Latest HIPAA News

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website.

The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination.

Her comments explained how the disease was much worse than she expected it to be, having not encountered anyone with the measles in the past. She explained that it was a “rough” experience seeing the boy suffering from the disease.

She also explained in one of her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which obtained screenshots of her Facebook posts. “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear.”

Due to a high rate of vaccination (94.5%) in Houston, a measles case is very rare. Over the past ten years there have been fewer than 10 confirmed cases in the city. While the nurse did not post the child’s name on Facebook, her job was listed on her profile, along with the hospital where she worked, and information about the boy and his condition. Due to the information contained in the posts and the rarity of the disease, it is possible that the child could have been identified.

Texas Children’s Hospital suspended the nurse when officials found out about her social media posts and an investigation was launched. After receiving the suspension, the nurse appeared to realize that she had shared too much information and deleted several of her posts. Four days after the nurse was suspended the decision was taken to fire her for the HIPAA violation. An official from Texas Children’s Hospital confirmed the nurse lost her job as a result of violating hospital policies and federal laws by posting protected health information on a social media website, and not for her anti-vaxxing views.

The HIPAA Privacy Rule places restrictions on the allowable uses and disclosures of protected health information. Most healthcare professionals will be well aware that the posting of any protected health information on a social media website constitutes a HIPAA violation.

However, as this incident shows, the patient does not need to be mentioned by name in order for them to potentially be identified. If any personally identifiable protected health information is posted on social media without consent first being obtained from the patient, it constitutes a violation of the HIPAA Privacy Rule.

A good rule of thumb is to keep work and private lives separate, and never to post any information about patients on a social media platform, even if you do not think that a patient could be identified from the post.

At HIMSS 2017, the former deputy director of health information privacy at the HHS’ Office for Civil Rights (OCR) explained that OCR plans to issue guidance on HIPAA and social media and what is and is not acceptable.

The post Texas Nurse Fired for Social Media HIPAA Violation appeared first on HIPAA Journal.

Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information

On Wednesday, September 12, 2018, President Trump approved a request for a federal emergency declaration in the state of Virginia and made FEMA resources available for the state.

The Secretary of the U.S. Department of Health and Human Services, Alex Azar, has also declared a Public Health Emergency in Virginia, North Carolina, and South Carolina.

The Secretarial declaration eases certain HIPAA restrictions and helps Centers for Medicare & Medicaid Services’ (CMS) beneficiaries and their healthcare providers prepare for the possible impact of Hurricane Florence and provides greater flexibility to meet emergency health needs.

During severe disasters and public emergencies healthcare providers face increased challenges and may struggle to continue to meet all requirements of the HIPAA Privacy Rule.

In emergency situations, such as during hurricanes, the HIPAA Privacy Rule still applies; however, Alex Azar’s declaration of a Public Health Emergency means certain provisions of the Privacy Rule have been relaxed under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) of the Social Security Act.

During the period of the Public Health Emergency, sanctions and penalties against healthcare providers are waived for the following provisions of the HIPAA Privacy Rule.

  • 45 CFR 164.510(b) – The requirement to obtain authorization from a patient to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – The requirement to honor requests to opt out of the facility directory
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications

Sanctions and penalties for healthcare organizations have not been waived for any other requirements of the HIPAA Privacy, Security, and Breach Notification Rules.

The waiver only exists in the areas covered by the public health emergency declaration for the period identified in the declaration, and only when hospitals have initiated their disaster protocol. The waiver only lasts for 72 hours following the declaration of the emergency.

When the Presidential or Secretarial declaration terminates, the waiver no longer applies, even to those patients still in the care of a hospital and even if the 72-hour time period has not elapsed.

The HHS’ Office for Civil Rights has responded to the declaration by issuing guidance on appropriate sharing of health information in emergency situations, confirming how the HIPAA Privacy Rule applies to healthcare providers in the disaster emergency zone.

