Category Archives: HIPAA, Privacy, and Data Security


Ransomware Targeting Hospitals and Healthcare Providers

While fighting a surge of new coronavirus infections in many parts of the country, healthcare providers must also be prepared to defend against ransomware. On October 28, 2020, the FBI, the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning of “credible information of an increased and imminent” …

New FBI Alert to Healthcare Providers – Beware of COVID-19 Phishing Campaigns

Healthcare providers are under siege, not only from the COVID-19 pandemic, but also from cyber criminals. Following reports of targeted email phishing attempts, the FBI issued a FLASH alert warning healthcare providers on April 21, 2020, that they are at heightened risk for cyber attacks that use COVID-19 as bait. The FBI’s FLASH alert follows its repeated alerts about cyber …

California Telehealth Updates

California has joined the growing ranks of states, as well as the federal government, in efforts to facilitate the efficient provision of healthcare services during the pandemic. Accordingly, in response to federal agency updates with respect to relaxations to existing requirements related to telehealth services, California’s Governor Gavin Newsom issued an Executive Order No. 43-20 on April 3, 2020 (the …

The CARES Act Impacts to Employer-Sponsored Health and Welfare Benefit Plans

Health and welfare benefit plans and insurers are affected by various provisions of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) passed on March 27, 2020. In addition to provisions impacting tax-qualified retirement plans and executive compensation (summarized here), the CARES Act affects coverage of diagnostic testing, preventive services, telehealth services, and drug reimbursement. Here are the …

OCR COVID-19 Updates on HIPAA and Anti-Discrimination Laws

Hospitals will have a limited waiver of HIPAA sanctions and penalties during the COVID-19 outbreak as a result of a bulletin issued on March 16, 2020 by the U.S. Department of Health and Human Services. The Office of Civil Rights also issued a reminder that even during a medical emergency like the COVID-19 pandemic, all health care providers must comply …

Managing the Healthcare Workplace During the COVID-19 Outbreak

Healthcare providers have special concerns for their employees during the Coronavirus (COVID-19) global health pandemic.

Because COVID-19 spreads primarily as a result of close exposure to an infected person, healthcare employees are at higher risk of infection. While OSHA has a standard to protect employees from the spread of bloodborne pathogens, it currently has no standard for the spread of …

OCR Fee Limits for Third Party Directive Record Requests Struck Down

On January 28, 2020, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a notice (the OCR Notice) regarding individuals’ right of access to health records in response to a January 23, 2020 court ruling in the Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. Jan. 23, 2020) case. OCR noted that …

Hackers Raise the Stakes By Possibly Causing Physical Harm

Computer hacking, and the permutation of crimes that can be committed by hackers, generally does not spur images of infliction of physical harm. However, in a chilling turn of events, computer hackers have opened a new front in the damage that can be inflicted through cybercrime. In a nefarious series of developments, cyber-liabilities now arise from remote manipulation of the …

Is A Federal Privacy Law In The Cards for 2020?

In May of 2018, the European Union enacted the General Data Protection Rules, or GDPR, a legal framework that outlines not only how companies may collect and process personal information of EU residents, but how that data is stored and used. Since its enactment, GDPR has triggered a global push towards compliance with those standards. In the United States, there …

Healthcare Providers Must Remember HIPAA Before Responding to Online Reviews

The latest HIPAA resolution agreement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is a reminder that healthcare providers must take the high road when responding to unflattering online reviews by patients. While it is tempting to respond to a bad and perhaps untrue online review, healthcare providers need to take care to not …

Caution: Curb Your Enthusiasm for the Reduced HIPAA Annual Limits

Until recently, the annual limit for civil monetary penalties (CMP) that could be levied against covered entities and business associates in violation of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, as amended from time to time (collectively, HIPAA) was $1,500,000. On …

New York State Enforces Data Breach Notification Law

Earlier this month, New York Attorney General Eric Schneiderman announced his state had entered into a settlement with CoPilot Provider Support Services, Inc. (CoPilot)—a settlement resulting from CoPilot’s violation of the data breach notification requirements of the New York General Business Law (GBL) that requires companies, among other things, to provide notice of a breach as soon as possible. Under …

