patient records | The Health Law Firm Blog

Ex-Hospital Employee Admits to Stealing and Selling Confidential Patient Information

By Lance O. Leider, J.D., and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On October 22, 2012, a former Florida Hospital employee admitted to stealing patient information that was used to target customers for lawyers and chiropractors, according to a number of sources. The man allegedly pleaded guilty in Orlando federal court to one count of conspiracy and one count of wrongful disclosure of health information, according to the Department of Justice (DOJ). By accessing this information the man violated criminal provisions of the Health Insurance Portability and Accountability Act (HIPAA).

To read a press release on the guilty plea from the DOJ, click here.

You may remember the news story about a privacy breach at Florida Hospital back in October 2011. The breach involved more than 700,000 patient records that were accessed by the ex-employee between 2009 and 2011. We previously wrote about that story. Click here to read the blog.

Patients Received Calls from Lawyer and Chiropractor Referrals.

Federal investigators said the ex-hospital worker was looking specifically for information on car accident victims. He would allegedly sell that information to co-conspirators.

According to the Federal Bureau of Investigation (FBI) affidavit, some patients would receive calls offering lawyer or chiropractor referrals about a week after their hospital visit.

The FBI also allegedly found payments from co-conspirators to the former hospital employee.

To read the FBI affidavit, click here.

Will the Ex-Employee Get Prison Time?

According to the Orlando Sentinel, the ex-Florida Hospital worker faces up to 15 years in federal prison for these criminal charges.

Click here to read the entire article from the Orlando Sentinel.

The man will be sentenced on January 14, 2013. Be sure to check our blog for updates to this story.

Be Sure to Get a HIPAA Risk Assessment to Avoid Violations.

As a health provider you know that you must safeguard and protect confidential patient medical information to avoid civil and criminal penalties against you and your practice. A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. We recently wrote a blog on this subject, click here to view it.

HIPAA Privacy Complaints Are Effective.

Many individuals whose privacy is breached fail to realize how effective a HIPAA Privacy Complaint can be. These complaints, which can be filed online to the Office of Civil Rights (OCR), are fully investigated. Stiff civil fines and even criminal prosecutions may result.

Since the time period is short for filing these (180 days), the first step you should take, if your medical privacy is breached, should be to file a HIPAA Privacy Complaint.

Contact Health Attorneys Experienced in the Confidentiality of Medical Records.

Our attorneys provide advice and legal opinions on confidentiality of medical records and medical information, including HIPAA Privacy Regulation, and are available to testify as expert witnesses on these issues.

For a list of applicable Federal and Florida legal authorities on “super-confidential” medical information such as mental health, HIV and drug or alcohol treatment records click here.

To contact The Health Law Firm please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

Have you been following this story? Do you think the ex-hospital employee should receive the maximum sentence? Please leave any thoughtful comments below.

Sources:

Pavuk, Amy. “Ex-Hospital Employee Pleads Guilty to Stealing Patient Information.” Orlando Sentinel. (October 22, 2012). From: http://www.orlandosentinel.com/news/local/breakingnews/os-florida-hospital-patient-records-arrest-20121022,0,5057291.story

Department of Justice. “Former Florida Hospital Employee Pleads Guilty To Data Theft.” DOJ. (October 22, 2012). Press Release From: ttp://www.justice.gov/usao/flm/press/2012/oct/20121022_Munroe.html

About the Authors: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

By The Health Law Firm|2024-03-14T10:00:40-04:00June 1, 2018|Categories: HIPAA, In the Know, In the News, The Health Law Firm Blog|Tags: audit attorneys, confidentiality of medical records, defense attorney, defense lawyer, Department of Justice (DOJ), Federal Bureau of Investigation (FBI), health care attorney, health care audits, health care laywer, Health Insurance Portability and Accountability Act (HIPAA), HIPAA audits, HIPAA compliance, HIPAA Privacy Complaint, HIPAA Privacy Regulation, legal representation, medical records, patient records, privacy breach|Comments Off

Florida Man Sentenced to Prison for Role in Florida Hospital Data Theft

By Lance O. Leider, J.D., The Health Law Firm

A Davenport, Florida, man was sentenced to four years in prison for paying off two Florida Hospital employees to illegally access patient records, according to the Department of Justice (DOJ). A judge sentenced Sergie Kusyakov on April 10, 2013. He was charged with conspiracy and wrongful disclosure of individual identifiable health information.

