HIPAA Compliance News

HIPAA Compliance Best Practices

Posted by HIPAA Journal

Questions and Answers to Improve Security and Avoid Penalties

By Bill Becker

Even after 14 years, public and private sector organizations are still routinely found out of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Security management processes are among the weakest links in compliance. In this article, we’ll look at some of the basics that covered entities and their business partners need to follow to ensure that they are not hit with financial or other penalties.

For the uninitiated, HIPAA regulates the use and disclosure of certain information held by health plans, health insurers, and medical service providers that engage in many types of transactions.

Enforcement of HIPAA Privacy and Security Rules falls to the Department of Health and Human Services’ Office for Civil Rights (OCR). Enforcement of compliance began in 2005, with OCR becoming responsible for Security Rule enforcement four years later. Since April 2003, over 150,000 HIPAA Privacy Rule complaints have been investigated by OCR. 98% (or 147,826) of the complaints have been resolved.

OCR enforces HIPAA Rules by applying “corrective measures,” including ether settlement or a civil cash penalty.

Only 47 cases have resulted in a settlement, although the total monetary penalty is still an eye-opening $67,210,982.00.  Most compliance issues, OCR reports, stem from improper use or disclosure of electronic protected health information (ePHI); poor health information safeguards; inadequate patient access to their ePHI; and the absence of administrative safeguard for such information.

In other words, there is a fundamental failure in developing and maintaining appropriate security management processes. Which is ironic because one of the very first stipulations in HIPAA § 164.308 (a)(1) calls for organizations to implement policies and procedures to prevent, detect, contain, and correct security violations.

There are several required specifications to implement these management safeguards. These include the following:

Risk analysis – Accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity (or its business associate/s).

Risk management – Security measures to reduce risks and vulnerabilities to a “reasonable and appropriate level.”

Sanction policy – Workforce members who do not comply with the security policies and procedures must be sanctioned according to a standard policy applied to violations.

Information system activity review – Procedures to review records of information system activity, including audit logs, access reports, and security incident tracking reports.

Before any of that, however, organizations must use best practices to get their arms around the protected information under their control, and to apply some common sense thinking to managing access to that information.

Let’s look at some of these best practices.

Identify relevant information systems – It seems obvious, but here’s where many organizations fail. You have to be able to identify all information systems that house ePHI. Moreover, you have to be able to analyze business functions and verify the ownership and control of those information systems.

Ask yourself the following questions:

  • Does the hardware and software in your information systems include removable media and remote access devices?
  • Have you identified the types of information you manage?
  • Have you identified and evaluated the sensitivity of each type of information?

Conduct a risk assessment – You have to have an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

To ensure accuracy and thoroughness, ask yourself the following questions:

  • Is the facility located in a region prone to any natural disasters?
  • Have you assigned responsibility to check all hardware?
  • Have you analyzed current safeguards and identifiable risks?
  • Have you considered all processes involving ePHI — including creating, receiving, maintaining, and transmitting protected information?

Acquire IT systems and services – After identifying your systems and exposure to risk, you may find that you’ll need additional hardware, software or services to adequately protect information such as:

  • Multi-Factor Authentication
  • Data-at-Rest Encryption
  • Data-in-Transit Encryption
  • Cryptographic Key Management

When planning for new systems or services, ask yourself the following questions:

  • Will new security controls work with the existing IT architecture?
  • Have you conducted a cost-benefit analysis to make sure the investment is reasonable when measured against potential security risks?

Create and deploy policies and procedures – This is the crux of any working set of management processes. You have to have policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. Does your formal system security and contingency plan stand up to that kind of scrutiny?

In both the public and private sectors, hospitals, clinics, and other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times. The best practices presented here can help ensure that data isn’t stolen or compromised, and that your organization doesn’t face steep fines for being out of compliance.

Bill Becker is Technical Director of SafeNet Assured Technologies. He can be reached at Bill.Becker@SafeNetAT.com

The post HIPAA Compliance Best Practices appeared first on HIPAA Journal.

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Posted by HIPAA Journal

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff.

The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules.

However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patients name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient constituted an impermissible disclosure of PHI.

