Author Archives: Frank Sivilli

HIPAA Alliance Marketplace Connects CEs and BAs

For many health care providers, finding HIPAA compliant business associates poses a significant challenge, one with direct implications for the security of their sensitive health care data. The newly launched HIPAA Alliance Marketplace is a platform that simplifies the process for covered entities to find HIPAA compliant business associates.

Health care providers can connect with health care vendors like never before with confidence that their prospective business partners will keep their data safe and secure.

Access to the marketplace is limited to vendors that have been verified by the Compliancy Group HIPAA Seal of Compliance. The HIPAA Seal of Compliance is the industry standard, third party HIPAA verification tool used by health care providers and vendors across the country. The Seal of Compliance demonstrates that the organization in question has executed all of the necessary standards mandated by HIPAA regulation.

Vendors can use the marketplace to break into the valuable health care market. Whether already HIPAA compliant, or just starting on their journey, vendors can speak with one of Compliancy Group’s HIPAA experts to determine the status of their compliance and get listed on the marketplace today.

About the HIPAA Alliance:

The HIPAA Alliance Marketplace is a closed ecosystem that allows health care professionals (covered entities, CE) to find HIPAA compliant solution providers (business associates, BA). HIPAA compliant vendors in the HIPAA Alliance Marketplace are heavily vetted against the HIPAA rules, and verified by the Compliancy Group HIPAA Seal of Compliance™.

Our Partners at Compliancy Group Help Client Pass HIPAA Audit

Compliancy Group announced today that it has helped a long-time client pass a HIPAA audit. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigation into a potential HIPAA violation resulted in no fine for a user of their web-based compliance solution, The Guard.

OCR opens hundreds of breach investigations into health care organizations every year, as the breach portal on the HHS website (the so-called "Wall of Shame") shows.

Compliancy Group is the only HIPAA solution on the market today that gives clients access to a HIPAA Audit Response Program™ (ARP). The Compliancy Group HIPAA Audit Response Program gives clients the ability to formulate all the necessary reports that OCR auditors are requesting in order to illustrate their compliance efforts. Compliancy Group’s team of expert Compliance Coaches gather the reports and adhere to strict audit deadlines to ensure that clients stand their best chance at emerging from an audit without being fined.

At Compliancy Group, not a single client has ever failed an OCR or CMS audit. Learn more about how our HIPAA compliance partner helps simplify compliance for health care professionals now!

Recent Ransomware Attacks Could be HIPAA Violations

By now, you may have heard about the massive ransomware attack that has struck over 150 countries, including the United States, over the past week.

Under OCR's ransomware guidance, a ransomware infection that encrypts electronic protected health information (ePHI) is a security incident, and the affected ePHI is presumed to have been breached unless the organization can demonstrate a low probability that it was compromised. ePHI that was already encrypted to HHS standards before the attack is not "unsecured" PHI, so whether your data was encrypted at rest is what largely determines whether the incident is a reportable breach. Note the caveat: full-disk encryption only protects data while the machine is powered off; once a user is logged in, ransomware running in that user's session sees the same plaintext the user does.

These recent attacks come out of a growing trend in malware incidents over the past year. OCR has released guidance about how to handle a ransomware incident in your health care practice. The federal government has stressed the importance of safeguarding your organization and protecting your confidential patient data.

If you're interested in protecting your organization from a ransomware incident, and want education about how to prevent ransomware attacks from spawning HIPAA breaches and fines, attend the upcoming webinar.

2017 HIPAA Enforcement to Target Ransomware, Interoperability, Medical Apps

“With big data, comes big responsibility,” says Office for Civil Rights (OCR) Director Roger Severino. This is just a fragment of the insight he gave into upcoming HIPAA enforcement trends in his plenary talks at Health Datapalooza 2017.

Severino, the newly appointed Director of the Department of Health and Human Services’ (HHS) OCR, spoke about the Office’s role in the enforcement of the HIPAA Privacy and Security Rules in the changing face of medical technology and health care IT.

OCR is ready to "adapt to changing circumstances" of data security and interoperability in health care. Severino stressed the importance of security, especially as it relates to protected health information (PHI) of patients. HHS presented a unified message this morning on improving the quality of patient care, a theme first raised by HHS Secretary Tom Price earlier in the session.

2017 HIPAA Enforcement Trends

“Security with data is essential,” said Severino. He suggested that OCR enforcement of HITECH and the HIPAA rules will be advancing to address changes in health care data and technology. He mentioned the string of ransomware incidents that have been affecting hospitals across the country over the past year, in addition to the recent $2.5 million fine that OCR levied against medical device company, CardioNet.

Mobile apps, in particular, are going to be an area of focus for OCR in the years ahead. Severino specifically mentioned the Office’s concerns about how mobile apps can work within the HIPAA rules in order to advance interoperability of health care data.

Finding a means of achieving effective interoperability for health care providers and balancing data security is going to be an area of ongoing concern. Severino spoke about the state of trust between patients and their providers. Breaches of sensitive data cause both financial hardship, and a loss of trust between patients and health care practitioners. “If health care information is not protected, the relationship [between patient and provider] breaks down.”

Data breaches are comparable to identity theft in this way–and Severino suggests that voluntary patient data collection is at risk unless this problem is remedied.

HHS Secretary Tom Price Stresses Burdens of Health Care IT

Secretary of Health and Human Services (HHS) Tom Price spoke about the future of innovation in health care IT during his opening remarks at Health Datapalooza 2017. “People, patients, and partnerships” are going to be the driving forces behind the Trump Administration’s work in health care IT.

Secretary Price commented on reducing the burden of health care IT processes to physicians, with patient-oriented care as the central focus.

Price stressed that “True interoperability has always been the goal,” but that somewhere in the last few years the process has become muddled. He suggested new HHS guidance on the matter, as a means of “deciding on the rules of the road” for interoperability processes.

New Regulation on the Horizon?

Future HHS work on the matter will focus on “accessibility, affordability, quality, and empowering patients,” and patient-focused care with fewer burdens on health care practitioners.

Price suggested that high-level policy making should be the goal of any work done on interoperability in the future–which could come in the form of new HHS guidance, or even new regulation on the matter.

The Obama Administration made interoperability a central goal of its health care IT policy, with such measures as the Precision Medicine Initiative. The Precision Medicine Initiative focused on using patient data to collectively improve health research and care.

This work could continue under the Trump Administration, under the auspices of a different name and fewer "burdens" on doctors. The proliferation of Electronic Health Records (EHR) platforms in the past decade has been the foundation of interoperability initiatives.

Price stated that taking the focus away from patient care toward “data entry” has had challenging “and sometimes destructive consequences.” It’s clear the Administration is dedicated to changing the face of interoperability in the years to come.

Striking a balance between advancing and achieving interoperability within the limits of current health care technology capabilities will clearly be a challenge. Price stressed the importance of “partnerships” in this endeavor. Public-private partnerships could do the work of creating the infrastructure needed for “true interoperability.”

Fraudulent HIPAA Notifications Target Health Care Professionals

Recently, health care professionals have reported being solicited by organizations fraudulently presenting themselves as federal entities.

Rather than a typical credential-phishing email, this campaign is marketing: one IT security firm based in Miami, Florida is posing as HHS as part of its sales outreach. The emails reproduce legitimate HHS letterhead and close with an unauthorized use of OCR Director Jocelyn Samuels' signature.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has responded to this unlawful conduct with a statement telling health care officials not to follow any of the links in the email.

“The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services,” OCR notes in its announcement. “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights,” said Samuels. “We take the unauthorized use of this material by this firm very seriously.”

If you or a member of your organization receives an email or call from an entity claiming that you need to have a:

“Mandatory HIPAA Risk Assessment Review with a Certified HIPAA Compliance Adviser”

Be advised that this is not a legitimate notice from any federal or state regulatory agency. You are under no obligation to provide or share any information with these organizations if you receive such a notice. There is no certifying body for HIPAA compliance, federal or private; any organization that claims otherwise is using misleading or fraudulent language.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will only contact you directly via a certified letter or email.

These fraudulent emails are being sent from ‘‘, while a legitimate OCR email will be sent from ‘‘. The distinction is subtle, but that's characteristic of scams such as these: check the domain after the @ in the actual sender address, not the display name, which the sender controls entirely.

This kind of fraud is a growing trend being executed by some security and compliance companies in the health care space. Being equipped with the right tools can protect you and your organization from being scammed.
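The sender-domain check described above, as an added example that is not part of the original post. It parses the From and Reply-To headers of a message, flags addresses whose registered domain is not on an allowlist, and separately flags "lookalike" domains that embed a trusted name (such as hhs.gov.example.com or hhs-gov.com). The trusted domain hhs.gov, the sample message and the vendor.example addresses are assumptions for illustration; the page does not name the real addresses, so substitute your own list.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption for illustration: the page does not name the real sender
# addresses. Replace with the domains your organization actually trusts.
TRUSTED_SENDER_DOMAINS = {"hhs.gov"}

# Constructed sample message modelled on the solicitation the post describes.
# All addresses are hypothetical (.example is a reserved TLD).
SAMPLE_PHISH = """\
From: "HHS Office for Civil Rights" <compliance@hhs-gov.com>
Reply-To: sales@vendor.example
Subject: Mandatory HIPAA Risk Assessment Review
Content-Type: text/plain

Please schedule your mandatory review at http://vendor.example/review
"""


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From/Reply-To header.
    parseaddr strips the display name, e.g. 'OCR <ocr@hhs.gov>' -> ocr@hhs.gov."""
    _, addr = parseaddr(str(header_value))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def registered_domain(domain: str) -> str:
    """Crude registered-domain extraction: the last two labels.
    Adequate for .gov/.com; use the Public Suffix List (e.g. the
    tldextract package) in production to handle multi-part suffixes."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def classify_sender(header_value: str, trusted=TRUSTED_SENDER_DOMAINS) -> str:
    """Classify a sender address as 'trusted', 'lookalike' or 'untrusted'.

    trusted   - registered domain is on the allowlist (subdomains included)
    lookalike - not trusted, but the address contains a trusted domain or its
                first label (hhs.gov.example.com, hhs-gov.com, hhs.gov-mail.net)
    untrusted - anything else, including a missing or malformed address
    """
    dom = sender_domain(header_value)
    if not dom:
        return "untrusted"
    if registered_domain(dom) in trusted:
        return "trusted"
    # Treat hyphens as label separators so "hhs-gov.com" exposes the label "hhs".
    labels = dom.replace("-", ".").split(".")
    for t in trusted:
        base = t.split(".", 1)[0]
        if t in dom or base in labels:
            return "lookalike"
    return "untrusted"


def check_message(raw: str, trusted=TRUSTED_SENDER_DOMAINS) -> dict:
    """Parse a raw RFC 5322 message and report whether it is suspicious.

    A message is suspicious if the From domain is not trusted, or if replies
    would go to a different registered domain than the one it claims to be
    from (a common pattern when the displayed sender is only a lure)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg.get("From", "")
    reply_hdr = msg.get("Reply-To", "") or from_hdr
    from_dom = sender_domain(from_hdr)
    reply_dom = sender_domain(reply_hdr)
    verdict = classify_sender(from_hdr, trusted)
    reply_mismatch = registered_domain(reply_dom) != registered_domain(from_dom)
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "verdict": verdict,
        "reply_to_mismatch": reply_mismatch,
        "suspicious": verdict != "trusted" or reply_mismatch,
    }


if __name__ == "__main__":
    for header in ["Office for Civil Rights <ocr@hhs.gov>",
                   "OCR <ocr@hhs.gov.example.com>",
                   "ocr@hhs-gov.com",
                   "sales@vendor.example"]:
        print(f"{header:45} -> {classify_sender(header)}")
    print(check_message(SAMPLE_PHISH))
```

This is a triage filter, not proof of origin: a trusted-looking From header can still be forged outright, so a mail gateway should also enforce SPF/DKIM/DMARC results for the allowlisted domains, and the lookalike test is deliberately broad so that a human reviews anything it flags.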

OCR Announces HIPAA Desk Audits for Business Associates


Starting in November, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is slated to begin HIPAA compliance desk audits for business associates. This is just the beginning of OCR’s ongoing push for a permanent HIPAA audit program, which will kick into higher gear come 2017.

OCR first began its Phase 2 HIPAA Compliance Audits in March of 2015. An initial group of 167 Covered Entities, such as doctors and insurance companies, were randomly selected for a HIPAA audit. A questionnaire was posed to auditees asking them to compile lists of their business associates along with relevant contact information.

OCR has collected some 20,000 BAs through this process, and now plans to select organizations from this list and move forward with onsite audits, according to OCR’s Deputy Director of Health Information Privacy, Deven McGraw.

In June of this year, OCR reached its first settlement with a BA in the history of HIPAA enforcement, resulting in a $650,000 fine. OCR has redoubled its efforts toward BA enforcement, and this recent announcement marks the first time that OCR has initiated wide-scale random audits of business associates for HIPAA compliance, a practice that will become standard once HHS launches its permanent audit program.

McGraw went on to state that business associates chosen for desk audits after November 2016 could also be subject to additional onsite audits if widespread HIPAA compliance issues are uncovered. “It’s not a game of ‘gotcha’ or a vehicle for punitive measures. But we can open an investigation if what we see in an audit” raises alarms, she said.

McGraw also outlined plans for a "comprehensive roll-up report" once these desk audits are completed. This report will be a publicly accessible document that outlines the major findings of OCR's Phase 2 Audits. OCR intends for the report to act as a resource for HIPAA-beholden organizations to address their compliance plans in the future.

The 20,000 contacts that OCR has gathered across the health care industry represent a wide range of different business associates. Organizations that weren’t contacted over the course of OCR’s initial outreach for Phase 2 are at risk of being audited just because of the business relationships they have with covered entities.

“In order to best prepare for these audits, business associates should be able to illustrate their HIPAA compliance through supporting documentation,” says Marc Haskelson, President and CEO of Compliancy Group. “If a BA has yet to address their HIPAA compliance, now is a better time to start than ever before.”


See our recommended HIPAA products!

HIPAA Roundup: Pharmacy Settlements and OCR Investigations

Over the past few years, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has considerably ramped-up its enforcement efforts for HIPAA violations.

Pharmacies have continued to be hit with OCR investigations and massive fines for breaches of protected health information (PHI). These investigations are often initiated for minor privacy or security incidents, and become major HIPAA violations once the organization’s full-scale non-compliance is brought to light.

Below, we’ve looked at three important settlements that speak to the future of HIPAA enforcement for pharmacies across the country.


CVS Pharmacy, $2.25 Million HIPAA Settlement

On January 16, 2009, HHS reached a settlement with CVS Pharmacy, Inc. to settle alleged violations of the HIPAA Privacy Rule. The $2.25 million settlement came after OCR investigators determined that stores across the nation were improperly disposing of labels containing the PHI of patients and customers.

OCR investigators found that CVS failed to implement the appropriate policies and procedures to safeguard the integrity of disposed PHI, that it failed to train employees on how to properly dispose of PHI, and that it did not implement an appropriate sanctions policy for employees and pharmacists who failed to properly dispose of PHI.

The integrity of PHI is paramount to compliance with the HIPAA Privacy Rule and pharmacies face especially difficult challenges to maintain proper privacy standards. As these next examples will show, improper handling of PHI is one of the most significant risks that pharmacies are exposed to under HIPAA regulation.


Rite Aid Pharmacy, $1 Million HIPAA Settlement

Rite Aid reached a $1 million settlement with HHS on July 27, 2010 for alleged violations of the HIPAA Privacy Rule. The chain operates nearly 4,800 retail pharmacies across the country.

Investigators determined that PHI was being disposed of incorrectly, without policies and procedures governing the disposal process. Additionally, Rite Aid’s employees weren’t trained on the proper disposal of PHI, nor were appropriate sanctions applied to employees who improperly disposed of PHI.

The Rite Aid settlement and corrective action plan closely mirrored the 2009 CVS settlement discussed above. Often, OCR will follow trends in enforcement, building cases and going after chronic issues of non-compliance across major health care industries. Large-scale national franchises make for easy targets in investigations like these, but the risk is just as material for smaller health care entities as well.


Cornell Prescription Pharmacy (Denver, CO), $125,000 HIPAA Settlement

Cornell Prescription Pharmacy is a small, single-location pharmacy based out of Denver, Colorado. The $125,000 settlement was announced on April 27, 2015 in response to the improper disposal of documents containing the PHI of 1,610 patients.

Perhaps the strictest of the three actions we've discussed, relative to the size of the organization, the settlement came with a pointed statement from OCR Director Jocelyn Samuels: "Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons." Samuels continued, "Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper."

Since taking office in 2014, Samuels has overseen more fines than in the prior nine years combined. And with her focus turning to organizations that have historically been spared from HIPAA enforcement, such as independent pharmacies, the possibility of a HIPAA audit has become a real threat to players across the health care industry.

Massive Data Breach Affects Thousands of NFL Players


The NFL has reported that thousands of players’ health care records were breached in late April after a laptop was stolen from the car of a Washington Redskins trainer.

The records are extensive, dating back a full 13 years. They’re reported to include current and former players’ protected health information (PHI), as well as that of the attendees of the annual scouting Combine.

In an official statement from the NFL to the players’ union about the theft, NFLPA Executive Director DeMaurice Smith said:

The NFLPA [NFL Players Association] has consulted with the U.S. Department of Health and Human Services regarding this matter. The NFLPA also continues to be briefed by the NFL on how they intend to deal with both the breach by a club employee, the violation of NFL and NFLPA rules regarding the storage of personal data, and what the NFL intends to do with respect to notifying those who may be affected. We will keep you apprised of what we hear from the team and League.

The severity of the breach is such that the NFL has contacted the Department of Health and Human Services (HHS), the arm of the federal government that deals with HIPAA enforcement and personal data privacy and security. It's unlikely that the NFL will be prosecuted as a HIPAA Covered Entity in this breach, sparing it potential fines and litigation. HHS has made it clear that high-profile patients' medical records must be afforded the same legal protection as anyone else's. Athletes and celebrities alike face heightened risks to their privacy and are often targeted by attacks on their personal data.

Physical theft continues to plague the health care industry. Paper and physical records are easy targets, but it's becoming apparent that electronic health records (EHR), the long-heralded solution to this industry-wide problem, fall short of any kind of guaranteed security. Though the stolen laptop containing the players' health data was password protected, it wasn't encrypted. A login password only gates the operating system; the drive can be removed and read in another machine, so without full-disk encryption the data is effectively in plaintext for whoever holds the hardware.

Even though there have been industry-wide pushes for EHR adoption and migration away from paper records, the security of those records is tenuous without the accompanying encryption and privacy measures needed to keep them safe.

In a statement given to Deadspin, an NFL spokesperson said that: “We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public.” The spokesperson also confirmed that the NFL’s electronic medical record (EMR) system that encompasses player data for the entire league was unaffected by the breach.

Over 112 million Americans had their health data breached in 2015 alone. In this case, HHS has the opportunity to make a decisive statement on EHR adoption and patients’ rights to privacy in an effort to curb the frightening trend that these massive data breaches are starting to take.

Is Apple Finally Entering the HIPAA Game?


For years, Apple has notoriously avoided stepping into the burgeoning HIPAA-compliant health-tech market. Its peers–tech giants the likes of Amazon, Microsoft, Google, and FitBit–have all willingly begun signing Business Associate Agreements (BAAs), allowing their products and services to be used across the health care industry to store, transmit, or create protected health information (PHI).

So when Business Insider reported on a job listing posted by Apple looking for a “Privacy Counsel” focused on HIPAA and Health, heads rightfully turned.

With the exception of third party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. There are a number of HIPAA compliant messaging and data storage apps that have long been popular with Apple users in the health care field, but its own iMessage service, although end-to-end encrypted, is not covered by a Business Associate Agreement and so remains non-compliant for transmitting PHI.

The job listing itself is vague, asking only for “health privacy expertise” in addition to a slew of requirements that make it clear they’re going for the best in the business to spearhead their interests in HIPAA compliance.

So it seems that Apple is poised to move ahead in a few directions.

They can go the way of Google and develop an end-to-end encrypted messaging service for doctors or other covered entities and business associates. This would serve the function of allowing PHI to be safely transmitted without risking the security or integrity of health data.

The other option is to go the way of health-tech manufacturer FitBit and create a suite of HIPAA-compliant health tracking services for the Apple Watch.

In the year since its release, the Apple Watch has been widely adopted as a health monitoring device. One report from April 2016 indicated that 80% of Apple Watch owners utilize its health and fitness tracking, and 56% say that that’s the primary reason they use it.

With discussions of data security and privacy reaching the national stage, the pressure is mounting against tech companies to take the plunge and begin protecting their customers’ data. Apple CEO, Tim Cook, commented on his plans for the Apple Watch. “One day,” he said, “this is my prediction, we will look back and we will wonder: how can I ever have gone without the Watch? Because the holy grail of the watch is being able to monitor more and more of what’s going on in the body.”

With this renewed focus on health, it’ll be worth watching Apple to see if anything comes of this new job listing and their potential foray into the world of HIPAA compliance.