Click here to read the press release from the DOJ.

Ex-Employees Sold Patient Information to a Co-Conspirator.

Mr. Kusyakov’s sentence stems from a privacy breach at Florida Hospital back in October 2011. The breach involved thousands of patient records that were illegally accessed between 2009 and 2011. Apparently Mr. Kusyakov was paying hospital employee Dale Munroe and his wife to illegally access thousands of records of patients treated at multiple Florida Hospital locations. Mr. Munroe was sentenced in January 2013. Click here to read a previous blog on that story.

Mr. Munroe was allegedly fired in July 2011, after it was learned he accessed the records of a doctor fatally shot in a parking garage. Investigators then found that Mr. Munroe had accessed more than 700,000 patient records, most of whom had been involved in vehicle accidents. Mr. Munroe then sold the records to Mr. Kusyakov, who was associated with two chiropractic clinics. The information was then used to solicit the patients for lawyers and chiropractors. After Mr. Munroe was fired, his wife began stealing patient information. She will be sentenced in July.

HIPAA Privacy Complaints Do Result in Action.

The act of accessing patient records is a direct violation of the Health Insurance Portability and Accountability Act (HIPAA). Many individuals whose privacy is breached fail to realize how effective a HIPAA Privacy Complaint can be. These complaints, which can be filed online to the Office of Civil Rights (OCR), a federal agency, are fully investigated. Stiff civil fines and even criminal prosecutions may result. In serious cases, the FBI investigates them.

Since the time period is short for filing these (180 days), the first step you should take, if your medical privacy is breached, is to file a HIPAA Privacy Complaint with the OCR. Also file a complaint with the hospital or health care provider and with the state agency that licenses the health care provider.

Contact Health Attorneys Experienced in the Confidentiality of Medical Records.

Our attorneys provide advice and legal opinions on confidentiality of medical records and medical information, including HIPAA Privacy Regulation, and are available to testify as expert witnesses on these issues.

To contact The Health Law Firm please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

What do you think of Mr. Kusyakov’s sentence? Please leave any thoughtful comments below.

Sources:

Pavuk, Amy. “Man Sentenced to Federal Prison for Role in Florida Hospital Theft.” Orlando Sentinel. (April 11, 2013). From: http://www.orlandosentinel.com/news/local/breakingnews/os-florida-hospital-patient-data-theft-20130410,0,3261544.story

Department of Justice. “Davenport Man Sentenced to 4 Years in Prison of Theft of Patient Information.” Department of Justice. (April 10, 2013). From: http://www.justice.gov/usao/flm/press/2013/apr/20130410_Kusyakov.html

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

By The Health Law Firm|2024-03-14T10:00:47-04:00June 1, 2018|Categories: Health Care Industry, HIPAA, In the Know, In the News, The Health Law Firm Blog|Tags: audit attorneys, confidentiality of medical records, defense attorney, defense lawyer, Department of Justice (DOJ), Federal Bureau of Investigation (FBI), health care attorney, health care audits, health care lawyer, Health Insurance Portability and Accountability Act (HIPAA), HIPAA audits, HIPAA compliance, HIPAA Privacy Complaint, HIPAA Privacy Regulation, legal representation, medical records, patient records, privacy breach|Comments Off

Affinity Health Plan Settles with Government in Photocopier HIPAA Breach Incident Involving Patient Medical Information

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The U.S. Department of Health and Humans Services (HHS) Office of Civil Rights (OCR), and Affinity Health Plan, Inc. (Affinity), reached a settlement for more than $1.2 million for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations related to a photocopier previously leased by Affinity. The photocopier had an internal hard drive which stored copies of documents, including medical records, which had been photocopied by Afinity. The photocopier was returned to the leasing company and then later purchased from that same company by CBS Evening News. Apparently CBS Evening News then discovered the medical records on the photocopier hard drive.

