Posts Tagged breach

What Are the Top Three Concerns When Negotiating Business Associate Agreements?

Business Associate Agreements (“BAAs”) are a necessary tool for ensuring HIPAA compliance, and the negotiated terms of BAAs are becoming more and more important as we venture into an era of mass cyber attacks and related HIPAA breaches. Covered entities, such as physician practices, are required to enter into a BAA anytime they hire a third-party contractor to perform a service on the covered entity’s behalf if such contractor will require the use of and/or access to the covered entity’s protected health information (“PHI”) in order to perform such service. Examples of potential business associates include accountants, attorneys, billing companies, consultants, and marketing agencies.

Although BAAs contain a large amount of form, standard language, below are my top three provisions to address when negotiating a BAA:

  1. Indemnity. The indemnity provision concerns whether or not the business associate will be responsible for any costs the covered entity incurs as a result of the business associate’s actions. If the business associate violates the terms of the BAA and/or HIPAA and such violation results in a fine, penalty, investigation, claim, etc. against the healthcare provider, the indemnity provision allows the healthcare provider to pursue the business associate and recoup such costs. It holds the business associate responsible for the incident accountable for the associated costs.
  2. Breach Reporting. Every BAA should address how quickly breaches of unsecured PHI, security incidents, and other improper uses and disclosures of patient information will be reported to the covered entity following the discovery by the business associate. I generally recommend no more than a 10-day notice period. The BAA should also specify what information will be provided in the notice, how the business associate will work with the covered entity to address the incident, and, with regard to a breach of unsecured PHI, who will be responsible for the costs of breach notification and who will provide the breach notification.
  3. De-identification of Data. De-identified data is not covered by HIPAA. Thus, if business associates are allowed to de-identify the patient data provided by a healthcare provider, they can use that data for any purpose, including a purpose directly profiting the business associate. For that reason, many healthcare providers disfavor allowing their business associates to de-identify patient data, and either prohibit de-identification entirely or limit the permitted uses and/or disclosures of de-identified data by the business associate to specific purposes (e.g., data aggregation or research).

Although it did not make my top three, seeing as more and more states are developing and expanding breach notification requirements and the obligations surrounding the privacy and security of patient information, the choice of law provision in a BAA is becoming more important. For providers located in Alabama, Alabama should serve as your choice of law—the location where the patient was treated and the location of the generation of the medical information.

Kelli Fleming is a Partner with Burr & Forman LLP and practices exclusively in the firm’s Health Care Industry Group. Burr & Forman LLP is a preferred partner with the Medical Association.

Posted in: HIPAA

How Are HIPAA Breaches Impacting Alabama?

HIPAA enforcement reached an all-time high in 2018, with financial settlements ranging from $100,000 to $16,000,000. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is responsible for providing oversight and ensuring HIPAA compliance. Last year alone, OCR resolved a total of 25,089 complaints of HIPAA violations and required at least 632 entities to adhere to Corrective Action Plans which document how those entities will attain and maintain compliance with all applicable components of the HIPAA regulations. While last year’s numbers set records and gained significant attention, those numbers are only expected to increase.

As compliance professionals and media outlets focus on the latest hacking incident or security breach, some may wonder how breaches of health care data are impacting the great state of Alabama. While Alabama has a population of fewer than 5 million people, it is no stranger to OCR investigations. In fact, a look back at the last 15 years of OCR HIPAA enforcement data reflects that the same vulnerabilities that plague states with much larger populations align with issues that burden Alabama covered entities, as well. Alabama, Florida, Minnesota, New Jersey and Ohio are identical with regard to OCR complaint resolution percentages. In these states, OCR concluded that 28% of the complaints received required corrective action on behalf of the HIPAA covered entity. Only 6 percent of complaints in these states were determined not to be violations and 66 percent of complaints were resolved after the intake and review process.

Several breaches impacting the PHI of 500+ individuals have been reported within the state of Alabama. The most recent was the 2018 breach of FastHealth Corporation, a HIPAA Business Associate which contracted with covered entities to perform website and operational services. An unauthorized third party accessed FastHealth’s web server and acquired information from their databases, impacting 1,345 Alabamians. This breach followed a previous breach by the same organization occurring in June 2017 that likewise involved their network server and affected 9,289 individuals.

While large breaches generally receive the most publicity and attention, smaller breaches can be equally as devastating. For instance, breaches involving mental health or communicable disease information can be harmful to the patient whose information was breached, even if it is just one individual. Pursuant to state statutes, breaching this type of information can open an entity up to civil liability, even if numerous individuals are not affected.

Alabama Breach Notification Statute – A Wake-Up Call

When Alabama passed the Alabama Data Breach Notification Act of 2018, many health care providers were pleased to note that there was a specific exemption for entities that were required to adhere to HIPAA. However, a careful review of the exemption language is warranted. Pursuant to Section 11, an entity that is subject to HIPAA regulations and complies with those standards is exempt so long as it does the following:

  1. Maintain procedures pursuant to those laws, rules, regulations, procedures, or guidance.
  2. Provide notice to affected individuals pursuant to those laws, rules, regulations, procedures, or guidance.
  3. Timely provide a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.

Thus, to be exempt from the Alabama statute, HIPAA covered entities must do more than simply assert exemption status due to HIPAA regulations. The entity must also demonstrate that it is in compliance with HIPAA.

New Day for Breach Notification Rule Adherence

According to Linda Sanches, Senior Advisor for HIT & Privacy at OCR, it is going to be tougher for entities to conceal breaches. It has come to the attention of OCR that there are HIPAA covered entities who do not report their breaches and have found success staying “under the radar of HIPAA enforcement.” However, Ms. Sanches announced at the 2019 Health Care Compliance Conference that OCR was not only considering more severe action against entities that did not follow the regulations but that in the future OCR would be observing news reports, interviewing past and disgruntled employees and placing more resources towards seeking out entities that disregarded the regulations.

Alabama covered entities face the same federal regulatory authority as any other state, regardless of size, population or economy. Thus, it is important for health care providers to understand the requirements and ensure that their entity and their workforce are aware of the regulations and how those regulations impact their organization. The most recent national trends on the location and type of breaches from 2018 can be reviewed in the charts below.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

What If No One Was On Call [at the Legislature]?

2018 Recap of the Regular Session of the Alabama Legislature

In times of illness, injury and emergency, patients depend on their physicians. But what if no one was on call? Public health would be in jeopardy. However, the same holds true for the Legislature. During the 2018 session alone, if the Medical Association had not been on call advocating for you and your patients, unnecessary and costly standards of care would have been written into law, lawsuit opportunities against physicians would have increased and poorly thought out “solutions” to the drug abuse epidemic (that could’ve made the problem worse) would have become law. Keep reading to find out more.

Moving Medicine Forward

The 2018 Legislative Session is over, but continued success in the legislative arena takes constant vigilance. Click here to download our 2018 Agenda.

If no one was on call…increased state funding for upgrading the Prescription Drug Monitoring Program (PDMP) would not have occurred. Working with the Governor’s Opioid Task Force, the Medical Association proposed increased funding for the PDMP, to allow it to be an effective tool for physicians. As a result, the Task Force made the request its number one recommendation to the Governor and the 2019 budget for the Alabama Department of Public Health (the PDMP administrator) has a $1 million increase for making a long-overdue upgrade to the user-friendliness of the drug database.

If no one was on call…legislation helping veterans at-risk for drug abuse get the care they need and also leverage technology to combat the drug abuse epidemic would not have occurred. Through enactment of SB 200, the prescription information of VA patients will be shared between the VA and non-VA physicians and pharmacists who are outside the VA system, the same kind of information sharing of prescription data that exists for almost all other patients. Passage of SB 200 also establishes a mechanism for vetting requests for release of completely de-identified PDMP information that can be used to spot drug abuse trends and help state officials better allocate resources in combatting this epidemic. The proposals that resulted in the drafting of SB 200 originated with a recommendation from the Governor’s Opioid Task Force, one the Medical Association supported.

If no one was on call…the concerns of physicians regarding the current state of affairs surrounding the Maintenance of Certification program would not have been heard. A formal recommendation from the Medical Association’s MOC Study Committee resulted in the enactment of SJR 62 by Senators Tim Melson, M.D., Larry Stutts, M.D., and the entire Alabama Senate. The resolution was signed by Gov. Kay Ivey. SJR 62 vocalizes Alabama physicians’ frustrations with MOC and urges the American Board of Medical Specialties to honor its commitment to help reduce the burden and cost of MOC. Pursuit of a legislative resolution was just one of several recommendations from the Association’s MOC Study Committee this year.

If no one was on call…the Board of Medical Scholarship Awards could have seen its funding reduced but instead, the program retained its funding level of $1.4 million for 2019. The BMSA grants medical school loans to medical students and accepts as payment for the loan that student’s locating to a rural area to practice medicine. The BMSA is a critical tool for recruiting medical students to commit to practice in rural areas. As well, the economic footprint of every physician is at least $1 million, which improves both community health and local economies.

If no one was on call…Medicaid cuts could have been severe, possibly reducing access for patients within an already fragile system in which less than 20 percent of Alabama physicians participate. The 2019 budget has sufficient funds available for Medicaid without scheduled cuts to physicians. However, increasing Medicaid reimbursements to Medicare levels could further increase access to care for Medicaid patients and remains a Medical Association priority.

Beating Back the Lawsuit Industry

While Alabama’s medical liability laws have fostered fairness in the courtroom and improved the legal climate, each year personal injury attorneys seek to undo parts of the very law that helps keep “jackpot justice” and frivolous suits in check.

If no one was on call…bill language that could have pulled physicians into new lawsuits targeting opioid drug makers and opioid wholesale drug distributors could have been included in the final version of the legislation, whose subject matter was originally limited to placing new criminal penalties on unlawful possession, distribution and trafficking of Fentanyl. After the liability language was added on the House floor, a committee of the House and Senate removed the new cause of action language that could have affected physicians. Additionally, an unsuccessful attempt was made to amend this same bill to give law enforcement the authority to determine what is the unlawful “prescribing” or “dispensing” of prescription drugs. The final bill that passed contained neither of these elements that would have been problematic for physicians.

If no one was on call…physicians and medical practices could have been forced to provide warranty and replacement coverage for “assistive medical devices.” As originally drafted in the bill, the term “assistive medical devices” was broadly defined to include any device that improves a person’s quality of life including those implanted, sold or furnished by physicians and medical practices like joint or cochlear implants, pacemakers, hearing aids, etc. However, the Medical Association successfully sought an amendment to remove physicians, their staff and medical practices from having any new warranty or assistive device replacement responsibility under the act, and the final version doesn’t expand liability on doctors.

If no one was on call…legislation granting nurse practitioners and nurse midwives new signature authority outside of a collaborative practice and for some items prohibited under federal law – thereby significantly expanding liability for collaborating physicians – could have become law. The Medical Association successfully sought to ensure that all new signature authority granted to CRNPs and CNMs was subject to an active collaborative agreement and all additional forms or authorizations granted were consistent with federal law, protecting collaborating physicians from new liability exposure. The final bill was favorably amended with this language.

If no one was on call…physicians could have been held legally responsible for others’ mistakes including individuals following or failing to follow DNR orders on minors. The language of the final bill does not expand liability for physicians.

Protecting Public Health and Access to Quality Care

Every session, various pieces of legislation aimed at improving the health of Alabamians are proposed. At the same time however, many bills are also introduced that endanger public health and safety, like those where the Legislature attempts to set standards for medical care, which force physicians and their staffs to adhere to non-medically established criteria, wasting health care dollars, wasting patients’ and physicians’ time and exposing physicians to new liability concerns.

If no one was on call…collaborative practice in Alabama between nurse practitioners, nurse midwives and physicians could have been abolished. The legislation did not pass. Read the joint statement on the bill from the Medical Association and allied medical specialties here. The bill may return next session.

If no one was on call…legislation to give law enforcement the authority to determine what is the unlawful “prescribing” or “dispensing” of controlled substances (and making violations a Class B Felony) could have become law. The Medical Association sought changes to the bill to require prosecutors to have to prove beyond a reasonable doubt that a physician knowingly or intentionally prescribed controlled substances for other than a legitimate medical purpose and outside the usual course of his or her professional practice, and also to ensure sufficient qualifications for expert witnesses. The sponsor however – arguing that expert witness testimony for prosecuting a physician should not be required – asked the bill not be passed and instead “indefinitely postponed it,” killing the bill for the 2018 session. The bill will return next session.

If no one was on call…marriage and family therapists could have been allowed unprecedented authority to diagnose and treat mental illnesses without restriction. The legislation would also have deleted numerous prohibitions in current law including prescribing drugs, using electroconvulsive therapy, admitting to a hospital and treating inpatients without medical supervision, among other things. The Medical Association offered a substitute bill that (1) ensures all diagnoses and treatment plans made by MFTs are within the MFT treatment context; (2) ensures MFTs cannot practice outside the boundaries of MFT services; (3) prohibits MFTs from practicing medicine; and, (4) ensures all the current prohibitions in state law regarding prescribing of drugs, electroconvulsive therapy and inpatient treatment remain intact. The final bill that is now law contains all of these elements.

If no one was on call…legislation creating a new state board with unprecedented authority over medical imaging could have passed. The legislation would have required x-ray operators, magnetic resonance technologists, nuclear medicine technologists, radiation therapists, radiographers and radiologist assistants to acquire a new license from a new state board, a board granted total control over the scope of practice for each licensee. Quality and access to care concerns abounded with this legislation that many saw as unnecessary. The legislation did not pass, but is likely to return next session.

If no one was on call…proposals to move the PDMP away from the Alabama Department of Public Health and instead under the authority of some other state agency or even to a private non-profit organization could have been successful. In working with the Governor’s Opioid Task Force, the Medical Association stressed the Health Department was the proper home for the PDMP and the Task Force did not recommend that the PDMP be moved elsewhere.

If no one was on call…legislation to place new requirements on and increase civil liability exposure on referring physicians under the Women’s Right to Know Act could have become law. The legislation aimed to provide a woman seeking an abortion with notice that she can change her mind at any time and be entitled to a full refund for not going through with the abortion. The Medical Association sought to fix a longstanding problem that places information-provision requirements on referring physicians under the Women’s Right to Know law. While the Association’s language was adopted, the bill failed to pass. The bill is expected to return next session.

If no one was on call…state law could have been changed to require mandatory PDMP checks on every prescription. Attempts to change this are expected in 2019.

If no one was on call…law enforcement could have been granted unfettered access to the prescriptions records of all Alabamians. Attempts to change this are expected in 2019.

Other Bills of Interest

Rural physician tax credits…legislation to increase rural physician tax credits and thereby increase access to care for rural Alabamians did not pass but will be reintroduced next session.

Infectious Disease Elimination…legislation to establish infectious disease elimination pilot programs to mitigate the spread of certain diseases failed to garner enough support to pass this session.

Data breach notification…relating to consumer protection, is known as the “data breach bill.” In the event of a data breach by a HIPAA-covered entity, as long as the entity follows HIPAA guidelines for data breaches and notifies the attorney general if the breach affects more than 1,000 people, the HIPAA-covered entity is exempt from any penalties. Now, only North Dakota lacks a “data breach” notification statute. The bill was signed by the Governor.

School-based vaccine program…a Senate Joint Resolution urging the State Department of Education and the Alabama Department of Public Health to encourage all schools to participate in a school-based vaccine program passed in 2018. The Medical Association, Alabama Academy of Pediatrics and Alabama Academy of Family Physicians issued a joint statement in opposition to the resolution.

“While we remain committed to increasing vaccine rates in Alabama for the very reasons outlined in the “Whereases” of the resolution, we are very concerned about the potential disruption that a widespread school-based program could bring to local practices and the likelihood of detrimental effects of adolescents not visiting the doctor, their medical home, during the critical teen years,” the joint statement from the medical societies reads.

While Gov. Ivey did not sign the resolution, it was ratified under state law without her signature.

Workers comp…legislation to penalize an individual from obtaining workers comp benefits by fraudulent means was introduced this session. The Medical Association successfully sought an amendment to require notice to the physician of termination of a worker’s benefits and to ensure continued payment of claims submitted by a physician until that notice is received. The bill failed to see any action this session.

Genital mutilation…legislation criminalizing the genital mutilation of a minor female was introduced this session. The Medical Association successfully sought an amendment to exclude emergency situations and procedures. The bill died in the Senate during the last days of the session. It is expected to return next year.

If the Medical Association was not on call at the Legislature, countless bills expanding doctors’ liability, placing standards of care into state law, lowering the quality of care provided and diminishing the practice of medicine could have passed. At the same time, positive strides in public health – like new funding for a much-needed PDMP upgrade, better data-sharing with VA facilities and the resolution on MOC – would not have occurred. The Medical Association is Alabama physicians’ greatest resource in advocating for the practice of medicine and the patients they serve.

Questions? For more information contact Niko Corley at

Posted in: Advocacy

Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members,” said Association President Jerry Harrison M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, supporting the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints following the issuance of the Privacy Rule in April 2003. A rising number of claims filed under HIPAA in recent years have led many patients to question whether or not their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread and rising penalties for HIPAA non-compliance are a reality.

According to, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment,” said Jeff Broudy, CEO of PCIHIPAA.

PCIHIPAA is an industry leader in PCI and HIPAA compliance providing turnkey, convenient solutions for its clients. Delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance to PCI and HIPAA regulations to ensure that health and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at and

Posted in: MVP

Breach Notification…Who, How, When?

February is typically a very busy month for health care compliance professionals because the majority of breaches are required to be reported to the Department of Health and Human Services (HHS) within the first 60 days of the calendar year following the breach. However, the type of breach determines the applicable deadline so it is very important to know what needs to be reported to whom and when.

Entities regulated by HIPAA, including healthcare providers, health plans and business associates, must identify breaches in an adequate and timely manner and respond to breaches accordingly. This response includes identifying the occurrence, thoroughly investigating the incident, completing a thorough Breach Assessment of the incident and timely reporting conclusions to the appropriate parties.

A “breach” is an impermissible use or disclosure that compromises the privacy or security of protected health information. When a breach occurs in a health care setting, the entity may be required to provide notice of the breach to affected parties, including the patient or client, HHS and in some instances media outlets.

Health care entities are required to assess all breaches by considering the likelihood that patient or client protected health information was compromised. This is different from the previous harm standard, which required a determination of whether the breach caused a significant risk of financial, reputational or other harm. Under the compromise standard, consideration is given to the identity of the individual to whom the information was wrongfully provided and the possibility of that individual being able to retain and/or utilize the information.

Entities rely on their Breach Assessment tool to assist them with developing conclusions about the status of a breach. Unless an entity can substantiate and document that the breach was low-risk, it must be reported to appropriate parties as a breach. Pursuant to federal regulation, specific elements must be considered before an entity can determine a breach to be low-risk. Those elements include:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.[1]

These elements, in addition to other documented analysis, must be included on the entity’s Breach Assessment. This document should be customized to the entity and identify criteria that would lead to an objective determination about the nature of the breach.

The adequacy of an entity’s Breach Assessment tool is vital to that entity reaching an appropriate conclusion. The Breach Assessment should document the type of breach and the source of the breach. It should reflect whether it was an oral breach or whether documentation was shared. It should consider whether the individual with whom the information was shared is also a workforce member of a HIPAA-covered entity or whether that individual had any duty to keep the information confidential. After considering these questions, in addition to other factors, the entity should be able to make a reasonable determination about whether the protected health information was compromised.

Content of Notice

If an entity determines that a breach occurred and that breach notification is necessary, they must provide notice of the breach, which at a minimum includes the following:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.[2]

Timeliness Requirements

Entities must adhere to specific deadlines for breach reporting. The timeline is considered to have started on the date that the entity “knew or should have known of the breach,” meaning that the entity either had direct knowledge of the breach or, in the exercise of due diligence, should have been aware that the breach took place. This “should have known” element is important because it holds entities responsible for breaches based on an objective standard, which discourages entities from pretending to be unaware of breach incidents.

Notification deadlines are directly related to the size of the breach. Breaches affecting fewer than 500 individuals require notification to the patient within 60 days of discovery of the breach, also known as Individual Notice. Additionally, for breaches affecting fewer than 500 individuals, notification must be provided to HHS within the first 60 days of the following calendar year.

Breaches involving 500 individuals or greater require entities to meet the Individual Notice standard described above, but they also require simultaneous notice to HHS and media notice. Media notice must take place both where the entity does business and where the individuals affected by the breach reside. For example, suppose a practice is located in Montgomery, Ala., and provides services to patients in Montgomery and in Huntsville, Ala. The entity will be responsible for contacting media outlets in both Montgomery and Huntsville to ensure that consumers are informed of the breach. Additionally, if the entity has a website, the notice must also be placed on the entity's website.
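The two preceding paragraphs describe a decision procedure: the clock starts at the earlier of actual knowledge and the “should have known” date, and the size of the breach decides which notices are owed and when. The following is an added worked example, not code from the article or from The Dunson Group; it encodes the thresholds and windows exactly as the article states them (60 days from discovery for Individual Notice, the first 60 days of the following calendar year for HHS on breaches under 500, simultaneous HHS and media notice at 500 or more), and the Montgomery/Huntsville scenario is the article's own, reused here as constructed input. Function and field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Thresholds and windows as the article states them (assumption: the article's
# wording is taken at face value, not as a legal reading of the regulation).
MEGA_BREACH_THRESHOLD = 500      # 500 or more affected individuals
INDIVIDUAL_NOTICE_DAYS = 60      # individual notice within 60 days of discovery
HHS_ANNUAL_WINDOW_DAYS = 60      # small breaches: first 60 days of the following year


def discovery_date(actual_knowledge: Optional[date],
                   should_have_known: Optional[date]) -> date:
    """The clock starts when the entity knew *or should have known* of the
    breach, so the earlier of the two dates controls."""
    candidates = [d for d in (actual_knowledge, should_have_known) if d is not None]
    if not candidates:
        raise ValueError("at least one discovery date is required")
    return min(candidates)


@dataclass
class NotificationPlan:
    affected: int
    discovered: date
    individual_notice_due: date
    hhs_notice_due: date
    media_notice_due: Optional[date]            # None when no media notice is owed
    media_markets: List[str] = field(default_factory=list)
    website_notice_required: bool = False

    @property
    def is_mega_breach(self) -> bool:
        return self.affected >= MEGA_BREACH_THRESHOLD


def plan_notifications(affected: int, discovered: date, entity_location: str,
                       patient_locations: List[str], has_website: bool) -> NotificationPlan:
    """Derive the notice deadlines and channels for a breach of unsecured PHI."""
    if affected < 1:
        raise ValueError("a reportable breach affects at least one individual")
    individual_due = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    if affected >= MEGA_BREACH_THRESHOLD:
        # 500 or more: HHS and media notice run simultaneously with individual
        # notice, in every market where the entity does business or affected
        # patients live; a website notice is owed if the entity has a website.
        markets = sorted({entity_location, *patient_locations})
        return NotificationPlan(affected, discovered, individual_due,
                                hhs_notice_due=individual_due,
                                media_notice_due=individual_due,
                                media_markets=markets,
                                website_notice_required=has_website)

    # Fewer than 500: HHS is notified within the first 60 days of the following
    # calendar year (day 1 is January 1, so day 60 is January 1 + 59 days).
    first_day_next_year = date(discovered.year + 1, 1, 1)
    hhs_due = first_day_next_year + timedelta(days=HHS_ANNUAL_WINDOW_DAYS - 1)
    return NotificationPlan(affected, discovered, individual_due,
                            hhs_notice_due=hhs_due, media_notice_due=None)


def example_plans():
    """Constructed scenarios: a small breach and the article's Montgomery practice
    with patients in Huntsville, both discovered on the same date."""
    discovered = discovery_date(actual_knowledge=date(2023, 3, 20),
                                should_have_known=date(2023, 3, 15))
    small = plan_notifications(120, discovered, "Montgomery, Ala.",
                               ["Montgomery, Ala."], has_website=True)
    mega = plan_notifications(550, discovered, "Montgomery, Ala.",
                              ["Montgomery, Ala.", "Huntsville, Ala."], has_website=True)
    return small, mega


if __name__ == "__main__":
    for plan in example_plans():
        print(plan)
```

Note that `discovery_date` deliberately takes the earlier date: an entity that learned of the incident on March 20 but should have caught it on March 15 is held to the March 15 clock, which is the objective standard the article describes.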

Wall of Shame (for breaches of 500 individuals or greater)

The HHS Office of Civil Rights (OCR) notifies the public of large breaches in an effort to strengthen consumer trust and transparency. These breaches can be found on the HHS website and are known in the health care industry as the “Wall of Shame.” This Wall of Shame identifies entities that are currently under investigation, as well as entities that have already settled their cases with HHS or otherwise resolved their cases through administrative proceedings. It documents the name of the entity, the exact number of people involved in the incident and the type of breach. While the Wall of Shame generally reports incidents that occurred within the last two years, there is also an archive section that allows consumers to review cases occurring before that cutoff period. You can view the HHS Wall of Shame by utilizing the following link:

Understanding the Breach Notification Rule can be tricky. This area of the regulations has many aspects that require professionals to perform specific analysis as they navigate each incident. Your entity compliance professional should be trained on the requirements and ensure that your policies and procedures are updated regularly. Your entity can report breaches to HHS by utilizing the following link:

Should your entity have questions regarding the Breach Notification Rule, they should contact a healthcare compliance professional for guidance.

[1] 45 CFR 164.402(a)(2)

[2] 45 CFR 164.404(c)

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA


How Can You Avoid a HIPAA Mega Breach?

A HIPAA breach often occurs when a health care entity wrongfully discloses the protected health information of a patient or client. These incidents can occur by accident, like faxing patient information to the wrong fax number. They can also be the result of willful or intentional acts, like employees who gather patient information for the purpose of filing false tax returns. They occur in many forms and can affect any number of individuals. Breaches can range in scale from a single individual being compromised to an incident affecting thousands and even millions of people.

The Department of Health and Human Services requires a breaching entity to take specific reporting action based on the number of individuals the breach affects. In the world of HIPAA breaches, 500 is a magic number. Breaches affecting greater than 500 individuals are generally considered a HIPAA “Mega” breach. These mega breaches have more stringent notification requirements that could cause your health care practice to be featured on the evening news. Just as with breaches affecting fewer than 500 people, mega breaches require that you provide individual notice to each patient. This often requires staff time as they work to locate each patient’s last known address and send them a breach notification letter explaining what happened, who was involved, how their data was compromised, and what the entity is doing to avoid similar incidents in the future. Often, entities will offer their patients credit monitoring for a two-year period to mitigate the breach and demonstrate to the patient that the entity is serious about data security.

Mega breaches require individual notice as well, but these large breaches also require simultaneous notice directly to the HHS Office of Civil Rights and to local media and news outlets. Entities reporting these large breaches will deal with immediate issues like loss of business and loss of reputation while also responding to patients and clients who are angry that their information has been compromised.

How can you avoid dealing with a HIPAA Mega breach in your practice?

You Must Perform a Competent and Thorough Risk Analysis. Many compliance professionals refer to this as your entity’s “annual exam.” During this process, you and your team should determine every system that contains electronic protected health information and assess its vulnerability for inappropriate disclosure. This analysis is a requirement of the HIPAA Security Rule and must occur annually or sooner if necessitated by changes to your IT system or turnover in your workforce. Entities must remember to document this process and have it readily available to produce to HHS upon request. Failure to perform, document, and/or produce an adequate Risk Analysis is often a sign to HHS that an entity is non-compliant and may lead to a more extensive audit. This is an opportunity for entities to determine the adequacy of their cybersecurity and how to protect their entity from malware.

Invest in Encryption. HIPAA categorizes patient data in two ways: (1) secured and (2) unsecured. Entities most often find themselves in trouble when they have a breach of unsecured data. The breach notification requirements discussed above, which include notice to patients, HHS and media outlets, ONLY refer to breaches of unsecured data; secured data is exempt from notice requirements. Secured or encrypted data is considered to be unusable, unreadable, or indecipherable to unauthorized individuals; thus, loss of such a device does not constitute a breach. Encrypting patient data is the ultimate safety net! For example, a nurse uses a business laptop to store patient information of the 550+ individuals that are treated in her practice. She takes it home for the night and leaves it on the passenger seat of her car. Her vehicle is broken into overnight and the laptop is stolen. If the laptop is unencrypted, she now faces HIPAA breach notification requirements, loss of reputation, and the overwhelming threat of possible fines and lawsuits. However, if the laptop is encrypted, she would simply document the occurrence and have the laptop replaced.
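The risk analysis paragraph asks you to enumerate every system holding ePHI and assess it at least annually, and the encryption paragraph explains why the encryption status of each of those systems decides whether its loss is reportable at all. The following is an added example that ties the two together over a constructed device inventory; it is not code from the article or from The Dunson Group. It assumes that “encrypted” means encryption that renders the data unusable to an unauthorized holder, as the article describes, and that a 365-day interval is the “annual” cadence; the device names, record counts and dates are constructed, and the 500-record threshold is the article's mega-breach figure.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

RISK_ANALYSIS_MAX_AGE = timedelta(days=365)   # assumption: "annually" means 365 days
MEGA_BREACH_THRESHOLD = 500                   # the article's mega-breach figure


@dataclass
class System:
    name: str
    holds_ephi: bool          # in scope for the Security Rule analysis at all?
    encrypted: bool           # data unusable/unreadable to an unauthorized holder
    portable: bool            # laptops, flash drives, tapes leave the premises
    records: int              # individuals whose ePHI the system holds
    last_risk_analysis: date  # when this system was last assessed


@dataclass
class Finding:
    system: str
    issue: str
    exposure_if_lost: str     # what the loss or theft of this system would mean


def loss_is_reportable(s: System) -> bool:
    """Only unsecured (unencrypted) ePHI triggers the notification rule."""
    return s.holds_ephi and not s.encrypted


def exposure_if_lost(s: System) -> str:
    if not loss_is_reportable(s):
        return "none: encrypted data is not a reportable breach"
    return "mega breach" if s.records >= MEGA_BREACH_THRESHOLD else "breach"


def assess_inventory(systems: List[System], today: date) -> List[Finding]:
    """Flag stale risk analyses and unsecured ePHI, worst exposure first."""
    findings: List[Finding] = []
    for s in systems:
        if not s.holds_ephi:
            continue  # nothing to protect here
        if today - s.last_risk_analysis > RISK_ANALYSIS_MAX_AGE:
            findings.append(Finding(s.name, "risk analysis older than one year",
                                    exposure_if_lost(s)))
        if loss_is_reportable(s):
            where = "a portable device" if s.portable else "a fixed system"
            findings.append(Finding(s.name, f"unsecured ePHI on {where}",
                                    exposure_if_lost(s)))
    # Portable, unencrypted systems with the most records go to the top of the list.
    rank = {"mega breach": 0, "breach": 1}
    findings.sort(key=lambda f: rank.get(f.exposure_if_lost, 2))
    return findings


def example_inventory() -> List[System]:
    """Constructed inventory; the first entry is the article's nurse's laptop."""
    return [
        System("nurse-laptop", True, False, True, 550, date(2024, 2, 1)),
        System("billing-server", True, True, False, 12000, date(2023, 1, 15)),
        System("backup-tapes", True, False, True, 12000, date(2024, 3, 1)),
        System("front-desk-pc", False, False, False, 0, date(2022, 1, 1)),
    ]


def example_findings() -> List[Finding]:
    # Constructed assessment date.
    return assess_inventory(example_inventory(), today=date(2024, 6, 1))


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.system}: {f.issue} -> {f.exposure_if_lost}")
```

The encrypted billing server still produces a finding, because an out-of-date risk analysis is a Security Rule problem on its own, but its exposure line records that losing it would not be a reportable breach; the unencrypted laptop and tapes are the items that would put the practice in mega-breach territory.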

Enforce Privacy and Security Policies and Provide Training. Often, the most effective tool in your health care compliance arsenal is a competent and well-informed workforce. Employees must understand how their actions can affect the security of data along with the consequences of violating policies and procedures. Additionally, having policies and procedures that are customized to your practice demonstrates a serious approach to compliance. Often, being able to produce copies of policies and training that employees were mandated to review and participate in will reflect that the entity itself was aware of its risks and sought to avoid or minimize them. An employee who has documented that they have reviewed the policies and participated in training, but nevertheless participated in negligent or reckless behavior, is more likely to be seen as a “bad actor” and not a reflection of a culture of non-compliance within the entity.

Your entity may also want to reflect on how the following devices are utilized and stored:

  1. Hard Drives
  2. CDs/DVDs
  3. Flash Drives
  4. Back-Up Storage Tapes

To ensure that your practice is complying with federal regulations, and for assistance with avoiding or navigating a mega breach, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

Posted in: HIPAA
