Healthcare news and compliance from The Fulcrum GroupHealthcare News- Protect your practice, hospital or business associate

Finding it hard to get current healthcare news? Looking for compliance guidance and a solid IT strategy for your healthcare based organization? Check here for healthcare news and compliance alerts from the IT experts at The Fulcrum Group.  This page is divided into several sections from news to general healthcare info to security alerts.

Just click on your section of interest below and you’ll be taken directly to relevant topics:

Latest Healthcare Blog

General Healthcare Information

Breach Notification

Recurring Security Risk Analysis

Business Associate Agreements

Recent Breaches and News 

IMPORTANT REMINDER:  The March 1st deadline for reporting Minor Breaches (fewer than 500 records) to HHS is fast approaching! Any healthcare provider or vendor that has had a breach of unsecured protected health information (PHI) must submit their annual reports if they haven’t done so already. Click here to report!

Latest Healthcare Blog

10/9/2019 – Cybersecurity Tips for Healthcare Executives & Leaders

9/12/2019 – Interesting HIPAA Facts

7/22/2019 – How To Avoid Multi-Million Dollar HIPAA Phone & Data Penalties

1/3/2018  What Is a HIPAA Business Associate Agreement (BAA)?

General Healthcare News and HIPAA Privacy Information 45 CFR Part 160 and Part 164   

Healthcare HIPAA Compliance

Health Insurance Portability and Accountability (HIPAA) Act and The Health Information Technology for Economic and Clinical Health (HITECH) Act form a set national standards to assist healthcare and healthcare related entities to apply appropriate safeguards to protect the privacy of personal health information.

– The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164

– The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164

Breach Notification Rules 45 C.F.R. § 164.408 and Information

Generally defined as an unauthorized use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. If you have any questions, you may call HHS OCR toll-free at: 1-800-368-1019, TDD: 1-800-537-7697 or send an email to

HHS breach notification page (you can submit breach information here)

Breach report detailing activity over 500 records compromised

Recurring Security Risk Analysis 45 C.F.R § 164.308 

A Meaningful Use Core Measure is to conduct a comprehensive risk analysis. Stage 2 includes addressing encryption and driving mitigation as part of your risk management process. You should apply updates at least once prior to the end of the EHR reporting period and attest to that conduct or review. A larger entity would conduct at least annually and after major network changes but a smaller provider or business associate might only conduct every 2-3 years.

OCR kicks off its Phase 2 of HIPAA Audit Program. Audits are underway so be sure to exclude from your spam filter. Anyone is eligible but    sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

HHS Guidance on Risk Analysis

The National Institute of Standards and Technology has issued 800 Series of Special Publications that cover a variety of security topics. NIST Special Publication 800-30

Revision 1 is a comprehensive Guide for Conducting Risk Assessments (but at 95 pages is not for the faint of heart).

Business Associate Agreements 45 C.F.R. § 164.504(e)

Recent Breaches, Penalties and Healthcare News    healthcare data breach prevention

  • 5/31/2017 – eClinicalWorks sued for false claims.
  • 2/16/2017 – Memorial Healthcare System (MHS) pays $5.5 million for poor audit controls. The login credentials of a former employee were used to continue accessing PHI.
  • 1/10/2017 – OCR levies first enforcement and fine for slow response to breach notification. They have fined the organization $475,000 and stipulated a corrective action plan that includes how they handle potential breach response, completing breach assessments, revising policies covering workforce sanctions covering compliance with the Breach Notification Rule. There was a delay after paper-based operating room schedules with PHI went missing.
  • 12/20/2016 – OCR releases fact sheet providing details on how Covered Entities can share PHI when supporting health initiatives through public health agencies. You may find the new Fact Sheet on ONC’s website, here.
  • 11/14/2016 –  HHS and ONC release guides to help clinicians select EHR solutions and get the most out of the relationship.
  • 10/18/2016 – St. Joseph Health (SJH) $2.14m penalty hits on importance of conducting a broad and deep risk analysis when making changes to the environment. Their file sharing server was publicly accessible using a default setting. and their risk analysis efforts conducted in a patchwork fashion.
  • 09/23/2016 – Care New England Health System (CNE) pays $400k penalty for lack of reviewing and updating business associate agreements after they lost  unencrypted backup tapes.
  • 8/04/2016 Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million, the largest single entity penalty to date.  Challenges spotlighted here were poor risk assessment, lack of good physical security, poor BA follow-up and lack of encryption.
  • 7/19/2016  HHS OCR Offers New Materials for Covered Entities – Tools To Help. Earlier this year, HHS OCR finalized the rule under Section 1557 to advance health equity and reduce health disparities by strengthening protections for some of the populations that have been most vulnerable to discrimination in the health care context.  Section 1557 is the nondiscrimination provision of the Affordable Care Act and states that individuals cannot be subject to discrimination based on their race, color, national origin, sex, age or disability.
    • As of Monday, July 18, 2016, certain health care and coverage providers are subject to new requirements under Section 1557 and are expected to ensure their programs are in compliance with the law.  HHS OCR has added a number of downloadable resources to our website to reduce burden for covered entities.  Certain parts of the rule have a delayed applicability date and we encourage covered entities to review the procedural requirements of the final rule.
      • These training materials include a slide deck and a presenter’s guide.
      • Covered entities with 15 or more employees are required to have a grievance procedure and a compliance coordinator. A model grievance procedure is available on our website.
      • Beginning October 17, 2016, covered entities will be required to post Notices of Nondiscrimination and Taglines that alert individuals with limited English proficiency (LEP) to the availability of language assistance services.  Sample documents of a Notice of Nondiscrimination, Statement of Nondiscrimination and Taglines are available for download in 64 languages. Click here for translated materials.
      • Additional information about Section 1557, including fact sheets on key provisions and frequently asked questions, are also available on our website.
      • These materials are translated in the top 15 languages nationally. For questions about Section 1557 and the availability of materials, contact HHS OCR at
  • 7/18/2016 Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University  The importance of protecting all repositories with ePHI is illustrated here as they used a cloud-based server without a business associate agreement.
  • 2016-06-30 Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to $650,000 HIPAA Settlement after the Business Associates’s employee lost an unencrypted iPhone that also had no password. They had no policy for mobile devices or incident response.