Colington Consulting

Helping Organizations Achieve HIPAA Compliance™ All assessments will include an action plan to prevent unauthorized access, tampering and theft.

HIPAA RISK ASSESSMENTS
The risk analysis is the first step to identify vulnerabilities and risks; determine the potential impact and provide a gap analysis. Our assessment is formatted to cover all the addressable and required specifications in the Code of Federal Regulations for the HIPAA Security Rule.

HIPAA RISK MANAGEMENT PLAN
We develop and help your practice or business implement a Risk Mana

OCR’s 2024 HIPAA Audits & Clarification on Breach Reporting 06/04/2024

Read the latest blog post regarding the OCR proposed 2024 HIPAA audits and clarification on breach reporting requirements by Jay Hodes, President - Colington Consulting.

OCR’s 2024 HIPAA Audits & Clarification on Breach Reporting By Jay Hodes, President – Colington Consulting

How HHS OCR Is Boosting HIPAA Enforcement; Here Come Audits 05/10/2024

Our company conducts many initial consultations with potential clients. What we find is that some organizations are not as far along with the process of implementing and maintaining a comprehensive HIPAA compliance program as they think they are. With OCR talking about increased enforcement activity, consider this a fair warning. If your organization is not in a defensible position and cannot withstand an audit of your HIPAA compliance program, please reach out to schedule a free, initial consultation. Don't wait until OCR is knocking on your door.

How HHS OCR Is Boosting HIPAA Enforcement; Here Come Audits As the Department of Health and Human Services works on a proposed update to the HIPAA Security Rule this year, regulators are also ratcheting up enforcement

Self-Insured Group Health Plans and HIPAA Requirements 03/11/2024

Is your organization considering becoming a self-insured group health plan? With some exceptions, the organization will need to implement a HIPAA compliance program if going this route. Read our short and to the point blog article to get a quick overview of the process.

Self-Insured Group Health Plans and HIPAA Requirements Some organizations are bringing their employee health plan options in house as a self-insured group health plan. Although, this conversion may not be right for certain companies based on several reasons and issues. Our s...

Challenges of Maintaining HIPAA Compliance in 2024 - Medical Webinar 03/01/2024

On Tuesday, March 5, at 11 AM EST, Jay Hodes, President - Colington Consulting will be hosting a webinar titled "Challenges of Maintaining HIPAA Compliance in 2024." Jay will cover 8 specific challenges he sees organizations face in meeting HIPAA compliance requirements this year. Please join Jay for this informative session.

Challenges of Maintaining HIPAA Compliance in 2024 - Medical Webinar HIPAA can be complicated!! Knowing what an organization must have in place to meet regulatory requirements can be challenging. For anyone tasked with managing a HIPAA compliance program, understanding the HIPAA security and privacy management process is critical to implementing a comprehensive compl...

OCR Releases Guidance for Implementing the HIPAA Security Rule 02/19/2024

Check out our latest blog post regarding OCR's release of updated guidance for implementing HIPAA Security Rule requirements.

OCR Releases Guidance for Implementing the HIPAA Security Rule On February 16, the U.S. Department of Health and Human Services (HHS) released of the final version of Special Publication 800-66 Rev. 2, titled “Implementing the Health Insurance Portability and Accountability Act (HIP...

Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and Montefiore 02/07/2024

Yesterday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Montefiore Medical Center (MMC), a non-profit hospital system based in New York City for several potential violations in the amount of $4.75 Million.

According to the Resolution Agreement, MMC submitted a breach notification to OCR in July 2015, indicating "one of its employees inappropriately accessed patient account information, including the patient’s name, address, SSN, next of kin, and health insurance information, of 12,517 patients from its electronic medical record system and then sold certain patient information to an identity theft ring."

Subsequently, OCR initiated a malicious insider cybersecurity investigation. The investigation revealed a plethora of potential HIPAA Rules violations.

A lot of lessons learned here for organizations who lack the implementation and proper oversight of their HIPAA compliance programs. Read the entire agreement with link provided below.

Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and Montefiore

How 2023 Broke Long-Running Records for Health Data Breaches 02/02/2024

No surprises here with 2023 being the worst year ever for healthcare data breaches in the U.S. In comments provided by HHS OCR for this article, organizations "should ensure they are implementing all of the HIPAA Security Rule requirements." This starts with the basic foundation of conducting an accurate and thorough HIPAA Security Risk Assessment (SRA), regardless of organization size or the amount of ePHI being stored, accessed, or utilized. If your organization needs to have an SRA conducted, give us a call at 844-740-7100 and we can quickly get this scheduled for you.

How 2023 Broke Long-Running Records for Health Data Breaches Thanks to the massive Anthem hack, for nearly a decade 2015 has been the record year for U.S. health data breaches - with 112.5 million people affected. But 2023

Attorney General James Secures $300,000 from NewYork-Presbyterian Hospital for Failing to Protect Patient Data 01/02/2024

Although we have yet to see any enforcement action by HHS OCR regarding tracking technologies, the New York State Attorney General has jumped out as the first agency to do so. The settlement, announced on December 27, 2023, said the NewYork-Presbyterian Hospital agreed to pay "$300,000 for its use of third-party tools that disclosed the protected health information of people who visited its website."

Attorney General James Secures $300,000 from NewYork-Presbyterian Hospital for Failing to Protect Patient Data NEW YORK – New York Attorney General Letitia James today secured $300,000 from The NewYork-Presbyterian Hospital (NYP) for disclosing the health information of

Understand the HIPAA Privacy Rule and the Use of Tracking Technologies - Medical Webinar 12/05/2023

On Tuesday, December 12, at 1 PM EST, Jay Hodes, President of Colington Consulting, will conduct a webinar titled "Understand the HIPAA Privacy Rule and the Use of Tracking Technologies." With recent OCR guidance and the threat of enforcement actions, please join Jay for this informative webinar.

Understand the HIPAA Privacy Rule and the Use of Tracking Technologies - Medical Webinar If you are a healthcare organization that has vendors providing services that utilize tracking technologies, you must understand the requirements found within the HIPAA Privacy Rule. Tracking technologies are used to collect and analyse information about how users interact with covered entities webs...

HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter 11/21/2023

Interesting settlement for an impermissible disclosure of PHI. If you take a look at the Resolution Agreement, Appendix A, V. Corrective Action Obligations, the organization is now required to have a "workforce member actively monitor all photography, video recording, and audio recording conducted on [the organization's] premises by a third party including for purposes not related to medical treatment or health care operations in compliance with the Privacy Rule."

Organizations have as much culpability under the HIPAA Privacy Rule as they do under the HIPAA Security Rule. The Security Rule requires a risk assessment, whereas the Privacy Rule does not.

This is why, as part of our process, we conduct a HIPAA Privacy Rule Assessment and provide a great deal of education regarding permitted and authorized disclosures. Even after almost 30 years of HIPAA being enacted, there is still confusion about when and how PHI can be properly disclosed.

HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter

HIPAA Compliance: Learning from Mistakes Others Have Made - Medical Webinar 10/16/2023

Tomorrow at 1 PM EDT, Jay Hodes, President - Colington Consulting, will be conducting a webinar titled "HIPAA Compliance: Learning from Mistakes Others Have Made." The webinar will break down recent HIPAA enforcement cases showing how organizations failed to comply with some basic compliance requirements. There is still time to register for this webinar.

HIPAA Compliance: Learning from Mistakes Others Have Made - Medical Webinar To date, more than $135 million in HIPAA fines and penalties have been imposed since the HIPAA violation enforcement began. This webinar will closely examine actual HIPAA enforcement case examples to see what areas of HIPAA compliance were not clearly met. The goal is to help organizations try and a...

09/29/2023

Conducting a Security Risk Assessment is a critical HIPAA requirement. It determines potential vulnerabilities and threats to an organization's electronic protected health information. Our comprehensive process also addresses HIPAA Privacy Rule, Breach Rule Notification, HIPAA related Information Security, and Facility Security requirements, as part of the assessment. We also review an organization's overall HIPAA compliance program to determine any gaps.

Organizations looking to earn a score greater than zero for the Promoting Interoperability performance category for MIPS must conduct and attest to completing a Security Risk Assessment.

Security Risk Assessments must be completed regardless of the size of the organization, and the requirement also applies to HIPAA Business Associates.

Schedule your organization's risk assessment today. Give us a call at 844-740-7100 for more information.

HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations 09/11/2023

OCR just announced a significant settlement of $1.3 million with LA Care, one of the largest health plan providers in the country. There were substantial "potential" violations found by OCR, which included failure to conduct an organization-wide risk assessment and failure to implement sufficient procedures to regularly review records of information system activity.

LA Care agreed to a comprehensive corrective action plan for three years to ensure compliance with HIPAA requirements.

HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations Press release for OCR L.A. Health Plan

How to Manage the HIPAA Business Associate Process - Medical Webinar 08/28/2023

This Thursday at 1 PM EDT, Jay Hodes, President - Colington Consulting, will be conducting a webinar titled "How to Manage the Business Associate Process" hosted by Medical Webinar. Please join Jay for this educational webinar that will include a significant portion regarding the use of online tracking technologies.

How to Manage the HIPAA Business Associate Process - Medical Webinar If you are a healthcare organization that has vendors providing services as a HIPAA Business Associate, managing this process can be confusing. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health inform...

08/25/2023

Yesterday, OCR announced on their Privacy and Security Listserv accounts another settlement in their Right to Access initiative. This case involving United Healthcare Insurance Company was settled for $80,000 with the company agreeing to implement a corrective action plan. From an enforcement perspective, these types of cases are low hanging fruit and easy to investigate.

According to OCR's HIPAA News Releases, it appears only six HIPAA related cases have been settled so far this year. Although the enforcement trends seem to favor the healthcare sector, it does not lessen the burden for organizations to implement and maintain a comprehensive HIPAA compliance program.

Is your organization's HIPAA compliance program still on summer vacation? With summer coming to an end, now may be the time to focus on critical regulatory requirements.

We can quickly evaluate your organization's HIPAA compliance program with a free, initial consultation. Please give our office a call at 844-740-7100 to schedule a consultation.

Third-Party Data Tracking on Hospital Websites Raises Patient Privacy Concerns 08/21/2023

Jay Hodes, President of Colington Consulting, provided comments for this article. Does your healthcare organization know and understand the use of tracking technologies and the regulatory requirements HIPAA calls for? If not, give our office a call at 844-740-7100 for a free, initial consultation to discuss this topic.

Third-Party Data Tracking on Hospital Websites Raises Patient Privacy Concerns Hospitals may have to step up their game to protect user information on their websites, given the recent attention to the largely unregulated universe of third-party data transfers. About 98 percent of all acute care US hospitals use tracking software that captures data pertaining to patient visits,...

Vendor Data Breach Impacts 1.7M Oregon Health Plan Members 08/09/2023

Add more reported HIPAA data breaches to the list. As OCR has indicated in the past, most ransomware attacks will be considered reportable breaches.

Does your organization understand how to conduct a breach risk assessment utilizing the 4 factors of probability? If not, give us a call at 844.740.7100 for a free, initial consultation and we will be pleased to discuss the process.

Vendor Data Breach Impacts 1.7M Oregon Health Plan Members Other recent incidents reported recently include a major ransomware attack against Prospect Medical Holdings and a data breach at the Chattanooga Heart Institute.

Former Methodist Hospital Employees Plead Guilty to HIPAA Violations 05/02/2023

It is rare to see criminal prosecutions for HIPAA violations. All defendants pleaded guilty and sentencing is upcoming for most.

Former Methodist Hospital Employees Plead Guilty to HIPAA Violations Department of Justice U.S. Attorney’s Office Western District of Tennessee FOR IMMEDIATE RELEASE Tuesday, April 25, 2023 Former Methodist Hospital Employees Plead Guilty to HIPAA Violations Memphis, TN – Five former Methodist Hospital Employees and Roderick Harvey, 41, of Memphis, have pled guil...

HIPAA Key Fact: Disposing of PHI 02/20/2023

Read our latest HIPAA Key Fact article regarding what needs to be in place for an organization to dispose of any PHI or ePHI.

HIPAA Key Fact: Disposing of PHI Our series is designed to explain best practices about HIPAA compliance, HIPAA settlements, and the various requirements an organization must have in place under the HIPAA Security & Privacy Rules.

HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking 02/03/2023

In the first HIPAA Security Rule settlement of the year and the first since last July, OCR announces Banner Health will pay $1.25 million for a cybersecurity breach that affected 2.81 million individuals.

Last year, hacking accounted for 80% of the reported HIPAA breaches that occurred. That statistic and this case send a strong message to the healthcare sector: it is time to up your game when it comes to cybersecurity safeguards.

HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking

Hacking Accounted For Nearly 80% of Healthcare Data Breaches Last Year 01/24/2023

This is not surprising at all.

Hacking Accounted For Nearly 80% of Healthcare Data Breaches Last Year In past years, unauthorized disclosures, loss, theft, and improper disposal accounted for more healthcare data breaches than malicious hacking.

