HIPAA Compliance News

HELP Committee Approves Bill Calling for HIPAA Enforcement Safe Harbor

Posted by HIPAA Journal

The Senate Health, Education, Labor and Pensions (HELP) Committee has approved the Lower Health Care Costs (LHCC) Act of 2019, which has implications for HIPAA-covered entities.

One of the main aims of the bill is to improve transparency of health care costs and service quality. The bill is intended to end surprise health bills and make sure patients are kept well informed about healthcare costs.

The LHCC Act includes a provision that incentivizes healthcare organizations to adopt strong cybersecurity practices by calling for the Department of Health and Human Services’ Office for Civil Rights to consider the organization’s good faith security efforts when making decisions about enforcement actions.

The bipartisan bill passed the HELP committee by 20 votes to 3. The bill includes 54 different proposals from 65 senators. With the bill now passed, HELP committee chairman Lamar Alexander (R-Tenn) hopes to present the bill to the Majority and Minority Leaders for consideration by the full senate in July.

Many healthcare organizations have been calling for OCR to consider adoption of security frameworks and other good faith efforts to improve security posture when deciding on whether a penalty for noncompliance is appropriate. A safe harbor for organizations that adopt a cybersecurity framework such as the framework developed by NIST has been proposed by several industry groups.

The LHCC Act falls short of proposing a safe harbor from all enforcement actions, but could incentivize healthcare organizations to adopt security frameworks, invest time and resources in cybersecurity, and go above and beyond the minimum standards required by HIPAA.

The provision should not be viewed as a ‘get out of jail free’ card. When financial penalties are issued by OCR, they are usually for multiple compliance failures and/or egregious violations of HIPAA Rules. Adoption of the NIST Cybersecurity Framework would likely do little to prevent financial penalties.

The impact of the new requirement may only be minimal. Currently, when OCR investigates a data breach, many factors are taken into consideration when deciding whether financial penalties are appropriate. OCR has previously made it clear that HIPAA compliance is about minimizing, not eliminating risks. OCR accepts that even organizations with strong cybersecurity protections can still be breached. The organization’s security program is already considered when OCR decides whether enforcement actions are appropriate.

In addition to the HIPAA enforcement provision, the bill proposes that the CMS require health insurers to make information such as claim data and expected out-of-pocket-expenses available to patients via APIs to help patients decide on the best health plan. This would also help to communicate that patients’ privacy and security is protected and HIPAA and state laws apply.

Concern has been raised about the risks to individually identifiable health information when it is transferred electronically to and from non-HIPAA-covered entities. The bill proposes the Government Accountability Office (GAO) conduct a study to identify any risks associated with such transfers. In addition, a study is required to identify privacy and security gaps when health information is transferred to third parties via mobile apps created by developers not bound by HIPAA.

The bill must first go before the full senate and house; however, if the bill does not pass both houses, the provisions related to HIPAA may be added to a different bill.

The post HELP Committee Approves Bill Calling for HIPAA Enforcement Safe Harbor appeared first on HIPAA Journal.

OCR Clarifies Allowable Uses and Disclosures by Health Plans for Care Coordination and Continuity of Care

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance for health plans on how protected health information can be shared to support care coordination and continuity of care.

The guidance, which is in the form of an FAQ, answers two questions commonly asked by health plans:

Can PHI be disclosed to another health plan for care coordination purposes?

OCR has confirmed that the HIPAA Privacy Rule allows PHI to be used and disclosed for healthcare operations, so it is possible to share PHI with another health plan or other covered entity if doing so is necessary for the entity’s own healthcare operations. PHI can also be shared with another health plan for the recipient’s healthcare operations provided the following conditions are met: Both entities have or had a relationship with the individual, the disclosure pertains to that relationship, and the healthcare operation is one permitted by HIPAA (See 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4))

Case management and care coordination are included in permitted ‘healthcare operations,’ so they are permitted without patient authorization, but any disclosures should be limited to the minimum necessary information.

Can a health plan use and disclose PHI to inform individuals about other available health plans, without first obtaining authorization and Is this possible if PHI was received for another purpose?

