Tag Archives: PHI

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

By Paulette Thomas on Posted in Medical Privacy
On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading

FTC Issues Compliance Guidance for Organizations that Share and Collect PHI

By Paulette Thomas on Posted in Uncategorized
The Federal Trade Commission (FTC) recently issued Guidance to remind HIPAA compliant organizations that share and collect protected health information (PHI) for commercial activities that they must also comply with FTC Act disclosure requirements. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. The Guidance cautions that organizations should consider all disclosure … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

Photo of M. Scott KollerBy M. Scott Koller on Posted in Uncategorized
The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in Uncategorized
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that … Continue Reading

Practice Fusion Settles With FTC for Deceptive Practices in Posting Consumer-Generated PHI

By Suchismita Pahi on Posted in Uncategorized
“I would like to make an appointment for my back pain and possible shingles. Can you please call me @ [phone number]. Thank you! [patient name]” – Patient Review, December 31, 2012 The Federal Trade Commission (FTC) and cloud-based electronic health record company Practice Fusion, Inc. (Practice Fusion), recently agreed to a proposed settlement to … Continue Reading

OCR Announces Beginning of 2016 HIPAA Phase 2 Audit Program

By Paulette Thomas on Posted in Uncategorized
The OCR recently announced the beginning of the next phase of the HIPAA Privacy, Security, and Breach Notification Audit Program and indicated that it will review the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules. During the upcoming months, OCR will contact … Continue Reading

One Week, $5.45 Million in Resolution Agreements for HIPAA Violations

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in Uncategorized
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) continued its run of resolution agreements for HIPAA violations, pulling in $5.45 million from just two entities, North Memorial Health Care of Minnesota (NMHCM) and theFeinstein Institute for Medical Research (Feinstein), in a single week. The resolution agreements emphasize that business associate agreements and … Continue Reading

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in Uncategorized
On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides respiratory … Continue Reading

HHS Removes Barriers to Reporting Federal Mental Health Prohibitor Status for Gun Background Checks

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in Uncategorized
On January 6, 2016, the U.S. Department of Health and Human Services (HHS) released amodification to the Health Insurance Portability and Accountability Act (HIPAA) removing barriers to reporting federal mental health prohibitor status for gun background check purposes. The new section, 45 C.F.R. § 164.512(k)(7), allows a covered entity to use or disclose protected health information … Continue Reading

Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement

By Suchismita Pahi on Posted in Uncategorized
On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their … Continue Reading

OIG Emphasizes Proactive Enforcement of Privacy Rule and Monitoring of Repeat Offenders

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in Uncategorized
The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. To that end, the OIG found that Part B providers fell … Continue Reading

FAQs by Employers Regarding the Anthem Breach

Photo of Theodore J. Kobus IIIPhoto of Lynn SessionsBy Theodore J. Kobus III and Lynn Sessions on Posted in Uncategorized
Do we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan … Continue Reading

HHS Provides Guidance on HIPAA Privacy in Emergency Situations Such as Ebola

Photo of Lynn SessionsPhoto of M. Scott KollerBy Lynn Sessions and M. Scott Koller on Posted in Uncategorized
In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies in emergency situations. The guidance attempts to strike a balance between preserving patients’ privacy rights and the need to disseminate information to … Continue Reading

Ebola Information Quarantine: Balancing Patient Privacy With Public Health

Photo of Lynn SessionsBy Lynn Sessions and Cory J. Fox on Posted in Uncategorized
Of all the complex legal issues raised by the recent cases of Ebola in the U.S., those concerning the delicate balance between preserving patients’ privacy rights and the need to disseminate information to protect public health may be overlooked by providers. First, the laws may seem complex, consisting of a patchwork of state-level privacy and … Continue Reading

Medical Information More Valuable to Hackers Than Credit Card Numbers

Photo of Lynn SessionsBy Lynn Sessions and Nita Garg on Posted in Uncategorized
In light of the recently reported large healthcare data breaches that have resulted in the potential theft of the personal information of millions of patients, the FBI warned healthcare providers yet again of the dangers of cyber attacks. Healthcare providers, already sensitive to the need for increased patient data protection in response to the 2013 … Continue Reading

Health System Pays $800,000 Fine for Leaving PHI in Doctor’s Driveway

Photo of Lynn SessionsBy Lynn Sessions and Kimberly M. Wong on Posted in Uncategorized
While enforcement activity by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has focused primarily on a covered entity’s safeguard of electronic protected health information (ePHI), organizations cannot forget about PHI in nonelectronic form.  In 2009, a retiring physician filed a complaint with HHS against Parkview Health System, Inc. … Continue Reading

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

By Kimberly M. Wong on Posted in Uncategorized
Editor’s Note:  This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. On May 7, 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million—the highest data breach settlement amount to … Continue Reading

ONC’s Security Risk Assessment Tool Is Useful But Could Be Improved

By Randal L. Gainer on Posted in Uncategorized
Editor’s Note:  This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28.  According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare … Continue Reading

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

Photo of Lynn SessionsBy Lynn Sessions and Kimberly M. Wong on Posted in Uncategorized
To combat new risks associated with rapidly evolving health information technology, HIPAA and HITECH provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI) and breach notification to individuals. HITECH also requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered … Continue Reading

OCR Settles Potential HIPAA Violations With County Government

Photo of Lynn SessionsBy Lynn Sessions and Kimberly M. Wong on Posted in Uncategorized
To start 2014, HHS OCR issued its first resolution agreement of the year and its first settlement with a county government—signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient information in compliance with HIPAA. Skagit County, Washington (County), located in northwest Washington with approximately 118,000 residents, … Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Photo of Lynn SessionsBy Lynn Sessions and Kimberly M. Wong on Posted in Uncategorized
Triple-S Salud, Inc. (Triple-S), a Puerto Rico Health Insurance Administration (PRHIA) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty (CMP) of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 dual eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading

Some Things Better Left Unshared: Social Media and Medical Identity Theft

Photo of Lynn SessionsBy Lynn Sessions and Anne Foster on Posted in Uncategorized
The Washington Post recently published an article reminding individuals not to tweet or otherwise share information concerning their medical conditions on social media, warning that disclosing such information publicly “is akin to posting your address along with the dates you’ll be away on vacation.” Quoting Jennifer Trussell, who investigates medical identity theft on behalf of … Continue Reading

HHS Rule Grants Patients Direct Access to Lab Test Results

Photo of Lynn SessionsBy Lynn Sessions and Cory J. Fox on Posted in Uncategorized
The U.S. Department of Health and Human Services (HHS) recently published a Final Rule granting patients and their personal representatives access to the patient’s completed laboratory test reports directly from the lab maintaining the information. The Final Rule, published jointly by the Office for Civil Rights (OCR), the Centers for Medicare & Medicaid Services (CMS) … Continue Reading
LexBlog