
Recent HIPAA Settlement Warns: Safeguard Your ePHI

In what seems to be customary these days, The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced another HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).

MAPFRE Life Insurance Company of Puerto Rico has agreed to settle potential noncompliance with the Privacy and Security Rules by paying $2.2 million and implementing a corrective action plan.

The violation dates back to September 29, 2011, when MAPFRE filed a breach report with OCR citing that a USB data storage device containing ePHI was stolen from its IT department. Per the report, the USB device contained complete names, dates of birth and social security numbers for 2,209 individuals.

Following the breach, OCR’s investigation revealed that MAPFRE failed to take the necessary steps to comply with the HIPAA Rules, including conducting a risk analysis and implementing a risk management plan, until September 1, 2014. MAPFRE also failed to implement, or delayed implementing, other corrective measures it had informed OCR it would undertake.

The moral of the story? The days of flying under the radar are over. Prioritize your ePHI and take the necessary steps now (not in a week, month or year) to conduct a thorough security risk analysis and find out where your vulnerabilities lie. Do not put your organization in jeopardy and risk patient safety, costly fines and a damaged reputation.

To review the full Resolution Agreement and Corrective Action Plan, visit the OCR website: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE

Windows 10 and HIPAA Security Officer Compliance


CIOs, IT Directors and IT Managers are often deputized as their organization’s HIPAA Security Officer. In addition to being responsible for HIPAA security and compliance, they may face a push to upgrade to Windows 10. After all, everyone in the organization is already using it at home. But during testing and deployment planning, Cortana and the mobile-OS-like features that send data to third parties beg the question, “Does Windows 10 violate HIPAA Privacy?”

The short answer is that the default configuration of Windows 10 may violate HIPAA. The Windows 10 Privacy Statement, part of the Microsoft License Terms of July 2015, provides very flexible language on how Personal Data is collected, used and shared. Specifically, this provision states:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”

As with any convenience feature, there is always an impact on security. Unfortunately, security and functionality are often inversely related.

Windows 10 Privacy Settings

The following Windows 10 features are new and cause concern for anyone responsible for maintaining HIPAA compliance in their organization:

  1. Cortana: Microsoft’s answer to Siri and Google Talk.  Cortana “learns” how each person speaks and writes by taking samples.  In addition, names, nicknames, recent calendar events and contacts are maintained.
  2. Data Sync: Default setting allows the operating system to sync settings and data into Microsoft’s servers. It is intended to sync passwords, website plugins, favorites, etc.; however it may lead to users’ credentials being vicariously breached by Microsoft.
  3. 3rd party Advertisers: The Advertising ID provides a unique identifier per user allowing collections of data to be shared with 3rd party advertisers.  This may help fund the “free” upgrade to Windows 10 from previous versions, and is provided to help provide more effective targeted ads when using 3rd party applications.  Turning this off will not block ads from appearing, but they may not be as targeted, as your users will remain more anonymous with this feature turned off.
  4. Bitlocker: Windows 10 will automatically backup your encryption key to OneDrive, unless you are using Active Directory Group Policy to manage this element.  Also, if you are using Bitlocker or planning to use Bitlocker, ensure you use the TPM+PIN option or turn off hibernation/sleep support to avoid having to report a breach if a Bitlocker-encrypted laptop is lost or stolen.
  5. Telemetry: Those familiar with the Windows pop-up that sends diagnostic information to Microsoft after a program crashes, for product improvement, will want to know about Telemetry. Telemetry is an enhanced diagnostics and tracking service which sends additional information to Microsoft for new features such as per-application updates, Windows 10 upgrade offers, etc. Our friends at Winaero have published a well-documented how-to on disabling Telemetry.

Although it is still too early to tell whether specific HIPAA Privacy provisions are violated by Windows 10, HIPAA Privacy at a high level guarantees individuals certain minimum protections, and those protections may be violated. Therefore, depending on whether ePHI is released as these Windows 10 features are used, we believe that violation of the following provisions may lead to HIPAA non-compliance:

  • Access to the health record – see patient rights §164.522, §164.524 §164.526
  • Minimum necessary uses of PHI – see use and disclosure §164.514
  • Content and right to an Accounting of Disclosures – see privacy management process §164.528
  • Business Associate Contracts – see privacy management process §164.504, §164.502, §164.524, §164.526, §164.528.

It is unclear whether Microsoft will be sending ePHI from PCs anytime soon, which could result in “collateral damage” for those Covered Entities using Windows 10. And although the answer to the question of HIPAA Privacy violations remains tenuous, following some basic steps may significantly reduce your organization’s risk of violating HIPAA.


To maintain your organization’s level of due diligence under HIPAA and the HITECH Act, there are items to configure in Windows 10 to help avoid long-term repercussions from the upgrade. To help you test, configure and restrict the information Windows 10 sends outside your organization’s networks, you may request the set of instructions below.

In conclusion, Windows 10 does send information back to Microsoft, and does so on a per-feature, per-benefit basis. Microsoft has provided a way to turn off these data-collecting features; however, traditional system-level information will still be sent (as it always has been) to Microsoft. We strongly recommend turning these data-collecting features off. It is better to be safe than sorry!
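As an added example (not from this post or the HIPAA One whitepaper), the following PowerShell audit script checks a Windows 10 machine for the five settings discussed above: Cortana, settings sync, the Advertising ID, the Telemetry level, and BitLocker TPM+PIN with hibernation. The registry policy paths and value names are the author’s assumptions based on the public Windows Administrative Templates; verify them against your own ADMX set before relying on the report.

```powershell
# Added example: audit Windows 10 privacy-related settings on the local machine
# and report which ones are not yet locked down. Run from an elevated prompt.
# Policy paths/value names are assumptions drawn from the Windows ADMX templates.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent means the policy is not configured
}

# Each entry: the feature from the post, the policy value that disables it,
# and the value we expect to find when Group Policy has been applied.
$checks = @(
    @{ Item = 'Cortana disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name = 'AllowCortana'; Expected = 0 },
    @{ Item = 'Settings sync to Microsoft servers disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
       Name = 'DisableSettingSync'; Expected = 2 },
    @{ Item = 'Advertising ID disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
       Name = 'DisabledByGroupPolicy'; Expected = 1 },
    @{ Item = 'Telemetry level = 0 (Security; Enterprise/Education only)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name = 'AllowTelemetry'; Expected = 0 }
)

$report = @(foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Item      = $c.Item
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { 'not configured' } else { $actual }
        Compliant = ($actual -eq $c.Expected)
    }
})

# BitLocker: the OS volume should be protected with TPM+PIN, not TPM alone,
# as the post recommends, so a lost or stolen laptop is not a reportable breach.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$protectors = @()
if ($os) { $protectors = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }) }
$report += [pscustomobject]@{
    Item      = 'BitLocker OS drive protected with TPM+PIN'
    Expected  = 'TpmPin'
    Actual    = if ($os) { $protectors -join ',' } else { 'BitLocker not enabled' }
    Compliant = [bool]($os -and $os.ProtectionStatus -eq 'On' -and ($protectors -contains 'TpmPin'))
}

# The post's alternative to TPM+PIN is turning off hibernation/sleep support.
$hiber = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -Name 'HibernateEnabled'
$report += [pscustomobject]@{
    Item      = 'Hibernation disabled'
    Expected  = 0
    Actual    = if ($null -eq $hiber) { 'not set' } else { $hiber }
    Compliant = ($hiber -eq 0)
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero for fleet scripts
```

Enforce the expected values through Active Directory Group Policy (Computer Configuration > Administrative Templates) rather than by editing the registry on each machine, so the settings survive user changes and re-imaging.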

To request your copy of the full whitepaper, which includes specific instructions on which Active Directory Group Policies to edit, along with sources of Microsoft Administrative Templates for Windows Server 2012 and the Windows 7 & 8 KB patches to avoid, please request it by contacting us now, and we will be happy to send you a full copy.


For a copy of the pcapng file replay of our tested Windows 10 Enterprise configuration, used in the updated version of this whitepaper, see win10Run1.


Individual Patient Rights vs HIPAA Security


At HIPAA One, we hope potential clients will contact us with questions about HIPAA Compliance and risk management. Because we post our phone number online, we sometimes get random questions from Individuals regarding their rights, employer questions, NPI management and complaints.

We recently had a call from a man complaining that he has repeatedly asked his Physician to take more detailed notes about his encounters. He has a medical condition that will be shared with other specialists.

His question was as follows:

“I have a great relationship with my Physician but his note-taking is very generic in nature.  I have asked him over the past year repeatedly to provide more details about my condition, observations and he says he will.  When they provide me with a copy of my encounter notes, they are still generic and [the clinic] has not entered in the details I requested.  This is concerning because other Physicians will need to know more details than generic diagnosis as I plan to see other specialists to help with my condition…”  “… Don’t I have rights to have my information edited the way I feel is necessary?”

After we responded to this concerned Individual that we are not legal counsel, but that we do provide HIPAA risk management professional services and compliance software, he insisted we should know about his rights.

So at that point, I explained that there are provisions under 45 CFR Section 164.524 and 45 CFR Section 164.526 that the Clinic must honor: allowing the request for amendment, documenting it, and either amending his record or providing a rejection with an explanation of why.

It sounds pretty elementary, right?

Then came the kicker, as stated by this individual, “What if they don’t comply or take me seriously?”

My answer, “You can let them know if they won’t edit your record or provide you with a reason why they will not, you can report them to Health and Human Services by filing a complaint.  If you meet the requirements, the Office of Civil Rights is required to investigate the complaint and audit your Physician’s clinic…”

He was very excited at the idea and responded, “I don’t want to get him in trouble. I just want them to edit my record but no matter how many times I ask, they say they will but never do. Thanks for your help I knew you would know what my rights would be. Thank you.”

How do you handle the situation when a Physician will only put basic chart notes regarding the patient encounter, yet the patient is concerned for their health and feels powerless to have their record amended with the level of detail that would make them comfortable about their safety? It is not as if they can log in to their chart and make edits; they can only request the change and have the clinic/office make it.

There are several HIPAA citations I could reference here (e.g. 170.314(d)(4)), part of the requirements for Critical Access Hospitals and Hospitals to prove they can amend patient records under Meaningful Use Stage 2. And of course, legally speaking, per the above the Physician does have a responsibility to honor the patient’s request under their HIPAA Privacy rights.

Any organization that goes through a proper HIPAA Security and Privacy Risk Analysis will cover, among other things, the organization’s ability to make these amendments. If it cannot, the HIPAA Security Risk Analysis process will require the organization to “figure it out” using its EHR software (or to write the procedures if still using paper charts).

He did offer to have us call his Physician and require the clinic to go through the HIPAA Security Risk Analysis process under 45 CFR Section 164.308(a)(1)(ii)(A), which is required of all Covered Entities. But that is, in my mind, extortion to some degree, so I asked him to simply focus on his health condition and wished him improved health through his illness.

How would you respond to this concerned Individual?  Feel free to leave comments below or contact us if you would like to learn more about preparing for this, and all other scenarios under the HIPAA rule.

2014’s ePHI Data Breaches & How CEs Can Prepare for the Next One

Each quarter Alan Davis at Proteus Consulting, LLC, distributes the Northwest’s security bulletin, HIPAA Safe. While it typically focuses on the HIPAA Security Rule in particular, the spring issue of HIPAA Safe focuses on preparing for a data breach.

Before diving into Davis’ recommendations for pre-breach activities and processes, let’s examine the breaches that occurred during 2014.

ePHI Data Breaches: 2014

Over the 12 months of 2014, approximately 9 million patients were affected by ePHI data breaches. That’s over 1,000 patients per hour! Below you’ll find the table outlining 2014’s 164 ePHI data breaches, included in this quarter’s HIPAA Safe.

2014 ePHI Breaches

While theft accounted for the largest number of breaches at 67, hacking or IT incidents caused the highest number of patient records lost: even though there were just 23 such incidents over the year, nearly 5 million patient records were compromised.

Key Takeaway for Covered Entities: CEs need to ensure that their networks are secure and free from vulnerabilities.

Devices You May Miss

Most often when we think of patient data, we envision a record located somewhere inside a typical desktop computer. However, patient data doesn’t only exist there. Davis points out that medical devices are one of the most often-overlooked facets of a CE’s typical risk assessment process. Almost all medical devices either store or transmit patient information, and some even connect with billing systems. This means that omitting any medical device from a security risk analysis will almost surely result in unaddressed vulnerabilities.


Image Courtesy of Philip Dean

Key Takeaway for Covered Entities: Identify and note each system that stores or transmits ePHI, place appropriate controls on those that meet standards and replace those that cannot be fully protected.

Security Incident & Breach Planning

Knowing what to do immediately after you suspect a breach occurrence is essential, regardless of the amount of safeguards you may have in place. The best approach for incident management is to craft a detailed and comprehensive process. Davis suggests that the goal shouldn’t be to have a specific plan for every single breach possibility, but to have a broad approach and sequential steps that can be applied in every situation. Having a Security Incident Plan in place will allow CEs to respond to and even avoid potentially dangerous threats to ePHI.


Image Courtesy of NEC Corporation of America

Key Takeaway for Covered Entities: Formulate a comprehensive Security Incident Plan that is maintained and reviewed by the CE’s HIPAA Security Officer.

Breach Notifications

The Breach Notification Rule (§164.402) is a facet of HIPAA regulations that most CEs want to avoid thinking about. But as we said before, knowing what to do after a breach is essential! That includes reporting a breach to the proper entities. It’s important to note that both Covered Entities and their Business Associates must have procedures in place to exhibit compliance to this rule.

To aid in the reporting of breaches, the Office for Civil Rights (OCR) updated its online portal where CEs must report all breaches (45 CFR §164.408). The new portal is “significantly different” from the previous one and offers many more functions and more specific recommendations.


Image Courtesy of Pixabay

Key Takeaway for Covered Entities: CEs and BAs must have policies and procedures in place that comply with The Breach Notification Rule, and must also report any and all breaches to the OCR.

Here at HIPAA One, we look forward to Alan Davis’ HIPAA Safe bulletin every quarter. Each one is full of actionable items for Covered Entities and Business Associates alike. To read the entire issue as well as archived issues, be sure to head over to Proteus Consulting.

How Long Can You Fly Under the Radar? HIPAA Security is Mandatory.

Risks of Ignoring HIPAA

Think you can disregard or only be partially compliant with HIPAA?

Think again.

The HIPAA Privacy and Security Rules are federal and national standards to protect patients’ privacy of their sensitive medical records. The Office for Civil Rights strictly enforces these rules to protect all patients from discrimination and to keep their sensitive health information private. Any covered entity or business associate found not upholding these rules will be severely punished.

How Compliance Is Enforced

OCR enforces HIPAA’s Privacy and Security Rules in three ways:

  • Investigating complaints that are filed with them.
  • Performing compliance reviews to decide if organizations are HIPAA compliant.
  • Conducting training and outreach to promote compliance with these rules’ requirements.

As of January of this year, OCR had received more than 109,000 HIPAA complaints and opened more than 1,100 compliance reviews since April 2003.

A secret doesn’t stay secret for long. So if you think you can fly under OCR’s radar, change your thinking. Your non-compliance secret will eventually come out, and you will receive the unwanted ramifications of being non-compliant — and your punishment will be harsher if you have willfully neglected HIPAA compliance.

Consequences of Non-Compliance


The ramifications you could face include civil and criminal penalties. The minimum monetary fine is $100 per violation with an annual maximum of $25,000 for repeat violations, while the maximum monetary fine is $50,000 per violation with an annual maximum of $1.5 million. Criminal penalties involve paying a monetary fine and being imprisoned for between 1 and 10 years. Other ramifications include losing the respect of your industry peers, losing the trust and business of your paying clients and experiencing security breaches, which are a headache you don’t want to deal with.

How To Stay HIPAA Compliant

You may think it’s a time-consuming pain to become HIPAA compliant, but it’s more so when you aren’t compliant. So what can you do to become and remain HIPAA compliant?

  • Hire HIPAA Privacy and Security Officers.
  • Perform a formal HIPAA Security Risk Analysis on a regular basis to ensure requirements are being met internally.
  • Implement security breach policies and plans to handle breaches.
  • Limit who has access to PHI amongst your employees.
  • Take the necessary precautions with paper files, computers and mobile devices that store and send data so they aren’t accessed by the wrong eyes.
  • Educate your staff on the HIPAA Security and Privacy regulations.

While flying under OCR’s radar is an option, it’s not a smart option. Don’t risk your business and personal reputation by being non-compliant. Being HIPAA compliant is mandatory, and following the above steps is how you can easily become and remain compliant.

HIPAA Compliance for Developers

Health and Fitness Mobile Apps

Are you a mobile app developer who’s developing a healthcare-focused mobile app? If you answered yes, then you need to know what HIPAA is and why you need to be HIPAA compliant.

While not every health-related app needs to comply with HIPAA rules, those involved with gathering, storing or distributing personally identifiable health information with covered entities, i.e. doctors, dentists, hospitals and health plans, must remain compliant or face severe non-compliance penalties.

What Is HIPAA

HIPAA, developed in 1996, is the acronym for the Health Insurance Portability and Accountability Act. HIPAA’s job is setting the standard to protect sensitive patient data. HIPAA requires business associates and covered entities to safeguard the privacy and security of protected health information, commonly referred to as PHI. Another need-to-know term is ePHI. This stands for electronic protected health information and refers to data that’s saved, transmitted or collected in electronic form.

There are four rules of HIPAA: the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule. As a developer, the HIPAA Security Rule is the one you need to focus on.

The HIPAA Security Rule is made up of three parts, summarized:

  • Administrative Safeguards — Significant when implementing a compliant HIPAA app; they tell you what you’re required to do.
  • Technical Safeguards — Summarize what your app needs to do when handling PHI.
  • Physical Safeguards — Determine who has authorized access to your PHI data and how said data is going to be managed.

If you want your app to be HIPAA compliant, you must follow each of the above safeguards.

Determining If Your App Must Be HIPAA Compliant

When trying to figure out whether your healthcare app must comply with HIPAA, you must take into account the following considerations:

Data Security With Mobile Devices

There are several ways a security breach or violation can occur with a mobile device. Some common ways include mobile devices being lost or stolen, users not using passcodes or users using easily cracked passwords. As you develop your mobile app that’s intended to send and/or share patient data, you have to contemplate these possibilities and others so you can do all you can during the development process to prevent your app from being non-compliant. Not everything is in your hands, but you must control what is so your mobile app obeys HIPAA’s Privacy and Security rules.

How To Decide If Your App Needs To Comply With HIPAA

As mentioned above, not every health app on the market needs to be HIPAA compliant. As a matter of fact, most don’t. But let’s decide whether or not yours should be.

Your mobile app should be compliant if:

  • It records or shares PHI with a covered entity.
  • It has personal information about people directly identifying them and can be communicated with a covered entity.

Your mobile app doesn’t need to be compliant if:

  • It lets users access illness or medical reference information.
  • It permits users to keep track of their diet, weight or exercise habits.
  • It describes diseases and illnesses.

Mobile App Requirements To Be HIPAA Compliant

If you checked off the bullet points under being compliant, then clearly your mobile app needs to be HIPAA compliant. Here are some things your app must include to be HIPAA compliant, which protects you and your app from severe non-compliance consequences:

  • Encrypt data that’s going to be stored on your app.
  • Make users access PHI securely with unique user authentication.
  • Provide backup measures for data if a device is lost or stolen.
  • Apply consistent updates for the safety and protection of data.
  • Don’t include PHI with push notifications.
  • Don’t use a third party hosting or storing system unless they’re HIPAA compliant and sign a business associate agreement with you.

As a mobile app developer, it’s imperative that you understand HIPAA and its rules and take the necessary precautions to ensure your healthcare app is HIPAA compliant before it’s launched.

HIPAA Compliance Saves Money AND Time


Image Source: Tax Credit

When you’re in the healthcare industry, you have to comply with HIPAA privacy and security rules. And although the government’s rules concerning HIPAA compliance continue to change and the process of becoming HIPAA compliant appears complicated and tedious, it’s imperative that you adhere to each of the HIPAA compliance requirements.

Why is it so imperative that you take the steps necessary to be completely HIPAA compliant? For starters, compliance does two big things for you that everyone in the healthcare industry (and in every industry for that matter) wants — it saves you money and saves you time. What better reasons do you need?

Below you can find out just how HIPAA compliance saves you money and time, which in turn makes your job a little easier and helps take some of the stress out of your life.

How HIPAA Compliance Saves You Money

While you first have to invest money to become HIPAA compliant, the upfront investment costs are far less than the hundreds of thousands to millions of dollars you could pay in penalties for non-compliance, and that your patients would pay in out-of-pocket costs.


“…36 percent did pay an average of $18,660, as shown in Table 1b (above). These costs are: (1) identity protection, credit reporting and legal counsel; (2) medical services and medications because of lapse in healthcare coverage; (3) reimbursements to healthcare providers to pay for services to imposters. Based on our extrapolation, we estimate the total out-of-pocket costs incurred by medical identity theft victims in the United States at $12.3 billion.”

**Tables and reference from the Ponemon Institute 2013 Survey on Medical Identity Theft Report

When you conduct your own security risk analysis, which most types of HIPAA compliance software let you do, you’re able to find and manage any security risks in your system so you can anticipate future issues and create action plans to prevent those issues from happening before your system is compromised. Knowing of and preventing security risks saves you the major costs associated with security breaches, i.e. fines for not being HIPAA compliant and paying someone to fix the holes and issues within your network.

HIPAA compliance also saves you money when it comes time for your organization’s HIPAA audit. Government audits can be a scary process to go through because when you don’t meet their standards, high costs are involved on your part. But when you’re prepared for an audit, there’s nothing to fear. HIPAA compliance software lets you conduct your own mock-audit so you can discover how compliant your organization is, and it usually provides the needed documentation for an audit.

Using compliance software also saves you money on labor costs because it’s a single solution that does everything for you, and does so in a shorter amount of time than doing everything manually on your own or among a group of employees. With this cost-effective solution, you no longer have to pay employees overtime for the countless hours they would otherwise spend, because with this software fewer people and less time are needed to ensure you’re HIPAA compliant.

How HIPAA Compliance Saves You Time

As mentioned above, HIPAA compliance saves you money on security issues and HIPAA audits, but it also saves you time in those areas. Performing a security analysis with your compliance software allows you to find any holes in your network or other potential security problems within your system, so you can prevent security breaches from ever happening. The time spent on a security analysis is just a small fraction of the time, stress and money you’d spend dealing with the hassles of a security breach. An analysis also makes sure you’re ready for a HIPAA audit, so you don’t have to worry about failing the audit and having to go back and fix any problems found during it. Again, taking care of potential problems upfront is much better than trying to deal with problems after the fact.

HIPAA compliance software is easy to use and an all-encompassing tool. When you implement the right compliance software, it drastically shortens the process of becoming HIPAA compliant. The process goes from taking days or weeks to only a few hours or up to a day to complete. When you spend less time dealing with security issues and making sure your organization is HIPAA compliant, you can focus your time on your patients, employees and the other important areas within your organization that need your attention.

You might only see giant dollar signs and a mess of wordy rules that constantly change when you think about becoming HIPAA compliant. But what you should see and understand is that making the upfront investment of your money, resources and time to be HIPAA compliant is the better choice. HIPAA compliance saves you a great amount of money and time compared to the costs of recovering from HIPAA violations.

Adult & Pediatric Dermatology Fined $150,000 For Lost Thumb Drive

Recently a dermatology practice learned that something so small could be very costly.

Adult & Pediatric Dermatology, P.C., of Concord, Mass., lost a thumb drive, which doesn’t seem like a huge deal, except that this specific thumb drive was unencrypted and contained the electronic protected health information of about 2,200 individuals.

The US Department of Health and Human Services Office for Civil Rights received a report that the thumb drive was stolen from an APDerm employee’s vehicle and never recovered. After conducting its investigation, OCR and APDerm agreed to a $150,000 penalty. APDerm received this HIPAA penalty not only because it lost the thumb drive, but also because the dermatology practice had neither identified the device in a HIPAA risk analysis nor managed the risk so that its patients’ data was protected.

Besides paying the $150,000, APDerm was given a corrective action plan that requires it to develop a risk analysis and management plan that addresses and alleviates any security risks and vulnerabilities, and it must give OCR an implementation report once the plan is completed.

There are three ways this practice could have prevented this from happening:

  1. Don’t put your protected data onto a remote or portable device since those can be easily lost or stolen. Use a secure remote access tool if you need the information outside of your office.
  2. Encrypt all of your data to protect your patients and your practice. Use encryption for all devices, portable and stationary.
  3. Have a risk analysis done by a professional. It’s cheaper to hire a professional to do the analysis for you than to do it yourself and risk receiving a HIPAA penalty.

If you’re a healthcare provider, be sure to follow these steps. If not, you risk following in the footsteps of APDerm and costing your practice lots of money and time, as well as your reputation, from something as small as a thumb drive.


Atlanta Children’s Hospital Fires and Files Suit Against Executive

According to a recent report, an award-winning Atlanta children’s hospital recently fired and filed suit against one of its former top executives for allegedly stealing hospital data.

Children’s Healthcare of Atlanta filed a complaint in Atlanta federal court on Oct. 25 against Sharon McCray, who was its corporate audit adviser, claiming she stole a considerable amount of proprietary information.

The data McCray is alleged to have stolen includes patient health information of children, DEA numbers, financial information, state license numbers for more than 500 health care providers, and other private information belonging to Children’s.

McCray, who was an employee since 2000, announced her resignation to Children’s on Oct. 16, which was to be effective Dec. 20.

Only two days later, the hospital noticed McCray had been emailing its protected health information to her personal email account. Children’s claimed McCray started emailing herself this information the day she announced her resignation and continued through Oct. 21, when the hospital shut off her access to her corporate email account.

A meeting occurred between Children’s and McCray on Oct. 21 where she admitted to emailing information to her personal email account. The next day, McCray was fired.

Children’s Healthcare of Atlanta, which has been a renowned pediatric facility since 1998, requested McCray give back the information. But she has yet to do that, so Children’s is asking a federal judge to force McCray to do so.

Privacy breaches In VA Health Records Wound Veterans

With HIPAA being enforced more stringently recently, there have been a number of cases where health providers are facing HIPAA-related fines or lawsuits. The most recent involves none other than the U.S. Department of Veterans Affairs.

While some previous cases seemed unintentional or simple mistakes, according to a Pittsburgh Tribune-Review investigation there were widespread violations at the VA. The investigation stems from a former VA employee who claims the privacy of her medical records was abused.

The subsequent investigation found an astounding 14,215 violations that affected 101,018 veterans and 551 VA employees at 167 facilities since 2010. These violations included using patient information for fraudulent purposes, snooping through patient records, and even sharing records publicly on social media as well as privately without patient consent. This sharing of records was both intentional and unintentional, but nonetheless violates HIPAA provisions. There were also stolen computers and a lack of encryption that led to problems concerning patient record privacy.

The violations and problems within the VA appear to be systemic. The investigation made a number of recommendations to fix the root causes of these problems, but it remains to be seen how effective the VA’s efforts to do so will be.

Without a doubt protecting the privacy of medical records should be paramount for any medical provider, even more so for the Veterans who’ve helped this country. A thorough HIPAA risk analysis and HIPAA compliance software solution can go a long way in preventing these types of systemic issues within the VA and helping other medical providers be HIPAA compliant.