The Office of Civil Rights (“OCR”) has issued new guidance in response to an increase in malicious cyberattacks, namely ransomware attacks on healthcare organizations’ computer systems. Ransomware is defined by HHS as a type of malicious software whose defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker until the requested ransom is paid.
The possibility of business associates potentially being audited, investigated, and ultimately fined is now a reality. On June 24, 2016, the United States Department of Health and Human Services’ Office of Civil Rights (“OCR”) entered into an agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) for $650,000 to settle potential HIPAA violations related to the theft of a CHCS iPhone that contained the protected health information of 412 nursing home residents.
This is the first settlement of this kind with a business associate. If there was ever a question as to how diligent business associates must be in implementing a HIPAA compliant program that includes the management of mobile devices used to transmit protected health information, this settlement makes it clear that business associates should be very vigilant.
The confidential health information of 1,615 Medicaid patients may have been compromised by the North Carolina Department of Health and Human Services (NC DHHS) on August 19, 2015, though the potential breach was not made public until October 19, 2015. According to Kendra Gerlach, a spokeswoman for NC DHHS, the potential breach occurred when an NC DHHS employee:
inadvertently sent an email to the Grenville County Health Department without first encrypting it. The information disclosed included the individuals’ first and last name, Medicaid identification number, provider name, provider ID number and other information related to Medicaid services. The social security number of two individuals who used this number as their Medicare ID number was also disclosed. Even though it cannot be confirmed at this time whether the unencrypted email was intercepted, all individuals that may have been affected were mailed a breach notification letter on October 16, 2015.
For those individuals who were potentially affected by this breach, and for anyone who finds themselves on the receiving end of a breach notification letter from a physician practice or other entity, it is advisable to contact one of the three nationwide consumer reporting companies and place an initial fraud alert on your credit reports. This alert will help prevent someone from opening new credit accounts in your name. A report to one agency is sufficient, because the agencies are required by law to share that information with each other. The three main consumer credit reporting agencies can be reached as follows:
Equifax: Equifax Credit Information Services, Inc., P.O. Box 740241, Atlanta, GA 30374-0241
P.O. Box 6790, Fullerton, CA 92834-6790
In addition to placing an initial fraud alert, individuals should regularly check their bank account statements and credit card bills for any activity that appears to be out of the ordinary.
It is important to carefully review the breach notification letter that you receive so that you understand what specific information was disclosed, when it was disclosed and to whom it was disclosed. If you have any questions, contact the person designated in the letter as soon as possible.
The Office of Civil Rights (“OCR”) recently announced that Phase 2 of the HIPAA audits would be further delayed because the audit portals and project management tools that are needed to initiate the audit process are not yet ready for use. Phase 2 of the HIPAA audits was initially slated to begin in the fall of 2014 and was subsequently moved to late 2014 or early 2015. Currently, no timeline has been provided as to when the next round of audits will officially begin.
A delay in Phase 2 of the OCR HIPAA Audits does not mean that covered entities and business associates should not continue to make sure they are in compliance with all HIPAA regulations. The potential consequences for failure to comply with HIPAA regulations are significant. While the audit portals are still under development, it is a good time for covered entities to (i) make sure their HIPAA policies and procedures are up to date and meet the latest privacy and security requirements, (ii) create a list of all business associates that provide services to the covered entity, and (iii) conduct an internal risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Among other things, Parker Poe’s healthcare attorneys advise our healthcare clients about (i) compliance with HIPAA’s privacy requirements as they affect healthcare information, including preparing employee and patient notices, plan policies and procedures, plan amendments and authorization and other forms, and (ii) HIPAA compliance requirements for business associates.