According to a February 12, 2019 Press Release from Protenus, a developer of analytics for patient privacy monitoring and compliance, 15,085,302 patient records were breached in 2018 – a startling number made even more startling by the fact that the number of breached patient records in 2018 is three times greater than the number of records breached in 2017.

As evidenced by the Protenus data and information reported by the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”), a growing number of these breaches relate to third-party hacking, ransomware, and related malware incidents (collectively, “Hacking/IT Incidents”). As such, the OCR data shines a bright light on the obvious difficulties that healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).

The following examines representative HIPAA settlements and rulings from 2018, and considers the 2018 breach statistics and the growing security risk associated with Hacking/IT Incidents.
Continue Reading Cybersecurity, Inside Jobs, Outside Jobs, and HIPAA

The Office for Civil Rights (“OCR”) issued a request for information (“RFI”) to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations (the “HIPAA Rules”) that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information (“PHI”).
Continue Reading OCR Seeks Ideas on HIPAA Rule Changes to Promote Value-Based Care and Coordinated Care

This follows the blog article posted November 28, “Connection and Innovation Take Center Stage at the Patient ENGAGE Conference” and is the second feature regarding the MedCity ENGAGE conference Nov. 6-7 in San Diego. Here, we focus on the aspects of the conference that explored the impact of technology on patient engagement, from wearables to DNA sequencing, to apps used by insureds to quit smoking while reducing insurance premiums in the process.
Continue Reading Patient Empowerment Through Technology is Focus of ENGAGE Conference

The following article was originally posted to the Eye on Privacy Blog on July 5, 2018

A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific incidents related to the theft of an unencrypted laptop and the loss of unencrypted USB flash drives, both of which contained electronic personal health information.
Continue Reading Texas Hospital Order to Pay $4.3M for Failure to Implement its HIPAA Security Policies

This is not a drill.

Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. Hospitals and healthcare entities in the UK and elsewhere were particularly hard hit and continue struggling to recover, with doctors around the world blocked from access to patient files and multiple emergency room and even entire-hospital shut-downs. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption costs to businesses is expected to range from the hundreds of millions to the billions of dollars.
Continue Reading WannaCry Ransomware Alert

The Center for Children’s Digestive Health (CCDH), a small, for-profit pediatric subspecialty practice that operates seven clinics in the Chicago area, has paid the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Continue Reading A $31,000 Mistake: Failing To Manage Business Associate Agreements Proves Costly For Providers

Covered entities have a long list of laws and regulations governing their conduct, including their communications with patients, customers, and members.  Specifically, the Health Insurance Portability and Accountability Act (“HIPAA”) permits many such communications, including those about health care products and services, but precludes certain “marketing” communications absent written consent.  Recently, however, healthcare providers and health plans have been subject to a spate of class actions alleging violations of the Telephone Consumer Protection Act (“TCPA”), which generally precludes autodialed (or “robo”) calls to residential and cellular phones.  The TCPA was originally enacted to curtail pesky “telemarketers,” but has recently been used to go after a range of other business.  The penalties under the TCPA can be substantial – at $500 to $1,500 per phone call, the statutory damages can quickly exceed $100 million.
Continue Reading Do Routine Calls by Health Plans to Patients and Health Plan Members Constitute “Telemarketing” Under the Telephone Consumer Protection Act? Not Today!

The Department of Health & Human Services (DHHS) Office of Civil Rights (OCR) recently announced it will devote more resources to investigate smaller HIPAA breaches. Before this announcement, OCR typically opened investigations for HIPAA breaches affecting more than 500 individuals.
Continue Reading OCR to Focus More Investigative Resources on Smaller HIPAA Breaches with Less Than 500 Individuals Affected

Messaging applications are popular tools to facilitate communication and workflow in healthcare settings—increasingly so as smart phones, tablets and other mobile mediums continue to penetrate the market. Organizations relying on or acquiescing in the use of informal messaging platforms, however, should be aware of the risk for data breaches and other HIPAA liability.
Continue Reading Communications Compliance: Are Messaging Applications Leaving Your Organization Vulnerable to HIPAA Liability?

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009.  An increase in the number of breaches isn’t the only statistic on the rise.  Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463).  It doesn’t take a crystal ball to predict that these numbers in 2015 will continue to rise.  We haven’t reached the apex yet.
Continue Reading What Can You Expect in 2015 Regarding HIPAA Enforcement?