United Healthcare Group (UHG) CEO Andrew Witty was in a board meeting on Feb. 21 when officials interrupted with the news that Change Healthcare—a clearinghouse UHG subsidiary Optum had purchased for $1.3 billion in October...more
5/13/2024
/ Business Associates ,
Covered Entities ,
Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Department of Health and Human Services (HHS) ,
Hackers ,
Health Care Providers ,
Healthcare ,
Legislative Agendas ,
OCR ,
Patients ,
Personal Information ,
Popular ,
Privacy Laws ,
Regulatory Oversight ,
Regulatory Requirements
Organizations typically deal with ransomware attacks out of the public eye, but the massive scale of United Healthcare Group’s (UHG) February breach made that an impossibility. UHG CEO Andrew Witty was recently on the hot...more
5/13/2024
/ Breach Notification Rule ,
Cyber Attacks ,
Cyber Incident Reporting ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
Healthcare Facilities ,
Incident Response Plans ,
Medical Records ,
Patients ,
Popular ,
Privacy Laws ,
Ransomware
Although the HHS Office for Civil Rights (OCR) described its recent $4.75 million agreement with a Bronx, New York, hospital as settling a “malicious insider cybersecurity investigation,” the agency considered a total of 11...more
3/12/2024
/ Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Employees ,
Enforcement Actions ,
Health Care Providers ,
Healthcare ,
HIPAA Security Rule ,
HIPAA Violations ,
Hospitals ,
Internal Investigations ,
Popular ,
Risk Assessment ,
Settlement
Report on Patient Privacy 23, no. 11 (November, 2023)
Tim DiBona clearly remembers Christmas Eve 2018 when the staff of his small firm—Doctors’ Management Service (DMS)—arrived at their West Bridgewater, Mass., office to...more
11/10/2023
/ Compliance ,
Corrective Action Plans (CAPs) ,
Cyber Attacks ,
Cyber Incident Reporting ,
Cybersecurity ,
Data Breach ,
Data Management ,
Data Protection ,
Data Recovery ,
Electronic Protected Health Information (ePHI) ,
Fines ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
OCR ,
Popular ,
Ransomware ,
Risk Management
Report on Patient Privacy 23, no. 10 (October, 2023)
By 2016, it should have been clear to HIPAA covered entities that a security risk analysis—and corresponding risk management plan—were compliance basics. Yet, a new...more
10/6/2023
/ Compliance ,
Covered Entities ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Disclosure Requirements ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
OCR ,
Privacy Laws ,
Risk Assessment ,
Risk Management
Five Years After ‘a Singular Human Error,’ Two Breach Notices, Revenue Firm Settles With OCR -
As far as settlements for alleged HIPAA violations go, a recent agreement announced by the HHS Office for Civil Rights (OCR)...more
6/9/2023
/ Data Breach ,
Data Security ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
File Transfer Protocols (FTP) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Violations ,
OCR ,
PHI ,
Risk Assessment ,
Settlement ,
State Data Breach Notification Statutes ,
Subcontractors
Report on Patient Privacy Volume 22, Number 11. (November 2022)
Nearly five years passed from the time the University of Texas MD Anderson Cancer Center reported to the HHS Office for Civil Rights (OCR) that three...more
11/14/2022
/ Administrative Law Judge (ALJ) ,
Civil Monetary Penalty ,
Data Breach ,
Data Privacy ,
Department of Health and Human Services (HHS) ,
Enforcement Actions ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Violations ,
HITECH Act ,
OCR ,
Patient Privacy Rights ,
PHI ,
Statutory Penalties
Report on Patient Privacy 22, no. 9 (September, 2022) -
When recommending best practices, federal privacy and security officials stress that organizations need to follow their protected health information (PHI) wherever...more
9/12/2022
/ Business Associates ,
Corrective Action Plans (CAPs) ,
Covered Entities ,
Data Breach ,
Department of Health and Human Services (HHS) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Improper Disposal ,
