Healthcare Information Security

HIPAA and Compliance News

HIPAA Audits, Ransomware, Mobile Security Top 2016 Headlines

OCR HIPAA audits, ransomware, data breaches, and mobile security issues were some of our readers’ favorite topics in 2016.

By Elizabeth Snell

Healthcare data security is an ever-evolving area, with covered entities constantly working to ensure that they have the necessary tools in place to keep patient data safe.

HIPAA audits, ransomware, data breaches key 2016 issues

Over the past year, data breaches continued to be a hot topic in healthcare, with a larger focus on ransomware and how that may affect organizations. The latest round of OCR HIPAA audits has also captured the attention of’s readers, and will likely continue into 2017 as more entities come under scrutiny.

The push for interoperability and mobility has also affected covered entities and their business associates. More providers and hospitals are looking toward smartphones, tablets, and other devices to improve patient care and simplify daily operations. However, mobile security issues will naturally arise, and organizations need to ensure that PHI security is not compromised in the push to stay innovative. readers have been working hard all year to ensure they are brushed up on the latest techniques for maintaining HIPAA compliance and what the potential data security threats may be.  

Here is our countdown of the top 10 articles of 2016.

READ MORE: Urology Austin Ransomware Attack Possibly Affects 279K

10. OCR Releases Details of Phase 2 HIPAA Audits Starting Soon

After promising for months to release details on Phase 2 of its HIPAA audit program, the Office for Civil Rights (OCR) announced in March what the next steps would be and how organizations needed to prepare themselves for a potential audit.

There will be a three step process, starting with a small desk audit and then a more in-depth desk audit. The in-depth desk audit will review organizations’ compliance with the various HIPAA security, privacy, and breach notification rules. The final phase will include a more general audit examining broad HIPAA compliance across all aspects of the healthcare organization.

“The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules,” OCR explained on its website. “Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful.”

9. Are You Prepared for the OCR HIPAA Audits?

READ MORE: Why Healthcare Ransomware Attacks Are HIPAA Data Breaches

Even before the release of Phase 2, organizations had been planning ahead and working to ensure that they would be HIPAA compliant. contributor Keith Tyson discussed key steps for covered entities and business associates, and how a combination of the right tools, policies, and enforcement, healthcare organizations can better minimize cyber risk.

Properly implementing corrective steps, having a security incident management plan, and updating a security program following environmental changes are a few of the recommended steps to keep your healthcare organization’s data security up to date.

8. What are Top HIPAA Compliance Concerns, Obstacles?

To gain a better perspective of how healthcare organizations approach data security and HIPAA regulations, quizzed readers earlier this year about their current approach to HIPAA compliance and their use of mobile technology and secure messaging.

READ MORE: Professional Dermatology Ransomware Attack Affects 13K

External data security threats, employee training, and evolving technology were all top concerns for HIPAA compliance.

In terms of OCR HIPAA audits, 43 percent of respondents said that technical safeguards were the most difficult aspect, while 39 percent said administrative safeguards were the most difficult.

For mobile technology, 45 percent of those surveyed said that it was “very important” to their practice, while nearly one-third of respondents said that mobile device usage was “important,” and 12 percent calling it “very unimportant.”

7. Understanding HIPAA Regulations and Mobile Devices

Are you unsure of how HIPAA regulations apply to mobile devices? broke down the basics of HIPAA regulations as they apply to mobile devices, and reviewed additional regulations that have been put in place to further guide healthcare organizations.

6. $7.5M Healthcare Data Breach Settlement for St. Joseph Health

St. Joseph Health System agreed to a $7.5 million settlement stemming from a healthcare data breach from 2012 where PHI was made available via internet search engines.

The class-action lawsuit had alleged that PHI was made available via internet search engine. Danna Graewingholt, one of the class members, discovered the breach and found her health information was available online.

The breach reportedly resulted in 31,802 potentially affected individuals.

5. OCR Warns of Phishing Scam to HIPAA Covered Entities

In November, OCR became the victim of an attempted phishing scam that used Department of Health and Human Services (HHS) letterhead.

“The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,” OCR warned. “The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.”

The email was targeting HIPAA covered entities and business associates.

OCR explained that the email in question “prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and directs individuals to a non-governmental website, marketing a firm’s cybersecurity services.”

4. Why Healthcare Ransomware Attacks Are HIPAA Data Breaches

As ransomware attacks continued to plague healthcare in 2016, a large debate was whether or not they qualified as a HIPAA data breach.

While HHS eventually released guidance on this very issue, contributor Jack Barkly tackled the topic in April. Barkly maintained that ransomware attacks need to be “disclosed as unauthorized exposures of private information because they are every bit as dangerous as the outright theft of the laptop, desktop, or server that they infect.”

3. Healthcare Data Breaches Top Reported Data Security Incident

A Symantec report in April found that healthcare data breaches were the most common type of data security incident reported in 2015.

In total, there were 120 healthcare data breaches reported in 2015, which was the largest number of data breaches across all industries studied. Researchers found that more cybercriminals used more zero-day attacks in 2015, including phishing scams and ransomware.

The number of zero-day vulnerabilities in 2015 increased by 125 percent from one year previously.

2. Maintaining HIPAA Compliance in Social Media Interaction

Social media use is also on the rise, and the healthcare industry is not exempt from this trend. However, employees need to be especially careful in how they use social media platforms, and ensure that PHI security still remains a top priority. contributor Savannah Myer explained that healthcare marketers have a huge opportunity to increase awareness of its hospital or health systems offerings by engaging with consumers through this platform. HIPAA regulations though cannot be overlooked, and Myer broke down top tips balance HIPAA compliance with social media activity.

1. How Healthcare Secure Texting, Messaging Impact the Industry

More organizations are beginning to consider secure texting and secure messaging options. However, covered entities and business associates need to understand the basics, and how to choose an approach that will not impede daily operations but also keep data secure. spoke with secure texting and secure messaging experts to better understand what entities need to consider with mobile technologies, and how to ensure that employees are properly trained any new system.

Overall, the proper communication tools and channels help providers communicate, collaborate and deliver care across the continuum.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks