« April 2013 | Main | June 2013 »

May 22, 2013

IDAHO State University Gets Whacked with $400K HIPAA Fine!

See below. Expect this to be par for the course anytime a significant breach happen, and they are going to happen all the time over the next 3 to 5 years. $50K would have bought a significant amount of compliance protection. Now ISU will pay that (or more) and still have to pay $400K to HHS. I would venture to say that HHS simply let ISU off the hook for Privacy Rule violations that they likely found.

You can expect that the worse may not be over for ISU. Some enterprising law firm will file a class action lawsuit and, in any case, ISU has to pay the costs of notification. If the Ponemon institute is correct about the cost per record this will be a significant chunk of change,

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health Human Services (HHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  This settlement involves the breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic.

The Office for Civil Rights (OCR) opened its investigation after ISU notified HHS that the ePHI of approximately 17,500 individuals was accessible at its Pocatello Family Medicine Clinic because an ISU server firewall was disabled.  OCR investigators found that ISU did not apply proper security measures and policies to address risks to ePHI and did not have in place procedures for routine review of information system activity which could have detected the breach in the firewall much sooner. Overall, ISU failed to ensure the uniform implementation of required Security Rule protections at each of its covered clinics. 

  The  Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.html.

Posted at 08:39 AM |

May 01, 2013

A Business Associate Just Notified You of a Serious Breach: What now?

Webtones Pointer This article provides guidance regarding what to expect, and what you should do, once a Business Associate has notified you of a breach. By now, you should already have a plan in place that helps you respond to this dreaded predicament. However, we know from experience that many of you don't, and even if you do, read on, you may learn something new. 

The approach we take in the article is to use the breach notification process as a backdrop to point out a number of "holes" you may have in your HIPAA/HITECH compliance initiative, ones that you are likely not even aware of.

HITECH / HIPAA NewsletterTracking Security Incidents

The term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. An attempt qualifies as an incident. 
 
If you are not rigorously tracking incidents, then you can't possibly know when you have a breach. One of the first questions that an HHS auditor is going ask is "show me the system (i.e. the policies, processes and tracking mechanism) your organization uses to track security incident?" If you can't adequately answer this most basic of questions, you may be in willful neglect land five minutes into the audit.
 
Ok, so let's assume that for the purpose of this article you, as the covered entity, have a state of the art security incident tracking system in place. What we really want to know is "What kind of tracking system does your business associate have in place?" If the answer is "we don't have a clue," then may the HIPAA gods help you if it turns out that in fact, despite "catching" this incident, there is no business associate system in place at all.  

Key Contract SectionsHow Do You Know It's a Breach?

 In order to determine whether Breach Notification is triggered you need to follow a methodology that is mandated by the Breach Notification Rule ("Rule"). Although the Rule contains a basic methodology that is inherent in its text, it is not presented as such in the regulations. HIPAA/HITECH remain descriptive as opposed to prescriptive. That is, the regulations inform you as to what is required, but have very little (mostly nothing) to say about how you should go about complying. 

The methodology consists of a three part analytical framework which we turn our attention to next. Although the framework only consists of three parts, it is significantly more complex than it first appears.

SIgnup for our FREE Newsletter or wait until it appears in the archives to read the rest of the article.

 

Posted at 10:54 AM in HHS Omnibus Rule, HIPAA Breach Notificaiton, HIPAA Checklist |

My Photo

About

NEWSLETTER


  • ACO COMPLIANCE NEWSLETTER

    Join My ACO Mailing List

  • Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon
    Sign up for a FREE
    HITECH / HIPAA
    Compliance Newsletter

    Enter your email address

Categories

CC

Tools

  • Google Analytics

Essays and Such

  • HIPAA Survival Guide (PDF)
    Read the HSG in PDF format.
  • HIPAA Survival Guide (online)
    Practical advice for health care practitioners.

  • Search, KM & the Practice of Law

  • Silicon Stories eBook

  • Dirty Little Secret

  • Competitive Advantage

  • Process Patterns

  • Movie Making and Software Development

  • The Missing Factory

  • Architecture: Shack, House or Skyscraper?

  • The Talent Wars

  • Knowledge Management and Infotainment

  • What comes after what comes next?

February 2019

Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28    

Archives

More...