KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.
via HIPAA Auditor Involved in Own Data Breach.
Data Breaches Involving Business Associates
According to data on OCR’s website, there have been 292 breaches affecting 500 or more individuals since September 2009. Business associates have been involved in 57, or about 20%, of those breaches.
via OCR Deciding Whether To Run HIPAA Audits on Business Associates – iHealthBeat.
An official at HHS Office for Civil Rights says the agency has not decided whether to include business associates in its HIPAA-compliance audit plans, HealthLeaders Media reports.
via OCR Deciding Whether To Run HIPAA Audits on Business Associates – iHealthBeat.
The Department of Health and Human Services should not require hospitals and other entities covered by the Health Insurance Portability and Accountability Act to provide to individuals on request a report detailing all internal disclosures of their personal health information from electronic designated record sets, the AHA told the department in a letter today. AHA said the proposal, included in a proposed rule modifying the HIPAA privacy rule under the HITECH Act, fails to meet the law’s requirement to “appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals.” The association urged HHS to withdraw the proposal and “reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation’s effectiveness with the compliance burdens.” While generally endorsing the rule’s proposed accounting of disclosures revisions, AHA urged additional changes to ensure a proper balance of the value of the information to patients with the burdens to covered entities of producing it. AHA also urged HHS to retract the rule’s preamble commentary about the HIPAA security rule in order to reflect longstanding department guidance.
via AHA urges changes to proposed rule for PHI disclosures.
An Alabama woman has been charged with violations of the HIPAA privacy rule for stealing paper surgery schedules of about 4,500 patients from Trinity Medical Center in Birmingham and intending to use the names, dates of birth and Social Security numbers to commit identity theft.
via Woman Faces Criminal Charges for HIPAA Privacy Violations.
An Alabama woman has been charged with violating the HIPAA Privacy Rule following allegations that she stole identifying information on about 4,500 patients from Trinity Medical Center in Birmingham
via HIPAA Violation Charged in Records Theft.
Legal experts say a Michigan court ruling over disclosing patient names places tighter restrictions on what information physicians can release during legal proceedings.
The decision also could impact peer review and lead to a rise in lawsuits against health care professionals over patient-privacy violations, they said.
via amednews: Michigan law trumps HIPAA in patient privacy case :: June 6, 2011 … American Medical News.
7 tips to avoid HIPAA violations in social media
via 7 tips to avoid HIPAA violations in social media.
Office of Inspector General (OIG) has released two reports that question HHS agencies’ efforts to secure electronic protected health information.
via OIG raps HHS agencies for lax PHI security.