According to the HHS, Affinity filed a breach report with the HHS OCR on April 15, 2010. This is required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To read the entire press release from the HHS, click here.

Affinity is a not-for-profit managed care plan serving the New York metropolitan area.

Alleged Violations Stemmed from Failing to Clear Photocopier Hard Drive.

Affinity was allegedly informed by a representative of CBS Evening News, that as part of an investigation, CBS purchased a photocopier previously leased by Affinity. CBS allegedly informed Affinity that the photocopier still contained medical information on its hard drive. The OCR estimated that up to 344,579 individuals may have been affected by the breach. The OCR’s investigation found that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without deleting the data stored on the hard drives.

Affinity Must Try to Retrieve All Hard Drives in Previously Used Photocopiers.

According to HealthIT Security, on top of the $1,215,780 payment, Affinity must also try to recover all its previously used photocopiers that are still in the custody of the leasing company. Affinity must also conduct a risk analysis of its electronic protected health information for security risks and vulnerabilities.

Click here to read the article from HealthIT Security.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

This settlement is an important reminder about equipment designed to retain electronic information. HIPAA covered entities are responsible for making sure all personal information is wiped from the hardware before it is recycled, thrown away or sent back to a leasing agent. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Be Sensitive to Technical Equipment Containing Internal Memory.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include, for example, photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think of this settlement? Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.

Sources:

Office of Civil Rights. “HHS Settles with Health Plan in Photocopier Breach Case.” U.S. Department of Health and Human Services. (August 14, 2013). From: http://www.hhs.gov/news/press/2013pres/08/20130814a.html

Ouellette, Patrick. “OCR, Affinity Health Plan Reach HIPAA Violation Agreement.” HealthIT Security. (August 14, 2013). From: http://healthitsecurity.com/2013/08/14/ocr-affinity-health-plan-reach-hipaa-violation-agreement

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.

Two Laptops Containing Information of 729,000 Patients Stolen from California Hospital Group

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The personal health information of around 729,000 patients has been compromised following the theft of two laptops. The password-protected computers were taken from an administration building of AHMC Healthcare Inc., a hospital group in Alhambra, California. According to the Los Angeles Times, the laptops contain data from patients treated at six different AHMC Healthcare hospitals. Surveillance video shows that the theft occurred on October 12, 2013, but hospital officials did not discover the laptops were missing until two days later.

To read the article from the Los Angeles Times, click here.

Laptops Contain Patient Information, But No Evidence Information Has Been Hacked.

According to the hospital group, the laptops contain data including patients’ names, Medicare/insurance identification numbers, diagnosis/procedure codes, and insurance/patient payment records. Some of the files allegedly contain the Social Security numbers of Medicare patients.

So far, there is no evidence the information has been accessed or used, according to the CBS affiliate in Los Angeles. Click here to read the article from the CBS affiliate.

However, given that this just occurred a few days ago, it is probably too early to tell, anyway.

Breach Must Be Reported to the Department of Health and Human Services.

Hospitals are required, under federal law, to report potential medical data breaches involving more than 500 people to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR is responsible for investigating all allegation of violations of HIPAA Privacy and Security Regulations.

According to the Los Angeles Times, AHMC Healthcare has already asked for an auditing firm to perform a security risk assessment. Hospital administrators are also expediting a policy to encrypt all laptops.

HIPAA Omnibus Final Rule Effective September 23, 2013–Get a Risk Assessment.

