Category Archives: HIPAA, Privacy, and Data Security


Shhh….OCR Releases New HIPAA Audit Protocol

Just in time for the Phase 2 audits, the Department of Health and Human Services Office for Civil Rights (OCR) quietly posted the updated HIPAA Audit Protocol on its website. The new audit protocol has been updated to include business associates who became subject to HIPAA following the 2013 HIPAA Omnibus Final Rule. The protocol covers Privacy Rule, Security Rule …

Phase 2 of HIPAA Audits Is Underway – Covered Entities and Business Associates Beware

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced that it has started obtaining and verifying entity contact information to identify covered entities and business associates for potential audit subject pools for the 2016 Phase 2 HIPAA Audit Program. In Phase 2, OCR will review the policies and procedures adopted and employed by covered …

OCR Issues New Guidance on “Reasonable and Cost-Based” Fees Associated with Medical Record Copying and Access

On February 25, 2016, the Office of Civil Rights (OCR) released a set of FAQs directed at healthcare providers and plans that are required to comply with the HIPAA Privacy Rule (the Privacy Rule). The guidance emphasizes that any fees charged for access to or copies of patient information must be “reasonable and cost-based” and specifically addresses what this means …

HIPAA Privacy Rule Now Permits Reporting for Firearms Background Checks

On January 4, 2016, the U.S. Department of Health and Human Services (HHS) issued a final rule that modifies the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. This modification expressly allows certain covered entities to disclose to the National Instant Criminal Background Check System (NICS), without consent, the identities of individuals who, for mental health reasons, …

The Silent Threats of Breaches to Medical Devices are Starting to Make Noise

The U.S. Food and Drug Administration (FDA), which is responsible for guidance on medical devices, has acknowledged that certain devices are susceptible to breaches. The FDA has identified cybersecurity vulnerabilities in medical devices that could allow unauthorized users to not only access patient information, but also to control the device. The FDA’s oversight comes at a critical time, as hospitals …

Medical Devices And Risks Of Unauthorized Disclosure Of Protected Health Information

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) kicked off the holiday season by publishing a settlement agreement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) relating to the theft of an unencrypted laptop from a hospital. Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital in Massachusetts, agreed to pay …

“My, what beautiful eyes you have . . .” – Biometric Data and Privacy

Biometric data – obviously not just in the movies anymore. It is alive, well, and increasingly being used in our everyday society. But, on September 23, 2015, when the Office of Personnel Management revealed that fingerprint data of nearly six million individuals had been compromised in a cyber-security attack, fear came home to roost. Let’s address the journalistic questions: …

Can We Talk? Florida Court Rejects Latest Challenge to Med Mal Presuit Authorization Law

In the latest challenge to a Florida law designed to promote early settlement of meritorious medical malpractice claims, the Florida First District Court of Appeal recently rejected a plaintiff’s arguments that 2013 amendments to the law violated the Florida Constitution. See Weaver v. Myers, Case No. 1D14-3178 (Fla. 1st DCA July 21, 2015). The court also summarily rejected the …

Recent HHS Settlement Highlights Risks of Electronically-Sharing Protected Health Information

On July 10, 2015, the United States Department of Health and Human Services Office for Civil Rights (OCR) announced its second settlement of the year for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). St. Elizabeth’s Medical Center (SEMC), a tertiary care hospital in Massachusetts, must pay $218,400 and adopt a “robust corrective action plan” to …

Illinois Appellate Court Holds No Standing to Sue for Medical Information Data Breach Where Injury is Speculative

On June 2, 2015, the Second District Illinois Appellate Court affirmed the decisions of two lower courts, which had dismissed breach of privacy cases for lack of standing. The cases were consolidated for the purposes of the appeal. Both cases were brought against Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (Advocate), an Illinois network of affiliated physicians and …

New HIPAA Guide to Privacy and Security of Electronic Health Information

The HHS Office of the National Coordinator for Health Information Technology (ONC) recently released Version 2.0 of its Guide to Privacy and Security of Electronic Health Information (Guide). The Guide is primarily applicable to physician groups and smaller health care providers and businesses, but it provides a good overview of HIPAA for any covered entity. It also provides information on …

HHS Settlement: Dumpster-Diving Leads to Settlement for Improper Disposal of Documents Containing Protected Health Information

The U.S. Department of Health and Human Services Office for Civil Rights (HHS) recently announced that it has reached an agreement with a small pharmacy to resolve potential HIPAA violations. The settlement arose from the disposal of unsecured paper documents containing protected health information (PHI) of the Pharmacy’s customers. The more well-known data breaches usually involve the improper disclosure of …

