"HIPAA Breach Notification"

The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance.

  • In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure to make timely required breach notifications as required by the HIPAA Breach Notification Rule. This is the first settlement HHS has reached based on the untimely reporting or notification of a breach. HHS found that the network failed to notify HHS, the affected individuals, and the media within the required 60-day timeframe. Instead, the network made these notifications over 100 days after discovery of the breach. HHS found that the delay was a result of “miscommunications between . . . workforce members.” Under the regulation, each day on which the network failed to make the required notifications could be penalized as a separate violation of HIPAA.
  • In January, HHS announced a $2.2 million settlement with a health insurance company after the company filed a breach report indicating that a portable USB device, which contained the PHI of over 2,000 individuals, had been stolen. An HHS investigation found that the company had not conducted a risk analysis, as required by the HIPAA Security Rule, and had not implemented appropriate risk management to safeguard electronic PHI. Furthermore, the company lacked adequate encryption on its laptops and removable storage media.


A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone. This recent enforcement action should put business associates

Recently, the Workgroup for Electronic Data Interchange (WEDI) published a Breach Risk Assessment Issue Brief for stakeholders to use in analyzing whether a breach of protected health information (PHI) has occurred under the Health Insurance Portability and Accountability Act (HIPAA).


Under HIPAA’s breach notification rule, covered entities and business associates are required to notify affected individuals, HHS, and, sometimes, the media when they determine that a breach of unsecured PHI has occurred.

On July 11, the Department of Health and Human Services (HHS) announced that WellPoint, a managed care company, paid HHS $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules.

Like other recent enforcement actions, HHS initiated its investigation into WellPoint after the company provided notification of a breach of unsecured protected health information (PHI). WellPoint’s breach report, submitted in June 2010, indicated that security weaknesses in an online application database had left the electronic PHI of approximately 612,402 individuals accessible to unauthorized individuals online.

HHS’s investigation indicated that:

  • From October 2009 to March 2010, WellPoint did not adequately implement policies and procedures for authorizing access to electronic PHI in the online application consistent with the HIPAA Security Rule;
  • WellPoint did not perform a sufficient technical evaluation following a software upgrade related to authentication safeguards for the online application;
  • For the same five-month period, WellPoint did not implement technology to verify that persons or entities seeking access to the application were who they claimed to be; and
  • For that same period, WellPoint impermissibly disclosed the electronic PHI (including names, dates of birth, Social Security numbers, and health information) of approximately 612,402 individuals whose information was maintained in the application.
