HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Data breach at White Plains Hospital involving emergency room patients

A security breach has been disclosed at a hospital in Westchester County.

Personal information about hundreds of emergency room patients over a two-year period was leaked to someone or some entity that should not have had it.

So what if you're one of those patients? And who gave away the information?

White Plains Hospital is the latest target of a data breach.

An employee working for a billing company called Medical Management LLC (MML) allegedly copied personal information, including names, dates of birth, and Social Security numbers, and then gave it to a third party.

MML handles the billing and coding for White Plains Hospital's emergency room.

"It should be held securely. It's information you should not give to certain people. I don't like giving my information out at all to anybody," said Jeffry Jones, a former patient.

The employee was fired and other hospitals in the state are affected.

Now patients at White Plains Hospital are waiting to find out if their personal information was compromised.

"We're going to have to catch the company that's doing it. Wipe them out. The hospital is great. They're making them look bad. It's not right for them to mess up our lives," said Diana Bennett, a patient.

The breach was from February 2013 to March 2015.

Now the hospital is offering identity theft protection services for anyone who may have been impacted.

Credit protection expert Adam Levine has this advice for the 1,100 people affected.

"...." Levine said.

Anyone who may have fallen victim will be notified by mail.

Those affected by the breach are also being offered identity theft protection services at no cost.

There was no indication that any medical history or treatment information was disclosed.

Victims are being advised to place a fraud alert or a security freeze on their accounts through a national credit bureau and to review all bills and account statements.


Ebola Outbreak Prompts HHS Bulletin on Application of HIPAA During Emergencies

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress and signed by President Bill Clinton in 1996. According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule establishes nationwide standards “to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.” HIPAA also provides to patients the right to examine and obtain a copy of health records and to request corrections.

The HIPAA Privacy Rule places restrictions on the use and disclosure of patients’ protected health information, but also ensures that appropriate uses and disclosures of the information may occur for critical purposes, including when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

Prompted in part by the recent Ebola outbreak, the HHS's Office for Civil Rights (OCR) issued a November 10, 2014 bulletin to ensure that HIPAA-covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation. “BULLETIN: HIPAA Privacy in Emergency Situations” was also issued to “serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”

The bulletin, which can be accessed on the HHS's Health Information Privacy page, addresses obligations imposed by the rule when “Sharing Patient Information” and in “Safeguarding Patient Information.” It also describes basic restrictions on sharing protected health information during treatment, for public health activities, for notification of family and friends, and for notification of the media and business associates.

While the HHS bulletin specifically states that the HIPAA Privacy Rule is not suspended during a public health or other emergency, it goes on to say that the Secretary of HHS may waive certain provisions of the Privacy Rule under certain circumstances. Those circumstances include a declaration by the President of the United States of an emergency or disaster, or a declaration by the Secretary of a public health emergency. In those instances, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with the Privacy Rule's requirement to obtain a patient's agreement before speaking to family members about the patient's care. That waiver applies only to hospitals that have instituted a disaster protocol, and only for 72 hours after that protocol begins.

The bulletin states that a hospital may release limited “facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.”

The Privacy Rule applies to disclosures made by employees, volunteers, and other members of a “covered entity” or its “business associates.”

Covered entities comprise “health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.”

Business associates are defined in the bulletin as “persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate.”

The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. Therefore, HIPAA does not prevent managers, supervisors, or HR professionals from asking for a doctor’s note if the note is needed to implement or administer sick leave, workers’ compensation benefits, or health insurance. However, a health care provider may not give such information directly to an employer without an authorization from the employee.
