Latest HIPAA News

IRS Issues Warning About W-2 Phishing Scams

Posted by HIPAA Journal

W-2 phishing scams increased considerably in 2015 prompting the IRS to issue a warning about the risk of attack. Now, just over 4 weeks into 2017, the IRS has issued a further warning in response to the sheer number of W-2 phishing scams that have been reported so far this year.

This type of scam – often referred to as business email compromise (BEC) or business email spoofing (BES) – is simple, but highly effective. The attacker sends an email request to a payroll or HR staff member and requests W-2 Form data for the entire workforce by return. Typically, the request is for the W-2 Forms of all individuals who worked in the previous tax year. The information is often asked for in PDF format.

The request appears to come from the company’s CEO, CFO, or another high-ranking executive with authority. Payroll and HR employee respond to the email and send data as requested as the email seems genuine. The individual who appears to have sent the request is likely to have a need for the information.

Research is conducted on the company by the attackers. They find out the email addresses of staff members to target and select an executive that is likely to have a need for W-2 Form data. The email address of the chosen executive is then spoofed using a variety of techniques to make the request appear to have been sent from within the company.

The consequences of responding to such a scam can be serious, certainly for an organization’s employees. The data on W-2 Forms can be used for a wide range of nefarious purposes, although the main purpose of the attack is to obtain the data necessary to file fraudulent tax returns.

Last year, there were at least 145 reports of successful W-2 phishing scams sent to the IRS and more than 29,000 employees were impacted by those scams. Given the number of successful scams already reported this year, 2017 looks set to be far worse than last year.

There have been at least 23 such scams pulled off in January, and over the past week, the number of reports received by the IRS has increased substantially.

It is not only the corporate world that is being targeted. Healthcare institutions, school districts, nonprofits, tribal organizations, restaurant chains, staffing agencies, shipping, and freight companies are all being targeted. In fact, any business or organization is a potential target.

This year, a new trend has emerged. In addition to the W-2 phishing scams, victims are also subjected to a second attack. The same spoofed email account is used to send a request to payroll or the comptroller requesting a bank transfer be made.

These scams were commonplace in 2016. In some cases, transfers of millions of dollars were sent to fraudsters’ accounts. The FBI reported that cybercriminals attempted to steal $3.1 billion by the middle last year. The transfer amounts ranged from around $10,000 to tens of millions of dollars.

The year may still be young, but several organizations have been stung twice and have sent W-2 Form data and made fraudulent bank transfers.

To avoid becoming a victim of these scams, employees must be made aware of the risk and instructed to exercise caution. Any request to send W-2 Form data should be treated as suspicious, even if that request appears to have been made by the CFO.

Policies should be introduced that require payroll/HR staff to properly authenticate any request for W-2 forms that are sent via email. Internal policies should also be developed covering wire transfers – and especially international wire transfers – to ensure such requests are authenticated before transfers are processed.

The post IRS Issues Warning About W-2 Phishing Scams appeared first on HIPAA Journal.

High Costs are Preventing Many Patients from Accessing their Medical Records

Posted by HIPAA Journal

The HIPAA Privacy Rule permits patients to obtain a copy of their medical records from their healthcare providers on request. By obtaining copies of medical records, patients are able to take a more active role in their healthcare and treatment. Obtaining copies of medical records also makes it much easier for patients to share their medical records with other healthcare providers and make smarter choices about their healthcare.

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently explained patients’ right to obtain copies of their medical records and created a series of videos explaining how the HIPAA Privacy Rule applies to patients. OCR also issued guidance for HIPAA-covered entities on allowable charges for labor, printing, and postage last year.

A flat fee of $6.50 has been recommended for providing electronic copies of medical records – should HIPAA-covered entities opt for a single charge for providing designated record sets to patients. While not all covered entities choose this model, the costs associated with obtaining copies of electronic copies of medical records are usually relatively low. However, not all patients have easy access to the technology that will allow them to view those records.

In such cases, paper copies are the only option, yet the cost of obtaining printouts of medical records is often considerably higher. In many cases, obtaining paper copies of medical records can be prohibitively expensive, especially for patients who have extensive medical histories spanning several pages. If the costs of obtaining medical records are too high, patients will be discouraged from accessing their medical records. That can make it harder for patients to choose their healthcare providers and share their ePHI.

