The 2013 changes to HIPAA’s privacy and security regulations in combination with the government’s bolstered approach to compliance and enforcement reinforces the need for health care providers to remain focused on preparing for the inevitable likelihood that privacy or security issues will occur. With the number of significant data breaches expected to rise, it is … Continue Reading
Last week, President Obama signed into law a bill that will eradicate Social Security Numbers (SSNs) from all Medicare beneficiary cards over the next eight years. Medicare has four years to begin issuing cards with new identifiers, and four years after that to reissue cards to current beneficiaries. The removal of SSNs from the cards is not only expected to decrease the risks associated with identity theft for Medicare beneficiaries, but also Medicare's risk of exposure associated with breaches of protected health and personal information under HIPAA and state privacy laws.… Continue Reading
Two separate instances of unencrypted laptop theft from different health care providers have resulted in two settlements for potential violations of the HIPAA Privacy and Security Rules. These alleged violations were uncovered following investigations by the Department of Health and Human Services, Office for Civil Rights (OCR). In the first instance, involving Concentra Health Services, OCR found that Concentra had previously recognized its need for increased encryption on its technological devices but had failed to fully address this issue before the breach. In the second instance, involving QCA Health Plan, Inc. of Arkansas, OCR found that QCA had failed to comply with multiple requirements set forth by the HIPAA Security Rule. Both instances resulted in settlements comprised of financial payments to OCR as well as agreement to Corrective Action Plans that will allow for continued oversight by OCR in regards to HIPAA compliance.… Continue Reading
On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules. According to Susan McAndrew, deputy director of health … Continue Reading
The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass., to pay $150,000 to the Department of Health and Human Services' Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy, Security, and Breach Notification Rules. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act, passed as part of the American Recovery and Reinvestment Act of 2009.… Continue Reading