All posts in HIPAA Business Associates

2017 HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

 

Art E.V.Pavlov_by_Repin

The first quarter of 2017 is not yet over and the OCR has already released details of four enforcement penalties totaling over $11 million.  2016 set a record with $20 million in fines for the year, with $5.2 million of that coming in the first quarter.  In just the first 2 months of 2017, the fines have been more than half what the entire amount for 2016 was.  Here are details about enforcement actions in 2017 thus far:

  1. Illinois health care network, Presence Health, was fined $475,000 for failing to notify patients of a breach within the 60-day period. The incident took place over 3 years ago.  In October 2013,  operating room schedules that were written on paper and contained PHI of 836 individuals went missing.   Patients were not notified of the breach until February of 2014.  This represents the first enforcement related to the timeliness of breach notification.
  1. An insurance company, MAPFRE, was fined $2.2 million for failure to safeguard portable devices and poor risk assessment and risk management.  OCR found that MAPFRE did not have an adequate security awareness training program in place for their workforce.   In 2011, an unsecured USB device containing the ePHI of 2,209 individuals was stolen from the company’s IT department.  Despite the corrective measures MAPFRE indicated it would take, it did not actually start securing portable devices until 3 years after the incident.
  1. Children’s Medical Center of Dallas received a $3.2 million fine for multiple incidents where devices with unsecured ePHI were stolen. In 2010 an unencrypted Blackberry was stolen with the ePHI of 3,800 individuals.  In 2013, an unencrypted laptop was stolen with ePHI of 2,463 individuals.  The OCR investigation discovered that the hospital did not begin to secure and safeguard workstations and portable devices until 2013 despite being aware of the risks for many years.
  1. Florida corporation, Memorial Healthcare System, agreed to pay a fine of $5.5 million. This ties Advocate Health Care Network’s fine in August of 2016 for the record of highest penalty.  In this incident, the PHI of 115,143 patients was improperly accessed and disclosed.   Memorial Healthcare failed to terminate a former employee’s log-in credentials which was then used to access 80,000 records with PHI over the course of an entire year.  The company also neglected to review the activity within the system that would have identified that the records were being improperly accessed.   Memorial discovered the breach while investigating two employees who were stealing patient information to file fake tax returns.

Not too long ago, I posted an overview of OCR’s enforcement in 2016.  OCR continues to be active in its enforcement, at its highest level to date.  This is a great opportunity for privacy and security officials to point out to upper management the need for greater resources and attention to HIPAA compliance.

Continue Reading

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement.  2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties.  At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.

The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.

Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:

Continue Reading

HIPAA Cartoon on HIPAA’s Jargon

Daniel Solove
Founder of TeachPrivacy

HIPAA Cartoon - TeachPrivacy HIPAA Training

HIPAA is famously impenetrable, with so many special terms and definitions.  I wrote this cartoon to capture the wonderful world of HIPAA jargon, which I hope fellow lovers of HIPAA can appreciate.

AHIMA LogoFor those who want an introduction to HIPAA and how the Privacy Rule and the Security Rule work, I produced a series of courses on HIPAA for the American Health Information Management Association (AHIMA). Each course is approximately 1 hour long.  The courses are:

• HIPAA Privacy: The Pillars of a Privacy Program
• HIPAA Privacy: Rights and Responsibilities
• HIPAA Security: Safeguarding PHI

They are available through AHIMA, but you can preview them on my site here.

HIPAA Courses - AHIMAThese AHIMA HIPAA courses are not for the entire workforce — the courses are for personnel who focus on HIPAA compliance and need to understand the basics of how HIPAA works.  My HIPAA training for the workforce is shorter as well as more basic and general.

I have another HIPAA cartoon here.

Continue Reading

HIPAA Cartoon – HIPAA Compliance Program

Daniel Solove
Founder of TeachPrivacy

HIPAA Training - Cartoon HIPAA Compliance

Recently, HIPAA celebrated its 20th birthday.  HHS issued a celebratory blog post.  HIPAA is 20 years old if you start counting from the date the statute was passed (1996).  If we measure HIPAA’s age from the date that the HIPAA Privacy Rule became effective (2003), then HIPAA is 13.

So HIPAA could be 20 years old, eager to become 21 and be able to drink (right now, it just makes people want to drink) or 13 years old and about to begin being an unruly teenager.

