HIPAA Compliance News

Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation

Posted by HIPAA Journal

The Supreme Court in Vermont has ruled that a patient can sue a hospital and one of its employees for a privacy violation, despite Vermont law and HIPAA not having a private cause of action for privacy violations.

The lawsuit alleges negligence over the disclosure of personal information that was obtained while the patient was being treated in the emergency room. The woman had visited the ER room to receive treatment for a laceration on her arm. The ER nurse who provided care to the patient notified law enforcement that the patient was intoxicated, had driven to the hospital, and intended to drive home after receiving treatment.

The nurse had detected an odor of alcohol on the patient’s breath. Using an alco-sensor, the nurse determined the patient had blood alcohol content of 0.215. In Vermont, that blood alcohol level is more than two and a half times the legal limit for driving. A police officer in the lobby of the hospital was notified and the patient was arrested, although charges were later dropped.

The women subsequently sued the hospital and the employee for violating her privacy by disclosing her health information to law enforcement.

The HIPAA Privacy Rule limits uses and disclosures of protected health information to treatment, payment, and healthcare operations, but there are exceptions. One of those exceptions is when a disclosure is made when there is a perceived serious threat to health or safety. The Privacy Rule permits such a disclosure if the disclosure is made to a person who could prevent or lessen a threat to either to the patient or the public.

Under the circumstances, the disclosure was reasonable and appropriate, which is what the Supreme Court ultimately concluded, affirming the Superior Court’s judgement. The disclosure was determined to have been made in order to mitigate an imminent threat to both the patient and the public. The Court rules “no reasonable factfinder could determine the disclosure was for any other purpose.” The plaintiff failed to prove that the disclosure had been made for any other purpose, such as in order for the patient to be arrested and charged.

The ruling is perfectly understandable; however, what is atypical is the case was given standing when state and HIPAA laws do not include a private cause of action. Patients do not have the right to sue their providers over violations of HIPAA laws and laws in Vermont also do not give patients that right. The case was ruled to have standing under a common-law private right of action for damages.

While the lawsuit was not successful, it could be cited in other lawsuits filed by patients who allege their privacy has been violated by their healthcare providers.

The post Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation appeared first on HIPAA Journal.

HELP Committee Calls for HHS to Recognize Good Faith Efforts to Improve Cybersecurity in its HIPAA Enforcement Activities

Posted by HIPAA Journal

Enforcement of HIPAA compliance by the HHS’ Office for Civil Rights is viewed by many as overly punitive.  Compliance investigations following complaints or data breaches often uncover violations of HIPAA Rules, which can lead to sizable financial penalties.

Organizations that have adopted good cybersecurity best practices could still receive a financial penalty following a data breach, even though they have made reasonable efforts to improve their security posture.

There have been calls for the HHS to take good faith efforts to improve cybersecurity into consideration when investigating breaches and to use discretion when considering enforcement actions.

While the threat of financial penalties for should encourage healthcare organizations to invest more in cybersecurity defenses, some consider the HHS approach to be having the opposite effect. Why invest heavily in cybersecurity when the HHS could still issue a financial penalty over a data breach?

An alternative approach, which is favored by several industry groups, is to incentivize healthcare entities to adopt strong cybersecurity best practices by taking the steps that have been taken to improve cybersecurity into account, such as adoption of the NIST cybersecurity framework. In cases where the covered entity can demonstrate that it has adopted strong cybersecurity practices, the entity should be protected against financial penalties.

A safe harbor such as this has long been proposed by CHIME, which believes good faith efforts to improve cybersecurity should be recognized by OCR when investigating breaches.  Instead, at present, the HHS appears to be “victimizing the victim.”

Support for incentivizing healthcare organizations to improve cybersecurity rather than punishing them for failures is growing. The recently introduced Lower Health Care Cost Acts of 2019 includes such a requirement. The bill was proposed by Senate Committee on Health, Education, Labor, and Provisions (HELP) chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) and calls for the HHS Secretary to consider an organization’s security practices when investigating data breaches or potential HIPAA violations.

