
3 Reasons To Be Thankful – Ep 383 

 November 25, 2022

By  Donna Grindle

As we celebrate Thanksgiving, we thought it would be a good idea to cover three reasons why you should be thankful. Or better yet, three situations you should be thankful that you’re not caught up in… unless, unfortunately, you are.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


3 Reasons To Be Thankful

[05:36] 3 “situations” you are not caught up in nor are we!

1 – Meta Pixel mess causing concern for insurance providers. This notice was distributed by Tokio Marine:

ALERT TO POLICYHOLDERS: Class Actions against Organizations for Using Meta Pixel for Violating Privacy Laws

We’re seeing hundreds of healthcare providers and other businesses targeted by class action lawsuits across the country, alleging the unauthorized disclosure of personally identifiable information (PII) and personal health information (PHI), and seeking civil damages for each disclosure. PII and PHI was gathered through the use of a tracker called Meta Pixel. Potential exposure from this litigation may be significant, and we wanted to be sure you are aware. Recently, a class action against a healthcare organization in the Northeastern United States alleging unauthorized disclosure of PHI, in part because of the Meta Pixel, resulted in a settlement of $18.4 million.

In addition to the exposure organizations may face from class action lawsuits, breach notifications and regulatory enforcement may also cause significant expense. The allegations of unauthorized disclosure of PHI and/or PII may thus be a violation of HIPAA as well as relevant state privacy laws prohibiting the unauthorized disclosure of PII/PHI to third parties. In just the past month, two large health systems have sent data breach notifications to approximately 3.5 million patients because of Meta Pixel.

They recommend you remove all Meta Pixels from your website:

We strongly encourage you to identify any specific forms or pages on your company websites containing Meta Pixel and remove it using the following information:
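An added example, not part of the Tokio Marine notice or the show notes: one way to find the forms and pages that carry the pixel is to scan each page's HTML for the markers of the standard Meta Pixel snippet (the `fbevents.js` loader, the `fbq('init', …)` call and the `facebook.com/tr` image beacon). The page paths and pixel ID below are constructed sample data.

```python
import re

# Markers of the standard Meta Pixel base snippet.
LOADER = re.compile(r"connect\.facebook\.net/[^\"'\s]+/fbevents\.js", re.I)
INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
EVENT = re.compile(r"fbq\(\s*['\"]track(?:Custom)?['\"]\s*,\s*['\"]([^'\"]+)['\"]")
BEACON = re.compile(r"facebook\.com/tr/?\?[^\"'\s>]*?\bid=(\d+)", re.I)
FORM = re.compile(r"<form\b", re.I)


def scan_page(html):
    """Return pixel evidence found in one page's HTML, or None if clean."""
    ids = sorted(set(INIT.findall(html)) | set(BEACON.findall(html)))
    loader = bool(LOADER.search(html))
    if not ids and not loader:
        return None
    return {
        "pixel_ids": ids,
        "loader": loader,
        "events": sorted(set(EVENT.findall(html))),
        "has_form": bool(FORM.search(html)),  # forms are where PHI is entered
    }


def audit(pages):
    """pages maps path -> HTML. Returns findings, pages with forms first."""
    findings = [{"path": p, **hit} for p, html in pages.items()
                if (hit := scan_page(html))]
    return sorted(findings, key=lambda f: (not f["has_form"], f["path"]))


# Constructed sample pages (hypothetical paths and pixel ID).
SAMPLE_PAGES = {
    "/appointments.html": """<html><head><script>
      load('https://connect.facebook.net/en_US/fbevents.js');
      fbq('init', '1234567890'); fbq('track', 'PageView');
    </script></head><body><form action="/book"><input name="reason"></form>
    <noscript><img src="https://www.facebook.com/tr?id=1234567890&ev=PageView"/>
    </noscript></body></html>""",
    "/about.html": "<html><body><p>Our providers</p></body></html>",
    "/blog.html": "<img src='https://www.facebook.com/tr?id=1234567890&amp;ev=PageView'>",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGES):
        print(finding)
```

A static scan like this does not see a pixel that a tag manager injects at runtime, so also check the browser's network requests for `connect.facebook.net` on the same pages.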

2 – Memphis hospital employees

[14:57]

Former Methodist employees charged with HIPAA violations

United States Files Suit Against Methodist Le Bonheur Healthcare And Methodist Healthcare-Memphis Hospitals | USAO-MDTN | Department of Justice

Five Former Methodist Hospital Employees Charged with HIPAA Violations | USAO-WDTN | Department of Justice

Between Nov 2017 and Dec 2020, Roderick Harvey paid five Methodist Hospital employees to give him the names and phone numbers of patients who had been involved in car accidents. Harvey then sold that information to other people, including personal injury attorneys and chiropractors.

Harvey was charged with conspiracy for unlawfully disclosing patient information in violation of HIPAA as well as 7 counts of obtaining patient information with the intent to sell it for financial gain. The 5 former Methodist employees were each charged with separate violations of disclosing the information to Harvey in violation of HIPAA.

We’ve said this before: you, as an individual, can be held personally liable for violating HIPAA if you do so with malicious intent or for monetary gain.

3 – PA patient representing 84k in suit?

[21:37]

Pa. healthcare firm sued over data breach that compromised files containing patient data – pennlive.com

Family Practice Center

Family Practice Center (FPC) in Pennsylvania, with 40 facilities in the center of the state, had some sort of a cyber attack in Oct 2021 affecting nearly 84,000 patients. One patient has filed suit, on behalf of the 84,000 patients, against FPC for failing to implement reasonable measures to ensure personal and health information was safeguarded. The suit points out that FPC did not announce the breach until June 2022. It seems letters to the affected patients didn’t go out until July 2022.

This case is dicey. Aside from the cyberattack itself, it appears FPC didn’t send their notifications within the 60-day time frame required under HIPAA. It’s not clear why it took so long. But, needless to say, they will be under an OCR investigation at some point as well.

Building a robust privacy and security program can help prevent things from going wrong. More important, when things do go wrong, you can prove that you have a privacy and security program in place and documentation of the safeguards you’ve implemented. Showing that you have taken reasonable and appropriate steps to protect patients and their data, and that you have a response plan in place for when things go wrong, can help limit the damage to your business as well as your patients.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
