The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone. The iPhone was not encrypted or password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; information regarding diagnosis and treatment, medical procedures, medication; and names of family members and legal guardians. CHCS agreed to pay financial penalties of $650,000 and adhere to a corrective action plan.
Continue Reading Significant HIPAA Fine Follows Business Associate’s Stolen iPhone
OCR
Senators Request Information from HHS About Medical Identity Theft Efforts
By Krysten Rosen Moller on
Posted in Cybersecurity, Data Security
Last week, the chairmen and ranking members of the Senate Committee on Health, Education, Labor, and Pensions and the Senate Committee on Finance sent a letter to Andy Slavitt, Acting Administrator for the Centers for Medicare & Medicaid Services (“CMS”), and Jocelyn Samuels, Director of the Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), requesting information on how HHS “is working to support and protect victims of medical identity theft” in order to “assess the adequacy of current efforts.”
Continue Reading Senators Request Information from HHS About Medical Identity Theft Efforts
HIPAA 2015 Enforcement Priorities Highlight Cyber Threats, But Timing of HIPAA Compliance Audits Still Uncertain
On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI. Samuels highlighted an increase in infiltration of computer networks reported under the breach notification requirements, explaining that hacking and other cyberthreats are affecting not just covered entities like health care providers, insurers and clearinghouses, but also business associates handling ePHI on behalf of covered entities. Despite this concern, it is unclear when OCR will launch its HIPAA compliance audits of covered entities and business associates, which were slated to begin in early 2015.
Continue Reading HIPAA 2015 Enforcement Priorities Highlight Cyber Threats, But Timing of HIPAA Compliance Audits Still Uncertain