The HIPAA Omnibus Final Rule went into effect on September 23, 2013. By now, hospitals, physicians and all covered entities must comply with the HIPAA Omnibus Final Rule. The amendments to the rule are available on the HHS OCR website. I previously wrote a blog series about the HIPAA Omnibus Final Rule. Click here for part one, click here for part two and here for part three.

Covered entities should be performing HIPAA risk assessments to identify their security risks and implement protections before a data breach occurs. HIPAA has always required covered entities to perform HIPAA risk assessments. Very often, the first question the OCR asks when investigating a possible HIPAA violation is what risk assessment the health care provider has performed.

The objectives of an adequate HIPAA risk analysis are:

1. Identify the scope of the analysis – the analysis should include all the risks and vulnerabilities to the confidentiality, availability and integrity of all electronic health information regardless of its location.
2. Gather data – the covered entity must identify every location where electronic data is stored.
3. Identify and document potential threats and vulnerabilities – the covered entity should consider natural threats, human threats and environmental threats.
4. Assess current security measures – the covered entity must examine and assess the effectiveness of its current measures.
5. Determine the likelihood of threat occurrence – the covered entity should evaluate each potential threat and prioritize its plan to address each threat.
6. Determine the potential impact of threat occurrence – the covered entity should assess the possible outcomes of each identified threat such as unauthorized disclosure of confidential information.
7. Determine the level of risk – the covered entity should categorize each risk and plan its procedures to mitigate any damage cause by each risk.
8. Identify security measures and finalize documentation – the covered entity should thoroughly document all the steps it used in its risk assessment process.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think if this alleged HIPAA violation? Do you have policies and procedures in place to protect your patients’ right to privacy? Have you received a HIPAA risk assessment lately? Please leave any thoughtful comments below.

Sources:

Winton, Richard. “Laptop Thefts Compromise 729,000 Hospital Patient Files.” Los Angeles Times. (October 21, 2013). From: http://www.latimes.com/local/la-me-hospital-theft-20131022,0,1936078.story#axzz2iRg6Rh3Y

Los Angeles CBS. “Laptops Containing Patient Information Stolen from Alhambra Hospital.” Los Angeles CBS. (October 22, 2013). From: http://losangeles.cbslocal.com/2013/10/22/laptops-containing-patient-information-stolen-from-alhambra-hospital/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:52-04:00June 1, 2018|Categories: HIPAA, Hitech Act, The Health Law Firm Blog|Tags: corrective action plan (CAP), data security, defense attorney, defense lawyer, florida health attorney, Florida health lawyer, Health Insurance Portability and Accountability Act (HIPAA), HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA lawyer, HIPAA Omnibus Final Rule, HIPAA risk assessment, medical history, medical records, Office of Civil Rights (OCR), Omnibus Rule, Omnibus rule compliance deadline, Patient privacy, patient records, protected health information (PHI), the health law firm, U.S. Department of Health and Human Services (HHS)|Comments Off

Dermatology Practice Settles with Government After Stolen USB Drive Results in HIPAA Breach

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and Adult & Pediatric Dermatology (APDerm), reached a $150,000 settlement for privacy and security violations of the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations related to an unencrypted USB drive that was stolen. The thumb drive contained the protected health information (PHI) of around 2,200 patients, according to a press release posted December 26, 2013, on the HHS website.

According to the HHS, this is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To read the entire press release from the HHS, click here.

APDerm delivers dermatology services to patients in Massachusetts and New Hampshire.

Alleged Violations Stemmed from Stolen, Unencrypted USB Drive.

According to the HHS, the OCR initiated its investigation after being tipped off that an unencrypted thumb drive containing the PHI of about 2,200 patients was stolen from a vehicle of an APDerm staff member. According to Healthcare IT News the thumb drive was never recovered.

The investigation allegedly revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of it security management process. It’s also alleged that APDerm failed to fully comply with the HITECH Breach Notification Rule, which requires organizations to have written policies and procedures in place and to train staff members.

