Tag Archives: HIPAA

OCR Issues Alerts Regarding Phishing Email Disguised as Official OCR Audit Communication

The OCR issued another alert relating to the phishing email campaign and has shared that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov. Covered entities and business associates should alert … Continue Reading

FTC Issues Compliance Guidance for Organizations that Share and Collect PHI

The Federal Trade Commission (FTC) recently issued Guidance to remind HIPAA compliant organizations that share and collect protected health information (PHI) for commercial activities that they must also comply with FTC Act disclosure requirements. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. The Guidance cautions that organizations should consider all disclosure … Continue Reading

ONC Contracting Guide Aims to Restore Balanced Bargaining Between Providers and EHR Vendors

The HHS Office of the National Coordinator for Health Information Technology (ONC) recently published a contracting Guide to assist healthcare providers when entering into electronic health record (EHR) contracts with EHR vendors. Issued in response to provider complaints that EHR contracts often contain hidden fees and restrictions that prevent sharing of patient health records with other providers, … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

A Closer Look at the OCR’s Guidance on Ransomware

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware. Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files … Continue Reading

$2.75 Million OCR Settlement Underscores the Importance of Risk Management and Analysis

How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization’s data protection practices. Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action … Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that … Continue Reading

Practice Fusion Settles With FTC for Deceptive Practices in Posting Consumer-Generated PHI

“I would like to make an appointment for my back pain and possible shingles. Can you please call me @ [phone number]. Thank you! [patient name]” – Patient Review, December 31, 2012 The Federal Trade Commission (FTC) and cloud-based electronic health record company Practice Fusion, Inc. (Practice Fusion), recently agreed to a proposed settlement to … Continue Reading

Deeper Dive: Integrating Physician Practices into a Health System’s HIPAA Privacy and Security Program

The health system needs to understand its IT capabilities and operating competencies and develop the required infrastructure to support clinical integration of the physician practices The healthcare industry shift to a value-based business model is resulting in greater alignment between hospitals and physicians to provide quality, outcomes driven care in order to receive payment for … Continue Reading

OCR Announces Beginning of 2016 HIPAA Phase 2 Audit Program

The OCR recently announced the beginning of the next phase of the HIPAA Privacy, Security, and Breach Notification Audit Program and indicated that it will review the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules. During the upcoming months, OCR will contact … Continue Reading

One Week, $5.45 Million in Resolution Agreements for HIPAA Violations

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) continued its run of resolution agreements for HIPAA violations, pulling in $5.45 million from just two entities, North Memorial Health Care of Minnesota (NMHCM) and theFeinstein Institute for Medical Research (Feinstein), in a single week. The resolution agreements emphasize that business associate agreements and … Continue Reading

Protecting Patient Data From Hacker Ransom Demands

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical … Continue Reading

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides respiratory … Continue Reading

HHS Removes Barriers to Reporting Federal Mental Health Prohibitor Status for Gun Background Checks

On January 6, 2016, the U.S. Department of Health and Human Services (HHS) released amodification to the Health Insurance Portability and Accountability Act (HIPAA) removing barriers to reporting federal mental health prohibitor status for gun background check purposes. The new section, 45 C.F.R. § 164.512(k)(7), allows a covered entity to use or disclose protected health information … Continue Reading

Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement

On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their … Continue Reading

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices

The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on … Continue Reading

OCR HIPAA Phase 2 Audits Coming Soon. Be Prepared.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that the agency expects to begin Phase 2 Audits in early 2016. OCR intends to conduct desk audits and on-site audits of covered entities (CEs) and business associates (BAs), and has contracted with FCi Federal, Inc., to conduct the data … Continue Reading

OIG Emphasizes Proactive Enforcement of Privacy Rule and Monitoring of Repeat Offenders

The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. To that end, the OIG found that Part B providers fell … Continue Reading

Meaningful Use Stage 3 Final Rule Reduces Provider Burdens

CMS and the Office of the National Coordinator for Health Information (ONC) recently released the 752-page final rule for Meaningful Use Stages 2 (MU2) and 3 (MU3). The final rule provides a flexible timeline for providers and reduces the number of objectives and accompanying clinical quality measures required for reporting. The rule further provides that: … Continue Reading

HIPAA Fine Underscores OCR’s Focus on Physician Group Compliance

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced a $750,000 fine and resolution agreement, including a Corrective Action Plan (CAP), for Cancer Care Group, P.C. (CCG), a private organization made up of 18 physicians. The CCG investigation and resolution demonstrates that OCR does not exempt even modest-size physician … Continue Reading

FAQs by Employers Regarding the Anthem Breach

Do we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan … Continue Reading

OCR Updates Breach Report Web Portal — Changes Could Impact Annual Breach Reports

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014 … Continue Reading
LexBlog