OCR has also made a HIPAA Emergency Preparedness Decision Tool available to help healthcare providers determine how the HIPAA Privacy Rule applies.

NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework – A framework of computer security guidance to help private sector companies assess their security policies and improve their ability to prevent, detect, and respond to cyberattacks.

The Framework has been a huge success. Figures from Gartner suggest it has already been adopted by 30% of companies, and adoption of the Framework is mandatory for all federal agencies.

Now NIST plans to start working on a new Framework to help companies protect the privacy of employees and customers in what has become an increasingly connected and complex environment.

The NIST Privacy Framework will be a voluntary enterprise-level tool that will detail privacy outcomes and approaches to help organizations develop strategies for implementing flexible privacy protection solutions. The aim is to ensure that individuals can benefit from the use of innovative technologies such as IoT and AI, with the confidence that their privacy will be protected. Adopting the Privacy Framework will help organizations manage privacy risks more effectively.

“We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter Copan.

Adopting the Cybersecurity Framework and ensuring good cybersecurity practices are followed helps companies reduce the risk of privacy breaches, but as NIST explained, “Privacy risks also can arise from how organizations collect, store, use, and share this information to meet their mission or business objective, as well as how individuals interact with products and services.”

NIST will take a collaborative approach when developing the new Framework as it did when it developed its Cybersecurity Framework. NIST plans to work with industry, academic institutions, civil society groups, standard-setting organizations, federal agencies, state, local, territorial, tribal, and foreign governments, and private companies through workshops and requests for public comment.

“We want to gather the best ideas from many stakeholders so that the privacy framework tool we develop is useful and effective for a wide range of organizations,” said NIST Senior Privacy Policy Advisor, Naomi Lefkovitz, who will lead the new project.

NIST plans to start gathering feedback on the new Framework at a public workshop being held in Austin, TX on October 16, in conjunction with the annual meeting of the International Association of Privacy Professionals.

Another Department of Commerce agency, the National Telecommunications and Information Administration (NTIA), is also working on a new privacy initiative. NTIA is currently developing a domestic legal and policy approach for consumer privacy in coordination with the International Trade Administration.

Final Participation Request: Emergency Preparedness Survey

Do you want to help determine the state of emergency preparedness in healthcare?

Over 100 HIPAA Journal readers have already participated in this survey and this is the last chance to contribute by completing this short anonymous survey on emergency preparedness and security communications trends.

This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next.

After you complete the survey, you will have the chance to enter into a raffle for a $150 gift card from the survey sponsor (RaveMobileSafety).

If you provide your email address, you’ll receive the published (anonymous) results before they are released.

HIPAA Journal will eventually publish the results.

Note: HIPAA Journal is not conducting this survey and HIPAA Journal does not receive any payment for promoting this survey.  If your organization is running a survey that is interesting to healthcare professionals, you can contact us with the details.

Medical Records from New Mexico Hospital Found Scattered in Street

The New Mexico Department of Health is currently investigating how the private medical records of some of its patients came to fall from a truck during transportation from the hospital to a secure storage facility.

The records came from Turquoise Lodge Hospital, a rehabilitation center run by the New Mexico Department of Health that specializes in the treatment of parents and pregnant women who are recovering from substance abuse.

The hospital had arranged for patients’ medical records to be collected and transported to a new location for storage. The paperwork was collected from the hospital on Thursday August 30; however, during transit some of those records fell out of the delivery truck onto a busy Albuquerque street.

KRQE News 13 sent reporters to the scene who discovered medical records strewn along Avenida Cesar Chavez at I-25. Some of the paperwork had been collected by members of the public.

The paperwork contained highly sensitive personally identifiable information (PII) and protected health information (PHI), including patients’ names, their medical histories, billing information, and Social Security numbers.

The New Mexico Department of Health was notified about the incident and sent a cleanup crew to collect the remaining paperwork on Friday August 31, at least 12 hours after the records had fallen off the truck. It is currently unclear whether all the records have been recovered.