According to Healthcare IT News, the settlement also includes a corrective action plan (CAP). The CAP requires the dermatology company to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. Click here to read the entire article on Healthcare IT News.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

This settlement is an important reminder about equipment designed to retain electronic information. HIPAA covered entities are responsible for making sure all personal information is protected. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Be Sensitive to Technical Equipment Containing Internal Memory.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them, selling them or trading them in on newer models.

To read a previous blog on Affinity Health Plan settling with government in photocopier HIPAA breach incident, click here.

Practical Tips.

The following are some lessons learned from this case. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work cite. If you need to work on it remotely, use a secure, encrypted internet connection to access your work data base. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think of this settlement? Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.

Sources:

Millard, Mike. “Lost Thumb Drive Leads to $150K Fine.” Healthcare IT News. (December 30, 2013). From: http://www.healthcareitnews.com/news/lost-thumb-drive-leads-150k-fine

U.S. Department of Health and Human Services “Dermatology Practice Settles Potential HIPAA Violations.” HHS.gov. (December 26, 2013). From: http://www.hhs.gov/news/press/2013pres/12/20131226a.html

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:54-04:00June 1, 2018|Categories: HIPAA, Hitech Act, The Health Law Firm Blog|Tags: corrective action plan (CAP), data security, defense attorney, defense lawyer, Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Insurance Portability and Accountability Act (HIPAA), health law firm, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA lawyer, HIPAA risk assessment, medical history, medical records, Office of Civil Rights (OCR), Omnibus Rule, Omnibus rule compliance deadline, Patient privacy, patient records, privacy, protected health information (PHI), the health law firm, U.S. Department of Health and Human Services (HHS)|Comments Off

Data Breach at Colorado Hospital Highlights IT Security Risks

By Lance O. Leider, J.D., The Health Law Firm

A small rural hospital in Glenwood Springs, Colorado, has identified a virus on its computer network that had captured and stored screen shots of protected health information in a hidden file system. The hidden folder was created on Sept. 23, 2013, but was not discovered until Jan. 23, 2014. The breach identified at least 5,400 individual patients whose information was compromised.

According to Healthcare IT News, among the stolen data was patient names, addresses, dates of birth, telephone numbers, Social Security numbers, credit card information, and admission and discharge dates.

Hospital officials have been unable to determine how the virus was loaded onto the hospital network, according to Healthcare IT News. Consequently, officials believe that there is “very high” probability that the data had been accessed by an outside entity.

To read the entire article from Healthcare IT News, click here.

Take Steps to Secure Your Network.

Breaches of this kind are not solely confined to hospitals and large providers. In fact, it may be that this hospital was targeted because it was a smaller provider in a rural area with easier access to its systems.

Viruses like the one in question could be loaded onto systems as a result of an outside attack (think hackers) or through inside means like a flash drive or deliberately opening an infected e-mail.

It is imperative that a Health Insurance Portability and Accountability Act (HIPAA) covered entity have an effective cyber security plan. Make sure that you have up-to-date anti-virus software and that your computers are secure from access by unauthorized personnel like cleaning crews or patients and their families. Also, meet with your IT professional to discuss security measures you can put in place such as restricting access and accessibility to certain files or the ability to download programs and applications to essential staff only.

Hacked data represents a growing share of HIPAA breaches. It is imperative that covered entities ensure their compliance with HIPAA to avoid any sanctions by the Office for Civil Rights (OCR). To date, the OCR has collected in excess of $18 million in fines and penalties for failures to secure patient information.

Get a Risk Assessment.

A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your Risk Assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? To learn more on HIPAA risk assessments, click here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

Do you think it is likely that this hospital was targeted because it was a smaller provider in a rural area? Do you think a HIPAA risk assessment could have helped this practice avoid a breach? Please leave any thoughtful comments below.