Many physicians are concerned that the amounts being charged by some healthcare providers prevents many patients from exercising their rights under HIPAA to obtain copies of their medical records.

A recent article published in JAMA Internal Medicine highlights just how expensive it can be for patients to obtain their medical records if they choose paper over electronic copies.

The researchers indicate the cost of obtaining paper copies of medical records in Texas, for example, can be as high as $3.57 per page, not including the cost of postage or providing images. For a medical file of 15 pages, the cost would be $53.60. A full copy of medical records spanning 100 or more pages would see the price jump to several hundred dollars. For many Americans, the cost would prevent them from obtaining a copy of their records.

The high cost not only prevents patients from sharing their data with healthcare providers, it also has potential to prevent patients from providing their medical data for use in research. Patients would also not have the opportunity to check their medical records for errors, which could have a major negative impact on future care.

Currently, only one state – Kentucky – has laws in place that require healthcare providers to provide copies of medical records free of charge in the first instance. Researchers for the article suggest that the laws in Kentucky should serve as a model that all states should follow.

The post High Costs are Preventing Many Patients from Accessing their Medical Records appeared first on HIPAA Journal.

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years.

It is relatively rare for OCR a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR.

Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015, to August 30,2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently, Children’s Medical Center of Dallas was required to pay the full civil monetary penalty of $3,217,000, making this the biggest HIPAA violation penalty of 2017, eclipsing the payments made by Presense Health ($475,000) and MAPFRE Life Insurance Company of Puerto Rico ($2.2 million).

Children’s Medical Center of Dallas is run by Children’s Health, a Dallas-based healthcare system comprising three hospitals and numerous clinics in North Texas. On January 18, 2010, OCR was notified by Children’s Medical Center that a breach of patients’ electronic protected health information (ePHI) had occurred. The breach involved the loss of a Blackberry device containing the ePHI of 3,800 patients. The device had not been encrypted and was not protected with a password, allowing any individual who found the device to access the ePHI of patients.

An investigation into the breach was launched on or around June 14, 2010. As part of the investigation, Children’s Medical Center provided OCR with a Security Gap Analysis conducted by Strategic Management Systems, Inc., (SMS) between December 2006 and February 2007. That analysis revealed a lack of risk management at Children’s Medical Center. In the report, SMS recommended that Children’s Medical Center implement encryption on portable devices such as laptop computers to prevent the exposure of ePHI in the event that a device be lost or stolen. Children’s Medical Center failed to act on that recommendation.

PricewaterhouseCoopers (PwC) conducted an analysis of threats and vulnerabilities to ePHI in August 2008. In the PwC report, it was also recommended that Children’s Medical Center implement encryption on laptop computers, workstations, mobile devices, and portable storage devices such as USB thumb drives. PwC determined that the use of encryption was “necessary and appropriate.” Children’s Medical Center failed to act on PwC’s recommendations, even though encryption was rated as a “high priority” item.

To OCR it was clear that Children’s Medical Center was aware of the risks to the confidentiality, integrity, and availability of ePHI and that were was a lack of appropriate safeguards for ePHI at rest. Children’s Medical Center was aware of the risks as early as March 2007, more than a year before the security incident occurred and ePHI was exposed. Had Children’s Medical Center acted on the recommendations of SMS or PwC the breach could have been avoided.

In addition to the lost Blackberry in 2010, Children’s Medical Center reported the loss of an unencrypted iPod containing the ePHI of 22 patients. The loss occurred in December 2010. On July 5, 2013, Children’s Medical Center notified OCR of another breach involving an unencrypted device. In this case, the laptop theft resulted in the exposure of 2,462 individuals’ ePHI.

Even after the data breaches were experienced, Children’s Medical Center failed to act; only implementing encryption on portable devices in April, 2013. From 2007 to April 9, 2013, nurses were using unprotected Blackberry devices that contained ePHI, while other workers were using unencrypted laptop computers and mobile devices until April 9, 2013.

