Unencrypted laptop computers and other mobile devices pose significant risks to the security of patient information, reminds the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in its announcement yesterday that it collected $1,975,220 from two entities collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA)… Continue Reading
Written by Jeffrey M. Schlossberg Employers faced with the inevitable task of terminating an employee’s employment often inquire whether to provide the employee with written reasons for the termination; or, if they are required to provide an explanation of the termination, they ask what should be included in the explanation. Except in a limited number… Continue Reading
The 11th Circuit Court of Appeals has rejected the appeal of a former City of Daytona Beach Fire Inspector who argued that the City improperly used her “personal health information” to defend itself against her lawsuit for interference under the Family Medical Leave Act. In Bailey v. City of Daytona Beach Shores, the City of… Continue Reading
Skagit County, Washington, has agreed to settle potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to an announcement by the Office for Civil Rights (OCR) on Friday. OCR reported that Skagit County, home to approximately 118,000 residents, agreed to a $215,000 monetary settlement and to comply… Continue Reading
The Department of Health and Human Services announced on February 24 that it is seeking information about conducting a pre-audit survey. That is, it plans to conduct a “survey of up to 1200 [HIPAA] covered entities (health plans, health care clearinghouses, and certain health care providers) and business associates (entities that provider certain services to… Continue Reading
Healthcare providers and their business associates frequently face difficult questions relating to when they are able to share protected health information with the family members and friends of the patients they serve. These questions often require consideration of a number of different laws and rules, such as HIPAA, Federal alcohol and drug abuse confidentiality regulations, state mental… Continue Reading
Ricardo Rivera Cardona of the Puerto Rico Health Insurance Administration, intending to send a message by imposing the largest penalty to date ($6.8 million) arising out of a breach of protected health information under HIPAA, as reported by Infomation Security Media Group, is quoted as saying: We are sending a message that we are here to… Continue Reading
A study (registration required) by two data security firms, Norse in Silicon Valley and SANS, discussed in a recent L.A. Times article, confirms the concerns raised by the FDA and others about increased use of internet-connected medical devices by healthcare providers and the corresponding increase in the information systems of those providers being attacked, and in some… Continue Reading
Written by Jeffrey M. Schlossberg When does a medical clinic’s employee’s unauthorized texting of patient confidential health information result in liability to the clinic? The answer; it depends. In Doe v. Guthrie Clinic, Ltd., the Second Circuit Court of Appeals dismissed a patient’s claim against a medical corporation for alleged breach of fiduciary duty based… Continue Reading
In honor of National Data Privacy Day, we provide the following “Top 14 for 2014.” While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2014. Location Based Tracking. As the utilization of GPS enable devices becomes more and more prevalent, employers are often faced with… Continue Reading
Written by Michael R. Bertoncini A report issued by the Department of Health and Human Services Office of Inspector General (“OIG”) concludes that the Office for Civil Rights (“OCR”) did not meet all of its federal requirements for oversight and enforcement of the HIPAA Security Rule. While the report noted OCR met some of these… Continue Reading
A familiar story – small health care provider suffers a data breach affecting patient data, reports incident to the federal Office for Civil Rights (OCR) and winds up becoming subject to an OCR investigation that goes well beyond the breach itself, resulting in a significant settlement payment and corrective action plan. In this case, a relatively… Continue Reading
WSJ reported on November 22, 2013, Google’s push to move Google Glass, a computerized device with an “optical head-mounted display,” into the mainstream by tapping the prescription eyewear market through VSP Global—a nationwide vision benefits provider and maker of frames and lenses. If the speed and immersion of technology over the past few years had… Continue Reading
If your cloud service provider sounds like your local weather reporter – partly cloudy with a chance of rain – you may be in for a data security storm. A USA Today guest essay by Rajiv Gupta highlights the need for a multi-layered approach for cloud providers to ensure data stored in the cloud is secure, something… Continue Reading
According to testimony before the House Committee on Science, Space, and Technology and warnings from IT security experts, individuals using the federal government’s website to obtain health coverage through the Exchange are likely putting the security of their sensitive personal information at significant risk. Reports about the cost of the federal website vary, but based on… Continue Reading
Model HIPAA Notices of Privacy Practices now available for September 23, 2013 compliance date.
Today, the Centers for Medicare and Medicaid Services (CMS) requested an "emergency review" of its recently proposed rule that "[Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach." We reported on the proposed… Continue Reading
Click on the link in this post for high-level compliance roadmap concerning the Omnibus Privacy Rule under HIPAA and HITECH for covered plans, providers and business associates.
It seems more companies are considering whether to purchase or enhance their cyber or data breach insurance coverage. In recent years, these offerings have expanded giving businesses more choice, and perhaps so has the need for such coverage given the explosion of access to and transmission of confidential data. What is interesting about this development is the different… Continue Reading
Breach involving software upgrade to online application system leads to allegations of HIPAA privacy and security failures, and a $1.7 million settlement payment to HHS.
Hospital employee’s discrimination claims were unsuccessful where termination resulted from HIPAA breach
Are you a “non-Exchange entity” with respect to the healthcare exchanges coming later this year? If so you may become subject to a one-hour breach notification mandate.
Big Data’s impact on medical devices pushes FDA to propose draft guidelines for cybersecurity.
University’s $400,000 payment to HHS to settle HIPAA compliance allegations highlights critical role of risk assessments, and need for security policies and procedures.