Sources:

Harvey, Nelson. “Hospital Database Hacked, Patient Info Vulnerable.” Aspen Daily News. (March 15, 2014). From: http://www.aspendailynews.com/section/home/161578

McCann, Erin. “Small-Town Hospital Gets Hacked.” Healthcare IT News. (March 17, 2014). From: http://www.healthcareitnews.com/news/small-town-hospital-gets-hacked

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:55-04:00June 1, 2018|Categories: HIPAA, Hitech Act, In the Know, The Health Law Firm Blog|Tags: data security, defense attorney, defense lawyer, Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Insurance Portability and Accountability Act (HIPAA), health law firm, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA lawyer, HIPAA risk assessment, medical history, medical records, Office of Civil Rights (OCR), Omnibus Rule, Omnibus rule compliance deadline, Patient privacy, patient records, privacy, protected health information (PHI), the health law firm, U.S. Department of Health and Human Services (HHS)|Comments Off

HIPAA Fines, Mobile Devices and Risk Assessments: Follow the Steps or Pay the Price

By Lance O. Leider, J.D., The Health Law Firm

Two separate entities have agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1,975,220 in fines collectively. The settlements resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules involving stolen, unencrypted laptops. These two actions shine a light on the significant risk unencrypted laptops and other mobile devices pose to the security of patient information.

To read the press release from the HHS OCR, published on April 22, 2014, click here.

Concentra Received Risk Assessments, But Did Not Act on Findings.

According to the OCR, an investigation of Concentra Health Services, a subsidiary of Humana, was conducted after a laptop was stolen from a Missouri physician therapy center. This investigation revealed that Concentra had previously received multiple risk analyses that stated the company lacked encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information. Concentra’s efforts to remedy the risk were incomplete and inconsistent, leaving patients’ health information vulnerable. Concentra agreed to pay $1,725,220 to settle potential security violations and adopt a corrective action plan.

QCA Investigation.

The QCA Health Plan, Inc., investigation began in February 2012, after an unencrypted laptop containing the medical records of 148 individuals was stolen from an employee’s car. The investigation revealed that QCA failed to comply with multiple requirements of the HIPAA privacy and security rules. According to Modern Healthcare, the company is required to pay $250,000, as well as provide HHS with an updated risk analysis and corresponding risk-management plan.

Click here to read the entire article from Modern Healthcare.

Encrypt Laptops and Other Equipment or Pay the Price.

Encryption is one of your best defenses against incidents. These two settlements highlight the need for all entities to encrypt their laptops and other devices. Failing to do so may put that entity at risk for paying a large fine to the OCR and possible fines for state law violations.

HIPAA-covered entities are responsible for making sure all personal information is protected.

The following are some practical tips to use when handling protected health information. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work site. If you need to work on it remotely, use a secure, encrypted internet connection to access your work database. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

Are the laptops and other mobile devices at your practice encrypted? Does your practice regularly perform HIPAA risk assessments? Please leave any thoughtful comments below.

Sources:

Conn, Joseph. “Unencrypted-Laptop Thefts at Center of Recent HIPAA Settlements.” Modern Healthcare. (April 23, 2014). From: http://www.modernhealthcare.com/article/20140423/NEWS/304239945/unencrypted-laptop-thefts-at-center-of-recent-hipaa-settlements

U.S. Department of Health and Human Services Press Office. “Stolen Laptops Lead to Important HIPAA Settlements.” U.S. Department of Health and Human Services. (April 22, 2014). From: http://www.hhs.gov/news/press/2014pres/04/20140422b.html

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:56-04:00June 1, 2018|Categories: HIPAA, Hitech Act, The Health Law Firm Blog|Tags: corrective action plan (CAP), data security, defense attorney, defense lawyer, encrypted laptop, Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Insurance Portability and Accountability Act (HIPAA), health law firm, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA lawyer, HIPAA risk assessment, HIPAA violation, medical history, medical records, Office of Civil Rights (OCR), Omnibus Rule, Omnibus rule compliance deadline, Patient privacy, patient records, privacy, protected health information (PHI), the health law firm, U.S. Department of Health and Human Services (HHS)|Comments Off

Board of Dentistry Considers Adding Failure to Provide Dental Records to “Citation” Offenses

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

At the Florida Board of Dentistry meeting held on November 21, 2014, it discussed a proposed change to Rule 64B5-13.0046, Florida Administrative Code. The amendment would add a provision for failing to timely produce dental records to patients. This addition should help dentists avoid receiving permanent discipline on their records for a minor technical violation.