Encryption of ePHI is not mandatory for HIPAA-covered entities. The use of encryption to safeguard the confidentiality, integrity, and availability of ePHI is an ‘addressable’ issue.

HIPAA-covered entities are required to conduct a comprehensive, organization-wide risk assessment to determine vulnerabilities that could potentially result in the exposure of ePHI. If, after performing the risk assessment, the covered entity determines that encryption is not ‘reasonable and appropriate’, the reasons why encryption is not deemed necessary must be documented and an equivalent measure must still be implemented to ensure ePHI is appropriately secured. Children’s Medical Center failed to document why encryption had not been used and also failed to implement an equivalent security measure.

Furthermore, OCR determined that prior to November 9, 2012, Children’s Medical Center did not have sufficient policies and procedures governing the removal of hardware and electronic equipment from its facilities or movement of the devices within its facilities. Until November 9, 2012, Children’s Medical Center could not tell how many devices those policies and procedures should apply to: A full inventory was only completed on November 9, 2012. While devices had been inventoried prior to November 9, 2012, devices managed by the Biomedical department were not included in that inventory, breaching the HIPAA Security Rule (45 C.P.R. § 164.310(d)(l)).

While efforts were made to resolve the HIPAA violations informally, Children’s Medical Center was unable to ‘provide written evidence of mitigating factors or affirmative defenses and/or its written evidence in support of a waiver of a CMP.’

OCR determined that the violations were due to reasonable cause and not willful neglect of HIPAA Rules. Had that not been the case, the penalty would have been considerably higher. OCR considered the fact that there had been no apparent harm caused to patients as a result of the lost devices, and chose the minimum penalty amount of $1,000 per day that the violations were allowed to persist.

OCR’s Final Notice of Determination can be viewed on this link.

According to OCR Acting Director Robinsue Frohboese, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential.” Frohboese also explained that the lack of risk management can be costly for covered entities, “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

The post $3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas appeared first on HIPAA Journal.

OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs

Posted by HIPAA Journal

An annual review of Medicare administrative contractors’ (MACs) information security programs has shown them to be ‘adequate in scope and sufficiency’, although a number of security gaps were found to exist.

The Social Security Act requires each MAC to have its information security program evaluated on an annual basis by an independent assessor. Each MAC must have the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) evaluated, in addition to the information security controls of a subset of systems.

The Department of Health and Human Services’ Office of Inspector General (OIG) is required to submit a report of the annual MAC evaluations to congress. The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) for this year’s evaluations.

The OIG report to congress shows a total of 149 security gaps were discovered to exist in the financial year 2015; a marked increase from the previous year. In 2014, the same 9 MACs were evaluated and 16% fewer security gaps were discovered.

A security gap is defined as an incomplete implementation of FISMA or CMS core security requirements. The security gaps identified are ranked as high, medium, or low-risk, depending on their severity.

PwC identified 22 high-risk gaps, 46 medium-risk gaps, and 81 low-risk gaps. According to the OIG report, 9 percent of the high and medium-risk gaps were identified in the previous year’s evaluations and had not yet been addressed. Four out of the six repeat gaps were determined to be high risk in both 2014 and 2015.

While the number of gaps increased by 16%, OIG points out that the scope of the evaluations was greater this year, with additional controls assessed in the 2015 financial year. The average number of gaps per MAC was 17. The highest number of gaps identified at any one MAC was 25 and the lowest was 14.

The biggest FISMA problem areas were ‘policies and procedures to reduce risk’ and ‘periodic testing of information security’, which had 45 and 41 security gaps identified respectively across the 9 MACs. 15 security gaps were identified with ‘system security plans’. Gaps were identified across all the FISMA control areas that were tested.

OIG reports that each MAC had 4-7 gaps related to policies and procedures to reduce risk. The evaluations showed that the most common security gaps were policies and procedures related to mobile device encryption, platform patch management, and external information systems that did not meet CMS requirements.

Each MAC had four to six gaps related to periodic testing of information security controls, including the failure to consistently enforce change management procedures and deficient system security configurations. There were one to three gaps in system security plans, including the failure to consistently enforce access control procedures, the failure to review policies and procedures within 365 days of the previous review date, and having a system security plan that did not reflect the current operating environment.