01/06/2023

This week OCR announced another settlement in their HIPAA Right of Access Initiative. In this case, Life Hope Labs based in Sandy Springs, Georgia, agreed to implement a corrective action plan and pay $16,500 to resolve this investigation. In the complaint, OCR alleged Life Hope Labs took over seven months to provide a personal representative with a copy of her deceased father’s medical records.

The big picture perspective is that these are easy cases to investigate and seem to be very low hanging fruit from an enforcement perspective. With over 800 open investigations of breaches affecting more than 500 individuals, OCR seems content these days to focus more on HIPAA Privacy Rule violations than on Security Rule enforcement.

HIPAA Breach Rule Notification Requirements 12/30/2022

Read our latest blog post regarding HIPAA Breach Rule notification requirements.

HIPAA Breach Rule Notification Requirements HIPAA Key Fact: HIPAA Breach Rule Reporting

Managing the Evolving Cyber Risk Posed by Third Parties 12/23/2022

Great interview by Marianne Kolbasuk McGee. As a Covered Entity, the concept of vetting Business Associates (BA) prior to signing a Business Associate Agreement is clearly trending in the healthcare sector.

At Colington, we can conduct vendor security assessments and provide an expert opinion to determine if a BA has the necessary safeguards in place to receive, store, create, or transmit a Covered Entity's ePHI. We have also customized topic questions specifically for the organization.

For more information, give our office a call at 844-740-7100.

Managing the Evolving Cyber Risk Posed by Third Parties As major cyber incidents involving vendors surge, healthcare entities must carefully and continuously scrutinize the security practices of their third-party

OCR Settles Another HIPAA Right of Access Case 12/16/2022


OCR Settles Another HIPAA Right of Access Case On December 15, The HHS Office for Civil Rights (OCR) announced another settlement of their HIPAA Right of Access Initiative. According to the information released through the OCR Listserv, "Health Specialists of Centra...

12/15/2022

Yesterday, OCR announced a $23,000 settlement for the impermissible disclosure of patient protected health information (PHI) in response to online reviews. According to the OCR listserv, New Vision Dental, based in California, disclosed PHI, including patient names, treatment, and insurance information, which is clearly a HIPAA violation.

New Vision will be required to be under a Corrective Action Plan monitored by OCR for two years.

How do organizations prevent these types of cases from occurring? By having a HIPAA related Social Media Policy in place. If your organization needs to develop a comprehensive policy to address this topic, we can help. Give our office a call at 844.740.7100 to schedule a free, initial consultation.

Use of Healthcare Related Tracking Technologies 12/13/2022

If healthcare organizations are utilizing any website tracking technologies, please be aware of a recent bulletin issued by OCR.

Use of Healthcare Related Tracking Technologies On December 1, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a bulletin to highlight the obligations of HIPAA covered entities and business associates under the HIPAA ...

Improve Your Organization's Cybersecurity & Prevent Data Breaches 12/06/2022

We would like to thank Gabby Williams, from Hushmail, who authored this guest post on our blog site. Very informative article regarding cybersecurity safeguards to deploy to address the persistent threats to electronic protected health information.

Improve Your Organization's Cybersecurity & Prevent Data Breaches Guest article authored by Gabby Williams – Content Specialist at Hushmail

Developing HIPAA Policies and Procedures | AssentGlobal 11/29/2022

Does your organization understand how to develop HIPAA policies and procedures, know what must be covered, and know how to implement them? If not, join Jay Hodes, President of Colington Consulting, on December 5 for a webinar covering these topics.

For anyone tasked with managing a HIPAA compliance program, it is critical to have the comprehensive policies and procedures in place. Find out how to create policies and procedures or see if your current ones address all the required topics.

Developing HIPAA Policies and Procedures | AssentGlobal

Five Former Methodist Hospital Employees Charged with HIPAA Violations 11/23/2022

On rare occasion, individuals can be charged with HIPAA violations. This case was more than just chart snooping and involved a conspiracy charge according to the indictment for one of the individuals. The press release did not indicate how the case was uncovered.

Five Former Methodist Hospital Employees Charged with HIPAA Violations Department of Justice U.S. Attorney’s Office Western District of Tennessee FOR IMMEDIATE RELEASE Thursday, November 10, 2022 Five Former Methodist Hospital Employees Charged with HIPAA Violations Memphis, TN – A federal grand jury has indicted five former Methodist Hospital Employees for conspir...


Address

Fairfax County, VA 22009

Opening Hours

Monday 9am - 5pm
Tuesday 9am - 5pm
Wednesday 9am - 5pm
Thursday 9am - 5pm
Friday 9am - 5pm