Global Ransomware Attack Makes Healthcare Organizations Wanna Cry

As has been widely reported, on May 12, 2017, organizations around the world, including Britain’s National Health Service, found their data held hostage by actors using a new variant of ransomware called WannaCry. According to news reports, 200,000 computers in more than 150 countries have been hit by the cyberattack which appears to be spread by phishing emails. There are …

April Showers Bring More HIPAA Settlements

April proved to be a busy month for the U.S. Department of Health and Human Services Office for Civil Rights (OCR) under its newly appointed director, Roger Severino. OCR announced three settlements of potential HIPAA violations totaling nearly $3,000,000.00 in fines. The settling parties include a wireless health services provider, a federally-qualified health center (FQHC), and a pediatric specialty provider. …

Lack of Timely Action and Knowledge of Risk Results in $3.2 Million Civil Monetary Penalty for HIPAA Violations

Children’s Medical Center of Dallas (Children’s) was hit with a $3.2 million civil penalty from the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) for failing to take steps to properly protect patient medical information. The civil penalty is the result of two data breaches caused by a lack of encryption and what was described as …

HIPAA Audits – Phase 2: On-Site Audits Scheduled for First Quarter of 2017

Covered Entities and Business Associates may be ringing in the New Year with the prospect of responding to on-site HIPAA audits by federal regulators. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced that a certain number of comprehensive on-site HIPAA compliance reviews will be done over the first quarter of next year. Details …

Recent CyberSecurity Incidents Emphasize Importance of Cyberinsurance

As the threat of cyberattacks continues to pose daily threats to businesses large and small, more companies have turned to cyber insurance products to shore up protection against these disruptive threats. A spate of recent incidents has highlighted the importance of taking steps to prepare for and mitigate possible damages. As such, healthcare entities have begun exploring Cyberinsurance as a …

Best Practices for Safeguarding Protected Health Information in Inclement Weather

As the East Coast prepares for the arrival of Hurricane Matthew, covered entities and business associates should take the opportunity to remind their workforce members to safeguard protected health information (PHI) that is in paper form. Certainly, HIPAA requires covered entities and business associates to protect and secure PHI at all times. However, healthcare providers that deal with volumes of …

Illinois’ Largest Health System Agrees to Stringent HIPAA Breach Settlement

The Department of Health and Human Services Office for Civil Rights (OCR) announced on August 4, 2016, a settlement agreement with Advocate Health Care Network, an integrated healthcare system with ten hospitals and a non-profit medical group of more than 1,500 physicians in Illinois (the System or Advocate). The System agreed to adopt a corrective action plan and to pay …

Breach or No Breach – OCR Weighs in on Ransomware

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released its much-anticipated guidance on ransomware (OCR Ransomware Guidance) this week in response to a number of highly publicized attacks targeting the healthcare sector. Ransomware is a type of malicious software that encrypts data, making it inaccessible until the data owner pays a ransom. …

Business Associates Beware! OCR Is Coming For You

Last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the first HIPAA settlement involving a business associate. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a nonprofit organization that provides management and information technology services to six wholly-owned skilled nursing facilities, agreed to pay $650,000 and enter into a corrective action …

Lights, Camera, Settlement: OCR says a picture is worth $2.2 million

A New York hospital has settled with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for $2.2 million after allowing a TV crew for the ABC documentary series “NY Med” to film patients receiving medical treatment without obtaining prior authorization from the patients or their representatives. The estate of one of those patients is also suing …

Not a Check-the-Box Exercise: Failure to Have Signed BAA Results in Substantial Fine

A group practice that was the victim of a silver-harvesting scam has agreed to pay the U.S. Department of Health and Human Services (“HHS”) $750,000 to settle charges that it released protected health information (“PHI”) of its patients to a third party vendor without first obtaining a written business associate agreement. Raleigh Orthopaedic Clinic, P.A. (the “Clinic”) provided x-ray films …

Prepare for the Unexpected with Data Storage and Retrieval

Last week, a federal court in Illinois encountered another example of unexpected events causing problematic privacy and data storage implications for a healthcare company. The non-profit organization responsible for maintaining the MetroChicago Health Information Exchange (the HIE) filed suit against its information technology support contractor and the contractor’s owner to prevent the contractor’s plan to destroy all client data after …