Considered was the addition of the following language to the existing Rule, listing citation-approved offenses:

Violation of subsection 466.028(1)(n), F.S., failure to timely make available to a patient or client, or to his legal representative or to the Department, if authorized in writing by the patient, copies of documents in the possession or under control of the licensee, which relate to the patient or client. Timely means less than 30 days from the receipt of the written authorization. The subject of the citation has 10 days from the date the citation becomes a final order to release the patient records. Failure to comply will result in a $1,000.00 fine.

Citation vs. Charge.

An administrative citation such as those discussed is not considered to be discipline, but an alternative to discipline. The dentist can accept the citation and pay the fine; therefore the citation will not be recorded on his/her record as discipline. For more on this issue, read my blog on citations against physicians and other health professionals.

This is a good development for dentists as it allows the resolution of minor technical violations of statutes and rules without the very undesirable effect of creating a disciplinary record. We sometimes jokingly refer to these as “speeding tickets” since they carry a fine but are not considered to be permanent disciplinary action.

Carefully Review and Promptly Respond in Citation Cases.

Take immediately action on any proposed citation you receive from the Department of Health (DOH). Consult immediately with a health attorney who is experienced at representing dentists in Board of Dentistry matters. Click here for a previous blog on why you should speak with an attorney first.

In most cases, you will probably be advised to accept the citation and pay the fine. If so, be sure to submit the signed agreement, ending it by a method that documents sending and receipt (such as certified mail, return receipt requested), and keep a copy of all documents you submit. Make sure it is received (not sent) by the due date. Call to make sure it was received.

For additional information on citations in disciplinary cases, click here.

In Limited Circumstances, You May Not Want to Accept the Citation.

In limited circumstances, it may not be advisable to accept a citation. This may occur if there is pending litigation involving the subject of the citation. If the wrong person is named in the citation, this may be another reason for not accepting it. If you did not commit the offense and you are sure you can prove this, you may also desire to not accept the citation. This is especially true if you have dental liability insurance coverage which pays for a legal defense in such administrative disciplinary cases involving professional license defense.

For more information on dental license defense, read this previous blog.

If You Do Not Accept the Citation, Be Prepared for an Administrative Complaint.

If you do not accept the citation within the limited time given (usually 30 days), or if you send back a statement regarding why it is unfair or why you did not commit the violation, this will usually be treated as a statement disputing material facts. In this event, the case will be treated as though you were requesting a formal administrative hearing. You will be given a regular formal hearing (trial) with an administrative law judge from the Division of Administrative Hearings (DOAH). For information on hearings in dental cases, click here.

Be Sure Your Staff Knows How to Treat Record Requests.

Be sure that when your office receives a request for a patient’s dental chart that the request is promptly reviewed by someone in management. Management must make sure the authorization or subpoena is valid (remember HIPAA) and that the record is provided in a timely manner. Paying attention to such requests may allow you to detect and act on potential dental medical malpractice claims or DOH complaints. You should have a written office policy on this that every employee has signed.

Remember you are not authorized to withhold a patient’s dental record because the patient has not paid a bill. You are not authorized to withhold the chart because you are angry at the patient or the patient has threatened to sue you. Be sure to provide the patient (or his/her representative) a copy of the record within 30 days. Keep a copy of the letter transmitting the copy in the chart and annotate the HIPAA medical information disclosure form in the record.

