Posts Tagged ‘HIPAA’

Message sent and received: First HIPAA settlement involving a business associate – a cautionary tale

The math is eye-opening: a $650,000 settlement for a breach affecting 412 people. In the first HIPAA settlement involving a “business associate,” HHS’s Office for Civil Rights (OCR) has sent a strong message to all business associates about the importance of complying with HIPAA’s Privacy and Security Rules.

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provides management and information technology services to skilled nursing facilities, is a business associate under HIPAA because it performed certain services using protected health information (PHI) on behalf of a HIPAA “covered entity” (a description of covered entities is here and a description of business associates is here). In 2014 a smartphone provided by CHCS to an employee was stolen. The smartphone held PHI of 412 patients and was neither encrypted nor password-protected, so the theft of the device was the loss of the data. Read more…

Wellness plan compliance: Test your knowledge

August 20, 2014

Whether it’s a free gym membership or free healthy lunches, corporate wellness programs continue to expand as employers focus on reducing employees’ health risks by improving their lifestyle and behavior. An increasing number of employers are opting for incentive-driven plans that offer financial rewards or better health plan options to employees who participate in program activities, such as weight-loss challenges and healthy eating seminars. Rather than being strictly educational, incentive-based wellness programs tend to increase employee motivation to participate in activities and change their behavior. According to Optum Inc.’s 2014 Wellness in the Workplace Survey, over 40% of employers of various sizes said they now offer financial incentives tied to measurable improvements in employees’ health outcomes (e.g., weight loss, reduced cholesterol, quitting smoking). In addition, nearly 50% have incorporated non-participation penalties Read more…

Largest privacy breach payment to date since HIPAA enforcement in 2003

Capping off a three-year inquiry into a data breach of thousands of patient health records, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) earlier this month reached a $4.8 million settlement with New York Presbyterian Hospital (NYP) and Columbia University (CU). This is the largest payment for a privacy breach to date since enforcement of HIPAA’s Privacy Rule took effect in 2003.

NYP and CU operate Columbia University Medical Center under a joint venture, and share a data network and network firewall that is overseen by employees of both organizations. According to HHS, the shared network connects to NYP patient data systems that contain electronic protected health information (ePHI). The breach occurred in September 2010, when a physician at Columbia University deactivated a PC server on the network that contained ePHI. Because the server lacked adequate technical safeguards, nearly 7,000 patient records, containing information such as vital signs, medications, lab results and other status reports, became accessible through internet search engines. Hospital representatives said they had no knowledge of the breach until the partner of a deceased patient discovered ePHI on the internet and notified hospital officials. Read more…

Aol’s healthcare firestorm

February 27, 2014

Smart people say dumb things. That’s the moral of this story.

Tim Armstrong, CEO of AOL, came under fire recently for remarks he made at a company “Town Hall Meeting” regarding the company’s employee benefits. Following AOL’s decision to cut retirement benefits to make up for increases in its healthcare expenditures, Mr. Armstrong blamed the spike in healthcare costs on two things: President Obama’s healthcare reforms and two “distressed” babies who were covered by the plan.

First of all, discussing specific claims and situations relating to your general population of covered employees is a monumental error and should never be publicized. NEVER. While there was no specific HIPAA violation, the announcement was insensitive. The complexity of health insurance plan design and funding is not fully understood by everyone, and chalking up a cut in retirement Read more…

Final rule makes changes to HIPAA regs and HITECH Act and could lead to more breach notifications

On January 25, the Department of Health and Human Services (HHS) released its “Final Rule,” an update to several privacy and security protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Along with protecting patients’ privacy and giving individuals rights to access their health information, the rule modifies the definition of a breach of protected health information (PHI).

The Breach Notification Rule, mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), was originally issued in 2009 as an “interim final rule.” It defined a breach as a use or disclosure of PHI that posed “a significant risk of financial, reputational or other harm to the individual.” This meant that any covered entity (CE) under HIPAA could determine for itself whether or not a breach had occurred Read more…

When the government knocks, will your privacy insurance answer?

February 10, 2011

Most experts predict that 2011 will bring a significant increase in regulatory proceedings and fines against companies that suffer privacy breaches. The mushrooming number of privacy-related laws at the federal, state, local and foreign levels provides fertile ground for investigations and enforcement actions. Potential regulatory actors include the federal Department of Health and Human Services, the FTC, the SEC, FINRA, state attorneys general, the EU, and others.

The July 2010 settlement by Health Net of a HIPAA enforcement action brought by the Connecticut Attorney General provides a window into the near-term future. In settlement of an action arising from its loss of a portable hard drive containing unencrypted patient records, Health Net paid a $250,000 fine, agreed to an additional contingent payment of up to $500,000, agreed to take several corrective steps, and spent more than $7,000,000 Read more…

Ask the Experts: Concerns for privacy in healthcare

March 11, 2010

The Health Information Technology for Economic and Clinical Health Act (known as the “HITECH” Act), enacted as part of the American Recovery and Reinvestment Act of 2009, substantially expands the HIPAA privacy and security rules. A recent survey of Modern Healthcare readers found that privacy is a major concern given several key changes the act makes to healthcare information privacy law. This installment of “Ask the Experts” looks at the risk management issues this raises for healthcare operations.