PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

HIPAA Enforcement

Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement.  2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties.  At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.

The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.

Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:

Continue Reading

Is a Ransomware Attack a HIPAA Data Breach?

Ransomware - Security Awareness Training

As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).

A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice.  Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.

Continue Reading

Is HIPAA Enforcement Too Lax?

title

By Daniel J. Solove

ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.

A Sustained and Vigorous Critique of OCR HIPAA Enforcement

A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”

Continue Reading

Blogging Highlights 2015: Health Privacy+Security Issues

HIPAA Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about health privacy and security:

Why HIPAA Matters: Medical ID Theft and the
Human Cost of Health Privacy and Security Incidents

care

Continue Reading

Lessons from the Latest HIPAA Enforcement Action

HIPAA Training OCR Enforcementby Daniel J. Solove

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC).  SEMC agreed to pay $218,000.

The case began with a complaint filed with OCR back in 2012 that employees were sharing PHI of nearly 500 patients via an online sharing application without a risk analysis on such activities being undertaken.  OCR investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”

Continue Reading