The incident was widely reported in the media and a complaint was filed with OCR, prompting an investigation. The investigation revealed that the press release had been distributed to fifteen media outlets. On three occasions following the issuing of the press release, the patient’s identity was disclosed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also published on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015 constituted a knowing and intentional failure to safeguard the PHI of the patient. MHHS was also discovered to have failed to document the sanctions imposed against the members of staff who violated the HIPAA Privacy Rule, as is required by HIPAA (45 C.F .R. § 164.530( e )(2)).

In addition to the sizable payment to OCR, Memorial Hermann Health System has agreed to adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent further impermissible disclosures of PHI. All MHHS facilities must also attest that they understand the allowable disclosures and uses of PHI.

HIPAA penalties are often issued for large scale breaches of PHI stemming from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered entities for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

OCR Director Roger Severino issued a statement about the settlement saying “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to explain that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is the eighth HIPAA settlement to be announced by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one CMP issued. At this rate, 2017 looks set to be another record breaking year.

The sharp increase in HIPAA penalties should serve as a warning to covered entities that any violation of HIPAA Rules could result in a substantial financial penalty.

The post Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine appeared first on HIPAA Journal.

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Posted by HIPAA Journal

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk.

More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management.

The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch.

George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and identity and access management initiatives and ensures Kaiser Permanente continues to protect the ePHi of its 10.2 million members. Decesare will be explain the current healthcare threat landscape and will be offering invaluable advice to attendees on how they can secure their own networks from attack. He will also be offering an overview of how Kaiser Permanente operates its cybersecurity programs and manages risk.

While patients were previously tied to a healthcare organization, now they are able to easily change providers. Many do following a cybersecurity breach that exposes their health information. Jane Harper will be explaining the importance of including consumerism in risk management probability models and will cover techniques for risk management and how changes in healthcare have affected the risk environment.

Matt Trevors will be explaining how healthcare organizations can develop security controls that meet the requirements of the HIPAA Security Rule. In his speech, Trevors will explain whether simply meeting HIPAA Security Rule requirements will be sufficient to prevent data breaches. Trevors will also explain how healthcare organizations can use the Center for Internet Security’s Critical Security Controls (CIS CSC) to help them meet HIPAA Security Rule requirements and will offer advice on the Cyber Resilience Review (CRR) – A free tool that can be used by healthcare organizations to assess their security programs.

M.K. Palmore will be providing an invaluable insight into the current healthcare cybersecurity threat landscape, including an up-to-the-minute overview of the latest threats, including phishing attacks, insider threats, and business email compromise scams. Palmore will be covering some of the recent FBI investigations and will explain how breaches occurred and how they could have been prevented.  Palmore will also explain how healthcare organizations can access the FBI’s considerable resources and use its data to prevent data breaches.

The HIMSS Privacy and Security Forum will be taking place at the Grand Hyatt Union Square, on May 11-12, 2017. Further information can be found on this link.

The post HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape appeared first on HIPAA Journal.

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

Posted by HIPAA Journal

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients.

Patients are required to enter in a range of sensitive information into the MDLive app; however, during the first 15 minutes of use, the app takes screenshots of the data entered by users. According to the lawsuit, an average of 60 screenshots are taken during the first 15 minutes – the time it typically takes a user to register for an account. Those screenshots are then sent to an Israeli company called Test Fairy, which conducts quality control tests.

The lawsuit alleges patients are not informed that their information is disclosed to a third-party company. All data entered into the app can also be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data.

Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users includes sensitive data such as health conditions, recent medical procedures, behavioral health histories, family medical histories and details of allergies. According to the lawsuit, the screenshots are “covertly” sent to Test Fairy “in near real time.”

The lawsuit suggests patients using the app are likely to assume their data will be kept confidential and that reasonable security measures will be employed to prevent disclosures. However, the lawsuit states that “Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”

The lawsuit was filed by the Illinois law firm Edelson PC with app user Joan Richards named as the plaintiff. Typically, for a lawsuit to succeed, an unauthorized disclosure of medical information must result in harm being caused.

Edelson PC attorney Chris Dore said, “Our complaint alleges that the harm is complete at the point that this information is collected without permission.”

MDLive says the lawsuit is “baseless,” that no data breach has occurred, HIPAA Rules have not been violated, and any data entered into the app is safe. While data are disclosed to authorized third parties, those third parties are “bound by contractual obligations and applicable laws.” MDLive also claims any information disclosed is only used for the purpose for which that disclosure is made.