OCR ,
PHI ,
Settlement Agreements
Report on Patient Privacy 22, no. 8 (August, 2022) -
Oklahoma State University Center for Health Sciences’ (OSUCHS) breach might not have seemed all that serious at the time: No data is believed to have been misused,...more
8/16/2022
/ Breach Notification Rule ,
Corrective Action Plans (CAPs) ,
Cybersecurity ,
Data Breach ,
Data Breach Costs ,
Data Privacy ,
Data Security ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Privacy Rule ,
HIPAA Security Rule ,
HIPAA Violations ,
Medical Centers ,
OCR ,
Settlement Agreements
Report on Patient Privacy 22, no. 6 (June, 2022) -
Sometimes numbers tell the most compelling story. So, here are some associated with a cyberattack the University of Vermont Medical (UVM) Center suffered in October 2020...more
Report on Patient Privacy 22, no. 5 (May, 2022) -
Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and...more
5/6/2022
/ Business Associates ,
Civil Monetary Penalty ,
Corrective Action Plans (CAPs) ,
Covered Entities ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Department of Health and Human Services (HHS) ,
Enforcement Actions ,
Fines ,
Funding ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Violations ,
HITECH Act ,
Injunctive Relief ,
OCR ,
PHI ,
Popular ,
Privacy Laws
Report on Patient Privacy 22, no. 3 (March, 2022) -
Typically a “legacy” describes the lasting impact of an influential person or movement, most often in a positive sense. Not so with medical devices. When legacy is applied...more
3/14/2022
/ Cyber Attacks ,
Cyber Threats ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Health Technology ,
Hospitals ,
Incident Response Plans ,
Medical Devices ,
PHI ,
Physicians ,
Popular
Report on Patient Privacy 22, no. 2 (February, 2022) -
The new national health information network calls for a number of privacy and security safeguards and standards that, in some instances, exceed what HIPAA covered...more
2/14/2022
/ Audits ,
Business Associates ,
Certifications ,
Covered Entities ,
Cyber Incident Reporting ,
Cyber Insurance ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Security ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Mobile Apps ,
Notification Requirements ,
PHI ,
Popular
Report on Patient Privacy 21, no. 11 (November, 2021) -
Attorney Brad Hammer doesn’t always don a suit and tie, or what he calls his “lawyer’s uniform.” A privacy and security expert and founder of the Vakaris Group based...more
11/15/2021
/ Business Associates ,
Chief Compliance Officers ,
Covered Entities ,
Cyber Attacks ,
Cyber Insurance ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Health Care Providers ,
Information Security ,
Information Technology ,
Phishing Scams ,
Policies and Procedures ,
Ransomware ,
Risk Mitigation ,
Training
Report on Patient Privacy 21, no. 10 (October, 2021) -
Conducting a risk analysis is a basic tenet of security compliance, with the overarching goal of understanding where protected health information (PHI) “lives” in an...more
10/15/2021
/ Business Associates ,
China ,
Covered Entities ,
Cyber Attacks ,
Cyber Threats ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Due Diligence ,
FBI ,
Hackers ,
Health Care Providers ,
National Security ,
PHI ,
Physicians ,
Risk Mitigation
Report on Patient Privacy 21, no. 5 (May 2021) -
Given the hundreds of thousands of HIPAA covered entities (CEs) and business associates (BAs) and the two dozen or so enforcement actions the HHS Office for Civil Rights...more
5/7/2021
/ Business Associates ,
Cooperation ,
Covered Entities ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Security ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Enforcement Actions ,
Failure to Notify ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Privacy Rule ,
Investigations ,
OCR ,
PHI ,
Popular
Report on Patient Privacy 21, no. 3 (March 2021) -
Sometime during the fall, a worker for a subcontractor of Humana Inc. decided to share actual member information from medical records via a Google document with people he...more
