Archives: HIPAA

Subscribe to HIPAA RSS Feed

Enhanced HHS HIPAA Breach Reporting Tool May Aid Health Care Industry Data Security Efforts

Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office of Civil Rights has launched a revised web tool … Continue Reading

Harvey and Irma – Reminders to Adopt/Reevaluate Your Disaster Recovery Plan

The effects of hurricanes like Harvey and the approaching Irma should be a reminder to all businesses of the importance of disaster recovery planning. When a storm approaches, a business’s first concern is how to protect its employees and physical property. However, we shouldn’t forget that a natural disaster can also destroy a business’s information and technology … Continue Reading

An Ounce of Data Breach Prevention…Address Attorney-Client Privilege in Your Breach Planning

Data breach “horror” stories have become a new staple in today’s business environment. The frequency of attacks which threaten (or compromise) the security of business networks and information systems continually increases — in the health care space alone (which holds the dubious honor of Most Likely To Be Attacked), a FBI and HHS’ Office for … Continue Reading

Public-Private Partnerships Could Bolster Healthcare Cybersecurity Efforts

Protecting data in the healthcare industry continues to be an area of focus for regulators and lawmakers. HIPAA Journal noted that in 2016 more HIPAA covered entities reported breaches than in any other year since the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights started publishing breach summaries on its “Wall … Continue Reading

Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000. OCR recently announced a resolution agreement (pdf) with … Continue Reading

$3.2M Fine for Failure to Protect Electronic Records

The Department of Health and Human Services Office of Civil Rights (“OCR”) fined a Texas hospital $3.2 million for its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. Children’s Medical Center of Dallas filed breach reports with OCR in 2010 and … Continue Reading

Top 10 for 2017 – Happy Data Privacy Day

In honor of Data Privacy Day, we provide the following “Top 10 for 2017.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017. 1.  Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal … Continue Reading

HHS Issues Cloud Computing Guidance Which Is Helpful To All Users of Cloud Services

Last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance for HIPAA covered entities and business associates that use or want to use cloud computing services involving protected health information (PHI). Covered entities and business associates seeking cloud services often have many concerns regarding HIPAA compliance, and this guidance … Continue Reading

3 Essential Steps For Responding To Ransomware Attacks

Likely because most victims comply with their demands, the incidence of attacks by ransomware hackers has exploded in 2016. Guidance issued by the U.S. Department of Health and Human Services (“HHS”) in July notes that, on average, there have been 4,000 reported ransomware attacks per day thus far in 2016, far exceeding the average of … Continue Reading

Smaller HIPAA Breaches To Get More Attention by Office for Civil Rights

The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office of Civil Rights’ (OCR) focus has been on the 500 and over bucket. But … Continue Reading

HIPAA and $15 Million in 2016

For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but just after a period “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months … Continue Reading

Check Your Spam Filter, You Might Have Been Selected for a HIPAA Audit!

Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business … Continue Reading

The Inexplicit Requirement and Definitive Necessity for Employers to Implement Privacy Policies

In the face of seemingly daily news reports of company data breaches and the mounting legislative concern and efforts on both the state and federal level to enact laws safeguarding personal information maintained by companies, employers should be questioning whether they should implement privacy policies to address the protection of personal information they maintain on … Continue Reading

HIPAA Covered Entities Not Responsible For Intercepted Transmission of PHI When Individual Requested Unsecured Transmission, Office for Civil Rights Concludes

Earlier this month, the Office for Civil Rights (OCR) issued guidance on an individual’s right to access the individual’s health information. That an individual has a broad right to access has been recognized in the HIPAA privacy regulations since they became effective in 2003. OCR has found, however, that individuals are facing obstacles to accessing their … Continue Reading

Top 10 for 2016 – Happy Data Privacy Day

In honor of Data Privacy Day, we provide the following “Top 10 for 2016.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2016. EU/U.S. Data Transfer (status of Safe Harbor).  On October 6, 2015, the Court of Justice of the European Union (CJEU) ruled … Continue Reading

Million Dollar HIPAA Settlements Are About Compliance, Not Harm to Individuals

In the last two weeks, the Office for Civil Rights (OCR) announced two substantial settlements under HIPAA that together totaled $4.35 million. These large amounts seem to be driven not by actual harm to individuals, but in significant part by alleged HIPAA compliance failures identified by OCR following investigations commenced in response to receipt of data … Continue Reading

Healthcare Worker Gives New Employer Patient Records, Old Employer Pays $15,000 to NY Attorney General For HIPAA Violation

One of your employees discloses your organization’s patient information to a soon-to-be new employer for use in generating business at the new employer’s competing business, and your company has to settle with the New York State Attorney General for HIPAA violations. Make sense? This is what happened according to a published settlement agreement (pdf) that was … Continue Reading

HIPAA Phase 2 Audits to Start in Early 2016, OCR States In Response to OIG Recommendations

Responding to a Department of Health and Human Services Office of Inspector General (OIG) report recommending stronger oversight of covered entities’ compliance with the HIPAA Privacy Rule, the Office for Civil Rights (OCR) stated that in early 2016 it will launch Phase 2 of its audit program measuring compliance with HIPAA’s privacy, security and breach … Continue Reading

Wearables, Wellness and Privacy

Bloomberg BNA (subscription) recently reported that this fall the Center for Democracy & Technology (CDT) will be issuing a report on Fitbit Inc.’s privacy practices. Avid runners, walkers or those up on the latest gadgets likely know about Fitbit, and its line of wearable fitness devices. Others may know about Fitbit due to the need … Continue Reading

HIPAA Audits Maybe, But Audit Preparedness Definitely!

According to a Bloomberg article, the second phase of HIPAA audits by the Office for Civil Rights (OCR), originally set to commence in 2014, may be coming soon. This update came at a HIPAA conference co-hosted by OCR during which OCR Director Jocelyn Samuels said the agency was in the process of confirming contact information of … Continue Reading

Cancer Care Group to Pay $750,000 to Settle HIPAA Breach, as KPMG Finds 81 Percent of Hospitals and Health Insurance Companies had a Breach in the Past Two Years

On September 2, the Office for Civil Rights (OCR) reported that it agreed to settle potential violations of the HIPAA privacy and security regulations with Cancer Care Group, Inc. The dollar amount of the settlement, $750,000, is significant, and the agreement to adopt a robust, multi-year corrective action plan under the watchful eye of the … Continue Reading

Connecticut State Contractors, Health Insurance Industry Businesses Subject to Enhanced Significant Data Security Mandates

In June, Connecticut’s governor signed into law Senate Bill 949 which amended the State’s breach notification statute. The requirement that covered businesses must provide one year of identity theft protection services for certain breaches, easily the most popular aspect of the legislation, may have diverted attention from some significant aspects of this new law. Senate Bill … Continue Reading

State Attorneys General Tell Congress – Don’t Preempt Our Breach Notification Laws!

In the wake of recent, large-scale data breaches, one being the breach at the Office of Personnel Management (OPM) affecting millions of federal employees, a number of bills have been battling their way through Congress to address breach notification and data security requirements at the federal level. There has been an ongoing pattern for years … Continue Reading

Will Your Cyber/Breach Insurance Be There When You Need It?

The answer to this question may depend on the actions that the insured takes when it applies for coverage and during the period the policy is in force. The demand for cyberinsurance that is intended to cover exposures from data breaches, among other things, has exploded in recent years, reports The Hill. This is due in large part … Continue Reading
LexBlog