Comments?

What do you think of a citation versus a charge in regard to promptly getting patients their dental records? Please leave any thoughtful comments below.

Consult With An Attorney Experienced in the Representation of Dentists.

We routinely provide deposition coverage to dentists, dental hygienists and other health professionals being deposed in criminal cases, negligence cases, civil cases or disciplinary cases involving other health professionals.

The lawyers of The Health Law Firm are experienced in both formal and informal administrative hearings and in representing dentists and dental hygienists and other health professionals in investigations and at Board of Dentistry hearings. Call now or visit our website http://www.TheHealthLawFirm.com.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.Copyright © 1999-2015 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:01:10-04:00May 15, 2018|Categories: Board of Dentistry, Dental Law, Dentist Defense attorney, Dentistry Law, Dentists|Tags: administrative citation, administrative complaint, Administrative Hearing, citation, defense attorney, defense lawyer, dental board, dental lawyer, dental records, dentist, dentist attorney, department of health, disciplinary action, disciplinary record, doh, doh complaint, Florida Board of Dentistry, Florida dentist, Florida laws, formal hearing, Informal hearing, license defense, patient records, requests for patient records|Comments Off

Jury Awards Walgreens Customer $1.44 Million Over HIPAA Violation

By Lance O. Leider, J.D., The Health Law Firm and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

An Indiana jury awarded a Walgreens customer $1.44 million on July 26, 2013, over a Health Insurance Portability and Accountability Act (HIPAA) violation, according to the Indianapolis Star. The Walgreens pharmacist was found to have violated the customer’s privacy by looking up and sharing the customer’s prescription history with others. The lawsuit alleged that there was a relationship between the pharmacist, her husband and the husband’s ex-girlfriend (who was the customer). The customer/ex-girlfriend was the plaintiff in the lawsuit.

Click here to read the entire article from the Indianapolis Star.

Details of the Lawsuit.

According to the American Bar Association, the lawsuit alleged the pharmacist was married to the customer’s ex-boyfriend at the time the pharmacist viewed her prescription records. The pharmacist admitted to showing the confidential information to her husband, who shares a child with the customer/plaintiff. In doing this, the pharmacist breeched her statutory and common law duties of confidentiality and privacy.

Click here to read the entire article from the American Bar Association.

Walgreens Found Negligent.

The jury found Walgreens negligent in training and supervising the pharmacist. The pharmacist admitted she was aware of the pharmacy’s privacy policy and knew she was violating it. Walgreens claims the pharmacist has been appropriately disciplined.

Deadline to Comply with Omnibus Rule Close-Are You Ready?

The Department of Health and Humans Services (HHS) released stronger rules and protections governing patient privacy on January 17, 2013. This omnibus rule strengthens the privacy and security protection established under HIPAA. Physicians, hospitals, clinics, health care providers and their business associates need to take into account the corrections as they work to update business associate agreements, policies, practices and training to comply with the rule changes by the September 23, 2013, deadline. To learn more on the omnibus rule changes, click here to read a previous blog.

Be Proactive-Get a HIPAA Risk Assessment.

A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions. It will identify areas for improvement and allow them to be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What are your thoughts on this HIPAA violation? Do you think Walgreens failed to train and supervise the pharmacist? Please leave any thoughtful comments below.

Sources:

Neil, Martha. “Walgreens Must Pay Customer $1.44M After Pharmacy Shared Her Prescription Records.” American Bar Association. (July 29, 2013). From: http://www.abajournal.com/news/article/jury_says_walgreens_must_pay_1.44m_because_pharmacist_gave_her_husband/

Evans, Tim. “Walgreens Must Pay Woman $1.44 Million Over HIPAA Violation.” Indianapolis Star. (July 26, 2013). From: http://www.indystar.com/article/20130726/NEWS/307260079/

About the Authors: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999. Copyright © 1996-2012 The Health Law Firm. All rights reserved.