Tag Archives: HIPAA

Clearly Defined HIPAA and FERPA Policies May Help Covered Entities in Defending a Claim for Unemployment Compensation

Recently, in Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), the Commonwealth Court of Pennsylvania reversed the order of the Unemployment Compensation Board of Review (Board) which had affirmed the Unemployment Compensation Referee’s decision that Jami M. Dantry (Dantry) was ineligible for unemployment compensation benefits because Dantry’s conduct … Continue Reading

The Use of Smart Speakers in Healthcare

Smart speakers are voice-activated, internet-connected devices with an integrated virtual assistant that can answer questions, follow instructions and control other smart devices. Nearly one in five U.S. adults has access to a smart speaker, and it has been estimated that in 2018, the number of smart speakers installed reached 100 million worldwide. Using voice recognition, … Continue Reading

Provisioning Workforce Access to Electronic Protected Health Information: It May Be ‘Common Sense,’ but Is It Easy to Implement?

In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote … Continue Reading

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading

OCR Issues Alerts Regarding Phishing Email Disguised as Official OCR Audit Communication

The OCR issued another alert relating to the phishing email campaign and has shared that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov. Covered entities and business associates should alert … Continue Reading

FTC Issues Compliance Guidance for Organizations that Share and Collect PHI

The Federal Trade Commission (FTC) recently issued Guidance to remind HIPAA compliant organizations that share and collect protected health information (PHI) for commercial activities that they must also comply with FTC Act disclosure requirements. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. The Guidance cautions that organizations should consider all disclosure … Continue Reading

ONC Contracting Guide Aims to Restore Balanced Bargaining Between Providers and EHR Vendors

The HHS Office of the National Coordinator for Health Information Technology (ONC) recently published a contracting Guide to assist healthcare providers when entering into electronic health record (EHR) contracts with EHR vendors. Issued in response to provider complaints that EHR contracts often contain hidden fees and restrictions that prevent sharing of patient health records with other providers, … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

A Closer Look at the OCR’s Guidance on Ransomware

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware. Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files … Continue Reading

$2.75 Million OCR Settlement Underscores the Importance of Risk Management and Analysis

How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization’s data protection practices. Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action … Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that … Continue Reading

Practice Fusion Settles With FTC for Deceptive Practices in Posting Consumer-Generated PHI

“I would like to make an appointment for my back pain and possible shingles. Can you please call me @ [phone number]. Thank you! [patient name]” – Patient Review, December 31, 2012 The Federal Trade Commission (FTC) and cloud-based electronic health record company Practice Fusion, Inc. (Practice Fusion), recently agreed to a proposed settlement to … Continue Reading

Deeper Dive: Integrating Physician Practices into a Health System’s HIPAA Privacy and Security Program

The health system needs to understand its IT capabilities and operating competencies and develop the required infrastructure to support clinical integration of the physician practices. The healthcare industry shift to a value-based business model is resulting in greater alignment between hospitals and physicians to provide quality, outcomes driven care in order to receive payment for … Continue Reading

OCR Announces Beginning of 2016 HIPAA Phase 2 Audit Program

The OCR recently announced the beginning of the next phase of the HIPAA Privacy, Security, and Breach Notification Audit Program and indicated that it will review the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules. During the upcoming months, OCR will contact … Continue Reading

One Week, $5.45 Million in Resolution Agreements for HIPAA Violations

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) continued its run of resolution agreements for HIPAA violations, pulling in $5.45 million from just two entities, North Memorial Health Care of Minnesota (NMHCM) and the Feinstein Institute for Medical Research (Feinstein), in a single week. The resolution agreements emphasize that business associate agreements and … Continue Reading

Protecting Patient Data From Hacker Ransom Demands

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical … Continue Reading

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides respiratory … Continue Reading

HHS Removes Barriers to Reporting Federal Mental Health Prohibitor Status for Gun Background Checks

On January 6, 2016, the U.S. Department of Health and Human Services (HHS) released a modification to the Health Insurance Portability and Accountability Act (HIPAA) removing barriers to reporting federal mental health prohibitor status for gun background check purposes. The new section, 45 C.F.R. § 164.512(k)(7), allows a covered entity to use or disclose protected health information … Continue Reading

Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement

On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their … Continue Reading

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices

The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on … Continue Reading

OCR HIPAA Phase 2 Audits Coming Soon. Be Prepared.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that the agency expects to begin Phase 2 Audits in early 2016. OCR intends to conduct desk audits and on-site audits of covered entities (CEs) and business associates (BAs), and has contracted with FCi Federal, Inc., to conduct the data … Continue Reading

OIG Emphasizes Proactive Enforcement of Privacy Rule and Monitoring of Repeat Offenders

The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. To that end, the OIG found that Part B providers fell … Continue Reading