Privacy and security concerns have been raised about the proposed interoperability and data blocking rules introduced by the ONC and CMS in February. The rules call for the use of APIs to solve interoperability issues, reduce data blocking, and make it easier for patients to gain access to their health data.

Complying with patient requests for their data to be sent to health apps has potential to result in a HIPAA violation and possible financial penalty. Several healthcare organizations and industry groups have expressed concern about liability for unauthorized disclosures of PHI after it has been sent to third parties at the patient’s request. OCR has recently clarified, through a series of FAQs, that once ePHI has been transferred to a third-party app at the request of the patient, the covered entity is no longer liable for any further disclosures.

Since app developers are not typically business associates, HIPAA restrictions no longer apply once the information has been disclosed to the app and there have been several cases of health data being provided to third parties without the knowledge of the patient.

The Lower Health Care Cost Acts of 2019 will help to address privacy and security concerns by calling for the Government Accountability Office (GAO) to conduct a study to identify existing gaps in privacy and security protections when patients have their health information transferred to third parties such as mobile apps which are not covered by HIPAA Rules. The findings of that study could guide efforts to improve privacy and security protections for health information once it is transferred beyond the reach of HIPAA.

The HELP committee is seeking comments on the proposed bill up until June 5, 2019.

The post HELP Committee Calls for HHS to Recognize Good Faith Efforts to Improve Cybersecurity in its HIPAA Enforcement Activities appeared first on HIPAA Journal.

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Posted by HIPAA Journal

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26 2015, hackers gained access to a server containing data related to its NMC service.  Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security incident and event monitoring (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General – PDF.

The post Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering appeared first on HIPAA Journal.

How Phone.com Started as a HIPAA Business Associate

Posted by HIPAA Journal

Getting started as a business associate and entering into the healthcare sphere can be a major challenge, but the potential rewards are considerable, as Phone.com discovered.

Breaking into the Healthcare Industry

Companies that provide services and products to healthcare clients that require contact with protected health information (PHI) are considered business associates under Health Insurance Portability and Accountability Act (HIPAA) Rules. As such, they must implement policies and procedures to ensure they comply with HIPAA Rules, sign business associate agreements with HIPAA-covered entities, and need to ensure safeguards are implemented to ensure the confidentiality, integrity, and availability of any ePHI that they are provided with.

For many businesses, having to comply with HIPAA stops them from expanding into this potentially very lucrative market. Not only is it necessary to commit resources to compliance, any failures could result in a considerable financial penalty. The HHS’ Office for Civil Rights has recently confirmed that there are 10 aspects of HIPAA Rules which can, if violated by a business associate, result in a financial penalty.

Benefits of HIPAA Compliance for Vendors

While the healthcare industry is one of the fastest growing markets in the United States, and with so many medical specialties and sub-verticals, it is easy for companies to find a niche in which to operate and thrive.

One company that made the decision to develop a HIPAA compliance program to enable it to expand into the healthcare market is Phone.com, a provider of collaborative VOIP services for small businesses.

While the potential for growth in the healthcare sector was appreciated, when Phone.com started its HIPAA compliance program the extent to which the company would grow as a result was majorly underestimated.

Since becoming HIPAA compliant 18 month ago, the company has signed more than 700 business associate agreements with HIPAA covered entities and a large percentage of those clients are entirely new to Phone.com.

Not only has becoming HIPAA compliant allowed Phone.com to work directly with healthcare companies, it has also allowed the company to work with business associates of HIPAA-covered entities.

“Our success and responsiveness with health care vendors is well beyond what I expected. There is a real need for HIPAA compliant vendors in the market today – it’s a strong and concrete differentiator,” said Joel Maloff, SVP of Strategic Alliances and Chief Compliance Officer at Phone.com.

