Legal News about HIPAA and Healthcare Compliance

Seattle Children’s Hospital Sues Texas AG Over Demand for Trans Youth Medical Records

Posted by Steve Alder

The Texas Attorney General sent a civil investigative demand to Seattle Children’s Hospital seeking access to the medical records of trans patients. The hospital refused to provide the records and has filed a lawsuit that requests a Texas judge nullify the Attorney General’s demands.

The American Medical Association and the American Academy of Pediatrics believe that gender-affirming care is medically necessary and, in some cases, can be a lifesaving treatment for transgender youth; however, 20 states have imposed bans or placed restrictions on gender-affirming care for minors, and dozens of bills are being considered in other states. Earlier this year, Texas was added to that list when SB 14 was signed into law by Texas Governor Greg Abbott. The law prohibits the provision of gender transition care to Texas residents under 18 years of age.

In November 2023, Texas Attorney General Ken Paxton issued a civil investigative demand for the records of Texas residents who visited Seattle Children’s Hospital to receive gender-affirming care when under 18 years of age. In Washington, gender transition care can be legally provided to minors, including to individuals who travel to Washington from other U.S. states. AG Paxton sought access to information on diagnoses, lab test results, visit records, treatment for gender dysphoria, and other information about minor trans patients from Texas dating back to January 2022, along with the hospital’s standard protocol for treating patients with gender dysphoria who live in Texas. The hospital was given until December 7, 2023, to respond and provide the requested records.

The civil investigative demand was issued by the Texas Attorney General’s Consumer Protection Division as part of an investigation into alleged violations of the Texas Deceptive Trade Practices Act, specifically, the misrepresenting gender-affirming care. The demand for records was also accompanied by a threat of fines of $5,000 or a year in jail for anyone who concealed or falsified information. Seattle Children’s Hospital refused to provide the requested records and claimed that handing over the requested information would violate the Health Insurance Portability and Accountability Act (HIPAA), state healthcare privacy laws, and the recently passed House Bill (HB) 1469 – The Shield Law. The Shield Law protects individuals who travel to Washington to receive protected medical services such as abortion and gender-affirming care, which are banned or restricted in their home states.

Seattle Children’s Hospital also explained in its lawsuit that it owns no land in Texas, does not provide telehealth services to Texas residents, and has no offices in Texas, and while the hospital does employ a small number of individuals in Texas, none of those employees deal with gender-affirming care, therefore the state has no jurisdiction over the hospital’s practices. The lawsuit claims that the Texas Attorney General’s demands are unconstitutional and are an attempt to chill potential travel from Texas to obtain legal healthcare in another state. The lawsuit requests a Texas Travis County Court Judge overrule AG Paxton’s civil investigative demand, or at least modify the request or grant an extension for reply.

Washington University (WU) has also taken legal action against a state attorney general over a civil investigative demand that sought access to the medical records of trans patients, in that case, the demand was issued by the Missouri Attorney General as part of an investigation into deceptive trade practices under Missouri law. The Missouri attorney general responded with its own lawsuit seeking an order from the court for WU to provide the records immediately, and to get clarification from the court as to whether providing the requested records violated HIPAA.

The post Seattle Children’s Hospital Sues Texas AG Over Demand for Trans Youth Medical Records appeared first on HIPAA Journal.

MedStar Mobile Health Data Breach Settlement Proposed

Posted by Steve Alder

A settlement has been proposed by the Metropolitan Area EMS Authority to resolve a class action lawsuit that was filed by individuals affected by a 2022 cyberattack and data breach. Metropolitan Area EMS Authority is a Fort Worth, TX-based operator of an emergency and non-emergency ambulance service and does business as MedStar Mobile Healthcare. On October 20, 2022, unauthorized network activity was discovered, and the forensic investigation revealed unauthorized individuals had accessed parts of its network where patient data was stored. The hackers were able to access the protected health information of 612,000 individuals, including names, contact information, dates of birth, and limited medical information. The affected individuals were notified on December 19, 2022.

A class action lawsuit – Kaether v. Metropolitan Area EMS Authority d/b/a MedStar Mobile Healthcare – was filed in Texas District Court in response to the breach that alleged negligence for failing to secure sensitive patient data. The lawsuit also alleged breach of implied contract, negligence per se, breach of fiduciary duty, public disclosure of private facts, and unjust enrichment. Metropolitan Area EMS Authority chose to settle the lawsuit with no admission of liability or wrongdoing and will make an unspecified sum available to cover claims from individuals affected by the data breach, including a subclass of individuals who had HIPAA-covered protected health information exposed.

