In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote … Continue Reading
How the theft of a single password-protected laptop turned into an enterprise-wide review of an organization’s data protection practices. Following the announcement of a recent settlement between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Catholic Health Care Services, OCR has announced another significant settlement agreement and corrective action … Continue Reading
“I would like to make an appointment for my back pain and possible shingles. Can you please call me @ [phone number]. Thank you! [patient name]” – Patient Review, December 31, 2012 The Federal Trade Commission (FTC) and cloud-based electronic health record company Practice Fusion, Inc. (Practice Fusion), recently agreed to a proposed settlement to … Continue Reading
The health system needs to understand its IT capabilities and operating competencies and develop the required infrastructure to support clinical integration of the physician practices. The healthcare industry shift to a value-based business model is resulting in greater alignment between hospitals and physicians to provide quality, outcomes driven care in order to receive payment for … Continue Reading
We are seeing more healthcare data breaches occur, and our experience shows that the causes and severity of these breaches are changing, as well. For the second year in a row, the BakerHostetler Data Security Incident Response Report demonstrates that healthcare breaches continue to be the highest percentage of incidents that we handled in 2015. … Continue Reading
The OCR recently announced the beginning of the next phase of the HIPAA Privacy, Security, and Breach Notification Audit Program and indicated that it will review the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules. During the upcoming months, OCR will contact … Continue Reading
Every tax season is plagued with scams to defraud individuals and companies for money from tax returns. However, this year has started off with a bang and this means that the healthcare industry has another reason to worry. On March 1, 2016, the IRS issued an alert warning “payroll and human resources professionals to beware of an … Continue Reading
Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical … Continue Reading
On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides respiratory … Continue Reading
The U.S. Department of Health and Human Services’ (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) has released proposed changes to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (45 C.F.R. Part 2) for the first time since 1987. The proposed changes address challenges that 42 C.F.R. Part 2 programs have faced … Continue Reading
On January 6, 2016, the U.S. Department of Health and Human Services (HHS) released a modification to the Health Insurance Portability and Accountability Act (HIPAA) removing barriers to reporting federal mental health prohibitor status for gun background check purposes. The new section, 45 C.F.R. § 164.512(k)(7), allows a covered entity to use or disclose protected health information … Continue Reading
Partner Alan L. Friel authored an article published in the June 23, 2015, issue of FierceHealthIT. The article, headlined, “Healthcare IT: 9 tips for contracting,” outlines key legal and business issues that healthcare organizations should consider during the RFP and contracting process to reduce risks and help minimize expensive change orders. Read the article. A … Continue Reading
Human error was the number one cause of data security incidents according to a new report released today by our Privacy and Data Protection team. The BakerHostetler Data Security Incident Response Report provides insights generated from the review of more than 200 incidents that we advised on in 2014. It looks at the nature of … Continue Reading
Do we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan … Continue Reading
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014 … Continue Reading
Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. Our attorneys have written about specific examples of those services. Healthcare is plagued by a high frequency of reported breaches. Although they are often caused by employees making mistakes, such as misdirecting a fax or losing a thumb drive, we are seeing more and … Continue Reading
In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies in emergency situations. The guidance attempts to strike a balance between preserving patients’ privacy rights and the need to disseminate information to … Continue Reading
Of all the complex legal issues raised by the recent cases of Ebola in the U.S., those concerning the delicate balance between preserving patients’ privacy rights and the need to disseminate information to protect public health may be overlooked by providers. First, the laws may seem complex, consisting of a patchwork of state-level privacy and … Continue Reading
In light of the recently reported large healthcare data breaches that have resulted in the potential theft of the personal information of millions of patients, the FBI warned healthcare providers yet again of the dangers of cyber attacks. Healthcare providers, already sensitive to the need for increased patient data protection in response to the 2013 … Continue Reading
Partners Judy Selby and Lynn Sessions co-authored an article entitled, “Building a Data Breach Response Team, Before You Have a Breach,” which was published by CSO.com and CIO.com on October 3, 2014. They advised companies to address the issue before they have a breach in order to assemble the best team for the company’s need. … Continue Reading
Editor’s note: This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (FIPA), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective … Continue Reading
Editor’s Note: This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. On May 7, 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million—the highest data breach settlement amount to … Continue Reading
Editor’s Note: This post originally appeared on BakerHostetler’s Data Privacy Monitor blog. The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28. According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare … Continue Reading
To combat new risks associated with rapidly evolving health information technology, HIPAA and HITECH provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI) and breach notification to individuals. HITECH also requires the U.S. Department of Health and Human Services (HHS) to perform periodic audits of covered … Continue Reading