February 13, 2018 - Office of Civil Rights

On February 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and 9, 2015. OCR opened an investigation, which confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ protected health information (PHI).

OCR’s investigation indicated that between January 28, 2015, and February 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.

Filefax is no longer in business. In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets for distribution to creditors and others.  In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.

The resolution agreement and corrective action plan may be found on the OCR website here.

October 31, 2017


The Office of Civil Rights issued in its October Cybersecurity Newsletter guidance regarding the use of mobile devices that are used to create, store, and transmit ePHI.  Among the helpful hints provided in the text, a staunch reminder to be sure your IT Security staff assigns the appropriate risk level to the use of mobile devices.  Bulleted suggestions offered in the newsletter include:


Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.

·         Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.

·         Install or enable automatic lock/logoff functionality.

·         Require authentication to use or unlock mobile devices.

·         Regularly install security patches and updates.

·         Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.

·         Use a privacy screen to prevent people close by from reading information on your screen.

·         Use only secure Wi-Fi connections.

·         Use a secure Virtual Private Network (VPN).

·         Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps,                    securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.

·         Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.

·         Include training on how to securely use mobile devices in workforce training programs.

The full newsletter may be found here.

Released August 30, 2017 from HHS.GOV


HHS Secretary Waives Certain HIPAA Privacy Rule Provisions for Texas and Louisiana Hospitals; OCR Issues Bulletin for Medical Professionals Navigating HIPAA Rules in Emergency Situations

In response to Hurricane Harvey, U.S. Department of Health and Human Services (HHS) Secretary Tom Price, M.D., declared a public health emergency in Texas and Louisiana and has exercised the authority to waive sanctions and penalties against a Texas or Louisiana covered hospital that does not comply with the following provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule:

• The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care

• The requirement to honor a request to opt out of the facility directory

• The requirement to distribute a notice of privacy practices

• The patient's right to request privacy restrictions

• The patient's right to request confidential communications

Other provisions of the Privacy Rule continue to apply, even during the waiver period.

When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; (3) with respect to the provisions identified above; and (4) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.  All other provisions of the HIPAA regulations, including the Security Rule and the Breach Notification Rule, remain in effect.  For more information on the bulleting click here.

April 20, 2017

Reinsurance carrier, Summit Re, suffered a ransomware attack in August, 2016 that affected thousands of members covered by major insurance carriers, self-funded employer groups and small regional health plans.  In multiple articles, Summit Re has stated there is no evidence that the data accessed has been used inappropriately; however, breach notification procedures and investigations have been put in place as well as mitigation measures to those members identified. Business Associates were notified in October of the ransomware attack.  A partial list of impacted entities and their covered members includes:

Highmark Blue Cross Blue Shield of Delaware, Louisiana Health Cooperative Inc., PrimeWest Health of Minnesota, Select Health Network of Indiana, Alliant Health Plans of Georgia, and Tufts Health Public Plans Inc.

Additionally, Alliant Health Plans was advised some time after the initial notification of an impermissible access of its member date which occurred in March, 2016.  It is unclear if additional carriers were impacted by that impermissible access of member data.

ThinkAdvisor.com: Subcontracting Complicates Summit Re Ransomware Outreach, March, 16, 2017; retrieved April 20, 2017

HealthITSecurity.com: Another Healthcare Organization Affected by Summit Ransomware Attack, January 12, 2017; retrieved April 20, 2017