Elite Dental Associates, Dallas (“Elite”) has agreed to pay $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Elite is a privately-owned dental practice located in Dallas, Texas, providing general, implant, and cosmetic dentistry.
On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a social media review by disclosing the patient’s last name and details of the patient’s health condition. OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page. Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule. OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
A lot of people think of computer security as something technical, expensive and complicated. But most security best practices are actually very simple. Here are the basic, important things you should do on your home and organization computers to make yourself safer online.
Keep Your Firewall Turned On:
A firewall is a system designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both. Firewalls prevent unauthorized internet users from accessing private networks connected to the internet, especially intranets. A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.
Use Antivirus Software:
Antivirus (AV) software, also known as anti-malware, is a program used to prevent, detect, and remove malware (malicious software). It was originally developed to detect and remove computer viruses, hence the name, but it is also designed to fight off other kinds of threats such as phishing attacks, worms, Trojan horses, rootkits and more. Antivirus software is designed to prevent malicious programs from embedding themselves on your computer; if it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users’ knowledge, and most types of antivirus software can be set up to update automatically.
Install Anti-spyware:
Anti-spyware is software designed to prevent and detect unwanted spyware installations and to remove those programs if they are already installed. Detection may be either rules-based or based on downloaded definition files that identify currently active spyware programs. Spyware is a type of malware that is installed on a computer without the user’s knowledge in order to collect information about them; it is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads in your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable anti-spyware—in some cases these products may be fake and may actually contain spyware or other malicious code. It’s like buying groceries—shop where you trust.
Keep Your Operating System Updated:
Operating system updates are critical; skipping them is a mistake that keeps the door open for hackers to access your private information, putting you at risk for identity theft, loss of money or credit, and more. Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes, so be sure to install the updates to ensure your computer has the latest protection. Consider the recent Equifax data breach, in which 143 million Americans were potentially affected, with Social Security numbers, birth dates, and home addresses exposed. The hackers were able to access the credit reporting agency’s data through a known vulnerability in a web application. A fix for this security hole was actually available two months before the breach, but the company failed to update its software. This was a tough lesson, but one that we can all learn from: software updates are important because they often include critical patches for security holes.
Be Careful What You Download:
Carelessly downloading e-mail attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly passed along malicious code.
Best practice:
Never reply to spam emails.
Never open attachments in emails that you get from unknown sources.
Always keep your anti-virus up-to-date.
Don’t allow auto-download of programs.
Turn Off Your Computer:
May 23, 2019 – Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed to take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.
On July 23, 2015, MIE filed a HIPAA breach report with OCR following discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.
“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.
Europe’s huge privacy fines against Marriott and British Airways are a warning for many companies handling EU data. The biggest, however, may be yet to come, as Facebook, Google and Apple remain under investigation. The GDPR is a very broad rule with few specifics, and companies have had little insight into how regulators in the EU would interpret the law. Databrackets, in partnership with Bagchi Law, is working on publishing research material along with webinars to help companies comply with this new law.
What is GDPR?
GDPR stands for General Data Protection Regulation and is a set of data privacy regulations implemented by the EU Parliament on April 14, 2016 (“GDPR”). GDPR is designed to harmonize data privacy laws across Europe, and generally sets forth requirements with respect to how information related to individuals may be collected and used.
To Whom does GDPR Apply?
GDPR applies to all entities who “process” “personal data” related to individuals residing in the European Economic Area. As a result, the vast majority of entities which sell products or provide services to individuals located in the European Economic Area are subject to GDPR.
The concepts of “processing” and “personal data” are at the core of GDPR, and of any determination of whether GDPR applies to a particular entity:
“processing” is defined in Article 4 of GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”; and
“personal data” is defined in Article 4 of GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Such definitions are broad, and “personal data” generally includes all information which can be linked to a specific individual. Moreover, “processing” covers almost all uses of personal data.
Why is GDPR important? And What Does it Mean for the Future?
Almost every service we use, from retailers to email providers and social media networks, requires the collection and processing of our personal data. Entities may collect, store, and use a variety of personal information we provide, such as names, addresses, and credit card numbers.
In recent years, the accelerated aggregation of personal data has led to the most serious data breaches in history, such as the 2017 and 2018 breaches of Equifax, Facebook, and Aadhaar, which collectively affected more than 1.25 billion individuals. GDPR seeks to ensure personal information is protected not only against those who would seek to use it maliciously but also against the entities which collect it.
In early 2018, Facebook lost more than 100 billion dollars in share value in a matter of days when news of the Cambridge Analytica data scandal broke. Facebook shared with Cambridge Analytica personal information related to an estimated 87 million users, without their consent. In March 2018, just two months before GDPR came into effect, Google released findings that between 2015 and 2018 its Google+ social network contained a glitch allowing developers to access the personal “Google+” profile data of countless users.
The litany of data breaches and the frequent misuse of personal information has not gone unnoticed, even in the US. Largely in response to the misuse of personal data by big-tech companies such as Google, Facebook, Amazon and others, various states are implementing their own regulations applicable to personal data and cybersecurity. For instance, the California Consumer Privacy Act will be effective January 1, 2020, and the New York State Legislature’s Cybersecurity Regulations went into effect March 1, 2019.
How does GDPR Affect Your Business? What is a DPA?