Each MAC is responsible for developing its own corrective action plan to address the high and medium risk security gaps identified by PwC. Each MAC must ensure that each of the identified gaps is remediated in a timely manner.

OIG has recommended that CMS continue with its oversight of MACs and should ensure that each MAC remediate all the identified high and medium-risk gaps in a timely manner.

The post OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs appeared first on HIPAA Journal.

Tax Season Triggers Wave of W-2 Business Email Compromise Attacks

Posted by HIPAA Journal

Campbell County Health is the latest victim of a W-2 business email compromise attack, which has resulted in the tax information of 1,457 hospital employees being disclosed to a scammer.

The Gillette, WY-based healthcare system discovered Wednesday that an employee had responded to an email request for the W-2 form data of hospital employees. As is common in these scams, the attacker impersonated a hospital executive and requested W-2 information for all employees who had taxable earnings in 2016.

A 66-year old hospital worker responded to the email and sent the information as requested. However, rather than being sent to the hospital executive, the data was sent to the scammer.

Andy Fitzgerald, CEO of Campbell County Health issued a statement confirming “no protected health information for our employees or our patients were released in this incident.” The breach was limited to W-2 data. All affected employees have now been contacted and have been offered identity theft protection services through a leading credit monitoring and identity theft protection company.

Law enforcement has been notified of the attack and hospital officials and a cyber security response team are investigating are trying to identify the attacker. Fitzgerald said the incident is being treated very seriously and “we will continue to review and enhance our security practices to further secure our systems.”

While Campbell County Health is one of the first healthcare organizations to report a W-2 attack this year, it is far from alone. Over the course of the past few weeks there have been numerous business email compromise attacks reported.

This week, eight school districts in Missouri were targeted by scammers. The Missouri Department of Elementary and Secondary Education confirmed that an employee of one of those districts – The Odessa School District –fell for the scam and emailed employee W-2 form data to the attacker. Also this week, the Tipton County Schools District in western Tennessee experienced a similar attack that resulted in the tax information of its employees being emailed to a scammer.

Tax season always sees a massive rise in business email compromise attacks and other tax-related scams. Last year, more than 41 U.S companies reported that employee’s personal information had been compromised as a result of these scams in the first quarter of 2016. The massive increase in attacks in 2016 prompted the IRS to issue a warning to organizations of the high risk of an attack. In the first quarter of 2016, tax-related malware and phishing incidents increased by 400%. The FBI reports an 1,300% increase in BEC attacks since January 2015.

The scams typically involve the impersonation of the CEO or CFO of a company, or another individual with authority. An email is sent to a member of the accounts, billing, or HR departments requesting details W-2 information of employees. The attacks are often successful because employees are unwilling to question requests from the CFO, CEO or other C-suite members.

These attacks tend to be highly targeted. Employees are often researched via professional networking and social media websites and are sent carefully crafted emails from spoofed email accounts. In some cases, corporate email accounts are compromised and the email requests are sent from genuine company accounts.

To counter the threat, all individuals in a company with access to employee data should be notified of the threat and warning of the increased risk of attack during tax season. A system should also be set up to ensure that any request for employee information is authenticated by some other means than email.

The post Tax Season Triggers Wave of W-2 Business Email Compromise Attacks appeared first on HIPAA Journal.

New Report Reveals 2016 Data Breach Trends

Posted by HIPAA Journal

2016 was a particularly bad year for healthcare data breaches. The healthcare industry was targeted by ransomware gangs, careless employees left healthcare records exposed, and hackers broke through defenses on numerous occasions. 2016 was nowhere near as bad as 2015 in terms of the number of healthcare records stolen or exposed, but more healthcare data breaches were reported in 2016 than in previous years. But how did 2016 compare to other industries?

A new data breach report from Risk Based Security has revealed the 2016 data breach trends across all industries and confirms just how bad a year 2016 was for cybersecurity incidents. The total number of data breaches reported in 2016 – 4,149 data breaches – was on a par with 2015. However, the severity of data breaches in 2016 was far worse.