Uses and disclosures of PHI for marketing purposes is generally not permitted without prior authorization. Using PHI for the purposes of offering an individual a different health plan could be seen to be marketing and would therefore only be permitted with prior authorization.

However, there are exceptions to marketing rule. Marketing communications are permitted face to face – 5 CFR 164.508(a)(3)(i) and HIPAA also does not count communications regarding replacements to, or enhancements of, existing health plans, provided the covered entity is not receiving financial remuneration for the communications. (See 45 CFR 164.506(c)(1) and 45 CFR 164.501). It is also permitted to use PHI that has been received for another purpose if the above conditions are met.

You can view the new OCR FAQ on this link.

The post OCR Clarifies Allowable Uses and Disclosures by Health Plans for Care Coordination and Continuity of Care appeared first on HIPAA Journal.

Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

Posted by HIPAA Journal

A former patient care coordinator at University of Pittsburgh Medical Center (UPMC) has received a 1-year jail term for accessing the medical records of patients and using that information to cause malicious harm.

Sue Kalina, 62, of Butler, PA, had previously worked at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while employed by UPMC, Kalina first started accessing patients’ medical records without authorization. She continued to do so until June 15, 2017.

Kalina accessed the records of friends, old classmates, and individuals that she had an aggrievance with. She used information from the medical records in a campaign of vengeance against her former employer, Frank J. Zottola Construction.

Kalina had worked at the firm as office manager for 24 years before losing the position and being replaced by a younger woman. Kalina accessed that woman’s medical records and disclosed gynecological information about the moan to the Zottola controller in June 2017. Kalina also left a voicemail message in which the medical information of the new office manager and one other Zottola employee was disclosed.

Zottola informed UPMC and Kalina was terminated. She was later hired by Allegheny Health Network where she is alleged to have continued to access patient records without authorization. In total, Kalina accessed the records of 111 patients without authorization.

Kalina took responsibility for her actions but claimed she was going through a difficult time in her life and had health issues. She also claimed she was not aware she was breaking the law and thought she was not prohibited from looking at patient files. Kalina and her legal team were seeking probation due to Kalina’s ongoing family commitments.

Prosecutors argued Kalina had been provided with HIPAA training and was aware that she was breaking the law and to claim ignorance of that was ‘a complete farce.” The U.S. attorney’s office sought a jail term of between 6 and 12 months.

At sentencing, U.S. District Judge Arthur Schwab opted for a jail term at the top end of that scale as the crime was particularly ‘egregious.’ Kalina was sentenced to 12 months in jail followed by 3 years of probation. During that time frame Kalina is not permitted to have any contact with any of the 111 victims.

The post Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation appeared first on HIPAA Journal.

May 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Healthcare data breaches by month 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Healthcare records exposed by month 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Healthcare records exposed by year 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page which was supposed to only be accessible internally had been misconfigured and the page could be accessed by anyone over the internet.

 

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Inmediata Health Group, Corp. Healthcare Clearing House 1,565,338 Unauthorized Access/Disclosure
2 Talley Medical Surgical Eyecare Associates, PC Healthcare Provider 106,000 Unauthorized Access/Disclosure
3 The Union Labor Life Insurance Company Health Plan 87,400 Hacking/IT Incident
4 Encompass Family and internal medicine group Healthcare Provider 26,000 Unauthorized Access/Disclosure
5 The Southeastern Council on Alcoholism and Drug Dependence Healthcare Provider 25,148 Hacking/IT Incident
6 Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center Healthcare Provider 16,819 Hacking/IT Incident
7 Takai, Hoover, and Hsu, P.A. Healthcare Provider 16,542 Unauthorized Access/Disclosure
8 Hematology Oncology Associates, PC Healthcare Provider 16,073 Hacking/IT Incident
9 Acadia Montana Treatment Center Healthcare Provider 14,794 Hacking/IT Incident
10 American Baptist Homes of the Midwest Healthcare Provider 10,993 Hacking/IT Incident

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks.  Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Location of breached PHi (may 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states.  Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities base in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.

The post May 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development

Posted by HIPAA Journal

One of the requirements of the HIPAA Administrative Simplification Rules was the development of a national identifier for all patients. Such an identifier would be used by all healthcare organizations to match patients with health records from multiple sources and would improve the reliability of health information and ensure it could be shared quickly and efficiently.

That national patient identifier has failed to materialize. For the past two decades, the Department of Health and Human Services has been prohibited from using funds to develop or promote a unique patient identifier system out of concerns over privacy and security of patient data.

Just as was the case in 1996, the benefits of using national patient identifiers remain and the need for such a system is greater than ever. Many hospitals, healthcare and health IT groups have been urging Congress to lift the HHS ban due to the benefits that would come from using a national identifier.

They argue it would make it much easier to match medical information from multiple sources with the correct patient and the potential for errors would be greatly reduced. Together with the cost savings, adoption of a national patient identifier would improve the quality of care provided to patients and patient safety.

Now, 20 years after the ban was put in place, it is closer to being lifted. The U.S. House of Representatives recently voted on several amendments to a $99.4 billion HHS appropriations bill. The amendment calling for the lifting of the ban was proposed by Rep. Bill Foster (D-Ill.) and was passed on Wednesday 12, June in a 246 to 178 vote. Until now, neither chamber in Congress has ever voted to lift the ban.

“For the last 21 years, this misguided policy has been in place, and thousands of Americans have died due to getting the wrong drug to the wrong patient or due to incorrect or incomplete electronic medical records, all arising from the inability to simply and correctly merge health records from different systems,” said Rep. Foster.

The passing of the amendment is the first step toward a national identifier being developed, but there are plenty of hurdles to overcome before the ban is finally lifted. The appropriations bill must first be passed, and the senate would need to give its approval, then the president would need to sign the bill into law.

Even though the benefits of a national patient identifier are clear, many privacy advocates believe the privacy and security risks are too great and that adoption of a national identifier would result in loss of control of patient data and more frequent, larger, and more damaging healthcare data breaches.

The post House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development appeared first on HIPAA Journal.

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

Posted by HIPAA Journal

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party.

Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015.

According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson.

Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw.

Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules.

After discovering that her health information had been disclosed, Pertuit lodged a complaint with the Department of Health and Human Services’ Office for Civil Rights which put the hospital on notice. However, the hospital failed to implement appropriate sanctions against Diefendfer. Dr. Diefendfer is alleged to have accessed further health information in 2016 and again disclosed that information to Bradshaw.

The plaintiff’s lawyers also said that the hospital’s privacy officer had investigated Dr. Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.

The lawsuits filed against Dr. Diefender, Deanna Mortensen, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.

The jury unanimously found that MCE had failed to take appropriate action against Dr. Diefender after the discovery of the privacy violation, and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.

The post Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach appeared first on HIPAA Journal.

Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation

Posted by HIPAA Journal

The Supreme Court in Vermont has ruled that a patient can sue a hospital and one of its employees for a privacy violation, despite Vermont law and HIPAA not having a private cause of action for privacy violations.

The lawsuit alleges negligence over the disclosure of personal information that was obtained while the patient was being treated in the emergency room. The woman had visited the ER room to receive treatment for a laceration on her arm. The ER nurse who provided care to the patient notified law enforcement that the patient was intoxicated, had driven to the hospital, and intended to drive home after receiving treatment.

The nurse had detected an odor of alcohol on the patient’s breath. Using an alco-sensor, the nurse determined the patient had blood alcohol content of 0.215. In Vermont, that blood alcohol level is more than two and a half times the legal limit for driving. A police officer in the lobby of the hospital was notified and the patient was arrested, although charges were later dropped.

The women subsequently sued the hospital and the employee for violating her privacy by disclosing her health information to law enforcement.

The HIPAA Privacy Rule limits uses and disclosures of protected health information to treatment, payment, and healthcare operations, but there are exceptions. One of those exceptions is when a disclosure is made when there is a perceived serious threat to health or safety. The Privacy Rule permits such a disclosure if the disclosure is made to a person who could prevent or lessen a threat to either to the patient or the public.

Under the circumstances, the disclosure was reasonable and appropriate, which is what the Supreme Court ultimately concluded, affirming the Superior Court’s judgement. The disclosure was determined to have been made in order to mitigate an imminent threat to both the patient and the public. The Court rules “no reasonable factfinder could determine the disclosure was for any other purpose.” The plaintiff failed to prove that the disclosure had been made for any other purpose, such as in order for the patient to be arrested and charged.

