Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.

The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people).

Continue Reading The HIPAA “Wall of Shame” is Now Easier to Navigate

In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter. This month’s newsletter focuses on the topic of authentication. OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).

Continue Reading OCR Reminds Companies that Authentication is Key

Written by Stephen Bentfield

Yesterday the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft. OIG had two objectives for commencing this study. First, OIG sought to determine whether CMS’s response to breaches of Medicare beneficiaries’ protected health information (PHI) met the notification requirements in the HITECH Act. Second, because such breaches could result in medical identity theft, OIG wanted to gauge whether CMS’s response to medical identity theft protected both beneficiaries and the Medicare Trust Fund from potential harm.

Continue Reading HHS OIG Identifies Shortcomings in CMS’s Response to Data Breaches and Medical Identity Theft

The use of employee-owned devices in the business setting – often referred to as “bring-your-own-device” or “BYOD” – presents data security challenges for all businesses. In addition to worrying about loss or theft of intellectual property and trade secrets, companies doing business in the health care sector must also ensure compliance with security standards under HIPAA as well as the HITECH Act. As demonstrated by two settlement agreements related to data breaches in the health care context, the risks presented by employee use of personal devices for business purposes are real. If you are interested in learning more about this issue, I encourage you to read an article in HealthData Management written by Stephen Bentfield and Dianne Bourque. It examines the risks associated with BYOD programs in the health care setting and provides tips on development and implementation of compliant policies and procedures.