The Department of Health and Human Services announced on February 24 that it is seeking information about conducting a pre-audit survey. That is, it plans to conduct a “survey of up to 1200 [HIPAA] covered entities (health plans, health care clearinghouses, and certain health care providers) and business associates (entities that provider certain services to… Continue Reading
Ricardo Rivera Cardona of the Puerto Rico Health Insurance Administration, intending to send a message by imposing the largest penalty to date ($6.8 million) arising out of a breach of protected health information under HIPAA, as reported by Infomation Security Media Group, is quoted as saying: We are sending a message that we are here to… Continue Reading
Written by Michael R. Bertoncini A report issued by the Department of Health and Human Services Office of Inspector General (“OIG”) concludes that the Office for Civil Rights (“OCR”) did not meet all of its federal requirements for oversight and enforcement of the HIPAA Security Rule. While the report noted OCR met some of these… Continue Reading
Model HIPAA Notices of Privacy Practices now available for September 23, 2013 compliance date.
Breach involving software upgrade to online application system leads to allegations of HIPAA privacy and security failures, and a $1.7 million settlement payment to HHS.
University’s $400,000 payment to HHS to settle HIPAA compliance allegations highlights critical role of risk assessments, and need for security policies and procedures.
Final HIPAA regulations are out…
Following the mass shootings in Newtown, CT, and Aurora, CO, Office for Civil Rights Director Leon Rodriguez issued a letter on January 15, 2013, reminding covered health care providers about disclosures of protected health information that may be made to avert threats to health and safety. The letter points out, for example, that mental health professionals… Continue Reading
The $50,000 in penalties that the Office for Civil Rights (OCR) recently imposed on a health care provider in Idaho was due in part to allegations that the HIPAA covered entity had not conducted a risk assessment as required under the HIPAA privacy and security regulations. Of course, HIPAA is not the only law that requires a risk assessment…. Continue Reading
HIPAA data breach affecting 441 patients leads to investigation resulting in $50K in penalties due to alleged lapses in security compliance.
On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009. HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks… Continue Reading
As we previously discussed, the Office of Civil Rights (“OCR”) continues to push forward with the HIPAA audits required by the HITECH Act. To this end, the OCR recently posted the protocol which is used to conduct the HIPAA audits on its website. The HITECH Act requires HHS to provide for periodic audits to ensure covered… Continue Reading
Federal HIPAA enforcement agency adds new online tool to train State Attorneys General to enforce HIPAA.
Today, the Office for Civil Rights formally announced its HIPAA audit plan, with audits commencing in November 2011. A new page on OCR’s website answers some helpful questions for covered entities and business associates, which are summarized in this report.
Approximately 150 HIPAA on-site audits are scheduled to begin in early 2012. Covered entities and business associates should be aware of the nature and scope of these audits and what they should be doing to be prepare should they be selected.
While years of lax enforcement may have lulled many HIPAA covered entities and business associates to not take HIPAA seriously, recent activities by HHS, including the recently announced nationwide enforcement training program for State Attorneys General should spur renewed efforts toward compliance.
On February 22, 2010, the Office of Civil Rights (OCR) posted on its website its first list of covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. OCR acknowledged the HITECH Act requires HHS to make this information public by posting it on an HHS website. The breach notification rule became effective on… Continue Reading