Before turning to a discussion of the practical impact of GDPR on covered entities, it is important to understand two additional terms defined therein:
“controller” is defined in Article 4 of GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”; and
“processor” is defined in Article 4 of GDPR as “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
If your business processes personal information related to individuals residing in the European Economic Area or provides such information to any other entity, you are likely already familiar with the concept of a data privacy agreement. GDPR requires that certain contractual provisions govern the relationship between controllers and processors. These contractual provisions are generally found in a data processing agreement, commonly referred to as a data processing addendum or “DPA.”
The most fundamental provisions required by GDPR are found in Article 28 Section 3 of GDPR. That section requires that “processing by a processor” be “governed by a contract…that sets out:”
the subject-matter of the processing;
the duration of the processing;
the nature and purpose of the processing;
the types of personal data subject to processing;
the categories of data subjects (whose data is being processed); and
the rights and obligations of the controller.
In addition to the above, GDPR sets forth a number of stipulations applicable to processors, which must be contained in the relevant agreement or DPA. Such stipulations include the following:
the processor must act only on the controller’s documented instructions unless required by law;
the processor must ensure that individuals processing the controller’s personal data are subject to an appropriate duty of confidence;
the processor must take appropriate measures to ensure the security of processing;
the processor may only engage with a sub-processor with the controller’s prior authorization and pursuant to a written contract containing appropriate protections;
the processor must take appropriate measures to help the controller respond to requests from individuals to exercise the rights provided to them under GDPR;
taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, notification of personal data breaches and data protection impact assessments;
the processor must delete or return all personal data to the controller upon the termination of the provision of services relating to processing; and
the processor must submit to certain audits and inspections.
Whether your business is a controller entering into a DPA with a processor, or you’re a processor engaging with a sub-processor, it may seem daunting to ensure each requirement of GDPR is met. On the flip side, failure to comply with GDPR can result in fines ranging from 10 million euros to four percent of a business’s annual global turnover. While GDPR was implemented in May 2018, this year has seen an exponential increase in the number of enforcement actions. And as the US begins implementation of its own data privacy regulations, it is more important than ever for US businesses to begin thinking about compliance.
Attend our live webinar to learn more about how to comply with GDPR.
The Centers for Medicare & Medicaid Services (CMS) has released a new infographic on how alleged violations of the HIPAA Administrative Simplification requirements are processed.
Find out what happens when a complaint is filed:
If you have a complaint about a potential HIPAA Administrative Simplification violation, you can submit it to the CMS complaint enforcement process. Look for more information about CMS compliance and enforcement coming soon.
EHR 2.0, the company that was founded in 2011 to serve the signature healthcare law incentive programs, security requirements and HIPAA/HITECH compliance requirements, today announced a corporate name change to databrackets. As part of the rebranding effort, we are unveiling a new line of service offerings and software platform capabilities, a new website and introducing a new logo to showcase the company’s fresh look.
“As part of the rebranding efforts the tone for our company is to evolve and serve the growing security, privacy audit and compliance requirements,” Mr. Kolathur said. We are expanding our service offerings not only to our consulting customers but also to our DIY (Do It Yourself) toolkit customers and partners. With our strong and experienced security and compliance team, we strive to fulfill the needs of all of our customers to the fullest extent.
Under our former brand EHR 2.0, we primarily served healthcare industry clients with HIPAA/OSHA compliance and MIPS requirements. Based on our customers’ needs, we have added GDPR compliance, NIST framework compliance, Cybersecurity compliance (including CCPA and NY Cybersecurity), CFR Part 11, SOC 2 audits, cloud compliance and other fields that are in high demand. With these expanded service offerings, we see our company shift from the healthcare domain to industry-agnostic solutions, with general data security, compliance, and auditing as our key differentiators. We believe rebranding to a strong and unique company name reflects the full depth and breadth of our current expertise, as well as our vision for the future.
The rebranding and expanded service offerings have positioned us to reach the European, Asian, and Middle Eastern markets, and we are excited about our expansion.
“Data is the key in this digital world. Our expanded services focus on securing them and ensuring that the organizations’ data meets the compliance and certification requirements. The response from our consulting clients and DIY portal customers is very encouraging and positive” says Punitha Srini, Business Development Director.
Our DIY portal and training in all of our service areas receive overwhelmingly positive feedback and serve customers with the budget and resources needed to quickly meet compliance requirements. Visit our website to learn more.
The HHS Office for Civil Rights (OCR) has issued a new fact sheet that provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”), in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. In 2013, under the authority granted by the HITECH Act, OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.
OCR has the authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list.
Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
Taking any retaliatory action against any individual or another person for filing a HIPAA complaint, participating in an investigation or other enforcement processes, or opposing an act or practice that is unlawful under the HIPAA Rules.
Failure to comply with the requirements of the Security Rule.
Failure to provide breach notification to a covered entity or another business associate.
Impermissible uses and disclosures of PHI.
Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Failure, in certain circumstances, to provide an accounting of disclosures.
Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” said OCR Director Roger Severino. “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”
Touchstone Medical Imaging (“Touchstone”) has agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.
In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers allowed uncontrolled access to protected health information (PHI). This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.
Touchstone initially claimed that no patient PHI was exposed. However, during OCR’s investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed, including names, birth dates, social security numbers, and addresses. OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. Consequently, Touchstone’s notification to individuals affected by the breach was also untimely. OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including its IT support vendor and a third-party data center provider, as required by HIPAA.
In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.