Search the News Archive

New HIPAA Risk Assessment Tool from HHS Is Much Ado About Nothing

"While the HHS Security Risk Assessment tool does provide some software, here are few specific cautionary notes: By design, it is intended 'to help guide health care providers in small to medium sized offices not larger organizations ... It comes with several disclaimers, among them: The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.... It does not follow HHS' own Guidance on Risk Analysis Requirements under the HIPAA Security Rule' published in July, 2010 ... The HHS Security Risk Assessment tool is an interesting work product. Please be very careful."

Pharmacy Faces Heavy Fines Under Latest OCR Resolution Agreement

"Cornell Prescription Pharmacy ..., a single location, compounding pharmacy located in Denver, Colorado, has agreed to settle potential HIPAA violations, in OCR's latest Resolution Agreement. In this Agreement, Cornell will pay a resolution amount of $125,000. That's quite a hefty price tag for a small covered entity like Cornell. But, it reminds all covered entities and business associates that HIPAA applies to, and affects, organizations equally."

What We Learned From Last Year's Breaches

"Non-Digital Breaches Remain An Issue ... Purloined Portables Still A Problem ... Insider Mistakes and Malice Can Be Costly." [Infographic]

The Anthem Breach: Stanza Two Isn't Pretty

"So far, ten state attorneys general have complained that Anthem isn't moving fast enough in its notification efforts.... Meanwhile, questions abound about whether the breach was truly 'sophisticated' or not. The hackers had the skills to penetrate several Anthem security layers, but they were able to then access the vast database using a stolen password. Numerous reports suggest that Anthem had not encrypted the Social Security numbers found in that database."

HIPAA-HITECH Blue Ribbon Panel Addresses Growing Complexity of Privacy and Security Enforcement

"Among the best practices cited were: [C]omplete a thorough risk analysis.... [U]se the findings to formulate a risk management plan.... Build broad awareness and underscore the importance of information privacy and security.... Institute thorough background checks and implement rigorous controls around workforce access to PHI and termination of access."