Healthcare news and compliance from The Fulcrum Group

Looking for compliance guidance and a solid IT strategy for your healthcare-based organization? Check here for healthcare news and compliance alerts from the IT experts at The Fulcrum Group. This page is divided into several sections, from news to general healthcare information to security alerts.

Just click on your section of interest below and you’ll be taken directly to relevant topics:



General Healthcare Information

Breach Notification

Recurring Security Risk Analysis

Business Associate Agreements

Recent Breaches and News 


General Healthcare Information (45 CFR Part 160 and Part 164)

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act form a set of national standards that help healthcare and healthcare-related entities apply appropriate safeguards to protect the privacy of personal health information.

The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.


Check out the Security Rule Educational Paper Series section of the link below for beginner information on HIPAA Security guidance.


HHS presentation on HIPAA Final Rule (sometimes referred to as Omnibus Rule) updated in January 2013


Nice glossary of HIPAA terms


Covered Entities and Business Associates explained


HIPAA FAQs, if you are searching for specific information


Sign up for the OCR listserv that emails out updates. The Security listserv sends out a monthly Cybersecurity Guidance document.


HIPAA Toll Free Numbers

CMS now has a toll-free HIPAA Hotline, (866) 282-0659, and an email contact available. For questions on HIPAA privacy regulations, contact the HHS Office for Civil Rights at (800) 368-1019.



Breach Notification (45 C.F.R. § 164.408)

A breach is generally defined as an unauthorized use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. If you have any questions, you may call HHS OCR toll-free at 1-800-368-1019 (TDD: 1-800-537-7697) or send OCR an email.


HHS breach notification page (you can submit breach information here)


Breach report detailing reported breaches affecting over 500 records



Recurring Security Risk Analysis (45 C.F.R. § 164.308)

A Meaningful Use Core Measure is to conduct a comprehensive risk analysis. Stage 2 includes addressing encryption and driving mitigation as part of your risk management process. You should apply updates at least once prior to the end of the EHR reporting period and attest to that conduct or review. A larger entity would conduct a risk analysis at least annually and after major network changes, but a smaller provider or business associate might only conduct one every 2-3 years.


OCR kicks off Phase 2 of its HIPAA Audit Program. Audits are underway, so be sure to exclude OCR's audit email address from your spam filter. Anyone is eligible, but sampling criteria for auditee selection will include the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.


HHS Guidance on Risk Analysis


The National Institute of Standards and Technology (NIST) has issued the 800 series of Special Publications, which cover a variety of security topics. NIST Special Publication 800-30 Revision 1 is a comprehensive Guide for Conducting Risk Assessments (but at 95 pages it is not for the faint of heart).



Business Associate Agreements (45 C.F.R. § 164.504(e))

Guidance on Business Associates and contracts


A post-Omnibus sample agreement with some standard provisions for firms to ensure compliance


Good BA information including a list at the bottom with advice on who is typically a BA, who might be a BA and who is usually an exception


OCR template to help organize your list of BAAs


Importance of updating your BAAs 



Recent Breaches and News

1/10/2017 – OCR levies its first enforcement action and fine for a slow response to a breach. OCR fined the organization $475,000 and stipulated a corrective action plan that covers how the organization handles potential breach response, completes breach assessments, and revises workforce sanction policies to ensure compliance with the Breach Notification Rule.

The Press Release, Resolution Agreement, and Corrective Action Plan may be found on the OCR website.


12/20/2016 – OCR releases a fact sheet providing details on how Covered Entities can share PHI when supporting health initiatives through public health agencies. You may find the new Fact Sheet on ONC's website.


11/14/2016 – $2.14M penalty highlights the importance of conducting a risk analysis when making changes to the environment, and of making that analysis enterprise-wide. Read more here.


11/14/2016 – $400k penalty underscores the importance of reviewing and updating business associate agreements. Read more…


11/14/2016 – HHS and ONC release guides to help clinicians select EHR solutions and get the most out of the relationship. Details here.


8/04/2016 – Advocate Health Care settles potential HIPAA penalties for $5.55 million, the largest single-entity penalty to date. Challenges spotlighted here were: poor risk assessment, lack of good physical security, poor BA follow-up and lack of encryption.


7/19/2016 – HHS OCR Offers New Materials for Covered Entities – Tools To Help
Earlier this year, HHS OCR finalized the rule under Section 1557 to advance health equity and reduce health disparities by strengthening protections for some of the populations that have been most vulnerable to discrimination in the health care context.  Section 1557 is the nondiscrimination provision of the Affordable Care Act and states that individuals cannot be subject to discrimination based on their race, color, national origin, sex, age or disability.

As of Monday, July 18, 2016, certain health care and coverage providers are subject to new requirements under Section 1557 and are expected to ensure their programs are in compliance with the law.  HHS OCR has added a number of downloadable resources to our website to reduce burden for covered entities.  Certain parts of the rule have a delayed applicability date and we encourage covered entities to review the procedural requirements of the final rule.

Available Materials:

  • Training materials for health care providers and employees of health programs and insurance issuers have also been added to our website. These training materials include a slide deck and a presenter’s guide. Click here for training materials.
  • Covered entities with 15 or more employees are required to have a grievance procedure and a compliance coordinator. A model grievance procedure is available on our website.
  • Beginning October 17, 2016, covered entities will be required to post Notices of Nondiscrimination and Taglines that alert individuals with limited English proficiency (LEP) to the availability of language assistance services.  Sample documents of a Notice of Nondiscrimination, Statement of Nondiscrimination and Taglines are available for download in 64 languages. Click here for translated materials.

Additional information about Section 1557, including fact sheets on key provisions and frequently asked questions, is also available on our website. These materials are translated into the top 15 languages nationally. For questions about Section 1557 and the availability of materials, contact HHS OCR.


7/18/2016 – Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University. The importance of encrypting repositories holding ePHI is illustrated here; both laptops and USB drives are referenced.


6/30/2016 – Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the theft of a CHCS mobile device compromised the protected health information (PHI) of hundreds of nursing home residents.


Ever wondered if your Book of Evidence would stand up to an audit? HHS released details on its updated Audit Protocol (revised to reflect the Omnibus Final Rule) to help with preparation. But we’d caution against assembling JUST this information. Links to the pre-screening questionnaire and audit protocol are below.


2016-04-20 – Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) settles for $750k after sending x-ray film to a BA for digitizing with no BAA in place prior to the transfer.


2016-04-15 – Planning on building a mobile application for healthcare but want to be protected? Learn what you need to know about Federal laws with this interactive tool.


2016-02-16 – Complete P.T., Pool & Land Physical Therapy, Inc., a physical therapy provider, settles potential violations for $25k after impermissibly disclosing patient information.


2016-02-03 – North Memorial Health Care hit with a $1.55 million settlement and a robust corrective action plan for having no BAA with a major contractor and no risk analysis.


The ITRC (Identity Theft Resource Center) provides help to identity theft victims and produces several reports. Check out its breach report for the year.


2015-12-14 – The University of Washington Medicine (UWM) settles for $750k for lacking an organization-wide risk analysis.


2015-11-24 – Lahey Hospital and Medical Center (Lahey) pays $850k for issues related to users of medical devices.


2016-02-16 – Cancer Care Group, P.C. pays $750k for issues related to risk analysis and device and media control policies.