Healthcare compliance training and discussion blog

Archive for the ‘HIPAA compliance’ Category

TRIPLE-S Management Corporation Agrees to $3.5 Million HIPAA Settlement

On November 30, 2015 the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced the settlement of potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) by TRIPLE-S Management Corporation (“TRIPLE-S”). TRIPLE-S agreed to pay $3.5 million to resolve the allegations and to adopt a robust corrective action plan to correct its past deficiencies.

“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”

TRIPLE-S, an insurance holding company based in Puerto Rico, provides a wide range of insurance products and services to residents through its multiple subsidiaries. Between November 2010 and August 2015, TRIPLE-S reported seven breaches: five affecting 500 or more individuals and two affecting fewer than 500. TRIPLE-S fully cooperated in the investigations conducted by HHS-OCR.

OCR’s investigations indicated widespread non-compliance that resulted in breaches of unsecured protected health information (PHI), including:

  • Failure to implement appropriate administrative, physical, and technical safeguards to protect PHI;
  • Impermissible disclosure of PHI to an outside vendor with which it did not have an appropriate Business Associate Agreement (“BAA”);
  • Use or disclosure of more PHI than necessary to conduct its business;
  • Failure to conduct an accurate and thorough risk assessment that incorporates all IT equipment, applications, and data systems utilizing PHI; and
  • Failure to implement security measures sufficient to reduce the risk to its ePHI to a reasonable and appropriate level.

Facts behind the breaches:

  • Two former TRIPLE-S employees were able to access restricted areas of the company’s database containing PHI because their access rights were not terminated upon leaving employment.
  • Twice an outside vendor disclosed PHI on a pamphlet that was mailed to beneficiaries.  TRIPLE-S did not have a BAA with the vendor.
  • A former employee copied PHI onto a CD and subsequently downloaded the protected information onto a computer at his new employer.
  • Staff placed the incorrect member ID card in mailing envelopes, resulting in beneficiaries receiving the member ID card of another individual.
  • Health Plan Identification numbers were placed on labels used in a mailing to beneficiaries.
  • A preventative mailing was sent to beneficiaries that included PHI for another member on the back of the letter.
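The first item in the list above, access rights that survived the employees’ departure, is the one failure that a periodic reconciliation catches mechanically. The following is an added example, not part of the original article or of anything TRIPLE-S published: it joins a constructed HR termination feed against a constructed export of the accounts on a PHI system and reports enabled accounts whose owner has left (flagging any that were actually used after the termination date) and accounts that have no HR owner at all. Field names and dates are assumptions made for the illustration.

```python
"""
Added example: reconcile an HR termination feed against the accounts that
still hold access to a PHI system. All data below is constructed for
illustration; the field names are assumptions, not any real schema.
"""
from datetime import date, timedelta

# Constructed HR feed: employee id -> termination date (None = still employed).
HR_FEED = {
    "e1001": None,
    "e1002": date(2015, 3, 31),
    "e1003": date(2015, 6, 15),
    "e1004": None,
}

# Constructed export from the PHI application's account store.
# last_login is the most recent authenticated session, or None.
ACCOUNTS = [
    {"user": "e1001", "enabled": True, "last_login": date(2015, 8, 1)},
    {"user": "e1002", "enabled": True, "last_login": date(2015, 4, 20)},  # active after exit
    {"user": "e1003", "enabled": False, "last_login": date(2015, 6, 10)},  # correctly disabled
    {"user": "e1004", "enabled": True, "last_login": None},
    {"user": "svc_etl", "enabled": True, "last_login": date(2015, 8, 1)},  # no HR record
]

GRACE = timedelta(days=1)  # a login on the termination day itself is tolerated


def orphaned_accounts(accounts, hr_feed):
    """Return findings for enabled accounts that should not still exist.

    Two classes are reported:
      * 'terminated': HR says the person left but the account is enabled;
        'used_after_termination' marks actual post-exit access, which is
        a potential breach to investigate rather than just a hygiene issue.
      * 'no_owner': the account has no HR record at all. Service and shared
        accounts need an explicit owner or they can never be reviewed.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this check
        if acct["user"] not in hr_feed:
            findings.append({"user": acct["user"], "reason": "no_owner"})
            continue
        term = hr_feed[acct["user"]]
        if term is None:
            continue  # current employee, nothing to report
        used_after = acct["last_login"] is not None and acct["last_login"] > term + GRACE
        findings.append({
            "user": acct["user"],
            "reason": "terminated",
            "used_after_termination": used_after,
        })
    return findings


if __name__ == "__main__":
    for finding in orphaned_accounts(ACCOUNTS, HR_FEED):
        print(finding)
```

Run on a schedule, the check is only as good as the HR feed it consumes; a contractor or vendor user who never appears in HR shows up here as "no_owner", which is the correct outcome, since an account nobody owns cannot be deprovisioned on time.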

The settlement requires TRIPLE-S to establish a comprehensive compliance program that includes:

  • A risk analysis and risk management plan;
  • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
  • Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
  • A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all employees and business associates providing services on TRIPLE-S premises.

Terms of the settlement require the company to be monitored by OCR for a three-year period and, following that term, TRIPLE-S will be obligated to provide OCR all documents and records related to compliance with the settlement for six years. This settlement illustrates OCR’s heightened scrutiny of Business Associate Agreements and third-party vendor relationships. A company’s PHI safeguards are only as strong as the safeguards of the vendors with whom the company does business. Covered entities must exercise due diligence in the selection of third-party vendors, review the vendor’s cyber security and data breach plans, ensure that BAAs are in place and are being followed, review contractual obligations, and require audits of PHI safeguards. More enforcement actions of this nature are likely to follow.


Lahey Hospital Agrees to Settle Alleged HIPAA Breach

Recently, Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital located in Massachusetts, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $850,000 and adopting a robust corrective action plan.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) first received a HIPAA breach notification from Lahey in October 2011 upon Lahey’s discovery of a stolen laptop.  The laptop in question operated a portable CT scanner and produced images for viewing through Lahey’s radiology information system.  Its hard drive contained unencrypted electronic Protected Health Information (ePHI) of 599 individuals.  OCR investigated the breach and found that Lahey failed to: conduct a thorough risk analysis; safeguard the workstation associated with the CT scanner; and maintain certain required policies and procedures, among other deficiencies.

In addition to agreeing to pay $850,000, Lahey entered into a corrective action plan that will remain in place for 2 years.  The corrective action plan requires Lahey to take certain steps to improve HIPAA compliance.  Specifically, Lahey must conduct a risk analysis, develop and revise certain policies and procedures, train its workforce, alert OCR of instances of suspected noncompliance, and issue annual reports to OCR regarding HIPAA compliance.  Regarding Lahey’s settlement, OCR Director Jocelyn Samuels commented that “it is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment.  Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”


Safeguard your confidential data by implementing HIPAA Privacy Rule’s De-Identification Standard

HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 and reshaped health care administration. In earlier articles we covered the Security Rule and its three categories of safeguards: administrative, physical, and technical.

There we examined the administrative safeguards and their required and addressable implementation specifications. This article turns to the key points of the physical and technical safeguards of the Security Rule and aims to state the main concepts plainly.

Physical Safeguards

Physical safeguards under the Security Rule are the policies and procedures that control physical access to the systems and devices that hold health information, and to the facilities that house electronic records.

Care is therefore required when introducing or removing hardware and software that handles protected health information (PHI) on the network, and when disposing of equipment that is being retired, so that PHI held on such systems is not exposed.

  • Health data stored on equipment must be controlled and monitored carefully.
  • Access to hardware and software must be limited to properly trained and authenticated individuals.
  • Workstations should be situated away from high-traffic areas so that screens are not visible to the public.
  • Anyone engaging contractors and agents must ensure they are properly trained and understand their duties and responsibilities.

Technical Safeguards

Technical safeguards address the controls required when health information is transmitted electronically over open networks, to ensure it does not fall into the wrong hands.

  • The responsible entity must follow defined procedures to assure information integrity, using digital signatures, checksums, or message authentication codes.
  • Implement methods to confirm that the entity seeking access to electronic records is who it claims to be, such as token or card systems, passwords, call-back procedures, and biometric identifiers.
  • Draft and maintain documentation of all policies implemented and practices followed under the HIPAA rules, to be produced on request by compliance auditors.
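The integrity bullet above lists checksums and message authentication in the same breath, but they are not interchangeable: an unkeyed checksum catches accidental corruption, while anyone who can alter a record in transit can also recompute the checksum, so it offers no protection against deliberate tampering. A keyed message authentication code (HMAC) under a key shared by sender and receiver cannot be recomputed without the key, so any change to the payload or the tag fails verification. The following is an added example, not code from the original article; the record layout, the shared key, and the forgery are all constructed for illustration, and the key would in practice come from a secret store rather than source code.

```python
"""
Added example: the integrity control named in the Technical Safeguards
section, contrasting an unkeyed checksum with a keyed HMAC. All inputs are
constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed shared key. Real deployments fetch this from a KMS/secret store.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed ePHI-like record.
RECORD = {"member_id": "M-000123", "dob": "1970-01-01", "rx": "lisinopril 10mg"}


def canonical(record: dict) -> bytes:
    # Deterministic encoding: key order and separators must match on both sides,
    # otherwise an identical record produces a different digest.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum_protect(record: dict) -> dict:
    """Unkeyed checksum: what a bare 'checksum' buys you."""
    return {"record": record, "sha256": hashlib.sha256(canonical(record)).hexdigest()}


def checksum_verify(msg: dict) -> bool:
    digest = hashlib.sha256(canonical(msg["record"])).hexdigest()
    return hmac.compare_digest(digest, msg["sha256"])


def mac_protect(record: dict, key: bytes) -> dict:
    """Keyed message authentication code over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "hmac": tag}


def mac_verify(msg: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(msg["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["hmac"])  # constant-time compare


def tamper(msg: dict, field: str, value) -> dict:
    """An attacker without the key changes one field of the record in transit
    and, where the scheme is an unkeyed checksum, simply recomputes it."""
    forged = {k: v for k, v in msg.items() if k != "record"}
    forged["record"] = dict(msg["record"])
    forged["record"][field] = value
    if "sha256" in forged:
        forged["sha256"] = hashlib.sha256(canonical(forged["record"])).hexdigest()
    return forged


def demo() -> dict:
    """Run the same forgery against both schemes; return the verification results."""
    cs = checksum_protect(RECORD)
    mc = mac_protect(RECORD, SHARED_KEY)
    return {
        "checksum_accepts_forgery": checksum_verify(tamper(cs, "rx", "warfarin 5mg")),
        "mac_accepts_forgery": mac_verify(tamper(mc, "rx", "warfarin 5mg"), SHARED_KEY),
        "mac_accepts_genuine": mac_verify(mc, SHARED_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

A digital signature gives the same tamper evidence without a shared secret (the receiver holds only the public key), which is the better fit when many independent recipients must verify, or when the sender must not be able to repudiate the record later. In either case the receiver should verify before it parses or stores anything.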

Implementation Specifications

Healthcare compliance cannot be ignored; safeguarding Protected Health Information is essential.

A system that protects health information also requires that health care providers such as doctors, hospitals, and health plans be assigned a standard unique identifier, which HIPAA’s administrative simplification provisions mandate (for providers, the National Provider Identifier, NPI). At the time of writing, most were still using either a tax ID number or an employer identification number.

The Security and Privacy Rules lay down provisions to ensure that personal health records are secured, kept confidential, and not misused. A person who fails to follow the rules can be fined up to $250,000 and, for severe enough violations, face imprisonment. HIPAA was also designed to simplify the heavy process of health care administration.

About emPower

emPower is a leading provider of comprehensive Healthcare Compliance Solutions through its Learning Management System (LMS). Its mission is to provide innovative solutions that enable compliance with applicable laws and regulations and maximize business performance. emPower provides a range of courses to manage compliance required by regulatory bodies and rules such as OSHA, HIPAA, the Joint Commission and the Red Flag Rule. emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management System (LMS) lets students access all courses 24/7/365 through the portal. The emPower e-learning program is interactive and lets students progress at their own pace.

For additional information, please visit

$1.5M Fine Marks A New Era In HITECH Enforcement

Data breach at BlueCross BlueShield of Tennessee and subsequent penalty stands an example of the financial fallout from poor healthcare IT security practices

By Ericka Chickowski, Dark Reading
Contributing Writer

Enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just reached a new level of reality last week when the department announced a $1.5 million settlement with BlueCross BlueShield of Tennessee over a 2010 data breach, making the organization the first to pay out penalties since the Health Information Technology for Economic and Clinical Health Act (HITECH) went live in 2009. The question now is whether such tangible examples of financial fallout will convince healthcare IT to invest in better security measures. “It’s certainly a warning shot for the healthcare industry,” says John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. “But is that a sufficient amount to act as a deterrent? It’s hard to tell at this point. It’s at the upper end of what organizations can be penalized and when you break it down it equals about a buck a record lost. For companies that are dealing in millions of records, that penalty can add up. But that’s just at very large companies. And data breaches are becoming sufficiently routine that everyone sort of looks at it and goes, ‘Eh, it’s another one.’”

But Nav Ranajee, director of healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. Many of these organizations have been deprioritizing security because there just hasn’t been enough financial incentive to push it up the stack on the IT to-do list, he says. The HHS making the risk of pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA) security requirements changes that financial equation for these organizations, he says.

“What I’m seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically been to allocate funds to get that new EMR in house or that new clinical system, because that’s going to pay off in revenue,” he says. “But when it comes to making sure HIPAA requirements are up to date, that’s usually the last line item on the budget because it’s really a sunk cost. Now they’re going to have to look at the risk involved and wonder ‘Do I risk having a million dollar lawsuit if I don’t put the right security protocols in place?’”

The settlement BlueCross BlueShield of Tennessee paid to HHS was a penalty for failing to prevent a breach that saw the theft of 57 unencrypted hard drives containing recordings of customer service phone calls. The drives were left behind in a data closet after the company stopped using a leased facility.

“This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said Leon Rodriguez, director of HHS OCR. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

According to Nicholson, the breach is a good lesson to healthcare organizations on how compliance really could have helped the security of the organization and maybe even prevented a breach. “One of the things that HIPAA and HITECH require is that you go through an assessment of your policies and procedures whenever your operations significantly change. I don’t know for sure, but it seems like BlueCross BlueShield of Tennessee may not have done that evaluation. If they had done it, they might have said, ‘We’ve got these hard drives containing this unencrypted PHI and it’s in a locked closet but that’s not sufficient in this leased space,’” he says. “That’s probably a lesson to healthcare organizations. You really need to do those evaluations anytime a significant aspect of your operation changes that has implications on PHI.”

For his part, Ranajee says the BlueCross BlueShield of Tennessee incident stands as yet another testament of the importance of encryption for healthcare data protection.

“Really, it’s all about making sure that if you have data servers in your office or workplace, they need to be locked down, they need to have locks on them, and they need to be encrypted,” he says. “Those are two of the main things that are not commonplace but they should be.”


How to understand the new HIPAA requirements to make sure you’re in compliance

The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, contains the HITECH Act that amends the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

“When HIPAA was first enacted, the health care industry was paper driven,” says Jeff Porter, a director with Kegler, Brown, Hill & Ritter. “HITECH is addressing some long-standing issues with HIPAA, as well as some newer issues that have arisen as a result of the advent of electronic health records and the online transfer of health information.”

Among the significant changes are the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions. In addition, penalties can now be imposed on individuals as well as entities.

Smart Business asked Porter for more information about the changes to HIPAA.

Who is covered by HIPAA?

You or a legal representative can determine whether you are a covered entity. The websites of the U.S. Department of Health & Human Services and the Office for Civil Rights (OCR) provide good guidance in this regard. Covered entities typically include hospitals, nursing homes, medical offices that provide treatment and bill for those services, health insurance plans, and health care clearinghouses (e.g., companies that convert health records and other information into the coding necessary for billing and research). If you are a business associate of a covered entity (e.g., a medical billing firm or a home health care agency), and you are obtaining information for a purpose the covered entity might use it for, you fall under the HIPAA provisions which apply to business associates.

What changes have been made regarding penalties for noncompliance?

The penalties have changed in a couple of significant ways. First, in regard to enforcement, previously penalties could only be imposed on covered entities; now penalties can be imposed on individuals as well. If someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Second, in the past, enforcement and violations were addressed solely at the federal level by the Office for Civil Rights. Now, attorneys general are empowered to deal with enforcement and violations as well.

What is the impact on state privacy laws?

Although many believe that HIPAA is the sole controlling authority related to patient privacy, it does not however preempt state privacy laws and regulations. If provisions in the state privacy laws are more restrictive, then those provisions apply in addition to HIPAA. For example, Ohio has some of the stricter state privacy laws in regard to disclosure of protected health information. These laws have to be evaluated and reviewed to determine what additional actions might be needed in terms of notification and disclosures. The question for the future is whether states with these stricter privacy measures will impact exchange of health information with other states. In coming years, if we are going to have more free-flowing medical information, these issues will need to be addressed.

What is considered protected health information?

Protected health information is identifiable information related to treatment of a patient and that is maintained by a covered entity. In certain circumstances covered entities can release this information without authorization, for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.

What is a permissible disclosure?

Information can be disclosed if a patient authorizes it. Information must be disclosed by a protected entity if the HHS requests that information as part of an investigation. Permitted disclosures also include treatment information (to help treat a patient); information used to seek payment; or information used in the health care operations category if that information will improve the quality of care overall or part of the business overall.

Do patients have any new rights?

Patients will have a greater ability to try to find out who has accessed their protected health information. Past experience is that most patients never request such information. However, there will now be a greater ability for patients to request an accounting of disclosures. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.

How can covered entities best keep up with the changes and protect themselves?

1) Keep an eye on releases from HHS about changes. 2) Consult with your legal representative. 3) Make sure your designated privacy officer is properly trained and that he or she is training your employees. 4) Keep open lines of communication with business associates and make sure any contracts you have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.

This article was originally posted at


MGMA Calls for New Contingency Plan for HIPAA 5010 Transaction Standards

The Department of Health and Human Services should “immediately” issue an expanded contingency plan on the transition to the new Health Insurance Portability and Accountability Act (HIPAA) Version 5010 electronic transaction standards, since many practices and state Medicaid agencies are not ready for the transition, the Medical Group Management Association (MGMA) recommended Dec. 19.

According to the latest research from MGMA, many state Medicaid plans are unable to accept Version 5010 claims and “a significant number of practices” have not yet completed the software upgrades and health plan testing needed for the transition.

The new contingency measures should permit health plans to continue accepting HIPAA Version 4010 transactions and resolve Version 5010 claims that lack all the required data. Additionally, this contingency plan should last for a minimum of six months, MGMA said.

Currently, the compliance date for implementation of these standards is Jan. 1, 2012.

“We have been tracking the Version 5010 coordination between physician practices and their key trading partners throughout 2011 and it is clear that a significant number of these stakeholders are not ready to meet the January 1 compliance date,” Susan Turney, president and chief executive officer of MGMA, said in a statement. “Our main concern is that the failure to implement Version 5010 by the compliance date will impact payment to practices for the services they provide.”

“We oppose requiring the submission of a transition plan and timeline as a needless bureaucratic exercise that adds to the workload of the providers who have to produce them and the government employees who have to review them,” she said.

Implementation of Version 5010 is a prerequisite for using the updated International Classification of Diseases, 10th Revision (ICD-10) Clinical Modification diagnosis and ICD-10-PCS inpatient procedure code set in electronic health care transactions effective Oct. 1, 2013.

On Nov. 14, the Centers for Medicare & Medicaid Services announced that it would not initiate enforcement of the new HIPAA transaction standards until March 31, 2012.

Additional MGMA Findings

According to findings from a survey conducted by MGMA and the American College of Medical Practice Executives (ACMPE), 32 percent of study respondents reported that their organizations’ practice management system software has been upgraded to the HIPAA Version 5010 standards and that internal testing was complete.

Nearly 25 percent of those respondents indicated that either their software has not yet been upgraded or that testing is not even scheduled, the release said.

Additionally, less than 18 percent of respondents to the survey said they have completed testing with their Medicaid plans, and 79 percent of study respondents indicated that testing with all major commercial health plans remains incomplete.

Overall, the study found that less than 14 percent of respondents rate their 5010 implementation status as fully complete.

HIPAA Activity on the Rise

HIPAA Audit Program

The HIPAA audit program mandated by the HITECH Act is underway. HHS recently awarded KPMG $9.2 million to commence the program. To date, HHS review of covered entities has been complaint driven. Audit protocols will be developed for covered entities and business associates. The audits will begin late this year or early 2012, and consist of as many as 150 on-site audits of entities varying in type, size, and location. These audits can result in enforcement action if violations are discovered.

To get prepared for a HIPAA audit, providers should perform an updated risk assessment and review their policies and procedures. HHS issued an audit checklist that identifies personnel who may be interviewed and documents that may be requested during an audit.

Accounting of Disclosures and Access Report

The long-anticipated rules regarding accounting of disclosures were proposed this May. There are two major changes covered entities and business associates will need to address: 1) accounting for treatment, payment, and health care operations disclosures, and 2) providing an access report.

Accounting for Disclosures

While the proposed rules broaden the accounting requirement to treatment, payment, and health care operations, HHS proposes to limit the accounting to information maintained in a designated record set for three years prior to the date of the request. There are also proposed exemptions, including disclosures for which breach notice was provided; abuse or neglect reports; patient safety work product; and disclosures for research, health oversight activities, decedents, and others required by law. Keep in mind these exemptions may still be subject to the Access Report. Other proposed changes include decreasing response time to 30 days and specifically including business associates.

Access Report

This rule proposes that an individual may request a report describing who has accessed their PHI maintained in an electronic designated record set, including the date and time of access, the person or entity accessing the information, a description of the information, and what was done with the information.

Covered Entities must revise their Notice of Privacy Practices to notify individuals of their right to an accounting and an access report.

Monetary Penalties

For the first time this year, there were three major monetary penalties issued for HIPAA violations. These include a $4.3 million penalty involving failure to provide access, a $1 million penalty involving loss of PHI, and most recently an $865,500 penalty involving unauthorized employee access to electronic PHI. Another reason to update your HIPAA program!

Joy Kosiewicz is an attorney in the Health Care Group at Brouse McDowell in Akron.
