Tag Archives: PHI

The danger of unencrypted protected health information: 55,000 patients’ PHI exposed.

An Indianapolis oncology group has disclosed that data concerning about 55,000 patients was stored on a stolen laptop computer.  A backup copy of the Cancer Care Group’s server was stored on the computer, which was stolen from a locked car.  Among the data stored on the device were patient names, addresses, Social Security Numbers, medical record numbers, and insurance information.  Several employees’ personal information was stored on the compromised device as well.

Continue reading

Leave a Comment

Filed under HIPAA

Alaska Department of Health and Social Services Pays $1.7 Million to Settle HIPAA Security Rule Matter

Today, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) announced that the Alaska Department of Health and Social Services (Alaska DHSS), which is that state’s Medicaid agency, has agreed to pay $1.7 million to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.   Alaska DHSS has also agreed to institute a corrective action plan (“CAP”) to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.

OCR’s investigation began in October 2009, after Alaska DHSS filed a breach report, as required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Alaska DHSS reported that on or about October 12, 2009, a portable electronic storage device potentially containing ePHI was stolen from the vehicle of a DHSS computer technician. Continue reading

Leave a Comment

Filed under HIPAA

HIPAA: Conversion to Version 5010

As of January 1, 2012, all healthcare providers were required to transition from version 4010/4010A to version 5010 standards for submitting electronic transactions, and the failure to comply may result in claim denials or a government investigation. CMS has repeatedly postponed enforcement, but it appears the agency will begin to enforce civil monetary penalties against non-compliant medical practices, hospitals and other healthcare entities as of July 1, 2012.

If you are compliant, you may have noticed that not all public and private payors are currently compliant and able to accept transactions in version 5010 standards. This means that you will have to continue submitting transaction forms in both version 4010/4010A and version 5010 standards until all payors complete the transition.  It is important that you contact each payor and establish a relationship with their HIPAA compliance department to determine their compliance level and promote a fluid transition to version 5010 standards.

If you are not currently in compliance, it is imperative that you begin to develop a transition plan to incorporate the steps your practice will take to become compliant by the enforcement date.  In developing your plan, you should be in contact with your payors to provide you with valuable assistance. Continue reading

Leave a Comment

Filed under Adult Homes, HIPAA, Home Health Agency, Laboratories, Nursing Homes

Hospital Settles Data Breach Allegations with Massachusetts Attorney General

Late last month, the Massachusetts Attorney General, Martha Coakley, announced that her office had reached a settlement with South Shore Hospital regarding  alleged violations of the Massachusetts Consumer Protection Act and the Health Insurance Portability and Accountability Act (“HIPAA”) stemming from a data breach reported to both her office and the Office of Civil Rights of the Department of Health and Human Services.

In February 2010, South Shore Hospital shipped boxes of unencrypted back-up computer tapes, which contained the protected health information of approximately 800,000 individuals, to an off-site storage facility.  The hospital had contracted with Archive Data Solutions (“ADS”) to erase the information on the back-up tapes and to resell them on the hospital’s behalf.  In June 2010, the hospital learned that the majority of the tapes, which were handled by multiple companies during the shipping process, never made it to the storage facility.  These tapes have yet to be located, although the Attorney General has noted that, to date, there have been no reports of unauthorized use of the information. Continue reading

Leave a Comment

Filed under HIPAA

Ninth Circuit on HIPAA Criminal Liability: No Knowledge Requirement

On May 10, 2012, the United States Court of Appeals for the Ninth Circuit issued its opinion in United States v. Zhou, No. 10-50231 (9th Cir. May 10, 2012), and held that the criminal misdemeanor provision of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), located at  42 U.S.C. § 1320d-6(a)(2)—which penalizes the mere unauthorized access to patient documents—does not require a defendant to know that his or her actions were illegal under the statute.

According to press accounts, the defendant, Huping Zhou, was hired as a research assistant at the UCLA Health System in February of 2003.  On October 29 of that same year, UCLA issued a notice of intent to dismiss Zhou, citing poor performance.  That evening, Zhou, for reasons that were not made clear, allegedly accessed the patient records of co-workers and well-known actors, including Tom Hanks, Drew Barrymore, and Arnold Schwarzenegger, without authorization.  UCLA terminated the defendant from his job on November 14, 2003, after a formal internal grievance hearing. Continue reading

Leave a Comment

Filed under Federal Case Updates, HIPAA

HHS Releases HIPAA Privacy Rule Accounting of Disclosures

The Department of Health and Human Services (HHS) issued its notice of proposed rulemaking to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI).

The current accounting provision applies to disclosures of paper and electronic PHI, regardless of whether such information is in a designated record set (DRS), for a six-year period prior to the request.  HHS is proposing to limit the accounting provision to PHI about the individual in a DRS for a three-year period prior to the request. Continue reading

Leave a Comment

Filed under Announcements, HIPAA