Tag Archives: HIPAA

OCR Updates Breach Report Web Portal — Changes Could Impact Annual Breach Reports

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014 … Continue Reading

Managing Your Health Information Risks Should Not Begin After a Breach Is Reported

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. Our attorneys have written about specific examples of those services. Healthcare is plagued by a high frequency of reported breaches. Although they are often caused by employees making mistakes, such as misdirecting a fax or losing a thumb drive, we are seeing more and … Continue Reading

HHS Provides Guidance on HIPAA Privacy in Emergency Situations Such as Ebola

In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued guidance on how the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies in emergency situations. The guidance attempts to strike a balance between preserving patients’ privacy rights and the need to disseminate information to … Continue Reading

Ebola Information Quarantine: Balancing Patient Privacy With Public Health

Of all the complex legal issues raised by the recent cases of Ebola in the U.S., those concerning the delicate balance between preserving patients’ privacy rights and the need to disseminate information to protect public health may be overlooked by providers. First, the laws may seem complex, consisting of a patchwork of state-level privacy and … Continue Reading

Medical Information More Valuable to Hackers Than Credit Card Numbers

In light of the recently reported large healthcare data breaches that have resulted in the potential theft of the personal information of millions of patients, the FBI warned healthcare providers yet again of the dangers of cyber attacks. Healthcare providers, already sensitive to the need for increased patient data protection in response to the 2013 … Continue Reading

Health System Pays $800,000 Fine for Leaving PHI in Doctor’s Driveway

While enforcement activity by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has focused primarily on a covered entity’s safeguarding of electronic protected health information (ePHI), organizations cannot forget about PHI in nonelectronic form. In 2009, a retiring physician filed a complaint with HHS against Parkview Health System, Inc. … Continue Reading

Children’s Hospitals Today Publishes Article on Data Breach Prevention and Response by Partner Lynn Sessions

The Spring 2014 issue of Children’s Hospitals Today, published by the Children’s Hospital Association, features an article by BakerHostetler partner Lynn Sessions on preparing and responding to healthcare data breaches. In the article, “Breached: 10 Ways to Prepare and Respond,” Sessions discusses potential consequences of failing to adequately respond to a data breach, including “regulatory … Continue Reading

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

Editor’s Note:  This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. On May 7, 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million—the highest data breach settlement amount to … Continue Reading

ONC’s Security Risk Assessment Tool Is Useful But Could Be Improved

Editor’s Note:  This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28.  According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare … Continue Reading

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

To combat new risks associated with rapidly evolving health information technology, HIPAA and HITECH provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI) and breach notification to individuals. HITECH also requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered … Continue Reading

OCR Settles Potential HIPAA Violations With County Government

To start 2014, HHS OCR issued its first resolution agreement of the year and its first settlement with a county government—signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient information in compliance with HIPAA. Skagit County, Washington (County), located in northwest Washington with approximately 118,000 residents, … Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Triple-S Salud, Inc. (Triple-S), a Puerto Rico Health Insurance Administration (PRHIA) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty (CMP) of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 dual eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading

FTC Settles Case With Medical Transcription Company

The Federal Trade Commission (FTC) recently announced that it had settled its data privacy case against medical transcription firm GMR Transcription Services, Inc. (GMR) following allegations that GMR had failed to adequately protect the personal information of its consumers.  The consent order signed by the parties is a particularly notable milestone in that it marks … Continue Reading

Some Things Better Left Unshared: Social Media and Medical Identity Theft

The Washington Post recently published an article reminding individuals not to tweet or otherwise share information concerning their medical conditions on social media, warning that disclosing such information publicly “is akin to posting your address along with the dates you’ll be away on vacation.” Quoting Jennifer Trussell, who investigates medical identity theft on behalf of … Continue Reading

HHS Rule Grants Patients Direct Access to Lab Test Results

The U.S. Department of Health and Human Services (HHS) recently published a Final Rule granting patients and their personal representatives access to the patient’s completed laboratory test reports directly from the lab maintaining the information. The Final Rule, published jointly by the Office for Civil Rights (OCR), the Centers for Medicare & Medicaid Services (CMS) … Continue Reading

A Look Back at 2013

In this posting: A Look Back at 2013 Antitrust and Competition Policy, Advocacy and Legislative Strategy Development FDA and Life Sciences Privacy and Data Protection Enforcement and Compliance Transactions and Finance Reimbursement, Licensing and Certification Fraud and Abuse Laws Tax-Exempt Organizations Honors and Recognition Was it the number 13? There’s an old superstition about the … Continue Reading

NICS and HIPAA: Where Mental Health Privacy and Gun Control Overlap

Editor’s Note:  This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. HHS Releases Notice of Proposed Rulemaking On January 7, 2014, the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) for the purpose of modifying the Health Insurance Portability and Accountability Act (HIPAA) to expressly permit certain … Continue Reading

Healthcare Privacy – 2013 Year in Review

Editor’s Note: This post is a joint submission with BakerHostetler’s Data Privacy Monitor blog. On January 25, 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the long-awaited HIPAA Omnibus Final Rule (Final Rule), which includes the most sweeping changes to HIPAA since the Privacy and Security Rules were released. … Continue Reading