
States Taking Actions Against Health IT Companies Over Data Breaches
Twelve state attorneys general have brought suit against two medical information technology companies. The suits allege that Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard LLC, had poor security practices that led to medical data breaches, impacting close to four million patients. This case is the first coordinated multi-state attorney general HIPAA-related action, according to JD Supra. The AGs are accusing the companies of not taking adequate step

OCR Fines Colorado Provider $111,000 for HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights fined Pagosa Springs Medical Center $111,400 for failing to terminate a former employee’s access to electronic protected health information after the employment ended, according to HealthITSecurity. According to officials, the employee continued to have remote access to PSMC’s scheduling calendar, which contained the ePHI of 557 patients. The employee accessed the calendar on two separate occasions, two mo

Small Emergency Center Fined in HIPAA Violation
The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that Pagosa Springs Medical Center (“PSMC”), a Colorado hospital, agreed to pay $111,400 to settle allegations related to HIPAA violations stemming from the hospital’s failure to deactivate a former employee’s access to protected health information (“PHI”) and failing to have a business associate agreement (“BAA”) in place with Google. PSMC is a critical access hospital with 11 inpatien

The Importance of a Business Associate Agreement
The Health and Human Services’ Office for Civil Rights (“OCR”) recently entered into a Resolution Agreement with a Florida physicians’ group after investigating an alleged HIPAA breach at the hands of a third-party billing service, as reported by Lexology. Through its investigation, OCR discovered the physicians’ group did not have a business associate agreement with the company, thus violating HIPAA Rules. Although the group has been in existence since 2005, it failed to implement

California Podiatrist Hit with Ransomware, Corrupting 24,000 Patient Records
A ransomware attack on the Podiatric Offices of Bobby Yee corrupted and possibly altered the medical records of 24,000 patients, according to a recent notification. Typically, ransomware merely encrypts the data on the infected computers, workstations or servers, along with any systems connected to the impacted device. However, this attack altered and potentially corrupted medical files – including patient data. The affected data included patient names, Social Security number

OCR Seeks Feedback for Modifying HIPAA Rules to Promote Efficiency and Reduce Burdens on Covered Ent
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), recently issued a Request for Information (RFI) for public input on modification of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA) to further promote coordinated, value-based healthcare. This was reported last week by White & Williams LLC. Announcing that the OCR is “looking for candid feedback about how the existing HIPAA regulatio

Email Hack on Vermont Provider Breaches 32,000 Patient Records
Elizabethtown Community Hospital, part of the University of Vermont Health Network, notified about 32,000 patients that their personal health information was breached during an email hack, as reported by HealthITSecurity. On October 18, 2018, hospital officials discovered an unauthorized user had accessed an employee email account. The password to the account was immediately changed and officials hired a forensics team to investigate. The 60-day investigation determined the b