HHS Office for Civil Rights Secures Corrective Action and Ensures Florida Orthopedic Practice Protects Patients with HIV from Discrimination

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) has successfully secured corrective action and resolved a complaint against the Florida Orthopaedic Institute (“Florida Orthopaedic”). The complaint alleged that Florida Orthopaedic unlawfully cancelled a surgery because of a patient’s HIV-positive status. After HHS OCR informed Florida Orthopaedic of the complaint and that it would be investigating the allegations, Florida Orthopaedic banned the patient from the practice and cited the patient’s complaint to HHS as a basis for doing so. Retaliation for filing complaints with HHS OCR is prohibited by law.

Florida Orthopaedic is a comprehensive orthopedic practice that employs approximately 40 physicians working in 10 offices and 20 hospitals in the Tampa area. Florida Orthopaedic receives federal financial assistance through its participation in Medicaid and Medicare Part C, and is subject to the requirements of Section 504 of the Rehabilitation Act of 1973 (Section 504). Section 504 prohibits discrimination on the basis of disability (including HIV/AIDS) in health programs or activities that receive HHS funding, such as medical practices, nursing homes, and hospitals.

HHS OCR received a complaint that a Florida Orthopaedic surgeon allegedly made an offensive comment relating to the patient’s HIV status and then refused to perform the patient’s scheduled surgery, which prompted the patient to file a complaint with HHS OCR. After informing Florida Orthopaedic of the allegations, and before HHS OCR reached any conclusion as to the merits of the claims, Florida Orthopaedic prohibited the patient from receiving further care at the practice and cited the patient’s complaint with HHS as a basis.

The patient informed HHS OCR of the retaliatory dismissal from the practice and on this ground HHS OCR secured several corrective actions from Florida Orthopaedic, including amending its nondiscrimination policies and revising its procedures for dismissing any patient from the practice. Florida Orthopaedic also agreed to provide staff with multiple trainings on HIV, federal non-discrimination laws, grievance procedures, and the requirement to refrain from retaliatory actions. Before Florida Orthopaedic completed its compliance activities, it provided the complainant with referrals to three orthopedic surgeons in the area to prevent further delays in the patient’s health care.

“Patients with HIV have the right to nondiscriminatory health care which includes the right to file complaints with OCR without fear of unlawful retaliation,” said HHS OCR Director Roger Severino. This case is representative of HHS OCR’s continuing compliance work and commitment to the full implementation of the National HIV/AIDS Strategy and the President’s Initiative, Ending the HIV Epidemic: A Plan for America.

For additional information on HHS OCR’s work on HIV/AIDS issues, visit: www.hhs.gov/civil-rights/for-individuals/special-topics/hiv

To learn more about civil rights and health information privacy laws that HHS OCR enforces, and to find information on filing a complaint, visit us at www.hhs.gov/ocr.

Follow HHS OCR on Twitter at twitter.com/HHSOCR

OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016. JHS provides health services to approximately 650,000 patients annually, and employs about 12,000 individuals.

JHS is a nonprofit academic medical system based in Miami, Florida, which operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics. 

On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the protected health information (PHI) of 756 patients in January 2013. JHS’s internal investigation determined that an additional three boxes of patient records had also been lost in December 2012; however, JHS did not report the additional loss, or the resulting increase in the number of individuals affected to 1,436, until June 7, 2016.

In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient’s medical information on social media. JHS subsequently determined that two employees had accessed this patient’s electronic medical record without a job-related purpose.

On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients’ records since 2011.

OCR’s investigation revealed that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to patient ePHI to the minimum necessary to accomplish their job duties.
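Two of the failures OCR lists here, not regularly reviewing information system activity records and not restricting workforce access to the minimum necessary, are exactly what periodic audit-log review is meant to catch. The script below is an added example, not JHS’s or OCR’s code: it runs two simple checks over a constructed ePHI access log (the CSV field layout, the care-team assignment table, the account names and the thresholds are all assumptions) and reports accesses to patients the account has no assigned relationship with, plus any account whose count of distinct patient records is far above its peers.

```python
"""Periodic review of ePHI access-log records.

Added example (not JHS's or OCR's code). The log layout
"timestamp,user,role,patient_id,action", the care-team assignment table,
the account names and the thresholds are all constructed assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log. clerk07 opens many more charts than the nurses,
# and nurse02 opens a chart (P2001) that is not on that nurse's assignment.
SAMPLE_LOG = """\
2016-01-04T08:01:00,nurse01,nurse,P1001,view
2016-01-04T08:05:00,nurse01,nurse,P1002,view
2016-01-04T08:20:00,nurse02,nurse,P1003,view
2016-01-04T10:30:00,nurse02,nurse,P2001,view
2016-01-04T09:00:00,clerk07,billing,P1001,view
2016-01-04T09:01:00,clerk07,billing,P1002,view
2016-01-04T09:02:00,clerk07,billing,P1003,view
2016-01-04T09:03:00,clerk07,billing,P1004,view
2016-01-04T09:04:00,clerk07,billing,P1005,view
2016-01-04T09:05:00,clerk07,billing,P1006,view
2016-01-04T09:06:00,clerk07,billing,P1007,view
2016-01-04T09:07:00,clerk07,billing,P1008,view
2016-01-04T09:08:00,clerk07,billing,P1009,view
2016-01-04T09:09:00,clerk07,billing,P1010,view
"""

# Constructed care-team / billing assignments: the patients each account has
# a job-related reason to open. In a real system this would come from the
# EHR's encounter or care-team tables.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "nurse02": {"P1003", "P1004"},
    "clerk07": {"P1001", "P1002", "P1003", "P1004", "P1005"},
}


def parse_log(text):
    """Parse CSV-style log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.strip().split(",")
        records.append({"ts": ts, "user": user, "role": role,
                        "patient": patient, "action": action})
    return records


def accesses_without_relationship(records, assignments):
    """Check 1 (minimum necessary): every access to a patient the account is
    not assigned to. Each hit needs a documented job-related reason."""
    return [(r["ts"], r["user"], r["patient"])
            for r in records
            if r["patient"] not in assignments.get(r["user"], set())]


def volume_outliers(records, factor=3, floor=5):
    """Check 2 (activity review): accounts whose count of distinct patient
    records exceeds `factor` times the median across all accounts and is at
    least `floor`. The floor keeps tiny logs from flagging everyone."""
    per_user = defaultdict(set)
    for r in records:
        per_user[r["user"]].add(r["patient"])
    counts = {u: len(p) for u, p in per_user.items()}
    if not counts:
        return {}
    baseline = median(counts.values())
    return {u: c for u, c in counts.items()
            if c >= floor and c > factor * baseline}


def review(text, assignments):
    """Run both checks over the log text and return the findings as one dict."""
    records = parse_log(text)
    return {
        "no_relationship": accesses_without_relationship(records, assignments),
        "volume_outliers": volume_outliers(records),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, ASSIGNMENTS)
    for ts, user, patient in result["no_relationship"]:
        print(f"{ts} {user} opened {patient} with no assigned relationship")
    for user, count in result["volume_outliers"].items():
        print(f"{user} opened {count} distinct patient records; peers open far fewer")
```

The median-based baseline is deliberately crude: a billing clerk legitimately opens more charts than a ward nurse, so in practice the comparison is made within a role or against the account’s own history, and every hit is a lead for a privacy officer to verify rather than a verdict.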

JHS waived its right to a hearing and did not contest the findings in OCR’s Notice of Proposed Determination. Accordingly, OCR issued a Notice of Final Determination and JHS has paid the full civil money penalty.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”

The Notice of Proposed Determination and Notice of Final Determination may be found at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jackson/index.html.

Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information

Elite Dental Associates, Dallas (“Elite”) has agreed to pay $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  Elite is a privately-owned dental practice located in Dallas, Texas, providing general, implant, and cosmetic dentistry.

On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a social media review by disclosing the patient’s last name and details of the patient’s health condition.  OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.  Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.  OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

In addition to the monetary settlement, Elite will undertake a corrective action plan that includes two years of monitoring by OCR for compliance with the HIPAA Rules. The resolution agreement and corrective action plan may be found at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elite/index.html.

How to Protect Your Computers

A lot of people think of computer security as something technical, expensive and complicated, but most security best practices are actually very simple. Here are the basic, important things you should do on your home and organization computers to make yourself safer online.

Keep Your Firewall Turned On:

A firewall is a system designed to prevent unauthorized access to or from a private network. It can be implemented in hardware, in software, or as a combination of both. Firewalls keep unauthorized internet users out of private networks connected to the internet, especially intranets, and so help protect your computer from attackers who might try to gain access to crash it, delete information, or steal passwords or other sensitive information. Software firewalls are widely recommended for single computers; the software is prepackaged with some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.

Vendors providing Firewall Protection:

Barracuda Networks : https://www.barracuda.com/

Fortinet : https://www.fortinet.com/

Juniper Networks : https://www.juniper.net/us/en/products-services/security/

SonicWall : https://www.sonicwall.com/

Install or Update Your Antivirus Software:

Antivirus (AV) software, also known as anti-malware, is a program used to prevent, detect and remove malware (malicious software). It was originally developed to detect and remove computer viruses, hence the name, but it is also designed to fight off other kinds of threats such as phishing attacks, worms, Trojan horses, rootkits and more. AV software works to stop malicious programs from embedding themselves on your computer, and if it detects malicious code, such as a virus or a worm, it works to disarm or remove it. Viruses can infect computers without the user’s knowledge, so keep the software current: most types of antivirus software can be set up to update automatically.

Vendors providing Antivirus Protection :

Bitdefender Antivirus Plus 2019 : https://www.bitdefender.com/

Norton AntiVirus Basic : https://us.norton.com/ 

Webroot SecureAnywhere Antivirus : https://www.webroot.com/us/en/home

ESET NOD32 Antivirus : https://www.eset.com/us/home/antivirus/

F-Secure Antivirus SAFE : https://www.f-secure.com/us-en/home?ecid=10619&afcid=10619

Install or Update Your Antispyware Technology:

Anti-spyware is software designed to prevent spyware from being installed, to detect spyware that is already present, and to remove it. Detection may be either rules-based or based on downloaded definition files that identify currently active spyware programs. Spyware is a type of malware that is installed on a computer without the user’s knowledge in order to collect information about them: it is just what it sounds like, software surreptitiously installed on your computer to let others peer into your activities. Some spyware collects information about you without your consent or produces unwanted pop-up ads in your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable anti-spyware: in some cases these products are fake and may actually contain spyware or other malicious code. It’s like buying groceries: shop where you trust.

Vendors providing Anti-spyware protection :

Emsisoft AntiMalware : https://www.emsisoft.com/en/home/antimalware/ 

Spyware Terminator : https://www.spywareterminator.com/ 

Malwarebytes Premium Trial : https://www.malwarebytes.com/trial/

Keep Your Operating System Up to Date:

Operating system updates are critical; skipping them is a mistake that keeps the door open for hackers to access your private information, putting you at risk of identity theft, loss of money or credit, and more. Operating systems are updated periodically to keep pace with technology requirements and to fix security holes, so install the updates to ensure your computer has the latest protection. Consider the recent Equifax data breach, in which 143 million Americans were potentially affected, with Social Security numbers, birth dates, and home addresses exposed. The hackers accessed the credit reporting agency’s data through a known vulnerability in a web application; a fix for this security hole was available two months before the breach, but the company failed to update its software. This was a tough lesson, but one that we can all learn from: software updates matter because they often include critical patches for security holes.

Be Careful What You Download:

Carelessly downloading e-mail attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know: they may have unwittingly passed on malicious code.

Best practice:

        1. Never reply to spam emails.
        2. Never open attachments in emails that you get from unknown sources.
        3. Always keep your anti-virus up-to-date.
        4. Don’t allow auto-download of programs.
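The advice above is about judgement, but the same rules can be applied mechanically before an attachment ever reaches a user. The script below is an added example, not code from the original page: it parses a constructed e-mail message with Python’s standard `email` library and flags attachments that a practitioner would quarantine rather than open. It goes a little beyond the list, covering executable extensions, double extensions such as `invoice.pdf.exe`, macro-enabled Office documents, and a file whose bytes start with the Windows executable header while its name says PDF. The sender and recipient addresses, file names and file contents are all constructed.

```python
"""Triage of e-mail attachments before anyone opens them.

Added example, not code from the original page. The extension lists, the
sample message and its addresses, file names and contents are constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# File types that run code when opened; a mail gateway normally blocks these.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                  ".ps1", ".msi", ".hta", ".jar"}
# Office formats that can carry macros.
MACRO_EXT = {".docm", ".xlsm", ".pptm"}


def build_sample_message():
    """Construct a message with one harmless and three suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Double extension: shows as a PDF in many mail clients, runs as an .exe.
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Macro-enabled Word document.
    msg.add_attachment(b"PK constructed sample", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="notes.docm")
    # Declared as PDF, but the bytes start with the Windows executable header.
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="pdf", filename="update.pdf")
    return msg.as_bytes()


def assess_attachments(raw):
    """Return one finding per attachment: file name, declared type, reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        reasons = []
        if ext in EXECUTABLE_EXT:
            reasons.append("executable extension")
        # A second extension hiding in the stem ("invoice.pdf" + ".exe").
        # Heuristic: archive names such as "x.tar.gz" will also trip it.
        if os.path.splitext(stem)[1]:
            reasons.append("double extension")
        if ext in MACRO_EXT:
            reasons.append("macro-enabled document")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ") and ext not in EXECUTABLE_EXT:
            reasons.append("content is a Windows executable despite its name")
        findings.append({"filename": name,
                         "content_type": part.get_content_type(),
                         "reasons": reasons})
    return findings


def risky_filenames(findings):
    """Names of attachments that should be quarantined rather than opened."""
    return [f["filename"] for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in assess_attachments(build_sample_message()):
        verdict = "; ".join(f["reasons"]) or "no issue found"
        print(f"{f['filename']:18} {f['content_type']:48} {verdict}")
```

Checks like these complement, rather than replace, an up-to-date anti-virus product: they catch the obvious disguises cheaply, while a clean-looking PDF or spreadsheet still needs the scanner and the user’s judgement about who sent it.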

Turn Off Your Computer:



HIPAA Complaint Process Infographic Released by HHS

The Centers for Medicare & Medicaid Services (CMS) has released a new infographic on how alleged violations of the HIPAA Administrative Simplification requirements are processed.

Find out what happens when a complaint is filed:

If you have a complaint about a potential HIPAA Administrative Simplification violation, you can submit it to the CMS complaint enforcement process. Look for more information about CMS compliance and enforcement coming soon.

https://asett.cms.gov/ASETT_HomePage

EHR 2.0 rebrands as databrackets, Expands its security & compliance offerings

EHR 2.0, the company founded in 2011 to serve the signature healthcare law incentive programs, security requirements and HIPAA/HITECH compliance requirements, today announced a corporate name change to databrackets. As part of the rebranding effort, we are unveiling a new line of service offerings and software platform capabilities and a new website, and introducing a new logo to showcase the company’s fresh look.

“As part of the rebranding efforts the tone for our company is to evolve and serve the growing security, privacy audit and compliance requirements,” Mr. Kolathur said. We are expanding our service offerings not only to our consulting customers but also to our DIY (Do It Yourself) toolkit customers and partners. With our strong team of security and compliance expertise, we strive to fulfill the needs of all of our customers to the fullest extent.

Under our former brand EHR 2.0, we primarily served healthcare industry clients with HIPAA/OSHA compliance and MIPS requirements. Based on our customers’ needs, we have added GDPR compliance, NIST framework compliance, cybersecurity compliance (including CCPA and NY Cybersecurity), CFR Part 11, SOC 2 audits, cloud compliance and other fields that are in high demand. With these expanded service offerings, we see our company shift from the healthcare domain to industry-agnostic solutions with general data security, compliance, and auditing as our key differentiators. We believe rebranding to a strong and unique company name reflects the full depth and breadth of our current expertise, as well as our vision for the future.

The rebranding and expanded service offerings have positioned us to reach the European, Asian, and Middle Eastern markets, and we are excited about our expansion.

“Data is the key in this digital world. Our expanded services focus on securing them and ensuring that the organizations’ data meets the compliance and certification requirements. The response from our consulting clients and DIY portal customers is very encouraging and positive” says Punitha Srini, Business Development Director.

Our DIY portal and training across all our service offerings receive overwhelmingly positive feedback and serve customers with the budget and resources needed to quickly meet compliance requirements. Visit our website to learn more.

Phone: (866)-276-8309
E-mail: info@databrackets.com

Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach

23rd May 2019

Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed to take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.

On July 23, 2015, MIE filed a breach report with OCR following the discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.

The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mie/index.html.

New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA

24th May 2019

The HHS Office for Civil Rights (OCR) has issued a new fact sheet that provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”), in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.  In 2013, under the authority granted by the HITECH Act, OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable. 

OCR has the authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list. 

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or another person for filing a HIPAA complaint, participating in an investigation or other enforcement processes, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” said OCR Director Roger Severino.  “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”

The new fact sheet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html along with OCR’s guidance on business associates.