Tag Archives: HIPAA

Vermont Court Finds Patient Can Sue Hospital and an Employee for Breach of Confidentiality

In a landmark ruling, the Vermont Supreme Court recently held that a patient had standing to sue both the hospital at which she was a patient and the employee who attended to her, for negligent disclosure of her personal health information to a third-party. Neither the Health Insurance Portability and Accountability Act (HIPAA) nor Vermont … Continue Reading

EMR Provider Settles OCR Allegations for $100,000; Is Your EMR provider HIPAA compliant?

Many health care providers, including small and medium-sized physician practices, rely on a number of third party service providers to serve their patients and run their businesses. Perhaps the most important of these is a practice’s electronic medical record (EMR) provider, which manages and stores patient protected health information. EMR providers generally are business associates … Continue Reading

HIPAA Penalties Change Under HHS Notice of Enforcement Discretion

When the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 became law, it made significant changes to the civil monetary penalties for violations of HIPAA. In addition to increasing the amounts of the penalties, HITECH created a tiered approach to penalties, establishing four categories based on levels of culpability. In addition, … Continue Reading

Small Michigan Medical Practice To Close Following Ransomware Attack

Small and midsized enterprises (SMEs) continue to be targeted by ransomware, phishing and other cyberattacks; the consequences of which could be devastating. Those consequences include putting SMEs out of business, which is unfortunately the case for one small medical practice in Battle Creek, Michigan, as reported by HIPAAJournal. The reality is that the effects of these attacks … Continue Reading

NIST Publishes Guide to Secure an Organization’s Mobile Devices

Just last month, the National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), published guidance for public and private companies to protect mobile devices and help prevent data breaches. The publication, titled “Mobile Device Security: Cloud and Hybrid Build,” is a how to guide for companies to … Continue Reading

A Trio of OCR HIPAA Breach Resolutions: Is Your Organization HIPAA Compliant?

Over the past thirty days, the Office for Civil Rights (“OCR”) has reached three HIPAA breach resolutions, signaling to organizations that are covered entities and business associates under HIPAA, the importance of instituting basic best practices for data breach prevention and response. On November 26th, the OCR announced a settlement with Allergy Associations of Hartford, … Continue Reading

ONC and OCR Update HIPAA Security Risk Assessment Tool for National Cyber Security Awareness Month

October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with … Continue Reading

California Consumer Privacy Act Amendment Signed Into Law

On September 23, 2018, Governor Jerry Brown signed into law SB-1121 amending certain provisions of the California Consumer Privacy Act of 2018 (CCPA) which was enacted in June of this year. As we reported previously, CCPA will apply to any entity that does business in the State of California and satisfies one or more of … Continue Reading

Health Apps: Convenience vs. Security Risks

The pace of innovation in healthcare today has produced an amazing increase in the number of available mobile apps for health-related information. More than 300,000 healthcare apps are available online. These apps are developed and designed to fit within the “connected health model” which attempts to provide flexible and efficient healthcare services by using connected … Continue Reading

Massachusetts Enacts Law Providing Greater Privacy of Health Insurance Information

Health insurance carriers often provide explanation of benefits (EOB) summaries to the policyholder specifying the type and cost of health care services received by dependents covered by the policy. EOBs often disclose sensitive information regarding the mental or physical health condition of adult dependents. Massachusetts has now enacted a law, an act to protect access … Continue Reading

Cost-Benefit Analysis 101 for Healthcare Providers

Nary a week goes by without news of a data breach by a healthcare provider…while there are certainly a good number of breaches resulting from a breach of cybersecurity defenses or from the wrongful exploitation of system security weaknesses, there is still a risk to healthcare providers resulting from the internal operations of the healthcare … Continue Reading

Connecticut Supreme Court: Health Care Providers Can Be Sued for Unauthorized Disclosures of Confidential Information

Physician practices and other health care providers respond to numerous requests for confidential patient information from patients and others. Mistakes made by employees fulfilling such requests for medical records or making similar disclosures can expose the practice to civil litigation. A recent decision by the Connecticut Supreme Court (Byrne v. Avery Center for Obstetrics and … Continue Reading

Lessons To Be Learned From The Breach Of Nearly 500,000 Individual Health Records Reported In September 2017

A recent report indicates that nearly 500,000 individual health records were breached in September 2017. This figure is taken from the 39 healthcare data breaches involving more than 500 records that were reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017.  Healthcare providers suffered the most breaches with … Continue Reading

New York AG Announces SHIELD Act

On November 2nd, New York Attorney General Eric T. Schneiderman announced his proposal of the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information. “It’s clear that New York’s … Continue Reading

Enhanced HHS HIPAA Breach Reporting Tool May Aid Health Care Industry Data Security Efforts

Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office of Civil Rights has launched a revised web tool … Continue Reading

An Ounce of Data Breach Prevention…Address Attorney-Client Privilege in Your Breach Planning

Data breach “horror” stories have become a new staple in today’s business environment. The frequency of attacks which threaten (or compromise) the security of business networks and information systems continually increases — in the health care space alone (which holds the dubious honor of Most Likely To Be Attacked), a FBI and HHS’ Office for … Continue Reading

Public-Private Partnerships Could Bolster Healthcare Cybersecurity Efforts

Protecting data in the healthcare industry continues to be an area of focus for regulators and lawmakers. HIPAA Journal noted that in 2016 more HIPAA covered entities reported breaches than in any other year since the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights started publishing breach summaries on its “Wall … Continue Reading

Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000. OCR recently announced a resolution agreement (pdf) with … Continue Reading

$3.2M Fine for Failure to Protect Electronic Records

The Department of Health and Human Services Office of Civil Rights (“OCR”) fined a Texas hospital $3.2 million for its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. Children’s Medical Center of Dallas filed breach reports with OCR in 2010 and … Continue Reading

Smaller HIPAA Breaches To Get More Attention by Office for Civil Rights

The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office of Civil Rights’ (OCR) focus has been on the 500 and over bucket. But … Continue Reading

HIPAA and $15 Million in 2016

For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but just after a period “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months … Continue Reading

The Inexplicit Requirement and Definitive Necessity for Employers to Implement Privacy Policies

In the face of seemingly daily news reports of company data breaches and the mounting legislative concern and efforts on both the state and federal level to enact laws safeguarding personal information maintained by companies, employers should be questioning whether they should implement privacy policies to address the protection of personal information they maintain on … Continue Reading

Top 10 for 2016 – Happy Data Privacy Day

In honor of Data Privacy Day, we provide the following “Top 10 for 2016.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2016. EU/U.S. Data Transfer (status of Safe Harbor).  On October 6, 2015, the Court of Justice of the European Union (CJEU) ruled … Continue Reading
LexBlog