The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning that it has received reports that someone has been impersonating an OCR inspector in an effort to access HIPAA Protected Health Information (PHI).
According to the agency: “The individual identifies themselves on the telephone as an OCR investigator, but
If you are a covered entity who experienced a breach of unsecured protected health information affecting fewer than 500 individuals , you must notify the Office of Human Rights of the Department of Health and Human Services of the breach within 60 days of the end of the calendar year in which the breach was
It’s that time again for year-in-review articles. On December 16, 2019, Modern Healthcare has published an infographic that compares HIPAA breaches which occurred in 2019 to aggregate breach statistics from 2010-2018. The 2019 data was analyzed through the end of November. A few interesting trends appear. Let’s go to the numbers:
Breaches by Location:
In
Last week, the Office for Civil Rights (OCR) announced its second enforcement action and settlement with a provider for failing to comply with HIPAA’s patient access requirements. Korunda Medical, LLC, a primary care and pain management practice in Florida, agreed to pay $85,000 and comply with a Corrective Action Plan (CAP) as a result of
More and more often, health care data is stolen or made inaccessible by targeted ransomware attacks. The Office for Civil Rights (OCR) published a newsletter this week that provides warnings for HIPAA covered entities and business associates. It also provides practical tips to prevent and help you survive these attacks.
OCR’s warnings should resonate with
Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”), which focuses, not surprisingly, on OCR’s ability to take enforcement action directly against HIPAA business associates. I meant to write about this guidance before Memorial
“TMI” usually means “too much information”, but it was used aptly by the Office for Civil Rights (OCR) as an acronym for a covered entity that exposed protected health information (PHI) of more than 300,000 patients through an insecurely configured server. According to the April 5, 2019 Resolution Agreement, the covered entity, Touchstone Medical
A two-physician practice in Battle Creek, Michigan is reportedly the first health care provider to cease operations as a result of a ransomware attack. The Minneapolis Star Tribune reports that Brookside ENT experienced a malware attack that deleted and overwrote every medical record, bill and appointment in the practice’s system, including backups, and created encrypted
HHS Office for Civil Rights (OCR)’s April 3, 2019 cybersecurity newsletter highlights one of the more challenging cybersecurity vulnerabilities faced by covered entities and business associates. OCR reminds covered entities (CEs) and business associates (BAs) that compliance with the HIPAA Security Rule can help, but stops a bit short of providing concrete guidance as to
In our most recent post, the Top 5 Common HIPAA Mistakes to Avoid in 2018, we noted that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has recently published guidance on disclosing protected health information (PHI) related to overdose victims. OCR published this and other guidance within the last