Suchismita Pahi

GAO Report Criticizes HHS’ HIPAA Cybersecurity Guidance and Program

Recently, the Government Accountability Office (GAO) reviewed the U.S. Department of Health and Human Services’ (HHS) security and privacy oversight and identified significant gaps in the cybersecurity guidance provided by HHS to entities regulated by HIPAA. The report’s primary criticism emphasized that though HHS prepared a crosswalk with the National Institute of Standards and Technology …

$2.75 Million OCR Settlement Underscores the Importance of Risk Management and Analysis

How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization’s data protection practices. Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action …

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that …

Practice Fusion Settles With FTC for Deceptive Practices in Posting Consumer-Generated PHI

“I would like to make an appointment for my back pain and possible shingles. Can you please call me @ [phone number]. Thank you! [patient name]” – Patient Review, December 31, 2012

The Federal Trade Commission (FTC) and cloud-based electronic health record company Practice Fusion, Inc. (Practice Fusion), recently agreed to a proposed settlement to …

Caution Ahead: Illinois’ Biometric Information Privacy Act Puts Companies in the Crosshairs

Although healthcare entities are exempt from BIPA’s requirements because of HIPAA, they are likely next in line for lawsuits because of their rapid adoption of biometric authentication measures for employees and contractors. Despite being on the books since 2008, the Illinois Biometric Information Privacy Act (BIPA) has only recently become the subject of litigation – …

Ransomware Targets Healthcare Industry

Just four months into 2016, the healthcare industry is already facing a permanent and increasing threat to hospital operations: ransomware. Previously, BakerHostetler reported that Hollywood Presbyterian Hospital paid 40 bitcoins to access its own electronic health records after its information systems were locked with ransomware. Since then, at least five other healthcare entities have been infected with …

One Week, $5.45 Million in Resolution Agreements for HIPAA Violations

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) continued its run of resolution agreements for HIPAA violations, pulling in $5.45 million from just two entities, North Memorial Health Care of Minnesota (NMHCM) and the Feinstein Institute for Medical Research (Feinstein), in a single week. The resolution agreements emphasize that business associate agreements and …

Protecting Patient Data From Hacker Ransom Demands

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical …

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides respiratory …

SAMHSA Proposes Updates to Substance Abuse Records Security and Confidentiality Regulation

The U.S. Department of Health and Human Services’ (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) has released proposed changes to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (45 C.F.R. Part 2) for the first time since 1987. The proposed changes address challenges that 42 C.F.R. Part 2 programs have faced …

HHS Removes Barriers to Reporting Federal Mental Health Prohibitor Status for Gun Background Checks

On January 6, 2016, the U.S. Department of Health and Human Services (HHS) released a modification to the Health Insurance Portability and Accountability Act (HIPAA) removing barriers to reporting federal mental health prohibitor status for gun background check purposes. The new section, 45 C.F.R. § 164.512(k)(7), allows a covered entity to use or disclose protected health information …

Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement

On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their …

OIG Emphasizes Proactive Enforcement of Privacy Rule and Monitoring of Repeat Offenders

The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. To that end, the OIG found that Part B providers fell …

Meaningful Use Stage 3 Final Rule Reduces Provider Burdens

CMS and the Office of the National Coordinator for Health Information (ONC) recently released the 752-page final rule for Meaningful Use Stages 2 (MU2) and 3 (MU3). The final rule provides a flexible timeline for providers and reduces the number of objectives and accompanying clinical quality measures required for reporting. The rule further provides that: …

HIPAA Fine Underscores OCR’s Focus on Physician Group Compliance

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced a $750,000 fine and resolution agreement, including a Corrective Action Plan (CAP), for Cancer Care Group, P.C. (CCG), a private organization made up of 18 physicians. The CCG investigation and resolution demonstrates that OCR does not exempt even modest-size physician …