Until 2016, the worst year in terms of the number of records exposed or stolen was 2013, when the milestone of 1 billion exposed or stolen records was exceeded for the first time. However, in 2016 there were 3.2 billion more records exposed or stolen than that landmark year. More than 4.2 billion records were exposed or stolen between January and December 2016.

The worst security breaches of 2016 were caused by hackers. 9 out of the top 10 worst data breaches of 2016 were due to hacks, with one web breach ranking in the top ten. 2016 saw six data breaches make the top ten list of the worst data breaches ever reported as well as the worst ever data breach – The 1 billion-record breach at Yahoo. The top ten breaches of the year resulted in the theft or exposure of more than 3 billion records. Seven out of the top ten data breaches of 2016 had a severity score of 10/10, with an average score of 9.96/10.

94 data breaches involving more than 1 million exposed records were reported over the course of the year – a 63% increase year on year. 37 data breaches of more than 10 million records were reported – an increase of 105% over 2015.

Risk Based Security’s figures show the United States was the worst hit. 47.5% of data breaches affected U.S. companies and those breaches accounted for 68.2% of the total number of exposed or stolen records. California was the worst hit state, registering 234 breaches and 80.48% of exposed records. Florida in second place with 113 breaches, followed by Texas with 105 and New York with 104.

While healthcare industry data breaches increased in 2016, they still only made up a small percentage of the total – 9.2% and just 0.3% of the total number of records exposed. The business sector was the worst hit, registering 51% of data breaches over the course of the year. Those breaches accounted for 80.9% of exposed or stolen records.

The 2016 data breach report indicates 7.6% of breaches were reported by medical institutions and 2.1% by hospitals. 11% of medical data breaches involved third parties.

Hacking was the main cause of breaches in 2016, accounting for 53.3% of the total. Those breaches were also the most severe, accounting for 91.9% of exposed or stolen records. One of the most common techniques used by hackers in 2016 was SQL injection, although in many cases there was no need to hack at all. More than 256 million records were exposed or stolen as a result of misconfigured databases and websites.

Insider breaches were a major cause of healthcare data breaches in 2016, although across all industries, insider incidents only accounted for 18.3% of the total. While malware attacks were frequent, they only accounted for 4.5% of the total number of breaches and 0.4% of exposed records.

The Data Breach QuickView Report can be downloaded on this link.

The post New Report Reveals 2016 Data Breach Trends appeared first on HIPAA Journal.

NIST Publishes Draft of Updated Cybersecurity Framework

Posted by HIPAA Journal

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul.

According to Matt Barrett, NIST’s program manager for the Cybersecurity Framework, “We wrote this update to refine and enhance the original document and to make it easier to use.” The new version incorporates feedback received following the December request for comments on how the framework is being used for risk management, the sharing of best practices, long term management of the Framework, and the relative value of different elements of the Framework.

The Cybersecurity Framework was originally intended to be used for critical infrastructure to safeguard information assets, although its adoption has been much wider. The Framework is now being used by a wide range of organizations of all types and sizes to reduce cybersecurity risk. The update reflects the wide range of organizations that are now using Framework.

The updated version sees vocabulary added to help organizations use the framework for cyber supply chain risk management and cyber supply chain risk management has been added to the Framework core. In the draft, NIST has also expanded the section on communicating cybersecurity requirements with stakeholders to aid understanding of cyber supply chain risk management.

NIST explains, “A primary objective of cyber SCRM is to identify, assess and mitigate products and services that may contain potentially malicious functionality, are counterfeit or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.”

The access control and identity management definitions have also been updated, clarifying authentication, authorization, and identity proofing. The relationship between implementation tiers and profiles has been explained in detail, and a new section has been added on cybersecurity measurement.

Measuring an organization’s security status over time will enable organizations to convey meaningful risk information. Barret explained that “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”

NIST is seeking comments on “version 1.1” of the Framework by April 10. NIST plans to hold a public workshop on the new version in the fall of this year.

The post NIST Publishes Draft of Updated Cybersecurity Framework appeared first on HIPAA Journal.

