HIPAA Journal – Compliance with HIPAA Right of Access

Highlights from the HIPAA Journal

From the May 4th Newsletter

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Citizen.

  • The research saw a 27% increase in HIPAA-compliant responses from healthcare providers when reporting PHI to patients.

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance.

  • In the latest guidance, OCR explains that protected health information includes written, electronic, oral, and other visual and audio forms of health information which must be protected against unauthorized access and disclosure.

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.

  • After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

Advanced Persistent Threat (APT) groups are continuing to target healthcare providers, pharmaceutical firms, research institutions, and others involved in the COVID-19 response, prompting a further joint alert from cybersecurity authorities in the United States and United Kingdom.

  • APT groups often target healthcare organizations to obtain personal information of patients, intellectual property, and intelligence that aligns with national priorities.

Recent cyber/ransomware attacks related to the Healthcare industry

  • Employee email accounts at BJC Healthcare were accessed by an unauthorized individual after responses to phishing emails in March of this year. Patient information was potentially compromised, and 19 hospitals linked to BJC Healthcare were potentially affected.
  • Saint Francis Healthcare Partners in Connecticut suffered a cyber attack that may have affected around 38,500 patients, as an unauthorized individual gained access to its email system.