Illinois Court Dismisses Plaintiffs’ Privacy Claims Arising out of HIPAA Breach

On July 10, 2014, a Kane County, Illinois Circuit Court granted a motion to dismiss with prejudice in favor of Advocate Health & Hospitals Corporation (Advocate) in a class action case arising out of a breach of patients’ protected health information (PHI). In August 2013, Advocate reported one of the largest data breaches to date under the Health Insurance Portability …

The Downside to Sharing – Two Hospitals to Pay Largest HIPAA Fine Yet

On May 7, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced the largest settlement to date under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). New York and Presbyterian Hospital (“NYP”) and Columbia University (“Columbia”) agreed to pay $4.8 million and enter into resolution agreements as the result of a breach …

Security Breach May Not be Covered by Your General Liability Policy

Data breaches are certainly not unique to the healthcare industry. Large data breaches like the one experienced by Target stores in late 2013 seem increasingly common. Retail, financial, and other types of companies hold consumers’ financial information, but the healthcare industry also holds sensitive health information protected by HIPAA, making a data breach all the more problematic. Especially given the …

The Government is Here to Help: HHS Releases HIPAA Security Risk Assessment Tool for Small Providers

The U.S. Department of Health and Human Services (“HHS”) has just released a new security risk assessment (“SRA”) tool to assist small and medium-sized health care practices (one to ten providers) in conducting a HIPAA risk assessment of their organization.

The HIPAA Security Rule requires that all health care organizations that are HIPAA covered entities or business associates must conduct …

HHS Settlement: Reminder That HIPAA Applies to Local Governments Big and Small

The U.S. Department of Health and Human Services Office for Civil Rights (HHS) recently announced that it had reached an agreement with Skagit County, Washington to settle potential HIPAA violations involving the County Public Health Department. The settlement arose from a 2011 incident involving the unauthorized disclosure of electronic protected health information (ePHI) of over 1,500 individuals. The settlement …

Unique Data Breach Settlement – A Sign of Things to Come?

A judge in the United States District Court for the Southern District of Florida has approved a $3 million data breach class action settlement agreement between AvMed, Inc. and plaintiffs. The settlement arises out of a December 2009 theft of unencrypted laptops containing the personal information of individuals who received healthcare coverage through AvMed and for the first time permits …

35 Days and Counting – R.I.P. Windows XP

Effective April 9, 2014, Microsoft will no longer provide technical support or security updates for the Windows XP operating system. According to Microsoft, personal computers running Windows XP after April 8, 2014 should not be considered to be protected.

This announcement means that covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) …

New Privacy Rule Gives Patients Right to Access Lab Test Reports

On February 6, 2014, the Centers for Medicare and Medicaid Services (CMS) and the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) issued a final rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals the right to access …

Accretive Health Data Breach Leads to Twenty-Year Settlement with the FTC

On December 31, 2013, the Federal Trade Commission (“FTC”) announced that Accretive Health, Inc., (“Accretive”) agreed to settle charges that the company’s inadequate data security measures exposed sensitive consumer information to the risk of theft or misuse. Accretive provides medical billing and revenue management services to hospitals around the country. Accretive experienced a data breach in 2011 when one of …

HHS Gives a Thumbs Down for Stolen Thumb Drive

On December 26, 2013, the U.S. Department of Health and Human Services Office for Civil Rights (HHS) announced that it had reached an agreement with a Northeastern dermatology practice to settle potential HIPAA violations arising from a 2011 theft of an unencrypted thumb drive containing patient information. This is HHS’ first settlement with a covered entity arising from the failure …

Florida’s New Med-Mal Law is Pre-empted by HIPAA and is Voided by Federal Judge

A new part of Florida’s medical malpractice law has been voided by a federal judge on the grounds that it is pre-empted by HIPAA. The law, passed during the 2013 legislative session and effective only on July 1, 2013, requires, as a pre-condition to filing a malpractice claim, an aggrieved patient to sign an authorization that allows the potential defendant …

HHS Makes Good on Its Promise: Releases HIPAA Guidance for Refill Reminder Programs

As previously reported, HHS announced earlier this month that it would be providing clarification on the HIPAA Privacy Rule as it relates to marketing and prescription refill reminder programs. On September 19, 2013, HHS made good on that promise when the Office for Civil Rights announced guidance on when refill reminders and other communications about drugs currently being prescribed …
