5,800 Affected by Business Associate Email Breach

An email breach at Magellan National Imaging Associates claims another covered entity victim, Geisinger Health Plan. Magellan, hired by the health plan to manage their radiology benefits, discovered on July 5 that an employee’s email account was compromised. The account in question had been sending out spam emails originating from outside of the U.S. since May. Although Geisinger is unable to determine whether or not protected health information (PHI) [...]

October 29th, 2019

Proper PHI Disposal

The HIPAA Privacy Rule requires that covered entities apply appropriate safeguards to protect the privacy of protected health information (PHI). The required safeguards include administrative safeguards, physical safeguards, and technical safeguards. The rule includes requirements for proper PHI disposal. What is Required for Proper PHI Disposal? Under the HIPAA Privacy Rule, covered entities must implement reasonable safeguards to avoid prohibited uses or disclosures of PHI. The reasonable safeguards that must [...]

October 29th, 2019

9,700 Patients Affected by Healthcare Breach

Shore Speciality Consultants Pulmonology Group notified 9,700 patients in a breach notification letter that their protected health information (PHI) may have been compromised. On July 8, 2019, the Group discovered that their network server was accessed by an unauthorized individual on July 7, 2019. The affected patients were part of sleep studies; patients who did not participate in a sleep study were not affected. Although there was no evidence that [...]

October 28th, 2019

What is the National Patient Identifier Repeal Act?

When HIPAA was enacted in 1996, the law called for development of a unique patient identifier (sometimes referred to as a “national patient identifier”). In 1999, Congress passed legislation prohibiting the Department of Health and Human Services from funding, implementing or developing a unique patient identifier system. This ban has been in place since then. Recent legislative activity in the US Senate seeks to preserve this status quo. Specifically, [...]

October 25th, 2019

HIPAA Firewall Controls

The HIPAA Security Rule and Firewall Controls: Under the technical safeguard requirements of the HIPAA Security Rule, covered entities must implement policies and procedures to protect electronic protected health information (ePHI) from improper alteration or destruction. Firewall controls are used to provide such protection. Proper firewall use can help to ensure that a covered entity’s network does not fall victim to unauthorized access that might compromise the confidentiality, integrity, [...]

October 24th, 2019

$2.15 Million Civil Monetary Penalty Issued Against Jackson Health

The headline speaks for itself. On October 15, 2019, the Office for Civil Rights (OCR) at the Department of Health and Human Services (DHHS) imposed a $2.15 million civil monetary penalty against Miami-based Jackson Health Systems (JHS). OCR based the hefty fine on a multitude of HIPAA violations, which occurred over a six-year period. What Is the $2.15 Million Civil Monetary Penalty Based On? JHS is a fairly [...]

October 23rd, 2019

Doctor to Doctor Sharing of PHI Under HIPAA

Generally, doctor-to-doctor sharing of protected health information (PHI) is permitted under the HIPAA regulations. When Is Doctor to Doctor Sharing of PHI Permitted Under HIPAA? Under the HIPAA Privacy Rule, a covered entity may disclose PHI to facilitate treatment, payment, or health care operations (TPO) without a patient’s express written authorization. Any other disclosure of PHI requires the covered entity to obtain and store written authorization from the individual [...]

October 23rd, 2019

Is Mailing Breach Notification Letters to Wrong Patient a Breach?

Alive Hospice, based in Tennessee, experienced a healthcare breach due to phishing emails. A phishing email occurs when a hacker disguises themselves as a trusted user, prompting recipients to click on a malicious link, allowing access to their email account. The incident was reported on July 3rd and affected 608 patients. Under the Health Insurance Portability and Accountability Act (HIPAA), Alive was required to mail breach notification letters to [...]

October 22nd, 2019

10 Tips for Protecting Patient Health Information in the Workplace

Protecting patient health information in the workplace involves employees following practical measures so that a covered entity is compliant. Below are ten tips for protecting patient protected health information (PHI) in the healthcare workplace. Take steps to minimize the risk of unauthorized access by implementing access controls. Provide training on PHI handling for employees who perform health care administrative functions. Be mindful of when patient written authorization is required. [...]

October 22nd, 2019

68,000 Patients Affected by Indiana Healthcare Breach

Methodist Hospitals, based in Indiana, experienced a phishing attack that affected 68,039 patients. Phishing attacks occur when hackers send an email disguising themselves as trusted entities, often prompting recipients to click on a malicious link. The healthcare breach allowed access to the email accounts of two Hospital employees from March 13 to July 8. In response to the breach, Methodist Hospitals recommended that patients monitor their credit reports and account statements, [...]

October 21st, 2019