Healthcare Information Security

Office for Civil Rights

Boston Hospitals Cough Up $1M for ‘Boston Med’ HIPAA Violations

September 20, 2018 - OCR announced Sept. 20 that it has fined three Boston-area hospitals close to $1 million for HIPAA violations involving the filming of ABC’s TV series “Boston Med.” OCR reached HIPAA settlements with Boston Medical Center (BMC), Brigham and Women's Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising patients’ PHI when they invited the...


More Articles

Robust Health Data Security Needed for PHI-Laden Mobile Devices

by Fred Donovan

Strong health data security is vital for electronic media and mobile devices that process and/or store ePHI, stressed OCR in its August 2018 Cyber Security Newsletter. “Anyone with physical access to such devices and media,...

OCR Levies Close to $80M in HIPAA Privacy Rule Fines

by Fred Donovan

OCR has assessed close to $80 million in fines in 55 cases of HIPAA Privacy Rule violations since the rule took effect in April 2003, according to data on the HHS website. OCR has received 184,614 HIPAA complaints and has initiated 902...

HIPAA Security Rule Requires Secure Disposal of ePHI-Laden Devices

by Fred Donovan

The HIPAA Security Rule requires HIPAA covered entities and business associates to implement policies and procedures regarding the secure disposal and re-use of electronic devices and media containing ePHI so that ePHI cannot be retrieved,...

OCR On Pace To Assess Less Money in HIPAA Violation Fines in 2018

by Fred Donovan

OCR is on pace to conclude fewer HIPAA settlements and assess less money in HIPAA violation fines this year than in previous years, according to a report from the law firm Gibson Dunn. For the first half of this year, OCR has reported...

CMS Would Drop Security Risk Analysis from Interoperability Score

by Fred Donovan

CMS is proposing that the Protect Patient Health Information objective and its associated measure, security risk analysis, would no longer be scored as a measure but would act as a prerequisite for a participating clinician to earn any...

PHI of 105K People At Risk in Boys Town Healthcare Data Breach

by Fred Donovan

Nebraska-based Boys Town National Research Hospital reported to OCR July 20 a healthcare data breach that may have exposed PHI on 105,309 individuals. In a statement, Boys Town said it discovered on May 23 unusual activity relating to an...

Software Patching Integral to PHI Data Security, HIPAA Compliance

by Fred Donovan

Healthcare organizations and vendors are responsible for identifying and mitigating the risks unpatched software poses to ePHI as part of their HIPAA compliance, OCR advised in its June Cybersecurity Newsletter. As part of their risk...

Michigan Medicine Admits to Healthcare Data Breach in Laptop Theft

by Fred Donovan

University of Michigan’s Michigan Medicine announced June 25 that around 870 patients were affected by a healthcare data breach that involved the theft of an unencrypted laptop with PHI from an employee’s car. The theft...

Judge Upholds $4.3M Fines against MD Anderson for HIPAA Violations

by Fred Donovan

An HHS Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center (MD Anderson) must pay $4.3 million in civil money penalties for HIPAA violations. The judge backed OCR in its proposed determination,...

OCR Guidance Tackles PHI Research Use Under HIPAA Privacy Rule

by Fred Donovan

OCR has issued new guidance on the HIPAA Privacy Rule that explains certain requirements for an authorization to use or disclose PHI for research and clarifies aspects of the individual’s right to revoke an authorization. The...

Healthcare Pros Worry about Data Security at Other Organizations

by Fred Donovan

Many healthcare professionals are conflicted when it comes to data security. More than three-fourths of 122 healthcare professionals surveyed by security vendor Venafi at HIMSS18 are worried about healthcare data security, yet 68 percent...

SAMBA Mailing Error Creates Data Security Concern for 13.9K

by Elizabeth Snell

A programming error that occurred during the preparation process for mailing out certain IRS tax forms may have led to documents being sent to the wrong recipients, creating a data security concern for some individuals, according to SAMBA...

Top Reminders for Implementing a HIPAA Contingency Plan

by Elizabeth Snell

Healthcare organizations must ensure they have a current HIPAA contingency plan in place to prepare for all types of adverse events, including natural disasters and cybersecurity attacks, according to the latest OCR Cybersecurity...

Banner Health Data Breach Part of OCR Investigation

by Elizabeth Snell

The 2016 Banner Health data breach is reportedly being investigated by OCR, although it is currently not possible to estimate the range of potential fines from the agency, according to consolidated financial statements. An Ernst &...

OCR Highlights 8 Tips for Avoiding Healthcare Phishing Attacks

by Elizabeth Snell

Healthcare phishing attacks are becoming more sophisticated, which is why organizations must remain vigilant in their detection measures, OCR explained in its recent cybersecurity newsletter. Hackers can take advantage of popular holidays...

Filefax PHI Disclosure Leads to $100K OCR HIPAA Settlement

by Elizabeth Snell

Filefax, Inc. went out of business in 2017, but that does not mean that an OCR HIPAA settlement can be avoided due to an earlier PHI disclosure, according to OCR. A company that was appointed as a receiver to liquidate Filefax’s...

Timothy Noonan Named OCR Acting Deputy Director

by Elizabeth Snell

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently named Timothy Noonan as the new OCR acting deputy director for health information privacy (HIP). Noonan has been in the position since January 29,...

5 HIPAA Data Breaches Lead to $3.5M OCR Settlement

by Elizabeth Snell

Fresenius Medical Care North America (FMCNA) recently agreed to a $3.5 million OCR settlement following allegations that it committed HIPAA violations on five different occasions at separate FMCNA covered entities. FMCNA provides product...

How Healthcare Organizations Can Reduce Cyber Extortion Risk

by Elizabeth Snell

Healthcare organizations must be mindful of how they reduce cyber extortion risk because covered entities maintain sensitive data and provide necessary services, OCR stated in its January Cybersecurity Newsletter. Cyber extortion often...