Assistance with HIPAA Compliance

Phone.com’s HIPAA compliance journey was aided by The Compliancy Group, offers compliance coaches to guide businesses through all requirements of HIPAA and provides solutions that include HIPAA policies and procedures, business associate agreements, risk analysis assistance, verification of compliance, and HIPAA audit support.

“When we first considered if we should become HIPAA compliant, one of the first things we did was a simple search through our existing clients who could potentially be in health care or touch health care data. We found 600 in our database alone, and that became a huge driver for seeking out Compliancy Group’s help,” explained Maloff. “Compliancy Group gives us the flexibility to execute BAAs that competitors simply don’t have the time or capacity to complete. We’ve been able to directly attribute substantial growth in monthly recurring revenue (MRR) to just Compliancy Group’s BAAs alone.”

The post How Phone.com Started as a HIPAA Business Associate appeared first on HIPAA Journal.

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Posted by HIPAA Journal

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA Covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.

 

You can download the HHS Fact Sheet on direct liability of business associates on this link.

business associate liability for HIPAA violations

Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.

 

The post HHS Confirms When HIPAA Fines Can be Issued to Business Associates appeared first on HIPAA Journal.

Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Posted by HIPAA Journal

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000.

MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary.

Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach.

OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules.

OCR discovered MIE had failed to conduct an accurate and through risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – A violation of the HIPAA Security Rule 45 C.F.R. § 164.308(a)(l)(ii)(A).

As a result of that failure, there was an impermissible disclosure of 3.5 million individual’s PHI, in violation of 45 C.F.R. § 164.502(a).

MIE chose to settle the case with OCR with no admission of liability. In addition to paying a financial penalty, MIE has agreed to adopt a corrective action plan that requires a comprehensive, organization-wide risk analysis to be conducted and a risk management plan to be developed to address all identified risks and reduce them to a reasonable and acceptable level.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

While the settlement releases MIE from further actions by OCR over the above violations of HIPAA Rules, MIE is not out of the woods yet. In December 2018, a multi-state lawsuit was filed against MIE by 12 state attorneys general over the breach.

The lawsuit alleged there was a failure to implement adequate security controls, that known vulnerabilities had not been corrected, encryption had not been used, security awareness training had not been provided to staff, and there were post-breach failures at MIE. That lawsuit has yet to be resolved. It could well result in a further financial penalty for MIE.

This is OCR’s second financial penalty of 2019. Earlier this month, a $3,000,000 settlement was agreed with Touchstone Medical Imaging to resolve multiple HIPAA violations, several of which were related to the delayed response to a data breach.

The post Medical Informatics Engineering Settles HIPAA Breach Case for $100,000 appeared first on HIPAA Journal.

AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan

Posted by HIPAA Journal

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC).

In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients.

The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented.

The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain access to their health data, including claims information, lab test results, medications, and clinical notes. Easy access to that information will help with care coordination and will improve patients’ understanding of their conditions and treatments. However, there are potential problems.

“Consistent policies are needed across the board to incentivize and facilitate the exchange of data across systems,” wrote AAN President Ralph L. Sacco. “Many EHRs do not support the robust use of application program interfaces (APIs) for data exchange or are hindered by APIs that are implemented in proprietary ways that inhibit data exchange.” The AAN has also voiced concerns about privacy and security.

While the AAN understands that once PHI has been shared through an API it is no longer the responsibility of the provider to protect that information, but the AAN believes a security framework is required for third-party applications to prevent unauthorized disclosures once PHI has been transmitted by providers.

There is currently no federal regulatory framework to address unauthorized disclosures of PHI onside of enforcement by the FTC. Without a regulatory framework, a burden is placed on providers to ensure that they inform patients of the potential risks, when it should be the responsibility of app developers to ensure that all necessary precautions are taken to ensure PHI is protected. The AAN is seeking clarification on the responsibilities of third-party applications to ensure patient information is protected.

Unauthorized disclosures after PHI has been transferred do not constitute HIPAA violations, but they do have potential to negatively impact a provider’s reputation. Further, explaining the risks to patients may result in patients declining to share their information, which would work counter to CMS’s goal of promoting exchange of data and could detrimentally impact providers’ relationships with their patients.

“Given the sensitive nature of PHI and the paramount importance of trust between patients and providers, the AAN implores CMS and the FTC to ensure that there are clear security guidelines for third-party APIs and that there is robust enforcement to ensure that third-party applications are responsible stewards of patient data,” wrote Sacco.

Concern has also been raised about the sharing of certain types of particularly sensitive information, such as high-risk genetic testing data. If a patient has a genetic test that indicates there is a high probability that the patient will develop an incurable degenerative disease such as Huntington’s disease, prior to that information being shared with patients and their families it is necessary to make sure appropriate counselling is provided. The AAN suggests that that type of information should not be shared through APIs.

The AAN also believes the proposed six-month implementation time scale for many of the proposed changes is much too short. Complying with the new requirements in such a short time frame will place a significant burden on providers. More time has been requested for implementing the proposed system-wide changes.

The College of Healthcare Information Management Executives (CHIME) is also urging the CMS and ONC to extend the timescale for complying with the proposed changes and has suggested an interim rule is required and the time frame for complying should be extended from six months to three years.

The post AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan appeared first on HIPAA Journal.

April 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

April was the worst ever month for healthcare data breaches. More data breaches reported than any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years.

While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – A 23.9% reduction from March.  While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – A ransomware attack that exposed the records of 206,695 patients.

The ransomware was deployed 7 months after the attacker had first gained access to its systems. The initial access was gained via Remote Desktop Protocol (RDP) on a workstation.

The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that prevented patient information from being accessed. While the delay between access to the servers being gained and the ransomware being deployed was not as long, it also appeared that the attacker had been exploring the network prior to deploying the malicious software. Access to the server was gained 6 weeks prior to the ransomware being deployed. Ransomware was also used in the attack on ActivYouth Orthopaedics.

Covered Entity Entity Type Records Exposed Breach Type Location of Breached PHI
Doctors Management Services, Inc. Business Associate 206695 Hacking/IT Incident Network Server
Centrelake Medical Group, Inc. Healthcare Provider 197661 Hacking/IT Incident Network Server
Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute Healthcare Provider 35000 Unauthorized Access/Disclosure Electronic Medical Record
EmCare, Inc. Healthcare Provider 31236 Hacking/IT Incident Email
Kim P. Kornegay, DMD Healthcare Provider 27000 Theft Desktop Computer, Electronic Medical Record, Paper/Films
Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics Healthcare Provider 24176 Hacking/IT Incident Network Server
Health Recovery Services, Inc. Healthcare Provider 20485 Unauthorized Access/Disclosure Network Server
Baystate Health Healthcare Provider 11658 Hacking/IT Incident Email
Riverplace Counseling Center, Inc. Healthcare Provider 11639 Hacking/IT Incident Network Server
Minnesota Department of Human Services Healthcare Provider 10263 Hacking/IT Incident Email

Causes of April 2019 Healthcare Data Breaches

Hacking/IT incidents outnumbered unauthorized access/disclosure incidents by 2 to 1 in April. 28 of the reported breaches of 500 or more records were due to hacking/IT incidents. There were 14 unauthorized access/disclosure incidents, two cases of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a decline in the number of ransomware attacks across all industry sectors, the number of ransomware attacks is increasing once again, and healthcare is the most attacked industry. Remote Desktop Protocol often exploited to gain access to servers and workstations to deploy ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is common in the healthcare industry. Risk can be reduced by disabling these protocols, and if RDP must be used, to only use RDP with a VPN.

Phishing attacks also increased considerably in April, which highlights just how vulnerable healthcare organizations are to this type of attack. Advanced anti-phishing and anti-spam solutions can reduce the volume of malicious emails that reach inboxes and combined with regular security awareness training, risk can be reduced.

