Category: Data Privacy and Security

CMS Extends EHR Attestation Deadline for Eligible Hospitals

This week, the Centers for Medicare & Medicaid Services (“CMS”) announced that it is extending the deadline for eligible hospitals and critical access hospitals (“CAHs”) to attest to meaningful use for the Medicare Electronic Health Record Incentive Program for the 2014 reporting year from 11:59 PM EST on November 30, 2014 to 11:59 PM EST on December 31, 2014.

This extension will allow more time for applicable hospitals to submit their meaningful use data and receive an incentive payment for the 2014 program year, as well as avoid the 2016 Medicare payment adjustment.

CMS is also extending the deadline for eligible hospitals and CAHs that are electronically submitting clinical quality measures to meet that requirement of meaningful use and the Hospital Inpatient Quality Reporting program. Hospitals now have until December 31, 2014 to submit their eCQM data via Quality Net.

If you have questions regarding meaningful use attestation deadlines, please contact:

OIG Fiscal Year 2015 Work Plan

On October 31, 2014, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released the Work Plan for Fiscal Year 2015 (“Work Plan”). The Work Plan confirms that OIG will continue to concentrate a great deal of its enforcement efforts on the security and vulnerabilities of protected health information (“PHI”) contained in electronic health records (“EHRs”). The continued focus on the security of data contained in EHRs aligns with the goals of the OIG Strategic Plan 2014-2018, in which OIG identified EHRs as one of its key focus areas until at least 2018.

Given the increased frequency and publicity of health information breaches, it is no surprise that OIG, for the first time, indicated that it plans to examine hospitals’ contingency plan policies and procedures to determine whether adequate safeguards are in place in the event that systems containing PHI are damaged. OIG also indicated that it will continue to examine the Centers for Medicare & Medicaid Services’ (“CMS”) oversight of hospitals’ security controls over networked medical devices, such as dialysis machines, radiology systems and medication dispensing systems. OIG will also continue to conduct audits of eligible hospitals and professionals who received Medicare and Medicaid Meaningful Use Incentive payments to determine whether such payments were proper.

It is worth noting that the Work Plan did not include assessing the security and vulnerabilities of portable devices containing PHI as a priority. This may be an indication that OIG has completed its review of the issue.

Click here to read OIG’s Work Plan.

If you have any questions or would like additional information about these topics, please contact:

Impacts of Heartbleed Exploit Come to Light

Following recent news about the Heartbleed exploit, CloudFlare, a San Francisco-based security services company, challenged hackers to use Heartbleed to obtain private encryption keys that would unlock secure data. It reported multiple winners of its challenge. By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes security verification. The attacker could also decrypt traffic passing between a client and a server (a man-in-the-middle attack), or possibly unscramble encrypted communications collected in the past.

IT Security Standards Hospitals Should Know About

Health information technology solutions that are remotely hosted or cloud-based are becoming more common. In these scenarios, a health care provider is allowing its data, often including protected health information (“PHI”), to flow through or be stored in the vendor’s data center. If PHI is involved, the parties should determine whether a Business Associate Agreement (“BAA”) is necessary for HIPAA compliance. But knowing a vendor’s security standard, regardless of whether a BAA is in place, can give the health care provider confidence that its data will be protected, with a lower risk of damaging breaches occurring.

FTC Issues Mobile Privacy and Security Publications

On February 1, 2013, the Federal Trade Commission (FTC) issued two publications recommending ways that key players in the mobile marketplace, such as operating system providers, application developers, advertising networks and analytics companies, can promote mobile privacy and security.


Establishing an Effective Records Management and Data Retention Program: Health Care Industry Considerations

Attached is a link to a webinar that I recently conducted with Teramedica on Establishing an Effective Records Management and Data Retention Program: Health Care Industry Considerations.

This one-hour webinar helps health care organizations gain tactical insight into the essential legal and business requirements of establishing an effective records management and data retention program. Patient data storage and data access is becoming one of the most costly and challenging areas of health care delivery.

Court finds security system of bank is not commercially reasonable

In analyzing a claim under Article 4A (Electronic Funds Transfers) of the Uniform Commercial Code, the U.S. Court of Appeals for the First Circuit determined that a bank did not utilize commercially reasonable security procedures when it failed to monitor risk reports and decreased the dollar threshold that triggered the use of challenge questions by customers. Patco Construction Company, Inc. v. Peoples United Bank (July 3, 2012). The practical takeaway from this ruling is that “commercially reasonable security” requires active monitoring, and that the effectiveness and commercial reasonableness of security procedures can be undermined by treating all transactions as “high risk.”

Opinions about Mobile Device Privacy and Security Due to ONC by March 30, 2012

The public comment period regarding securing health information while using mobile devices ends on March 30, 2012. Information regarding ONC’s Mobile Device Roundtable discussion and a link to provide comments can be found here.

Should you have any questions, please contact Alisa Kuehn at 317.977.1475 or

HHS Settles First Enforcement Action Resulting From HITECH Breach Notification Rule

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced on Tuesday, March 13, 2012, that Blue Cross Blue Shield of Tennessee (“BCBST”) will pay $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). BCBST had previously notified HHS that 57 unencrypted hard drives containing protected health information, social security numbers, diagnosis codes, dates of birth, and other sensitive information were stolen from a BCBST leased facility.

This settlement represents the first enforcement action by OCR under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act Breach Notification Rule. HITECH requires that covered entities report a breach of protected health information affecting 500 or more individuals both to the media and to HHS. BCBST reported the breach but, according to OCR, failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

For additional details regarding the enforcement action and settlement click here.

Should you have any questions, please contact Ammon Fillmore at 317.977.1492 or

Financial Impact of Breached PHI Study Released

On Monday, March 5th, the American National Standards Institute (“ANSI”) issued its long-awaited report, “Financial Impact of Breached Protected Health Information” (the “Report”). The Report provides a good summary of the current state of health data privacy and security in the U.S., HIPAA legislative history, and some potential measures that can be taken to strengthen the protection of health data privacy and security. Most interestingly, the Report also discusses the financial impact of breached PHI, giving examples of actual costs that an organization might incur when a data breach occurs.

Let us know what you think of the Report’s findings and what steps your organization is taking to protect PHI. We’re also interested in any insights you have for other organizations to better protect PHI.

Should you have any questions, please contact Mark Garsombke at 414.721.0907 or