Privacy & Security
By Jeff Lagasse | 05:47 pm | April 20, 2016
Raleigh Orthopaedic Clinic of North Carolina will pay $750,000 to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 Privacy Rule. The group allegedly handed over protected health information for approximately 17,300 patients to a potential business partner without first executing a business associate agreement. HIPAA-covered entities cannot disclose protected health information without authorization, and the lack of a business associate agreement left this information without safeguards, rendering it potentially vulnerable to misuse or improper disclosure.

Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopedic surgery center in the Raleigh, North Carolina, area. The Office of Civil Rights, a division of the U.S. Department of Health and Human Services, launched its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013.

The investigation found that Raleigh Orthopaedic released X-ray films and related protected health information of 17,300 patients to a group that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. Raleigh Orthopaedic allegedly failed to execute a business associate agreement with this company prior to turning over the X-rays and health information.

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to establish a process for assessing whether entities are business associates. It is also required to designate a "responsible individual" to ensure business associate agreements are in place prior to disclosing public health information to a business associate; create a standard template business associate agreement; and establish a standard process for maintaining documentation of business associate agreements for at least six years beyond the date of termination of such a relationship. The group also must limit disclosures of personal health information to any business associate to the minimum necessary to accomplish the purpose for which it was hired.

"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," OCR Director Jocelyn Samuels said in a statement. "It is critical for entities to know to whom they are handing personal health information and to obtain assurances that the information will be protected."

Twitter: @JELagasse
By Bill Siwicki | 09:26 am | April 20, 2016
More than 100 million records reportedly were compromised in 2015 in healthcare, which now is the top industry for cyberattacks, according to new IBM research.
By Bill Siwicki | 08:14 am | April 20, 2016
CISOs and security analysts from top-tier firms offer highly effective advice and tactics for rooting out and getting rid of malicious code.
By Healthcare IT News | 01:12 pm | April 19, 2016
Recent cyberattacks on healthcare have been highly disruptive and publicly embarrassing for the industry. Take part in the 2016 HIMSS Cybersecurity Survey to help identify how organizations are mitigating the risk of being the next victim.
By Bill Siwicki | 08:36 am | April 19, 2016
A top security expert says healthcare entities need to apply a more scientific and evidence-based approach to the practice of security. Here’s what Seattle Children’s is doing to harden its threat environment.
By Bill Siwicki | 08:59 am | April 18, 2016
The imminent set of best practices will help healthcare organizations become more penetration-resistant, more effective at limiting damage attackers can inflict and ultimately better able to withstand cyberattacks. 
By Bill Siwicki | 06:47 pm | April 15, 2016
Healthcare entities that want to be well positioned against cybersecurity threats must know what resources they have, how those are configured, and tightly control any changes, IT Process Institute chief executive Scott Alldridge said.
By Mike Miliard | 05:42 pm | April 15, 2016
Now that Apple is no longer issuing security updates for the software, known vulnerabilities are wide open to exploitation, the security experts say.   
By Jessica Davis | 08:58 am | April 13, 2016
Symantec and Identity Resource Center in separate reports attributed nearly 17 percent of breaches to healthcare, found ransomware up by 35 percent, and said that organized criminals are using best practices much like nation-state attackers.
By Jessica Davis | 11:41 am | April 12, 2016
More than 1,000 patients of the Florida Department of Health Clinics in Palm Beach County could be at risk of identity theft after a recent medical records breach, department officials announced Monday.