Under the terms of the settlement, individuals who were notified about the breach who have experienced unreimbursed out-of-pocket losses that are reasonably traceable to the data breach may submit claims for up to $3,000 to cover the losses, including travel expenses, long-distance phone calls, bank fees, credit costs, and any unreimbursed expenses and monetary losses from identity theft or fraud. Members of the HIPAA subclass may also claim up to four hours of lost time at $20 per hour. Claims must be accompanied by documented evidence that losses have been experienced. All class members will be entitled to a complimentary 12-month membership to a single-bureau credit monitoring service which includes a $1 million identity theft insurance policy. Metropolitan Area EMS Authority has also agreed to implement additional cybersecurity measures to better protect the sensitive data it stores and is providing its workforce with additional security awareness training. Measures that will be implemented by the end of the year include multifactor authentication and disabling Outlook Anywhere.

Individuals wishing to object to the settlement, or exclude themselves must do so by January 24, 2024, and claims must be submitted no later than February 23, 2024. The final fairness hearing has been scheduled for April 3, 2024. The plaintiff and class members were represented by Joe Kendall of the Kendall Law Group PLLC and Gary M Klinger
and Alexander Wolf of Milberg Coleman Bryson Phillips Grossman PLLC.

The post MedStar Mobile Health Data Breach Settlement Proposed appeared first on HIPAA Journal.

Horizon Actuarial Services Proposes $8.73M Settlement to Resolve Class Action Data Breach Lawsuit

Posted by Steve Alder

Horizon Actuarial Services has proposed a $8.73 million settlement to resolve all claims related to a hacking incident and data breach in 2022 that affected 227,953 individuals. Horizon Actuarial Services was contacted by a cyber actor in November 2022 who claimed to have stolen sensitive data in a cyberattack. The investigation confirmed there had been unauthorized access to two servers between November 10 and 11, 2021. The data stolen in the attack included names, dates of birth, Social Security numbers, and health plan information. Horizon Actuarial Services negotiated with the cyber actor and made a payment to prevent the stolen data from being sold, published, or misused.

A lawsuit – Sherwood, et al. v. Horizon Actuarial Services LLC – was filed in the U.S. District Court for the Northern District of Georgia on behalf of individuals affected by the data breach that alleged Horizon Actuarial Services had failed to implement reasonable and appropriate measures to protect the sensitive data stored on its servers. Horizon Actuarial Services has not admitted to any wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, a $8,733,446.36 fund will be established to cover claims from individuals who have experienced unreimbursed losses as a result of the data breach.

Class members may submit claims for reimbursement for up to $5,000 to cover out-of-pocket expenses reasonably traceable to the data breach and up to 5 hours of lost time at $25 per hour. All claimants can submit a claim for a $50 payment, and individuals who were California residents at the time of the data breach will be able to claim an additional $50 ($100 in total). The payments may be lower depending on the number of claims and will be paid pro rata.

Individuals wishing to object to or exclude themselves from the settlement must do so by January 22, 2024. Individuals wishing to submit a claim must do so by February 21, 2024. A final approval hearing has been scheduled for March 25, 2024. The plaintiffs and class members were represented by Terence R Coates of Markovits Stock & Demarco LLC, Gary M Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, and Kenya J Ready of Morgan & Morgan.

The post Horizon Actuarial Services Proposes $8.73M Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

ALPHV/BlackCat Ransomware Operation Disrupted by FBI

Posted by Steve Alder

The ALPHV/BlackCat ransomware group has been disrupted by the Federal Bureau of Investigation, in partnership with Europol and law enforcement agencies in Denmark, Germany, Australia, Spain, Austria, the Netherlands, and the United Kingdom, in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

ALPHV/BlackCat ransomware group first emerged in November 2021 and became one of the most prolific ransomware groups of recent years, second only to the LockBit ransomware group. ALPHV/BlackCat is a ransomware-as-a-service operation that uses affiliates to conduct attacks for a cut of any ransoms they generate. In its 2 years of operation, the group has claimed more than 1,000 victims worldwide and has collected hundreds of millions of dollars in ransom payments.

In early December 2023, the group’s Tor negotiation and data leak sites were taken offline which led to several security researchers suggesting that the group may have been the subject of a law enforcement operation, although a spokesperson for the group refuted those claims and said the websites were down due to a hosting issue. However, the U.S. Department of Justice (DoJ) has now confirmed that the outage was due to a law enforcement operation that saw the FBI successfully gain access to ALPHV’s infrastructure.