An investigation has been launched to determine why the medical records were not secured in transit and how they were able to fall from the delivery truck. At this stage it is unclear exactly how many patients have had their health information exposed.

When those individuals are identified, the New Mexico Department of Health will send out notification letters in the mail. A report will also be submitted to the Department of Health and Human Services’ Office for Civil Rights and state authorities.

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices.

Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen.

Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially has the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions jeopardize the confidentiality, integrity, or availability of ePHI.

HIPAA – 45 CFR § 164.310(a)(1) – requires covered entities and their business associates to implement policies and procedures to restrict access to electronic devices and media and the facilities in which they are housed. 45 CFR § 164.310(d)(1) of the HIPAA Security Rule requires policies and procedures to be implemented to govern the receipt and removal of those devices into and out of an organization’s facility, as well as movement within the facility. Robust policies and procedures must be developed to ensure ePHI is appropriately protected at all times.

When developing policies and procedures covering portable electronic devices and media, OCR recommends that HIPAA covered entities and their business associates consider the following questions:

  • Are records tracking the location, movements, alterations, repairs, and disposition of devices and media in place covering the entire life cycle of the devices/media?
  • Does the organization’s record of device and media movement include the individual(s) responsible for such devices and media?
  • Have members of the workforce (including management) received training on the correct handling of devices/media to ensure ePHI is safeguarded at all times?
  • Have appropriate technical controls been implemented to ensure the confidentiality, integrity, and availability of ePHI, such as encryption, access controls and audit controls?

There are several methods for tracking electronic devices and media. Smaller healthcare organizations that only use a limited number of devices/media may be able to manually track the movement of their devices/media, although this becomes a major challenge if large numbers of devices are in use. In such cases, specialized inventory management software and databases may be more appropriate. OCR suggests the use of a bar-code system or RFID tags may make it easier to organize, identify, and track the movement of devices and media.

When deciding on the most appropriate device and media controls to implement, healthcare organizations and their business associates should be guided by their risk analysis and risk management processes. Full consideration should be given to size, complexity and capabilities; hardware and software capabilities; technical infrastructure; the cost of implementing security measures; and the probability and criticality of potential risks to ePHI.

Policies and procedures must also be developed and implemented to ensure that when devices/media reach end of life, all ePHI stored on the devices is permanently erased to prevent the information from being retrieved or reconstructed. OCR covered the secure disposal of ePHI in its July 2018 cybersecurity newsletter.

Organizations that fail to track electronic devices and media and ensure that ePHI is appropriately protected at all times run the risk of HIPAA fines for non-compliance.

The most recent example is University of Texas MD Anderson Cancer Center’s failure to encrypt ePHI on portable electronic devices. That violation resulted in a civil monetary penalty of $4,348,000.

The August 2018 cybersecurity newsletter can be downloaded on this link (PDF – 140KB)

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc. data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is that without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a statement to ZDNet confirming that it disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.

In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines.

The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained.

In total, 3,751 clients in New York had information such as their full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number exposed. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services’ Office for Civil Rights was informed, and a breach report was submitted to the New York Attorney General’s office.

Under HIPAA, The Arc of Erie County is required to safeguard the ePHI of its clients and prevent that information from being accessed by unauthorized individuals. The investigation into the breach by the New York Attorney General’s office confirmed that HIPAA Rules had been violated as appropriate physical, technical, and administrative safeguards had not been implemented to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, there had been an impermissible disclosure of clients’ ePHI.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said New York Attorney General Barbara D. Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

In addition to paying a financial penalty of $200,000, The Arc of Erie County has agreed to adopt a Corrective Action Plan (CAP) that includes the requirement to conduct a thorough risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. A report of that assessment must be submitted to the New York Attorney General’s office within 180 days. Any vulnerabilities identified must be corrected through a HIPAA-compliance risk management process and policies and procedures must also be reviewed and revised, based on the findings of the risk analysis.
