KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.
Data Breaches Involving Business Associates
According to data on OCR’s website, there have been 292 breaches affecting 500 or more individuals since September 2009. Business associates have been involved in 57, or about 20%, of those breaches.
An official at the HHS Office for Civil Rights says the agency has not decided whether to include business associates in its HIPAA-compliance audit plans, HealthLeaders Media reports.
The Department of Health and Human Services should not require hospitals and other entities covered by the Health Insurance Portability and Accountability Act to provide to individuals on request a report detailing all internal disclosures of their personal health information from electronic designated record sets, the AHA told the department in a letter today. AHA said the proposal, included in a proposed rule modifying the HIPAA privacy rule under the HITECH Act, fails to meet the law’s requirement to “appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals.” The association urged HHS to withdraw the proposal and “reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation’s effectiveness with the compliance burdens.” While generally endorsing the rule’s proposed accounting of disclosures revisions, AHA urged additional changes to ensure a proper balance of the value of the information to patients with the burdens to covered entities of producing it. AHA also urged HHS to retract the rule’s preamble commentary about the HIPAA security rule in order to reflect longstanding department guidance.
An Alabama woman has been charged with violations of the HIPAA privacy rule for stealing paper surgery schedules of about 4,500 patients from Trinity Medical Center in Birmingham and intending to use the names, dates of birth and Social Security numbers to commit identity theft.
An Alabama woman has been charged with violating the HIPAA Privacy Rule following allegations that she stole identifying information on about 4,500 patients from Trinity Medical Center in Birmingham.
Legal experts say a Michigan court ruling over disclosing patient names places tighter restrictions on what information physicians can release during legal proceedings.
The decision also could impact peer review and lead to a rise in lawsuits against health care professionals over patient-privacy violations, they said.
7 tips to avoid HIPAA violations in social media
The Office for Civil Rights has requested $46.7 million in funding in its FY 2010 budget, with 76 percent of new funding to go toward enforcing HIPAA regulations, according to a Health Data Management news report.
Susan McAndrew of the HHS Office for Civil Rights discusses recent high-profile HIPAA cases, upcoming state attorneys general training and the pending HIPAA audit program.