Jessica Davis
The U.S. Department of Health and Human Services’ Office for Civil Rights fined Children’s Medical Center of Dallas $3.2 million for HIPAA noncompliance and impermissible disclosure of unsecured ePHI stemming from two data breaches caused by a lack of encryption, HHS announced today.
Children’s is part of Children’s Health, the seventh largest pediatric healthcare provider in the U.S.
The first breach involved the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of about 3,800 patients. Children’s reported the breach to OCR on January 18, 2010.
The second incident involved the theft of an unencrypted laptop from Children’s the first week of April 2013. The computer contained the ePHI of 2,462 patients. The hospital failed to report the theft to OCR until July 5, 2013.
Although Children’s physically protected part of the laptop storage area with badge access and a security camera, it also allowed access to staff members who weren’t authorized to access ePHI, officials said.
The subsequent OCR investigation further revealed HIPAA noncompliance that included a failure to implement risk management plans – despite external recommendations to do so. Further, the hospital failed to use encryption or an equivalent method on its laptops, workstations, mobile devices and removable storage until April 9, 2013.
Children’s also issued unencrypted BlackBerry devices to nurses and allowed staff to continue use of unencrypted laptops and mobile devices until 2013, although the hospital was warned about the risk of unencrypted ePHI on devices as far back as 2007, officials found.
OCR issued a Notice of Proposed Determination, which provided instruction on how Children’s could request a hearing, officials said. However, Children’s didn’t request it. As a result, Children’s paid the full penalty.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” OCR Acting Director Robinsue Frohboese said in a statement.
“Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” she added.