“Health nuts are going to feel stupid someday, lying in hospitals dying of nothing.”
— Robert Orben
Top Story
After a breach affecting 14,500 employees and patients, Avalon Healthcare has agreed to settle. During an investigation in 2019 by the Oregon and Utah Attorneys General, a HIPAA violation was uncovered.
Who is Avalon Healthcare?
Avalon Healthcare is part of the Avalon Health Care Group, which provides nursing, therapy, senior living, and assisted living, as well as other medical services in Oregon, Utah, California, Nevada, Washington, and Hawaii.
Tell Me About the Breach
A HIPAA breach occurred in July 2019 when an employee responded to a phishing email and disclosed credentials. With those credentials, an unauthorized individual was able to obtain access to information such as names, addresses, Social Security numbers, and much more. The breach went unreported to HHS, and those affected were not notified for 10 months.
So What Has Happened?
Ellen Rosenblum, Oregon Attorney General, and Sean Reyes, Utah Attorney General, launched an investigation into Avalon Healthcare under the HIPAA Security and Breach Notification Rules. The Breach Notification Rule requires that notifications of a breach be issued within 60 days. In Oregon, a notification must be issued within 45 days after the breach is discovered. The investigation found violations of the Oregon Unlawful Trade Practices Act and of HIPAA's breach notification and data security requirements. Avalon Healthcare agreed to settle to avoid further controversy and expense.
The Outcome
Avalon Healthcare agreed to comply with all state laws and HIPAA requirements. They will also develop, implement, and maintain an information security plan. This plan requires data security practices that keep all personal information and health information protected. One individual will be appointed to oversee the security program, and a HIPAA compliance officer will be appointed as well. The security program will include logging and monitoring of the network, multi-factor authentication, email filtering, and security awareness training twice a year. The security training will cover phishing and social engineering and include phishing simulation exercises.
Avalon Healthcare also agreed to develop, implement, maintain, and test a data incident response plan, as well as a risk assessment and risk management program. They will revise their email data retention policies so that data stays in email accounts only for a set amount of time, and they will encrypt all emails containing PHI. Avalon Healthcare must also pay $200,000, to be split equally between the Oregon and Utah Attorneys General. This will cover legal fees, the cost of the investigation, and future enforcement of HIPAA and state law compliance.
Both Attorneys General have been vocal about their commitment to ensuring that the health information individuals entrust to providers is kept safe. Over 14,000 people thought their information was safe with Avalon Healthcare, but unfortunately, they were wrong.
Diamond of the Week
Dr. Jesse Ehrenfeld 💎
Dr. Ehrenfeld has just been chosen to be the new President of the American Medical Association. After watching the impacts of COVID-19, doctor burnout, and other healthcare issues, Dr. Ehrenfeld has high hopes for changes he plans to make in the healthcare system. To read what Dr. Ehrenfeld has to say, click here.
Who’s the WOAT
Medical Debt 😡
A recent survey found that 81% of Americans have medical debt. The majority of this debt comes from essential healthcare. Now people are having to sacrifice their health or their financial security! To read details from this survey click here.
Who Knew
The misconception: HIPAA prohibits all disclosure of patient information without explicit consent.
WRONG! While HIPAA does impose strict regulations on the use and disclosure of protected health information (PHI), it also allows for certain circumstances where disclosure is permitted without obtaining individual authorization. For example, healthcare providers may disclose PHI for treatment purposes, payment activities, and healthcare operations. Additionally, there are situations where PHI can be shared for public health activities, law enforcement purposes, or in cases involving a serious threat to health and safety. It’s important to understand that HIPAA provides a framework to safeguard patient privacy, but it also recognizes the need for information exchange in various healthcare settings to ensure appropriate care and support public health efforts.
Upcoming Events
June 28th at 11 am CDT: HIPAA $100 Challenge
A Round of Applause For…
Carosh’s CEO Roger Shindell 👏
Roger just hosted an extremely successful webinar for potential investors! If you missed it and want to watch the video, or are interested in investing in Carosh, click here.
Sources:
- Alder, Steve. “Avalon Healthcare Settles HIPAA Case with Oregon and Utah State AGs and Pays $200,000 Penalty.” The HIPAA Journal, 1 Jan. 2023, www.hipaajournal.com/avalon-healthcare-settles-hipaa-case-with-oregon-and-utah-state-ags-and-pays-200000-penalty/. Accessed 1 Apr. 2023.
Carosh Compliance Solutions, 10769 Broadway #106, Crown Point, IN, 46307