Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by or settlement reached by the United States Office of Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What lessons can be learned?

Patient Engagement is Key in Stage 2 Meaningful Use

Stage 2 of Meaningful Use under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) requires providers who want the HITECH Act’s EHR incentive payments to ensure that at least some patients are engaged and are actually using their electronic health records (EHRs). The Final Rule for the Stage 2 criteria calls for eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) to provide a means for patients to access their health care information online. EPs must also provide a means for patients to send secure messages electronically; however, patients have to actually use these services in order for providers to meet these new measures for making a Meaningful Use of certified EHRs.


Initial HIPAA Audit Report Provides Some Guidance, Identifies Top Risks

In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KPMG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its initial group of 20 audits aimed at testing the audit protocol. The United States Department of Health & Human Services’ (HHS) Office of Civil Rights (OCR) recently issued a preliminary report of the results (click here to see OCR’s slide presentation of the 2012 HIPAA Privacy and Security Audits Report).


HHS Office of Civil Rights updates HIPAA Breach Website

As indicated in a July 8, 2010 press briefing, the Office of Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) has updated its HIPAA breach notification webpage. This is the webpage where OCR is posting breaches of unsecured Protected Health Information (PHI) affecting 500 or more individuals. The format includes brief summaries of the incidents reported to the HHS Secretary that OCR has investigated and closed. The format also allows users to search and sort the posted breaches by entity, state, date, number of individuals affected, type of breach, and location of breached information. There are currently 107 breach notifications posted, all occurring since September 9, 2009. The breaches reported thus far indicate that theft ranks #1 as the type of activity leading to a breach. A quick run-down of the stats reflects the following:
