Tag Archives: OCR

Clearly Defined HIPAA and FERPA Policies May Help Covered Entities in Defending a Claim for Unemployment Compensation

By Paulette Thomas on February 19, 2019 Posted in HIPAA, Medical Privacy

Recently, in Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), the Commonwealth Court of Pennsylvania reversed the order of the Unemployment Compensation Board of Review (Board) which had affirmed the Unemployment Compensation Referee’s decision that Jami M. Dantry (Dantry) was ineligible for unemployment compensation benefits because Dantry’ s conduct … Continue Reading

Provisioning Workforce Access to Electronic Protected Health Information: It May Be ‘Common Sense,’ but Is It Easy to Implement?

By Paulette Thomas on January 22, 2019 Posted in HIPAA

In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote … Continue Reading

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

By Paulette Thomas on December 18, 2018 Posted in Medical Privacy

On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading

OCR Issues Alerts Regarding Phishing Email Disguised as Official OCR Audit Communication

By Patrick H. Haggerty on December 2, 2016 Posted in Uncategorized

The OCR issued another alert relating to the phishing email campaign and has shared that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov. Covered entities and business associates should alert … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

By M. Scott Koller on September 6, 2016 Posted in Uncategorized

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

A Closer Look at the OCR’s Guidance on Ransomware

By M. Scott Koller on September 6, 2016 Posted in Uncategorized

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware. Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files … Continue Reading

$2.75 Million OCR Settlement Underscores the Importance of Risk Management and Analysis

By Lynn Sessions and Suchismita Pahi on August 18, 2016 Posted in Uncategorized

How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization’s data protection practices. Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action … Continue Reading

OCR Clarifies “Reasonable, Cost-Based” Fee Calculations for Access to Medical Records

By Lynn Sessions and Suchismita Pahi on June 30, 2016 Posted in Uncategorized

The HHS Office for Civil Rights (OCR) recently issued guidance that clarifies open questions for covered entities on how to charge for copies of personal health information requested by patients and members, regardless of state laws. Read more >>… Continue Reading

Deeper Dive: The Changing Landscape of Healthcare Data Breaches

By Lynn Sessions on April 13, 2016 Posted in Uncategorized

We are seeing more healthcare data breaches occur, and our experience shows that the causes and severity of these breaches are changing, as well. For the second year in a row, the BakerHostetler Data Security Incident Response Report demonstrates that healthcare breaches continue to be the highest percentage of incidents that we handled in 2015. … Continue Reading

OCR Announces Beginning of 2016 HIPAA Phase 2 Audit Program

By Paulette Thomas on April 7, 2016 Posted in Uncategorized

The OCR recently announced the beginning of the next phase of the HIPAA Privacy, Security, and Breach Notification Audit Program and indicated that it will review the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules. During the upcoming months, OCR will contact … Continue Reading

One Week, $5.45 Million in Resolution Agreements for HIPAA Violations

By Lynn Sessions and Suchismita Pahi on April 5, 2016 Posted in Uncategorized

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) continued its run of resolution agreements for HIPAA violations, pulling in $5.45 million from just two entities, North Memorial Health Care of Minnesota (NMHCM) and theFeinstein Institute for Medical Research (Feinstein), in a single week. The resolution agreements emphasize that business associate agreements and … Continue Reading

Protecting Patient Data From Hacker Ransom Demands

By Suchismita Pahi on March 3, 2016 Posted in Uncategorized

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical … Continue Reading

Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement

By Suchismita Pahi on December 8, 2015 Posted in Uncategorized

On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their … Continue Reading

OIG Emphasizes Proactive Enforcement of Privacy Rule and Monitoring of Repeat Offenders

By Lynn Sessions and Suchismita Pahi on November 16, 2015 Posted in Uncategorized

The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. To that end, the OIG found that Part B providers fell … Continue Reading

HIPAA Fine Underscores OCR’s Focus on Physician Group Compliance

By Lynn Sessions and Suchismita Pahi on October 15, 2015 Posted in Uncategorized

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced a $750,000 fine and resolution agreement, including a Corrective Action Plan (CAP), for Cancer Care Group, P.C. (CCG), a private organization made up of 18 physicians. The CCG investigation and resolution demonstrates that OCR does not exempt even modest-size physician … Continue Reading

Health System Pays $800,000 Fine for Leaving PHI in Doctor’s Driveway

By Lynn Sessions and Kimberly M. Wong on July 7, 2014 Posted in Uncategorized

While enforcement activity by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has focused primarily on a covered entity’s safeguard of electronic protected health information (ePHI), organizations cannot forget about PHI in nonelectronic form. In 2009, a retiring physician filed a complaint with HHS against Parkview Health System, Inc. … Continue Reading

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

By Kimberly M. Wong on May 29, 2014 Posted in Uncategorized

Editor’s Note: This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. On May 7, 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million—the highest data breach settlement amount to … Continue Reading

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

By Lynn Sessions and Kimberly M. Wong on April 1, 2014 Posted in Uncategorized

To combat new risks associated with rapidly evolving health information technology, HIPAA and HITECH provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI) and breach notification to individuals. HITECH also requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered … Continue Reading

OCR Settles Potential HIPAA Violations With County Government

By Lynn Sessions and Kimberly M. Wong on March 28, 2014 Posted in Uncategorized

To start 2014, HHS OCR issued its first resolution agreement of the year and its first settlement with a county government—signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient information in compliance with HIPAA. Skagit County, Washington (County), located in northwest Washington with approximately 118,000 residents, … Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

By Lynn Sessions and Kimberly M. Wong on March 19, 2014 Posted in Uncategorized

Triple-S Salud, Inc. (Triple-S), a Puerto Rico Health Insurance Administration (PRHIA) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty (CMP) of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 dual eligible Medicare beneficiaries. The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading

Healthcare Privacy – 2013 Year in Review

By Lynn Sessions, Kimberly M. Wong, Cory J. Fox and Anne Foster on January 2, 2014 Posted in Uncategorized

Editor’s Note: This post is a joint submission with BakerHostetler’s Data Privacy Monitor blog. On January 25, 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the long-awaited HIPAA Omnibus Final Rule (Final Rule), which includes the most sweeping changes to HIPAA since the Privacy and Security Rules were released. … Continue Reading