Privacy and Security Forum

Boston Children’s Hospital Senior Vice President and CIO Daniel Nigrin, MD, will be one of the speakers at the Privacy and Security Forum to be held in Boston, MA. The discussion will include sharing “best practices, lessons learned, insights and information regarding the much debated practice of BYOD,” or bring your own device (HIMSS, 2014). The hospital had to defend against hackers who made several attempts to potentially expose the organization’s internal network. The cyber-attack was linked to the renowned hacker group Anonymous (Boston Globe, 2014).

Boston Children’s Hospital is a 395-bed comprehensive center for pediatric health care. The services offered are for children from birth through 21 years of age. The hospital is home to the world’s largest research community. Their current initiatives have attracted $225 million in annual funding. Boston Children’s Hospital is a certified Magnet hospital for nursing excellence; according to the American Nurses Credentialing Center (ANCC), the Magnet Recognition Program signifies “quality patient care, nursing excellence and innovations in professional nursing practice” (2014).

US News surveyed 183 pediatric centers to obtain clinical data in 10 specialties, and Boston Children’s Hospital was one of the top ten hospitals in the Honor Roll for high scores, ranking in the top ten in all ten categories, including eight first-place rankings. Boston Children’s Hospital ranked number one in the 2014-2015 year, establishing excellence in treating children suffering from all types of illnesses. RTI International, a North Carolina-based research and consulting firm, directed the surveys and analyzed the results.

Dr. Nigrin is part of an organization that shows integrity and accountability with regard to its patients’ sensitive information and provides excellent and innovative patient care.

Privacy and Security Forum: Protecting Data Assets and Managing Risks

September 8-9, 2014

Westin Boston Waterfront

Boston, MA

For more information please visit: http://boston.healthprivacyforum.com/

References

American Nurses Credentialing Center. (2014). ANCC Magnet Recognition Program. Retrieved from http://www.nursecredentialing.org/magnet.aspx

Boston Globe. (2014). Hacker group Anonymous targets Children’s hospital. Retrieved from http://www.bostonglobe.com/business/2014/04/24/hacker-group-anonymous-targets-children-hospital-over-justina-pelletier-case/jSd3EE5VVHbSGTJdS5YrfM/story.html

HIMSS. (2014). CIO to discuss cyber-attack at Privacy and Security Forum. Retrieved from http://www.himss.org/News/NewsDetail.aspx?ItemNumber=32805

U.S. News & World Report. (2014). Children’s hospital rankings. Retrieved from http://health.usnews.com/health-news/best-childrens-hospitals/articles/2014/06/10/best-childrens-hospitals-2014-15-honor-roll-and-overview

An Employee Mistake Leads to a HIPAA Data Breach

Just last month, a Pennsylvania-based hospital suffered a breach of patient data caused by unauthorized access and transmission of PHI by an employee. The 551-bed Penn State Milton S. Hershey hospital discovered through an internal investigation that a lab technician accessed and transmitted protected health data outside of the hospital’s secure network. The key point in this breach was that the employee was authorized to work with PHI but, in this case, did not access and transmit the PHI securely. He used his own USB device and sent patient data through his own personal email address to two physicians.

The important thing to note is what your organization can do to avoid a situation like this: train your workforce. Not only is workforce training required by HIPAA, it is also a prudent means of improving the efficiency and confidence of your workforce. Many organizations believe that their biggest threat lies outside their walls. While it is a smart business decision to implement security controls to prevent intrusions from external threats, your organization should also prioritize properly training your workforce. Below is a list of the most investigated issues as noted in the OCR Enforcement highlights.

 

From OCR Enforcement highlights:

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Security Rule Enforcement Results as of the Date of This Summary

With regard to the subset of complaints specifically pertaining to the Security Rule, since the OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, HHS closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews.

 

Penn Breach Table

Here is the direct link to the Breaches Affecting 500 or More Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html