the previous year. The mean breach size of unauthorized access/disclosure incidents in 2017 was 9,893 records and 21,316 records in 2018 – An increase of 115.47%.

Loss, theft, and improper disposal incidents all declined in 2018. Loss incidents fell from 16 to 13 year-over-year (-18.75%), improper disposal incidents fell from 11 to 9 (-18.18%), and theft incidents fell from 56 in 2017 to 42 in 2018 (-25%).

While there was a reduction in the number of cases of theft and improper disposal year-over-year, the severity of those two types of breaches increased in 2018. The mean breach size of theft incidents rose from 6,908 records in 2017 to 16,605 records in 2018 – A rise of 140.37%. Improper disposal incidents increased from a mean of 2,802 records in 2017 to 37,794 records in 2018 – A rise of 1,248.82%.

There was a slight reduction in the severity of loss incidents, which fell from an average of 2,461 records in 2017 to 2,305 – A fall of 6.33%.

Location of Breached Protected Health Information

The breakdown of 2018 healthcare data breaches by the location of breached PHI highlights the importance of increasing email security and providing further training to healthcare employees. 33.42% of all healthcare data breaches in 2018 involved email. Those breaches include phishing attacks, other unauthorized email access incidents and misdirected emails.
While healthcare organizations may be focused on preventing cyberattacks and improving technical defenses, care must still be taken with physical records. There were 81 breaches of physical PHI such as charts, documents, and films in 2018. Paper/films were involved in 22.19% of breaches.

The next most common location of breached PHI was network servers, which were involved in 20.27% of breaches in 2018. These incidents include hacks, ransomware attacks, and malware-related breaches.

2018 Healthcare Data Breaches by Covered Entity Type

Given the relative percentages of healthcare providers to health plans, it is no surprise that more healthcare provider data breaches occurred. 74.79% of the year’s breaches affected healthcare providers, 14.52% occurred at health plans, and 10.68% affected business associates of HIPAA-covered entities.

Business associate data breaches were the most severe, accounting for 42% of all exposed/stolen records in 2018, followed by healthcare provider breaches and breaches at health plans. The mean breach size for business associate data breaches was 140,915 records, 53,471 records for health plan data breaches, and 17,974 records for healthcare provider data breaches.

States Worst Affected By 2018 Healthcare Data Breaches

Being the two most populated states, it is no surprise that California and Texas were the worst affected by healthcare data breaches in 2018. Only four states avoided healthcare data breaches in 2018 – New Hampshire, South Carolina, South Dakota, Vermont.

Number of Breaches	State
38	California
32	Texas
19	Illinois
18	Florida
18	Massachusetts
16	New York
14	Missouri
11	Pennsylvania
10	Iowa, Michigan, Minnesota, Wisconsin
9	Maryland, Ohio, Oregon
8	Arizona, North Carolina, Virginia
7	Georgia, New Jersey, Tennessee, Washington
6	Colorado, Kansas, Nevada
5	Arkansas, Indiana, Nebraska, New Mexico, Utah
4	Connecticut, Kentucky
3	Alaska, Louisiana, Mississippi, Montana, Rhone Island
2	Alabama, District of Columbia, Oklahoma, Wyoming
1	Hawaii, Idaho, Maine, North Dakota, West Virginia
0	New Hampshire, South Carolina, South Dakota, Vermont

HIPAA Fines and Settlements in 2018

The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and has the authority to issue financial penalties for violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. State attorneys general also play a role in the enforcement of HIPAA compliance and can also issue fines for HIPAA violations.

In 2018, OCR issued 10 financial penalties to resolve HIPAA violations that were discovered during the investigation of healthcare data breaches and complaints.

The financial penalties issued by OCR in 2018 totaled $25,683,400, making 2018 a record-breaking year for HIPAA penalties.

12 financial penalties were issued by state attorneys general over violations of HIPAA Rules.

You can read more about the – HIPAA fines and settlements in 2018 here.

The post Analysis of 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information