The Office of Civil Rights (OCR) in the Department of Health and Human Services is expanding its fight against HIPAA security and privacy violations, as mandated by the HITECH Act. The OCR, a relatively small office with limited manpower, is now inviting the attorneys general of all 50 states to receive training in HIPAA enforcement.
According to Government Health IT, the training course will help the attorneys general and their staffs understand HIPAA rules and the penalties for violating them, and also will teach them how to investigate possible violations. The HITECH Act gives the attorneys general the authority to bring civil actions in this area.
The two-day training courses will begin in April in Dallas and will continue in Atlanta, San Francisco, and Washington, D.C. OCR also will provide online training to supplement its in-person sessions.
In addition, OCR will supply information to state attorneys general about pending or concluded OCR actions against healthcare providers, health plans and business associates. So far this year, OCR has levied fines of $1 million against Massachusetts General Hospital and $4.3 million against Cignet Health for HIPAA violations or potential violations.
Besides the frequent losses and thefts of HIPAA-protected personal health information, which continue to be a major problem, John Moore of Chilmark Research has focused attention on a new challenge: Applications designed for Android mobile devices, he says, are insufficiently vetted for security gaps. Google Health recently had to remove 50 malware apps in the Android mode, he says.
Moore says that iPads, which are catching on rapidly among doctors, are less vulnerable because Apple scrutinizes outside applications more thoroughly for security flaws.