MDLive is seeking to have the lawsuit dismissed.

The post MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations appeared first on HIPAA Journal.

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

Posted by HIPAA Journal

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlement have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first-time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis has been performed, but OCR investigators determined that the risk analysis was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI and for the failure to implement encryption – or another equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly. Also, that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health- $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million appeared first on HIPAA Journal.

Patient Records Must be Disclosed by Organ Procurement Organization, Rules Supreme Court Judge

Posted by HIPAA Journal

A New York Supreme Court Judge has recently ruled that patient records held by the New York Organ Donor Network must be turned over to a plaintiff and that the request cannot be denied based on HIPAA.

Patrick McMahon claims he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he made about organ harvesting from four patients who were still showing clear signs of life and had not been declared legally dead.

The New York Organ Donor Network maintains the plaintiff was fired for poor performance while he was still a probationary employee. The allegations about the procurement of organs have been denied.

McMahon requested the New York Organ Donor Network turn over the medical records of the four patients as they are ‘material and necessary’ to show the patients showed signs of brain activity at the time the organs were harvested.  The New York Organ Donor Network had previously denied McMahon’s request, instead providing contact details of the patients’ next of kin, informing McMahon that he needed to obtain consent forms allowing the release of the information.

McMahon claims he attempted to obtain consent forms, but despite diligent attempts, was unable to obtain the authorizations. Without access to the medical records of patients, McMahon is unable to provide the proof related to his asserted cause of action.

McMahon argued that the New York Organ Donor Network is not a HIPAA-covered entity and therefore would not be in breach of HIPAA-Rules by turning over the patients’ records.

The New York Organ Donor Network confirmed that it is not an entity covered by HIPAA Rules, but that it has a duty to maintain patient confidentiality. The defendant also pointed out it has entered into memorandums of understanding (MOUs) with hospitals in which access to PHI was gained in order to facilitate the organ donation process. The New York Organ Donor Network says “it would defeat the purpose of HIPAA if it were required to comply with plaintiffs’ requests.”

While HIPAA Rules protect the privacy of patients, Manhattan Supreme Court Justice Arlene Bluth ruled that the New York Organ Donor Network is not a HIPAA-covered entity, and even if it were, HIPAA Rules do not prevent document disclosure. Bluth explained that organ procurement organizations (OPOs) are allowed to be provided with PHI and that MOUs “seek to assure the covered entities who provide information to defendant that protected health information will be kept confidential.” However, Bluth said, “MOUs between [the] defendant and certain hospitals do not compel this Court to deny plaintiffs motion.”

Bluth said, the “defendant failed to identify a federal regulation or case law that would prevent this Court from requiring disclosure,” and ruled the documents must be turned over as requested by the plaintiff.

Explaining the ruling, Bluth said “HHS could have promulgated a rule stating that any protected health information received by an OPO from a covered entity must remain subject to HIPAA’s privacy protections as if the OPO were a covered entity; HHS did not.” Bluth also pointed out that HHS could have included OPOs in its definition of covered entities but it did not.

Bluth explained that “Providing this information might negatively impact these MOUs. But that possibility merely underscores the need for additional federal regulations addressing OPOs and their relationship with HIPAA.”

The New York Organ Donor Network must turn over the patients’ records no later than April 26, 2017. McMahon has been prohibited from using the information in the medical records for anything other than litigation.

The post Patient Records Must be Disclosed by Organ Procurement Organization, Rules Supreme Court Judge appeared first on HIPAA Journal.

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information.

Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH); a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois.

On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI.

The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules.

CCDH had provided paper records relating to 10,728 patients without officially advising FileFax, by means of a BAA, of the firm’s responsibilities to safeguard patients’ data. CCDH also received no HIPAA-compliant assurances that appropriate safeguards had been implemented to ensure the confidentiality, integrity, and availability of PHI prior to the disclosure.

FileFax had been storing documents containing the PHI of patients of CCDH since 2003, yet the earliest business associate agreement produced by CCDH and FileFax was dated October 12, 2015.