The law enforcement operation has been ongoing for several months. After breaching the servers, the FBI silently monitored operations and was able to obtain decryption keys, which allowed the FBI to develop a decryption tool that has helped more than 500 ALPHV victims decrypt their data without paying the ransom. According to the DoJ, the decryption tool has prevented the payment of around $68 million in ransom payments. The FBI was also able to seize the ALPHV data leak site, which now displays a banner stating the domain has been seized as part of an international law enforcement operation. The FBI obtained 946 public and private key pairs for the group’s affiliate panel, communication sites, and Tor sites that supported its operations.

ALPHV/BlackCat started out under the name DarkSide in the summer of 2020 and was behind the ransomware attack on Colonial Pipeline in May 2021. The high-profile attack on a U.S. critical infrastructure organization attracted considerable attention from law enforcement, and the group promptly shut down its operation and reformed under the name BlackMatter. In June 2021, the Department of Justice announced that it had seized $2.3 million in cryptocurrency from the DarkSide affiliate responsible for the attack. The BlackMatter operation was short-lived and was shut down in November 2021 after a decryptor was developed and law enforcement seized its servers; and was immediately replaced with ALPHV/BlackCat, which has been highly active until the recent takedown.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

While the law enforcement operation has been successful, the group is likely to rebrand as it has done in the past and continue its attacks under a different name. In the meantime, affiliates that have been working with ALPHV/BlackCat may choose to join other ransomware groups such as LockBit.

The post ALPHV/BlackCat Ransomware Operation Disrupted by FBI appeared first on HIPAA Journal.

Missouri Attorney General Files Lawsuit in Response to WU Refusal to Provide Transgender Patients’ Records

Posted by Steve Alder

The Missouri Attorney General has filed a counterclaim in response to a lawsuit filed by Washington University (WU) over the legal basis of civil investigative demands for documentation about medical procedures performed on transgender patients. WU is refusing to provide records from its Transgender Center that contain patient information, which the Missouri Attorney General claims are essential to the investigation.

Missouri Attorney General, Andrew Bailey, issued civil investigative demands for documentation in February 2023 pursuant to an investigation of the Washington University Transgender Center, including records of patients who received treatment. The investigation was initiated in response to allegations by a whistleblower that the clinic had administered experimental drugs, puberty blockers, and cross-sex hormones without sufficient assessments and also pressured parents into giving consent. WU strongly denies the allegations.

Washington University complied with the investigative demand and provided documentation but did not provide patient records as it did not believe the Missouri Attorney General had the legal authority to demand the records. The Attorney General claimed that he had the authority to request the records under the Missouri Merchandising Practices Act (MMPA); however, WU argues that the MMPA is a consumer protection law concerning deceptive advertising and the investigation appears to be into medical decision-making at the Transgender Center. In its lawsuit, Washington University asked a St. Louis Circuit Court judge to confirm if the Attorney General has the authority to request the records and, if not, to narrow AG Bailey’s investigative demands.

In the counterclaim, AG Bailey claims that WU initially agreed to comply with the investigative demand and then later changed its position, claiming that the federal Health Insurance Portability and Accountability Act (HIPAA) prohibits the disclosure of patient data. In the counterclaim, AG Bailey asked for the court to rule on whether HIPAA prohibits the disclosure of PHI in response to civil investigative demands. With respect to the documentation sent by Washington University, the documents were not downloaded before the link expired, and after issuing requests to resend, received a file that could not be opened. When the file was resent it contained heavily redacted information, with patient data unviewable.

The counterclaim answers the question about the legality of the demand and claims that the investigation concerns whether the Transgender Center was “boosting patient volume by falsely advertising compliance with Endocrine Society, World Professional Association for Transgender Health (WPATH) and similar group guidelines while in fact sharply deviating from those guidelines,” and that “Inducing a person to purchase gender transition services through unfair or deceptive practices leads to life-altering physical consequences.”

The Attorney General claims that the consumer-protection statute grants “extraordinarily broad authority,” including investigating medical malpractice issues. The Attorney General claims the requested documents are essential to the investigation and will reveal whether children underwent irreversible procedures without proper parental consent. AG Bailey seeks an order from the court for the documentation to be provided within 20 days.

The Missouri Attorney General has also claimed that the Biden administration has been quietly interfering with the investigation and alleges that WU changed its position on providing the records after a federal probe. Initially, WU agreed to provide the records, then, after the probe, claimed providing those records violated HIPAA.

