October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with … Continue Reading
The New Jersey State Bar Association recently met to discuss, among other things, our favorite topic: Cybersecurity. (Perhaps our esteemed Privacy, e-Communication and Data Security Practice Group chair was there….) We wanted to briefly mention two critical points discussed: Critical Point #1: The biggest risk out there is employees. We employees click on all … Continue Reading
The pace of innovation in healthcare today has produced an amazing increase in the number of available mobile apps for health-related information. More than 300,000 healthcare apps are available online. These apps are developed and designed to fit within the “connected health model” which attempts to provide flexible and efficient healthcare services by using connected … Continue Reading
Health insurance carriers often provide explanation of benefits (EOB) summaries to the policyholder specifying the type and cost of health care services received by dependents covered by the policy. EOBs often disclose sensitive information regarding the mental or physical health condition of adult dependents. Massachusetts has now enacted a law, an act to protect access … Continue Reading
Last week, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs (“Division”) announced that a physician group affiliated with more than 50 South Jersey medical and surgical practices agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more … Continue Reading
Nary a week goes by without news of a data breach by a healthcare provider…while there are certainly a good number of breaches resulting from a breach of cybersecurity defenses or from the wrongful exploitation of system security weaknesses, there is still a risk to healthcare providers resulting from the internal operations of the healthcare … Continue Reading
This Sunday, January 28, is Data Privacy Day, which Congress recognized on Jan. 27, 2014, when it adopted S. Res. 337, supporting the designation. As noted by the National Cyber Security Alliance, Data Privacy Day began in the United States and Canada in January 2008, an extension of the Data Protection Day celebration in Europe. Don’t … Continue Reading
Physician practices and other health care providers respond to numerous requests for confidential patient information from patients and others. Mistakes made by employees fulfilling such requests for medical records or making similar disclosures can expose the practice to civil litigation. A recent decision by the Connecticut Supreme Court (Byrne v. Avery Center for Obstetrics and … Continue Reading
In Minnesota, 97% of the 25,226 allegations of elder abuse (neglect, physical abuse, unexplained serious injuries and thefts) in state-licensed senior facilities in 2016 were never investigated. This prompted Minnesota Governor, Mark Dayton, to announce plans last week to form a task force to find out why. As one might expect, Minnesota is not … Continue Reading
A recent report indicates that nearly 500,000 individual health records were breached in September 2017. This figure is taken from the 39 healthcare data breaches involving more than 500 records that were reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Healthcare providers suffered the most breaches with … Continue Reading
We are proud to once again announce that the Workplace Privacy Report has been nominated for The Expert Institute’s Best Legal Blog Competition. From a field of thousands of nominees, the Workplace Privacy Report has received enough nominations to join one of the largest competitions for legal blog writing online today. If you enjoy the Workplace … Continue Reading
Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office of Civil Rights has launched a revised web tool … Continue Reading
The effects of hurricanes like Harvey and the approaching Irma should be a reminder to all businesses of the importance of disaster recovery planning. When a storm approaches, a business’s first concern is how to protect its employees and physical property. However, we shouldn’t forget that a natural disaster can also destroy a business’s information and technology … Continue Reading
Data breach “horror” stories have become a new staple in today’s business environment. The frequency of attacks which threaten (or compromise) the security of business networks and information systems continually increases — in the health care space alone (which holds the dubious honor of Most Likely To Be Attacked), a FBI and HHS’ Office for … Continue Reading
Protecting data in the healthcare industry continues to be an area of focus for regulators and lawmakers. HIPAA Journal noted that in 2016 more HIPAA covered entities reported breaches than in any other year since the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights started publishing breach summaries on its “Wall … Continue Reading
Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000. OCR recently announced a resolution agreement (pdf) with … Continue Reading
The Department of Health and Human Services Office of Civil Rights (“OCR”) fined a Texas hospital $3.2 million for its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. Children’s Medical Center of Dallas filed breach reports with OCR in 2010 and … Continue Reading
In honor of Data Privacy Day, we provide the following “Top 10 for 2017.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017. 1. Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal … Continue Reading
Last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance for HIPAA covered entities and business associates that use or want to use cloud computing services involving protected health information (PHI). Covered entities and business associates seeking cloud services often have many concerns regarding HIPAA compliance, and this guidance … Continue Reading
Likely because most victims comply with their demands, the incidence of attacks by ransomware hackers has exploded in 2016. Guidance issued by the U.S. Department of Health and Human Services (“HHS”) in July notes that, on average, there have been 4,000 reported ransomware attacks per day thus far in 2016, far exceeding the average of … Continue Reading
The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office of Civil Rights’ (OCR) focus has been on the 500 and over bucket. But … Continue Reading
For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but just after a period “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months … Continue Reading
Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business … Continue Reading
In the face of seemingly daily news reports of company data breaches and the mounting legislative concern and efforts on both the state and federal level to enact laws safeguarding personal information maintained by companies, employers should be questioning whether they should implement privacy policies to address the protection of personal information they maintain on … Continue Reading