CCDH has agreed to pay OCR $31,000 to resolve the potential HIPAA violations and will adopt a corrective action plan that involves updating policies and procedures, conducting staff training on those policies and procedures and ensuring one or more employees are made responsible for ensuring HIPAA-compliant business associate agreements are obtained from all business associates.

HIPAA-covered entities are permitted to disclose the PHI of patients to their business associates; however, before any PHI is disclosed, the covered entity must enter into a contract with the business associate. The contract must explain the responsibilities the business associate has to ensure PHI is secured and safeguards are implemented to prevent unauthorized disclosures. The business associate must also be advised of the allowable uses and disclosures of PHI and must agree not to use or disclose any PHI unless required to do so under the terms of the contract or if required to do so by law.

The business associate must also be advised of the requirement to notify the covered entity in the event that any PHI is accidentally or deliberately accessed or disclosed along with the timescale for doing so. The business associate must also be advised that the failure to comply with HIPAA Rules can result in financial penalties being issued.

Further information on HIPAA Rules concerning business associate agreements can be viewed on this link.

2017 HIPAA Settlements

Last year, OCR issued one civil monetary penalty and agreed to settle potential HIPAA violations with 12 covered entities to resolve HIPAA violations – More than any other year since the HIPAA Enforcement Rule was introduced.

This year looks set to see even more HIPAA enforcement actions. The Center for Children’s Digestive Health HIPAA settlement is the sixth financial penalty in less than four months, bringing the total amount of HIPAA fines in 2017 to $11,806,000.  The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements appeared first on HIPAA Journal.

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that the organization held. MCPN also failed to implement a risk management plan to address risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as a FQHC and its financial position to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post $400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures appeared first on HIPAA Journal.

Roger Severino Named New Director of HHS’ Office for Civil Rights

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has a new leader. The Trump Administration has chosen former civil rights trial attorney Roger Severino to lead the HIPAA enforcement efforts of the Office for Civil Rights.

Severino joins OCR from the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he served as Director since May 2015.

A formal announcement about the appointment of the new OCR Director has yet to be issued; however, the Heritage Foundation has confirmed that Severino is no longer on the staff and his name has been added to the HHS website. A spokesperson for OCR has also confirmed that Severino will be the new director and Severino’s LinkedIn profile has also been updated to include his new position as OCR chief.

Severino has a background in civil rights litigation, having worked as a trial attorney for the Department of Justice for seven years in the Housing and Civil Enforcement division. During his time at the DOJ, Severino enforced the Fair Housing Act, Title II and Title VI of the Civil Rights Act of 1964 and the Religious Land Use and Institutionalized Persons Act. Severino has also worked as Legal Counsel for the Becket Fund for Religious Liberty between July 2003 and May 2008.

While Severino has civil rights experience and has spent time working in the section of the DOJ that enforces criminal HIPAA statutes, he does not appear to have much experience of privacy and security issues.

LGBT Groups Express Concern About New OCR Appointment

Many human rights organizations have expressed concern over the appointment of Severino as head of OCR due to the views he has previously expressed about transgender people and same-sex marriages. Severino has authored a number of reports in which he has spoken out in opposition of LGBT rights and pro-LGBT legislation. Severino has also spoken out against Planned Parenthood.

JoDee Winterhof, senior vice president of policy and political affairs at the Human Rights Campaign went as far as saying ‘There isn’t a more dangerous person to lead HHSGov’s Office for Civil Rights than LGBTQ opponent Roger Severino.”

Wade Henderson, president and CEO of The Leadership Conference on Civil and Human Right, said “The Office for Civil Rights at HHS is essential to ensuring that all people can lead healthy lives, free of discriminatory barriers. Section 1557 of the Affordable Care Act, which bans discrimination based on race, sex, disability and age in health programs and activities, is key to achieving this goal. Henderson went on to say, “Strong and experienced leadership at OCR committed to fully enforcing Section 1557 is therefore critical. Mr. Severino is not that leader.”

OCR is likely to be taken in a different direction under Severino’s leadership than it was under the directorship of Jocelyn Samuels. What impact Severino will have on OCR’s HIPAA enforcement activity and HIPAA guidance remains to be seen.

The post Roger Severino Named New Director of HHS’ Office for Civil Rights appeared first on HIPAA Journal.