Tag Archives: privacy

$2.75 Million OCR Settlement Underscores the Importance of Risk Management and Analysis

How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization’s data protection practices. Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action … Continue Reading

Practice Fusion Settles With FTC for Deceptive Practices in Posting Consumer-Generated PHI

“I would like to make an appointment for my back pain and possible shingles. Can you please call me @ [phone number]. Thank you! [patient name]” – Patient Review, December 31, 2012 The Federal Trade Commission (FTC) and cloud-based electronic health record company Practice Fusion, Inc. (Practice Fusion), recently agreed to a proposed settlement to … Continue Reading

Deeper Dive: Integrating Physician Practices into a Health System’s HIPAA Privacy and Security Program

The health system needs to understand its IT capabilities and operating competencies and develop the required infrastructure to support clinical integration of the physician practices The healthcare industry shift to a value-based business model is resulting in greater alignment between hospitals and physicians to provide quality, outcomes driven care in order to receive payment for … Continue Reading

OCR Announces Beginning of 2016 HIPAA Phase 2 Audit Program

The OCR recently announced the beginning of the next phase of the HIPAA Privacy, Security, and Breach Notification Audit Program and indicated that it will review the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules. During the upcoming months, OCR will contact … Continue Reading

Don’t Get Phished! Hackers Pose as CEOs to Steal Tax Information from HR and Payroll Professionals at Healthcare Organizations

Every tax season is plagued with scams to defraud individuals and companies for money from tax returns. However, this year has started off with a bang and this means that the healthcare industry has another reason to worry. On March 1, 2016, the IRS issued an alert warning “payroll and human resources professionals to beware of an … Continue Reading

Protecting Patient Data From Hacker Ransom Demands

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical … Continue Reading

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides respiratory … Continue Reading

SAMHSA Proposes Updates to Substance Abuse Records Security and Confidentiality Regulation

The U.S. Department of Health and Human Services’ (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) has released proposed changes to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (45 C.F.R. Part 2) for the first time since 1987. The proposed changes address challenges that 42 C.F.R. Part 2 programs have faced … Continue Reading

HHS Removes Barriers to Reporting Federal Mental Health Prohibitor Status for Gun Background Checks

On January 6, 2016, the U.S. Department of Health and Human Services (HHS) released amodification to the Health Insurance Portability and Accountability Act (HIPAA) removing barriers to reporting federal mental health prohibitor status for gun background check purposes. The new section, 45 C.F.R. § 164.512(k)(7), allows a covered entity to use or disclose protected health information … Continue Reading

Alan L. Friel Details “9 tips for contracting” in Healthcare IT

Partner Alan L. Friel authored an article published in the June 23, 2015, issue of FierceHealthIT. The article, headlined, “Healthcare IT: 9 tips for contracting,” outlines key legal and business issues that healthcare organizations should consider during the RFP and contracting process to reduce risks and help minimize expensive change orders. Read the article. A … Continue Reading

FAQs by Employers Regarding the Anthem Breach

Do we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan … Continue Reading

OCR Updates Breach Report Web Portal — Changes Could Impact Annual Breach Reports

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014 … Continue Reading

Managing Your Health Information Risks Should Not Begin After a Breach Is Reported

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. Our attorneys have written about specific examples of those services. Healthcare is plagued by a high frequency of reported breaches. Although they are often caused by employees making mistakes, such as misdirecting a fax or losing a thumb drive, we are seeing more and … Continue Reading

HHS Provides Guidance on HIPAA Privacy in Emergency Situations Such as Ebola

In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies in emergency situations. The guidance attempts to strike a balance between preserving patients’ privacy rights and the need to disseminate information to … Continue Reading

Ebola Information Quarantine: Balancing Patient Privacy With Public Health

Of all the complex legal issues raised by the recent cases of Ebola in the U.S., those concerning the delicate balance between preserving patients’ privacy rights and the need to disseminate information to protect public health may be overlooked by providers. First, the laws may seem complex, consisting of a patchwork of state-level privacy and … Continue Reading

Medical Information More Valuable to Hackers Than Credit Card Numbers

In light of the recently reported large healthcare data breaches that have resulted in the potential theft of the personal information of millions of patients, the FBI warned healthcare providers yet again of the dangers of cyber attacks. Healthcare providers, already sensitive to the need for increased patient data protection in response to the 2013 … Continue Reading

Selby and Sessions Offer Advice for Building a Breach Response Team Before a Breach in an Article for CSO.com and CIO.com

Partners Judy Selby and Lynn Sessions co-authored an article entitled, “Building a Data Breach Response Team, Before You Have a Breach,” which was published by CSO.com and CIO.com on October 3, 2014. They advised companies to address the issue before they have a breach in order to assemble the best team for the company’s need. … Continue Reading

Florida Gives Breach Notification Statute More Teeth

Editor’s note:  This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (FIPA), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective … Continue Reading

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

Editor’s Note:  This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. On May 7, 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million—the highest data breach settlement amount to … Continue Reading

ONC’s Security Risk Assessment Tool Is Useful But Could Be Improved

Editor’s Note:  This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28.  According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare … Continue Reading

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

To combat new risks associated with rapidly evolving health information technology, HIPAA and HITECH provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI) and breach notification to individuals. HITECH also requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered … Continue Reading

OCR Settles Potential HIPAA Violations With County Government

To start 2014, HHS OCR issued its first resolution agreement of the year and its first settlement with a county government—signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient information in compliance with HIPAA. Skagit County, Washington (County), located in northwest Washington with approximately 118,000 residents, … Continue Reading
LexBlog