The use of multi-factor authentication is also important. In the event of credentials being compromised, MFA will prevent those credentials from being used to gain access to PHI. MFA is not infallible, but it can ensure risk is reduced to a reasonable and acceptable level. According to Verizon, most credential theft incidents would not have resulted in a data breach if MFA been implemented.

Hacking/IT incidents resulted in the highest number of compromised records in April 2019 – 384,219 records or 55% of all compromised records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents resulted in the exposure of 264,016 records or 38% of the month’s total. While hacking incidents usually result in more records being compromised, these incidents were more severe and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were exposed to loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.

April 2019 healthcare data breaches - breach cause

Location of Breached Protected Health Information

Email was the most common location of breached PHI in April. Email was involved in 22 data breaches – 47.8% of all breaches in April 2019. While this category includes misdirected emails, the majority of email breaches were due to phishing attacks.

Network servers were involved in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records such as paperwork, charts, and films were involved in 6 breaches – 13% of the month’s total.

April 2019 healthcare data breaches - location of PHI

April Breaches by Covered Entity Type

April was a relatively good month for business associates of covered entities with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the largest breach of the month.

6 health plans reported breaches in April and the remaining 38 breaches were reported by healthcare providers.

April 2019 healthcare data breaches by covered entity type

April 2019 Healthcare Data Breaches by State

Data breaches were reported by entities based in 21 states in April. California and Texas were the worst affected, with each state having 5 breaches. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by entities in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had 2 breaches and one breach was reported in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

HIPAA Enforcement Activity in April 2019

There were no financial penalties issued by the HHS’ Office for Civil Rights or state Attorneys General in 2019. The first OCR financial penalty of 2019 was issued in May – A $3,000,000 penalty for Touchstone Medical Imaging for the delayed response to a data breach in which the records of 307,839 patients were exposed.

In addition to the delayed response, there was a failure to issue breach notifications in a reasonable time frame, a failure to notify the media about the breach, two BAAs failures, insufficient access rights, and a risk analysis failure.

The post April 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

Posted by HIPAA Journal

A lawsuit has been filed against Atchison Hospital in Kansas by a sexual assault victim who alleges an x-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital.

According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties.

Despite being against the patient’s wishes and a violation of the HIPAA Privacy Rule, information about the examination was disclosed to her attacker by a female X-ray technician at the hospital. The x-ray technician also told the man that he had been accused of sexually assaulting the patient.

Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff.

A complaint was filed with the hospital over the privacy violation and an internal investigation was launched. The medical records system was checked to determine whether there had been any unauthorized accessing of her medical records and interviews were conducted with staff members.

No evidence was uncovered to suggest the woman’s electronic medical records had been accessed inappropriately, but the hospital concluded the X-ray technician had viewed the woman’s medical information in the hospital’s health information department.  The hospital confirmed to the woman that the X-ray technician was not part of her care team and was not authorized to view her records.

The hospital apologized for the privacy breach and reviewed an updated its policies and procedures to reduce the risk of further incidents such as this occurring.

The X-ray technician was fired from the hospital over the privacy violation and was subsequently hired by Saint Luke’s Cushing Hospital. According to the patient’s attorneys, details of the former employee’s conduct were not disclosed to Cushing Hospital and a positive review was provided. The patient’s attorneys claim the hospital did not do enough to communicate the reason for termination to the woman’s potential new employer.

Hospital CEO, John Jacobson issued a statement to the Atchison Globe, saying “Patient confidentiality at Atchison Hospital and our ability to protect personal information is a top priority of ours… we are deeply disturbed by the actions of this former employee. In fact, when we were made aware of this situation, we took immediate steps to investigate and within two days, we terminated this individual’s employment.”

The lawsuit accuses the hospital of having inadequate policies in place to protect against the unauthorized accessing of patient information and claims the hospital was negligent, there was an invasion of the patient’s privacy, and the hospital breached its fiduciary duty. The lawsuit seeks punitive damages.

The post Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker appeared first on HIPAA Journal.