The ruling is perfectly understandable; however, what is atypical is the case was given standing when state and HIPAA laws do not include a private cause of action. Patients do not have the right to sue their providers over violations of HIPAA laws and laws in Vermont also do not give patients that right. The case was ruled to have standing under a common-law private right of action for damages.

While the lawsuit was not successful, it could be cited in other lawsuits filed by patients who allege their privacy has been violated by their healthcare providers.

The post Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation appeared first on HIPAA Journal.

HELP Committee Calls for HHS to Recognize Good Faith Efforts to Improve Cybersecurity in its HIPAA Enforcement Activities

Posted by HIPAA Journal

Enforcement of HIPAA compliance by the HHS’ Office for Civil Rights is viewed by many as overly punitive.  Compliance investigations following complaints or data breaches often uncover violations of HIPAA Rules, which can lead to sizable financial penalties.

Organizations that have adopted good cybersecurity best practices could still receive a financial penalty following a data breach, even though they have made reasonable efforts to improve their security posture.

There have been calls for the HHS to take good faith efforts to improve cybersecurity into consideration when investigating breaches and to use discretion when considering enforcement actions.

While the threat of financial penalties for should encourage healthcare organizations to invest more in cybersecurity defenses, some consider the HHS approach to be having the opposite effect. Why invest heavily in cybersecurity when the HHS could still issue a financial penalty over a data breach?

An alternative approach, which is favored by several industry groups, is to incentivize healthcare entities to adopt strong cybersecurity best practices by taking the steps that have been taken to improve cybersecurity into account, such as adoption of the NIST cybersecurity framework. In cases where the covered entity can demonstrate that it has adopted strong cybersecurity practices, the entity should be protected against financial penalties.

A safe harbor such as this has long been proposed by CHIME, which believes good faith efforts to improve cybersecurity should be recognized by OCR when investigating breaches.  Instead, at present, the HHS appears to be “victimizing the victim.”

Support for incentivizing healthcare organizations to improve cybersecurity rather than punishing them for failures is growing. The recently introduced Lower Health Care Cost Acts of 2019 includes such a requirement. The bill was proposed by Senate Committee on Health, Education, Labor, and Provisions (HELP) chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) and calls for the HHS Secretary to consider an organization’s security practices when investigating data breaches or potential HIPAA violations.

Privacy and security concerns have been raised about the proposed interoperability and data blocking rules introduced by the ONC and CMS in February. The rules call for the use of APIs to solve interoperability issues, reduce data blocking, and make it easier for patients to gain access to their health data.

Complying with patient requests for their data to be sent to health apps has potential to result in a HIPAA violation and possible financial penalty. Several healthcare organizations and industry groups have expressed concern about liability for unauthorized disclosures of PHI after it has been sent to third parties at the patient’s request. OCR has recently clarified, through a series of FAQs, that once ePHI has been transferred to a third-party app at the request of the patient, the covered entity is no longer liable for any further disclosures.

Since app developers are not typically business associates, HIPAA restrictions no longer apply once the information has been disclosed to the app and there have been several cases of health data being provided to third parties without the knowledge of the patient.

The Lower Health Care Cost Acts of 2019 will help to address privacy and security concerns by calling for the Government Accountability Office (GAO) to conduct a study to identify existing gaps in privacy and security protections when patients have their health information transferred to third parties such as mobile apps which are not covered by HIPAA Rules. The findings of that study could guide efforts to improve privacy and security protections for health information once it is transferred beyond the reach of HIPAA.

The HELP committee is seeking comments on the proposed bill up until June 5, 2019.

The post HELP Committee Calls for HHS to Recognize Good Faith Efforts to Improve Cybersecurity in its HIPAA Enforcement Activities appeared first on HIPAA Journal.

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Posted by HIPAA Journal

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26 2015, hackers gained access to a server containing data related to its NMC service.  Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security incident and event monitoring (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General – PDF.

The post Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering appeared first on HIPAA Journal.