The post Missouri Attorney General Files Lawsuit in Response to WU Refusal to Provide Transgender Patients’ Records appeared first on HIPAA Journal.

Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000

Posted by Steve Alder

The New York Attorney General has agreed to settle alleged violations of New York’s data security and consumer protection laws with Healthplex, one of New York’s largest providers of dental insurance. Healthplex has agreed to pay a penalty of $400,000 to resolve the investigation with no admission of wrongdoing.

Attorney General Letitia James launched an investigation of Healthplex after being notified about a breach of the personal and protected health information of 89,955 individuals, including 62,922 New York residents to determine if Healthplex had complied with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and New York’s data security and consumer protection laws.

The data breach occurred on or around November 24, 2021, and was the result of an employee responding to a phishing email and disclosing her account credentials. The account contained more than 12 years of emails, some of which included customer enrolment information. Credentials alone should not be sufficient to gain access to email accounts; however, Healthplex had not implemented multi-factor authentication on its recently deployed Office 365 web interface.

The unauthorized individual used the account to send further phishing emails internally, and it was the reporting of those emails by employees that identified the attack. The attacker had access to the account for a period of almost 6 hours before access was terminated; however, during that time, the attacker could access emails dating from May 7, 2009, to November 24, 2022. The emails contained member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, driver’s license numbers, usernames and passwords for the member portal, email addresses, phone numbers, dates of service, provider names, billing information, procedure codes, diagnosis codes, prescription drug names, and plan affiliations. While unauthorized access was confirmed, insufficient logging capabilities meant it was not possible to determine which emails had been accessed or copied.

The affected individuals were notified in April and Healthplex took steps to improve security, including extending multifactor authentication to the Office 365 web interface, implementing a 90-day email retention policy, enhancing its logging capabilities, and providing further training on phishing detection and avoidance to the workforce. The investigation determined that the measures implemented by Healthplex prior to the phishing attack did not meet the standards required by New York’s data security and consumer protection laws with respect to data retention, logging, and multifactor authentication, and its data security assessments failed to identify the risk from storing years of data in email accounts when there was no business purpose for retaining that information.

In addition to paying a financial penalty, Healthplex has agreed to maintain a comprehensive information security program, encrypt personal data, implement an email retention schedule for employee email accounts, enforce the use of complex passwords, and conduct penetration tests to identify vulnerabilities. “Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”

The post Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000 appeared first on HIPAA Journal.

Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000

Posted by Steve Alder

The New York Attorney General has agreed to settle alleged violations of New York’s data security and consumer protection laws with Healthplex, one of New York’s largest providers of dental insurance. Healthplex has agreed to pay a penalty of $400,000 to resolve the investigation with no admission of wrongdoing.

Attorney General Letitia James launched an investigation of Healthplex after being notified about a breach of the personal and protected health information of 89,955 individuals, including 62,922 New York residents to determine if Healthplex had complied with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and New York’s data security and consumer protection laws.

The data breach occurred on or around November 24, 2021, and was the result of an employee responding to a phishing email and disclosing her account credentials. The account contained more than 12 years of emails, some of which included customer enrolment information. Credentials alone should not be sufficient to gain access to email accounts; however, Healthplex had not implemented multi-factor authentication on its recently deployed Office 365 web interface.

The unauthorized individual used the account to send further phishing emails internally, and it was the reporting of those emails by employees that identified the attack. The attacker had access to the account for a period of almost 6 hours before access was terminated; however, during that time, the attacker could access emails dating from May 7, 2009, to November 24, 2022. The emails contained member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, driver’s license numbers, usernames and passwords for the member portal, email addresses, phone numbers, dates of service, provider names, billing information, procedure codes, diagnosis codes, prescription drug names, and plan affiliations. While unauthorized access was confirmed, insufficient logging capabilities meant it was not possible to determine which emails had been accessed or copied.

The affected individuals were notified in April and Healthplex took steps to improve security, including extending multifactor authentication to the Office 365 web interface, implementing a 90-day email retention policy, enhancing its logging capabilities, and providing further training on phishing detection and avoidance to the workforce. The investigation determined that the measures implemented by Healthplex prior to the phishing attack did not meet the standards required by New York’s data security and consumer protection laws with respect to data retention, logging, and multifactor authentication, and its data security assessments failed to identify the risk from storing years of data in email accounts when there was no business purpose for retaining that information.

