Toyon Associates, Inc.

Latest News | HIPAA


Utah Technology Director Resigns in Wake of Data Theft at State Health Department

May 15, 2012

From: Washington Post – 5/15/12

SALT LAKE CITY — Utah’s chief technology officer has resigned following the theft of hundreds of thousands of online medical records from state computers by unknown hackers.

Gov. Gary Herbert on Tuesday announced a “comprehensive” response to the massive data breach, including the resignation of Stephen Fletcher, director of the state’s Department of Technology Services.

Herbert’s office said the state also is hiring a public relations firm to handle crisis communications.

Last month, hackers stole personal information of about 780,000 Medicaid recipients and participants in the Children’s Health Insurance Program, including the Social Security numbers of about 280,000 of them.


Patient Data Missing for 315,000 Emory Patients

April 18, 2012

From: The Atlanta Journal-Constitution – 4/18/12

Article Excerpt:

Personal and health information for about 315,000 patients is missing, Emory Healthcare announced Wednesday. The hospital system has been unable to find 10 computer discs containing the data. The missing discs held information on all patients who had surgery at Emory University Hospital, Emory University Hospital Midtown and The Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007. The discs contained protected health information, including patient names, along with the diagnosis, the name of the surgical procedure and the surgeon. Approximately 228,000 of the patient records also included Social Security numbers.

“We sincerely regret that this incident has occurred and we want to assure our patients that we are committed to safeguarding their personal information,” John T. Fox, president and CEO of Emory Healthcare, said at a press conference.

Emory has no evidence that any information contained on the discs has been misused. Emory is sending letters to affected patients and offering them free identity protection and credit monitoring services. An investigation is ongoing to try to determine what happened to the discs. It’s not certain that the information was stolen, Fox said. It could simply have been misplaced. The discs were removed sometime between February 7 and February 20, the investigation has determined.


HHS settles HIPAA case with BCBST for $1.5 million

March 13, 2012


First enforcement action resulting from HITECH Breach Notification Rule

From: HHS News Room – 3/13/12

Article Excerpt: 

Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today.  BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program.  The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.

The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee.  The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.


Sutter Health Medical Records Compromised By Computer Theft

November 16, 2011


From: Huffington Post – 11/16/11

Sutter Health reported the theft of a computer from their office that contained the records of more than 4 million patients dating back to 1995. The computer’s hard drive unfortunately had not been encrypted. This is an ever-present reminder of the risk we all have concerning the safeguarding of PHI.


Records of 4.9 mln stolen from car in Texas data breach

September 29, 2011


From: Reuters – 9/29/11

Backup tapes from a contractor transported from one federal facility to another were stolen from the car, losing 4.9 million patient records. This reflects about half of all military beneficiaries covered under the TRICARE program. It would appear that these back-up tapes were not encrypted. If they were encrypted, then this event would not need to be reported. This is simply my take in review of the article. The moral of this story: all data needs to be encrypted when being transported, whether electronically or otherwise. The cure of this breach will cost millions of dollars.

Article Excerpt:

A massive data breach, in which the personal and medical records of millions of military patients and their families were compromised, happened when the records were stolen out of a data contractor’s car in San Antonio, officials told Reuters on Thursday.

The information for some 4.6 million active and retired military personnel, as well as their families, was on back-up tapes from an electronic health care record used to capture and preserve patient data from 1992 through September 7 of this year, according to Science Applications International Corp (SAIC).


University of California settles HIPAA Privacy and Security case involving UCLA Health System facilities

July 7, 2011

From: HHS – July 7, 2011 News Release

Here is but another reminder of the vigilance we must maintain relative to our use of protected health information (PHI).

Contents from News Release:

Following an investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the University of California at Los Angeles Health System (UCLAHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the rules.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.

Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.


HHS announces proposed changes to the HIPAA Privacy Rule

May 31, 2011

HHS News Release

HHS issued a news release on Tuesday concerning a proposed additional rulemaking under HIPAA. This proposed rule would give people the right to obtain a report on who has electronically accessed their protected health information.

The proposed rule was published in the May 31, 2011 Federal Register.