Tag Archives: Security

Hospice of North Idaho to Pay $50K to Settle HIPAA Violations

The U.S. Department of Health and Human Services (HHS) has announced that the Hospice of North Idaho (HONI) has agreed to pay $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The HHS press release detailed the breach:

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

This incident represents the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

MEEI Fined by HHS

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI) will pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The breach report submitted by MEEI described the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects.

Texas House Bill 300 in Effect

As of the beginning of September, new Texas health privacy regulation is in effect for any entity that:

  • Engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information;
  • Comes into possession of protected health information; and
  • Obtains or stores protected health information.

Under House Bill 300 (HB 300), a bill that exceeds HIPAA Privacy Rule requirements, Texas physicians, for example, must comply with privacy and patient access requirements. See the HIMSS website for more details.

Worst Data Breaches of 2012

It’s hard to believe we are already in August. It’s even harder to believe that there have been 189 breaches recorded from the beginning of 2012 through mid-June, according to the Identity Theft Resource Center. That’s 31 breaches per month, and we’re only in August!

Protecting Our Children; COPPA Compliance Changes

The Children’s Online Privacy Protection Act (COPPA) has the primary goal of placing parents in control over what information is collected from their young children online. COPPA is set to be updated and as reported by Law360, revisions will be released this fall.

EPA Security Breach

The U.S. Environmental Protection Agency has confirmed an IT security breach exposing 8,000 Social Security numbers, bank routing numbers and other personal data.

SharePoint Security: The Security, Compliance and Risk Case

With SharePoint serving as a centralized collaboration platform, it is the unknown security risks that can really hurt the organization.

Boston Children’s Hospital Health Data Breach

As reported by the Boston Globe, a Boston Children’s Hospital employee lost a laptop while attending a conference in Buenos Aires that contained a file with information about 2,159 patients, including names, birth dates, diagnoses and treatment information.

In line with HIPAA regulations, Boston Children’s has now notified patients and their families of the breach by e-mail. The hospital was also required to notify the media as the breach affects more than 500 people in one state.

In a recent article, EHR Intelligence made the following comment about the breach:

“Two things are immediately disturbing about the incident:

  1. Why is child patient data even on the laptop in the first place?
  2. What compelled the hospital staff member to bring a device potentially containing protected health information (PHI) out of the hospital, let alone the country?”

I think there are two more issues to add to that list:

  1. While the laptop was password protected, it was not encrypted.
  2. The file was not saved to the hard drive; it was sitting on the laptop as an e-mail attachment when the laptop was stolen.

To address the first point, any content that contains Protected Health Information (PHI) should be encrypted. To address the second, e-mail attachments containing sensitive information should also be encrypted to protect against misuse. To go one step further in preventing a breach like this, the PHI should not have been sent by e-mail at all; it should have been saved on an intranet with specific permission rules and prevention rules applied automatically.

It’s time we put health breaches like this behind us, not only because of the risks they create for patients, but also because of the implications for the hospital.

Content compliance solutions that can automatically monitor to prevent situations like this are essential for healthcare and other organizations that handle personal information.

Check out the webinar recording on the information security risks and penalties associated with HIPAA/HITECH and the measures health providers and insurers can take to protect PII and PHI.

IAPP Presentation: US Department of Veterans Affairs’ Battle to Protect Privacy

Last month, the Director of the VA Privacy Service, John Buck, and HiSoftware co-presented a session at the IAPP Global Privacy Summit entitled “US Department of Veterans Affairs’ Battle to Protect Privacy.” This blog post summarizes that presentation.

The US Department of Veterans Affairs (VA) provides benefits and services to more than 20 million veterans and over 350,000 agency employees worldwide through a range of Web pages and Web-enabled applications.

With a brief to provide universally accessible online services, while safeguarding protected health and other personally identifiable information, the VA has taken an aggressive approach to data privacy.

The VA is keen to promote best-in-class privacy practices and its evolving approach is a good model for how all government agencies can embrace new technologies, balancing the need to protect sensitive information against the benefits of collaboration, sharing information and the need for public services transparency.

With 663 privacy officers and a Privacy Service staff of nine, the VA takes its compliance responsibilities seriously. To support its staff in managing risk across 1,000 sites, some of which are public facing, it has taken steps to automate compliance and collaboration relating to content in its SharePoint 2010 system. The department faced compliance challenges arising from its huge and diverse contributor base and the massive expansion of its content.

Following a successful pilot of HiSoftware Compliance Sheriff, the VA signed a three-year contract for the HiSoftware solution to meet a requirement for a practical privacy program that achieves compliance and regulatory conformance while supporting the evolving business needs of the agency. The VA’s aim is to deliver a privacy program that makes it easier for users to ‘do the right thing’.

There are three key components to this project:

  1. Set up a SharePoint 2010 ‘Model Farm’ to demonstrate a best practices approach for privacy and Section 508 accessibility compliance across government. This will model business requirements, underpinned by a comprehensive review of who uses SharePoint within the organization and how they use it. Perhaps they use it to send e-mails, collaborate on documents or share calendars, or they may use all three applications and more. The ‘Model Farm’ will also model compliance requirements by exploring all the privacy regulations and how they may best be addressed. Finally, it will model the technical requirements that determine how Compliance Sheriff, SharePoint 2010 and other Microsoft technologies can work together to automate compliance enforcement. The hope is that this will provide a best practice resource for securing SharePoint content across government.
  2. Add two new SharePoint 2010 sites.
  3. Expand existing MOSS sites for continuous improvement, automated notification and continued scanning of existing sites.

HiSoftware Compliance Sheriff delivers a balance between data management and protection with a platform that:

  • Honors data privacy and security policies, laws and regulations
  • Enables enforcement
  • Minimizes risk of data loss or misuse
  • Minimizes potential impact of data loss or theft
  • Generates proof of effectiveness and execution of data protection policies and measures compliance

View the IAPP presentation: US Department of Veterans Affairs’ Battle to Protect Privacy

Read more about the VA’s battle to protect privacy.

Securing your SharePoint Content & Infrastructure

A few weeks ago, we participated in a webinar with Axceler on securing content and infrastructure within SharePoint. I thought I’d point out some of the pertinent points raised during the presentation.