Kimberly M. Wong


Health System Pays $800,000 Fine for Leaving PHI in Doctor’s Driveway

While enforcement activity by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has focused primarily on a covered entity’s safeguard of electronic protected health information (ePHI), organizations cannot forget about PHI in nonelectronic form. In 2009, a retiring physician filed a complaint with HHS against Parkview Health System, Inc. …

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

Editor’s Note: This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. On May 7, 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million—the highest data breach settlement amount to …

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

To combat new risks associated with rapidly evolving health information technology, HIPAA and HITECH provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI) and breach notification to individuals. HITECH also requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered …

OCR Settles Potential HIPAA Violations With County Government

To start 2014, HHS OCR issued its first resolution agreement of the year and its first settlement with a county government—signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient information in compliance with HIPAA. Skagit County, Washington (County), located in northwest Washington with approximately 118,000 residents, …

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Triple-S Salud, Inc. (Triple-S), a Puerto Rico Health Insurance Administration (PRHIA) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty (CMP) of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 dual eligible Medicare beneficiaries. The breach incident occurred in September 2013 when Triple-S mailed to …

Healthcare Privacy – 2013 Year in Review

Editor’s Note: This post is a joint submission with BakerHostetler’s Data Privacy Monitor blog. On January 25, 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the long-awaited HIPAA Omnibus Final Rule (Final Rule), which includes the most sweeping changes to HIPAA since the Privacy and Security Rules were released. …

OCR Releases Model Notices of Privacy Practices

Under the HIPAA Privacy Rule, an individual has the right to adequate notice of how a covered entity may use and disclose protected health information (PHI) about the individual, as well as his/her rights and the covered entity’s obligations with respect to that information. Thus, a covered entity must develop and provide individuals with a …

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2M

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced its fourth resolution agreement of 2013. Affinity Health Plan, Inc., a nonprofit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1.2 million. The resolution agreement …

HHS OCR Sends Message to CEs and Their BAs: Protect ePHI Accessible Over the Internet

In its third resolution agreement of 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company. The resolution agreement stems from WellPoint’s June 18, 2010, report to OCR regarding security weaknesses in an …

HIPAA, Business Associates and the Cloud

Under the Final Rule, as previously discussed, business associates must comply with the technical, administrative and physical safeguard requirements under the Security Rule. Liable for violations under the Security Rule, a business associate must comply with use or disclosure limitations in its contract, as well as limitations expressed in the Privacy Rule. A business associate is …