All posts in HIPAA

HIPAA Whiteboard and HIPAA Interactive Whiteboard

Daniel Solove
Founder of TeachPrivacy

HIPAA Whiteboard

Recently, I created two new HIPAA training resources.

HIPAA Whiteboard

I created a 1-page visual summary of HIPAA, which I call the HIPAA WhiteboardThe idea was to summarize HIPAA in a concise and visually-engaging way.  You can download a PDF handout version here.  We’ve been licensing it to many organizations for training and awareness purposes.

HIPAA Whiteboard - TeachPrivacy HIPAA Training

HIPAA Interactive Whiteboard

I subsequently created a new training module — an interactive version of the HIPAA Whiteboard — the HIPAA Interactive Whiteboard When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way.  Trainees can learn at their own pace.  This program is designed to be very short — it is about 5 minutes long.

It can readily be used on internal websites to raise awareness and teach basic information about HIPAA.  It can also be used in learning management systems.

HIPAA Whiteboard Interactive - TeachPrivacy HIPAA Training

HIPAA Whiteboard Interactive - TeachPrivacy HIPAA Training

Continue Reading

HIPAA Enforcement Case – Filefax

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement to settle HIPAA violations with Filefax, located in Northbrook, Illinois. One aspect was different than their usual settlement process in that Filefax closed the business down during the OCR investigation and was no longer operating when the settlement was reached. OCR announced that Filefax could not avoid their obligations under HIPAA even though they were no longer running the company. The receiver that is liquidating the company’s assets agreed to pay $100,000 to settle the potential HIPAA violations made by the company while open.

Their HIPAA violations stemmed from an anonymous complaint stating that the medical records of approximately 2,150 patients, which contained protected health information (PHI), received by Filefax had been taken to a shredding/recycling facility and sold. The OCR investigation found over a period of several weeks the PHI had been left unsecured outside Filefox and had been removed from the facility by an unauthorized person.

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest

HIPAA Enforcement Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

Is HIPAA Enforcement Too Lax?

Continue Reading

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties.  In 2016, the total in penalties was roughly the same amount but from 15 organizations.

Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:

HIPAA Enforcement Chart

Lessons from 2017

Devices, devices, devices . . .

Quite a number of cases involved failure to implement safeguards for PHI on mobile devices.  The best fix is to superglue devices to staff.  Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.

Act quickly.

Several cases involved failing to provide timely notice or to act promptly after problems were discovered.  In politics, it’s often not the scandal, but the coverup that fells politicians.  In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.

Continue Reading

10 Reasons Why the Fourth Amendment Third Party Doctrine Should Be Overruled in Carpenter v. US

Daniel Solove
Founder of TeachPrivacy

10 Reasons to Overrule the Fourth Amendment Third Party Doctrine

The U.S. Supreme Court will be hearing arguments this week in Carpenter v. United States, which is one of the most important Fourth Amendment cases before the Court.  The case involves whether the Third Party Doctrine will remain viable.  If so, the Fourth Amendment will fade into obsolescence in today’s digital age.

In this post, I provide 10 reasons why the Third Party Doctrine should be overruled.  Before doing so, here’s some background.

Carpenter [6th Circuit case on cert to the Supreme Court] involved the investigation of a string of robberies of Radio Shack.  The FBI obtained cell phone records of the defendants pursuant to the Stored Communications Act (SCA), which requires “specific and articulable facts” to demonstrate that there are “reasonable grounds to believe” that the records are “relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d).  This standard is far short of what the Fourth Amendment would require, which is a search warrant based upon probable cause.

Continue Reading

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Daniel Solove
Founder of TeachPrivacy

 

 

Recently, HIPAA enforcement over data breaches is increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?

I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group.  I am particularly interested in the insurer’s perspective, so I interviewed Katherine.

Continue Reading

2017 HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

 

Art E.V.Pavlov_by_Repin

The first quarter of 2017 is not yet over and the OCR has already released details of four enforcement penalties totaling over $11 million.  2016 set a record with $20 million in fines for the year, with $5.2 million of that coming in the first quarter.  In just the first 2 months of 2017, the fines have been more than half what the entire amount for 2016 was.  Here are details about enforcement actions in 2017 thus far:

  1. Illinois health care network, Presence Health, was fined $475,000 for failing to notify patients of a breach within the 60-day period. The incident took place over 3 years ago.  In October 2013,  operating room schedules that were written on paper and contained PHI of 836 individuals went missing.   Patients were not notified of the breach until February of 2014.  This represents the first enforcement related to the timeliness of breach notification.
  1. An insurance company, MAPFRE, was fined $2.2 million for failure to safeguard portable devices and poor risk assessment and risk management.  OCR found that MAPFRE did not have an adequate security awareness training program in place for their workforce.   In 2011, an unsecured USB device containing the ePHI of 2,209 individuals was stolen from the company’s IT department.  Despite the corrective measures MAPFRE indicated it would take, it did not actually start securing portable devices until 3 years after the incident.
  1. Children’s Medical Center of Dallas received a $3.2 million fine for multiple incidents where devices with unsecured ePHI were stolen. In 2010 an unencrypted Blackberry was stolen with the ePHI of 3,800 individuals.  In 2013, an unencrypted laptop was stolen with ePHI of 2,463 individuals.  The OCR investigation discovered that the hospital did not begin to secure and safeguard workstations and portable devices until 2013 despite being aware of the risks for many years.
  1. Florida corporation, Memorial Healthcare System, agreed to pay a fine of $5.5 million. This ties Advocate Health Care Network’s fine in August of 2016 for the record of highest penalty.  In this incident, the PHI of 115,143 patients was improperly accessed and disclosed.   Memorial Healthcare failed to terminate a former employee’s log-in credentials which was then used to access 80,000 records with PHI over the course of an entire year.  The company also neglected to review the activity within the system that would have identified that the records were being improperly accessed.   Memorial discovered the breach while investigating two employees who were stealing patient information to file fake tax returns.

Not too long ago, I posted an overview of OCR’s enforcement in 2016.  OCR continues to be active in its enforcement, at its highest level to date.  This is a great opportunity for privacy and security officials to point out to upper management the need for greater resources and attention to HIPAA compliance.

Continue Reading

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement.  2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties.  At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.

The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.

Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:

Continue Reading

HIPAA Cartoon on Snooping

Daniel Solove
Founder of TeachPrivacy

This cartoon is about snooping, one of the most common HIPAA violations.  HIPAA prohibits accessing information that people don’t need to do their jobs.   It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong.  But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients.  Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.

Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity.  A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends.  Snooping is not intended maliciously.  Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern.  In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.

Continue Reading

Cartoon on HIPAA Training

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Cartoon - Train without the pain

This cartoon depicts the way many people perceive HIPAA training.  But it doesn’t have to be this way. When most people hear HIPAA training they prepare themselves to slog through a boring lecture filled with tedious legalese.   Many have been subjected to hours of training that is overly technical, not useful for their jobs and not even close to being memorable.  I designed my HIPAA training to be different.  I believe that training should be fun and engaging.  It should have personality.  I avoid the wordy and needless filler material and focus on the key concrete things that people must know and do.

Continue Reading

HIPAA Cartoon on Social Media Use

Daniel Solove
Founder of TeachPrivacy

HIPAA Cartoon Social Media

Here’s a cartoon on HIPAA and social media use to jump start your week.  You can’t think enough about HIPAA these days.  HIPAA audits are back, and OCR is having a vigorous enforcement year this year, something I plan to post about soon.

Continue Reading