HIPAA Blog

[ Friday, December 21, 2018 ]

 

As Baylor Scott & White-Frisco (a joint venture between BSWH and USPI) is finding out, a credit card breach is also a HIPAA breach if it's connected to a HIPAA covered entity.  The incident is similar to one that happened at Banner Health in Arizona a few years ago (reported here and here): a credit card processor vendor suffered a breach, but it involved BSW-Frisco's patients' data. 

Hat tip: Taylor Weems, CIO at Midland Health.

Jeff [1:13 PM]

[ Thursday, December 13, 2018 ]

 

CMS has asked for public comment on how HIPAA should be changed.  Personally, I'm a "Chesterton's Fence" kinda guy, but I actually think it works pretty darned well as is.  But I'll be interested in seeing the public commentary.  

Jeff [3:55 PM]

 

When a hospital fails to cut off PHI access to a former employee, it can be a HIPAA violation.  In this case, a relatively inexpensive one (relative being the key word, it's still a lot of money). 

Jeff [3:40 PM]

[ Friday, December 07, 2018 ]

 

This continues to be the experience of many clients of mine, directly or indirectly in the healthcare field.   Of course, my advice from over 2 years ago is still applicable: patch, isolate, backup, and train (although today I think I'd change the batting order to backup, patch, train and isolate).

Jeff [12:43 PM]

[ Thursday, December 06, 2018 ]

 

This may or may not be a HIPAA breach, but NY's data breach notification law is likely implicated.  It's unclear whether the agency would be a HIPAA covered entity; it's described as a health provider, but if it doesn't conduct HIPAA-regulated transactions in electronic format, technically it might not be a HIPAA "covered entity." 

Jeff [10:44 AM]

[ Wednesday, December 05, 2018 ]

 

Here's a case similar to the Raleigh Orthopaedic case: Advanced Care Hospitalists hired a guy who they thought worked for Doctor's First Choice Billing to help them with their billing and coding.  Apparently, the guy was a fraud.  But that's not important: what's important is that ACH didn't get a BAA with First Choice, and PHI ended up exposed on the First Choice website.  ACH notified OCR that at least 400 and as many as 9,000 patients potentially had their data exposed. 

The breach notification led to an OCR investigation, which revealed a lack of BAA (and, in fact, a lack of a policy to get BAAs).  Upon further review, OCR also found out that ACH had never done a risk assessment either.

Net result: a $500,000 fine.  And a big black eye. 

If ACH had policies and procedures, a decent HIPAA compliance program, and had entered into a BAA with the guy in the first place, but still got snookered because the guy was a fake, they would've still had a reportable breach, but I'm pretty certain they'd be half a million bucks richer (not to mention what they probably spent on lawyers dealing with this, plus the PR hit).  

Jeff [12:59 PM]