A few years ago, I published an article in the Journal of AHIMA to celebrate HIPAA’s 10th birthday (counting from when the Privacy Rule became effective).  The article discusses HIPAA’s growth and impact, and is a quick read if you’re interested.  You can download it for free here:

HIPAA Turns 10: Analyzing the Past, Present, and Future Impact
84 Journal of AHIMA 22 (April 2013)

Continue Reading

HIPAA’s Long Arm — and Why It’s a Good Thing

Daniel Solove
Founder of TeachPrivacy

HIPAA Training

Recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement and monetary penalty against a business associate (BA).

Continue Reading

New Resource Page: HIPAA Training Requirements FAQ

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Requirements Whiteboard 02

by Daniel J. Solove

I recently created a new resource page for the TeachPrivacy website: HIPAA Training Requirements: FAQ.

Continue Reading

New Resource Page: Text of HIPAA’s Training Requirements

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Requirements Text 01

by Daniel J. Solove

I recently created a new resource page for the TeachPrivacy website: Text of HIPAA’s Training Requirements.  This page provides excerpts of the training provisions in the HIPAA Privacy Rule and the HIPAA Security Rule.

This page is designed to be a useful companion page to our resource page, HIPAA Training Requirements: FAQ.  The FAQ discuss my interpretation of the HIPAA training provisions, but the full text of those provisions is located on the separate new resource page above.

Continue Reading

Lawsuits for HIPAA Violations and Beyond: A Journey Down the Rabbit Hole

Daniel Solove
Founder of TeachPrivacy

hipaa lawsuits 1

by Daniel J. Solove

At first blush, it seems impossible for a person to sue for a HIPAA violation. HIPAA lacks a private cause of action. So do many other privacy and data security laws, such as FERPA, the FTC Act, the Gramm-Leach-Bliley Act, among others. That means that these laws don’t provide people with a way to sue when their rights under these laws are violated. Instead, these laws are enforced by agencies.

Continue Reading

The Most Alarming Fact of the HIPAA Audits

Daniel Solove
Founder of TeachPrivacy

hipaa audits 1

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #5 of a series called Enforcing Privacy and Security Laws.

Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach.

What the audits thus far have revealed is quite alarming. I’ll discuss more on that later.

Continue Reading

The Brave New World of HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

hipaa enforcement

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #4 of a series called Enforcing Privacy and Security Laws.

hhs logoThe Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive health information from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs.

Continue Reading

The Best Preventative Medicine for Health Data Breaches

Daniel Solove
Founder of TeachPrivacy

data breach 1

by Daniel J. Solove

Last week, I gave a keynote address at a conference called Safeguarding Health Information: Building Assurance through HIPAA Security, sponsored by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). I’d like to summarize my remarks here for anyone interested who wasn’t able to attend.

Continue Reading

Follow Professor Solove on Social Media

Daniel Solove
Founder of TeachPrivacy

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:

Professor Solove’s LinkedIn Influencer blog

LinkedIn Influencer 02 You can follow Professor Solove on his blog at LinkedIn, where he is an “LinkedIn Influencer.”  He blogs about various privacy and data security issues. His blog has more than 600,000 followers.

LinkedIn Influencer 01

*    *    *    *

Professor Solove’s Twitter Feed

Twitter 01Professor Solove is active on Twitter and posts links to current privacy and data security stories and new scholarship, cases, and developments of note.

*    *    *    *

Professor Solove’s Newsletter

Newsletter 01Sign up for our newsletter where Professor Solove provides information about his recent writings and new training programs that he has created.

*    *    *    *

Professor Solove’s LinkedIn Discussion Groups

Please join one or more of Professor Solove’s LinkedIn discussion groups, where you can follow new developments on privacy, data security, HIPAA, and education privacy issues. You can also participate in the discussion, share interesting news and articles, ask questions, or start new conversations:

Privacy and
Data Security
HIPAA Privacy
and Security
Education Privacy
and Data Security
Image Group LinkedIn Logo Education Privacy 01 Image Group LinkedIn Logo HIPAA 01 Image Group LinkedIn Logo Privacy Security 01

6 Lessons from the Costliest HIPAA Settlement to Date

Daniel Solove
Founder of TeachPrivacy

Costliest HIPAA Settlement blog 1

by Daniel J. Solove

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the costliest HIPAA settlement to date — a $4.8 million settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU). The case involved the disclosure of protected health information on the Internet. Here are some lessons from this latest case:

Continue Reading

The HIPAA-HITECH Regulation, the Cloud, and Beyond

Daniel Solove
Founder of TeachPrivacy

HIPAA HITECH Privacy Trainingby Daniel J. Solove

The new HIPAA-HITECH regulation is here. Officially titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett’s play Waiting for Godot, HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too.

Continue Reading