3/25/2021
/ Business Associates ,
Business Associates Agreement (BAA) ,
Compliance ,
Covered Entities ,
Data Breach ,
Data Protection ,
Department of Health and Human Services (HHS) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Medical Records ,
Notice Requirements ,
OCR ,
Patient Privacy Rights ,
PHI ,
Subcontractors
Report on Patient Privacy 21, no. 2 (February 2021) -
Unless an extension is granted or the notice of proposed rulemaking (NPRM) is withdrawn, covered entities (CEs) and business associates (BAs) have until late March to...more
2/26/2021
/ Business Associates ,
Comment Period ,
Covered Entities ,
Data Breach ,
Department of Health and Human Services (HHS) ,
Health Care Providers ,
HIPAA Privacy Rule ,
HIPAA Violations ,
Medical Records ,
Notice of Proposed Rulemaking (NOPR) ,
OCR ,
Right of Access ,
Settlement Agreements
Report on Patient Privacy 20, no. 12 (December 10, 2020) -
Transparency and contrition are two qualities that HIPAA officials at covered entities (CEs) and business associates (BAs) might want to think about expressing...more
Report on Patient Privacy 20, no. 12 (December 10, 2020) -
In late September, Anthem Inc. entered into a $39.5 million settlement for a 2014 data breach that affected nearly 79 million individuals. About a week later,...more
12/18/2020
/ Cybersecurity ,
Data Breach ,
Data Privacy ,
Electronic Protected Health Information (ePHI) ,
Enforcement Actions ,
Hackers ,
Health Care Providers ,
Health Insurance ,
HIPAA Breach ,
Medical Records ,
PHI ,
Settlement ,
State Attorneys General
Report on Patient Privacy 20, no. 11 (November 2020) -
In her 14-plus years of investigating and blogging about hacking and breaches, “Dissent” has been yelled at, threatened with lawsuits and accused of being a criminal....more
11/10/2020
/ Criminal Liability ,
Cyber Attacks ,
Cyber Crimes ,
Cyber Incident Reporting ,
Cyber Threats ,
Cybersecurity ,
Data Breach ,
Data Breach Plans ,
Data Privacy ,
Data Protection ,
Data Security ,
Electronic Protected Health Information (ePHI) ,
Hackers ,
HIPAA Breach ,
OCR ,
Personally Identifiable Information ,
PHI ,
Phishing Scams ,
Popular ,
Ransomware
Report on Patient Privacy 20, no. 10 (October 2020) -
September was quite the month for enforcement actions by the HHS Office for Civil Rights (OCR). The agency announced eight settlements totaling more than $10 million....more
10/16/2020
/ Business Associates ,
Compliance ,
Corrective Action Plans (CAPs) ,
Covered Entities ,
Data Breach ,
De-Identified Protected Health Information ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Hackers ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
PHI ,
Settlement
Report on Patient Privacy 20, no. 8 (August 2020) -
Last month, leaders from Agape Health Services in rural Washington, North Carolina, were happy to share photos of the shell of a building in neighboring Plymouth, that,...more
8/10/2020
/ Chief Compliance Officers ,
Civil Monetary Penalty ,
Compliance ,
Corrective Action Plans (CAPs) ,
Data Breach ,
FQHC ,
Health Care Providers ,
HIPAA Security Rule ,
Laches ,
Noncompliance ,
OCR ,
Patient Privacy Rights ,
Rural Health Care Providers ,
Settlement
Report on Patient Privacy 20, no. 7 (July 2020) -
During the first six months of this year, 228 breaches affecting 500 or more individuals were reported to the HHS Office for Civil Rights (OCR), and of the top 20, five...more
Report on Research Compliance 17, no. 1 (January 2020) -
Ah, those pesky residents. If you’re a teaching hospital, you can’t live without them, right? But sometimes living with them is mighty costly, as the University of...more
12/19/2019
/ Administrative Appeals ,
Civil Monetary Penalty ,
Covered Entities ,
Data Breach ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Encryption ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Violations ,
Laptop Computers ,
Medical Research ,
Medical Residents ,
OCR ,
PHI ,
Settlement ,
Teaching Hospitals