In addition to paying a financial penalty, Healthplex has agreed to maintain a comprehensive information security program, encrypt personal data, implement an email retention schedule for employee email accounts, enforce the use of complex passwords, and conduct penetration tests to identify vulnerabilities. “Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”

The post Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000 appeared first on HIPAA Journal.

OCR Imposes First HIPAA Penalty for a Phishing Attack

Posted by Steve Alder

The HHS’ Office for Civil Rights (OCR) has agreed to settle a landmark cyber investigation and has imposed its first financial penalty under the Health Insurance Portability and Accountability Act (HIPAA) for a phishing attack. Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, reported a data breach to OCR on May 28, 2021, involving the protected health information (PHI) of up to 34,862 individuals.

According to the breach notification, a hacker gained access to the email account of one of its owners on March 30, 2021, following a response to a phishing email that spoofed one of the medical group’s owners. The threat actor gained access to the Microsoft 365 environment, which contained patient data. Lafourche Medical Group said that because of the size of the email system, it was not possible to determine all patient information that had been exposed so notification letters were mailed to all patients. The exposed data included names, addresses, dates of birth, dates of service, e-mail addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.

OCR launched an investigation into the incident to determine whether a failure to comply with the HIPAA Rules led to or contributed to the security breach. OCR’s investigators discovered Lafourche Medical Group had not conducted a security risk analysis prior to the phishing attack. The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information. OCR also determined that Lafourche Medical Group had not implemented procedures to regularly review records of information system activity prior to the phishing attack. This is also a required implementation specification of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(D).

Lafourche Medical Group agreed to settle the investigation with no admission of liability or wrongdoing. In addition to paying a sizeable financial penalty, Lafourche Medical Group has agreed to implement a robust corrective action plan (CAP) which includes establishing and implementing security measures to reduce security risks and vulnerabilities to ePHI, developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules, and providing HIPAA training to all staff members who have access to PHI. OCR will also monitor Lafourche Medical Group for two years to ensure compliance with the HIPAA Rules.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

This is the 12th HIPAA violation penalty imposed by OCR in 2023 and the second-largest of the year. So far this year, OCR has imposed HIPAA penalties totaling $4,016,500

 

The post OCR Imposes First HIPAA Penalty for a Phishing Attack appeared first on HIPAA Journal.

CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General

Posted by Steve Alder

In late September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack and data breach that affected 48,742 individuals. A settlement has been reached that will see CarePointe pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability (HIPAA) Act and state data privacy and security laws.

CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers in Merrillville, Munster & Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT experienced a ransomware attack which resulted in files being encrypted and data being exfiltrated. The stolen data included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information. Affected individuals were notified about the data breach in August 2021.

AG Rokita launched an investigation into the attack to determine if CarePointe ENT had complied with its obligations under HIPAA and state laws. Despite claiming that it was committed to safeguarding patient information, CarePointe ENT was determined to have failed to implement appropriate security policies, conduct appropriate risk analyses, and address known security risks in a reasonable amount of time.

CarePointe ENT hired a third-party IT vendor that conducted a HIPAA risk analysis and identified security concerns in January 2021. The vendor was hired in March to address the identified vulnerabilities, but they were not fixed in a reasonable time frame. In June 2021, some of the unaddressed vulnerabilities were exploited in a ransomware attack. In addition to the failure to address known security issues, CarePointe ENT failed to enter into a business associate agreement with the vendor, even though the vendor was provided with access to systems containing protected health information.

AG Rokita’s lawsuit alleged one count of a failure to comply with the HIPAA Privacy Rule, one count of failing to comply with the HIPAA Security Rule, one count of failing to comply with the Indiana Disclosure of Security Breach Act (DSBA), and one count of failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA). CarePointe ENT chose to settle the alleged violations of HIPAA and state laws with no admission of wrongdoing. Under the terms of the settlement, a financial penalty of $125,000 will be paid to the state and CarePointe ENT has agreed to ensure full compliance with the HIPAA Privacy and Security Rules and the DCSA and DSBA with respect to the safeguarding of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, confidentiality, and integrity of PI, PHI, and ePHI.

The settlement agreement includes a comprehensive list of privacy and security measures. These include implementing a comprehensive information security program, appointing a HIPAA Security Officer to oversee that program, implementing technical safeguards and controls to ensure the privacy and security of patient data, developing an incident response plan and testing that plan through table-top exercises, developing policies and procedures regarding business associate agreements, and providing privacy and security training to all members of the workforce with access to PI, PHI, or ePHI,

The post CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General appeared first on HIPAA Journal.