$2.2 Million Settlement for Impermissible Disclosure of ePHI

Posted by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted.

MAPFRE reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals.

Multiple Areas of Noncompliance with HIPAA Rules Discovered

During the course of the investigation, OCR discovered numerous HIPAA noncompliance issues:

45 C.F.R. 164.502(a) – Impermissible disclosure of the ePHI of 2,209 individuals.

5 C.F.R. 164.308(a)(1)(i) – A failure to conduct a comprehensive risk assessment to evaluate risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and a failure to implement measures to reduce risks to an appropriate level.

45 C.F.R. 164.308(a)(5)(i) – A failure to implement a security awareness training program for all members of the workforce.

45 C.F.R. 164.312(a)(2)(iv) – A failure to implement data encryption or an equivalent measure to safeguard the ePHI stored on portable storage devices.

45 C.F.R. 164.316 (a) – A failure to implement reasonable and appropriate policies and procedures to safeguard ePHI to comply with HIPAA standards implementation specifications.

Additionally, the corrective measures MAPFRE said it would undertake following the submission of a breach report to OCR on August 5, 2011 were delayed. MAPFRE did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

OCR considered the financial position of MAPFRE along with the number and severity of HIPAA violations when determining the resolution amount. In addition to paying OCR $2,204,182, MAPFRE is required to adopt a corrective action plan to address all areas of noncompliance.

HIPAA and Data Encryption

HIPAA does not require covered entities to implement encryption on portable devices used to store ePHI. Data encryption is only an addressable issue. However, covered entities must conduct a thorough risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. If, after assessing risks, covered entities determine that other controls are in place to safeguard ePHI and data encryption is not appropriate, the reasons for not implementing encryption must be documented.

Recent HIPAA Settlements

OCR has stepped up its enforcement of HIPAA Rules in recent years, with more settlements agreed in 2016 than in any other year to date. Last year, 12 healthcare organizations settled potential HIPAA violations with OCR, and one civil monetary penalty (CMP) was imposed.

MAPFRE is the second HIPAA-covered entity to settle potential HIPAA violations with OCR in 2017. Last week, OCR announced a settlement of $475,000 had been agreed with Presense Health for violations of the HIPAA Breach Notification Rule.

The post $2.2 Million Settlement for Impermissible Disclosure of ePHI appeared first on HIPAA Journal.

No HIPAA Violation Fine for Virginia State Senator

Posted by HIPAA Journal

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign.

Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information was also disclosed to a direct mail company: A violation of the HIPAA Privacy Rule. At least two complaints were received by the Department of Health and Human Services’ Office for Civil Rights about the privacy violation last year.

An OCR regional office contacted Dunnavant after being alerted to the privacy violation and informed her that her actions constituted an impermissible use and disclosure of PHI – violations of the HIPAA Privacy Rule.  Such violations can result in financial penalties being issued.

Dunnavant, who was later elect to the state senate, could have been fined up to $250,000 for the HIPAA violation and could potentially have been imprisoned for up to 10 years. However, OCR has chosen not to take further action.

No financial penalty was deemed appropriate as Dunnavant took immediate action to minimize damage. The investigation into the HIPAA violations has now been closed.

HIPAA violations are not always punishable with civil monetary penalties and do not always require resolution agreements. OCR prefers to resolve HIPAA violations through voluntary compliance and by issuing technical assistance. Civil monetary penalties and resolution agreements are typically reserved for the most serious violations of HIPAA Rules.

While Dunnavant’s use of patient contact information to solicit contributions did violate HIPAA Rules, the privacy violation was relatively minor and no patients came to harm as a result. Dunnavan believed her actions were permitted under HIPAA Rules as she had obtained a business associate agreement prior to disclosing the information.

Senator Dunnavant told the Richmond-Times Dispatch that the mailings were intended to advise patients of her political activity and reassure them that it would not have an impact on the provision of medical services. Dunnavant said she sought advice from her lawyers and medical practice board before sending the letter and no HIPAA issues were raised.  She also said she regretted adding an appeal for political support to the letters.

The post No HIPAA Violation Fine for Virginia State Senator appeared first on HIPAA Journal.