Security Rule

The Hidden Legal Minefield: Compliance Concerns with AI Smart Glasses, Part 4: Data Security, Breach Notification, and Third-Party AI Processing Risks

By Joseph J. Lazzarotti on January 16, 2026

Posted in Artificial Intelligence, Data Breach Notification, Governance, Risk, and Compliance, HIPAA, Incident Response Planning, Written Information Security Program

In Part 1, we addressed compliance issues that arise when these wearables collect biometric information.
In Part 2,

…

Health Fitness, OCR’s Risk Analysis Initiative, and the ERISA Fiduciary Duty to Select Plan Service Providers

By Joseph J. Lazzarotti on March 24, 2025

Posted in Cybersecurity, Employee Benefit Plans, HIPAA, Third Party Service Providers

On Friday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the fifth enforcement action under its Risk Analysis Initiative. In this case, OCR reached a settlement with Health Fitness Corporation (Health Fitness), a wellness vendor providing services to employer-sponsored group health plans.

This announcement is interesting for several…

Industry Groups Urge Rescission of Proposed HIPAA Security Rule Updates

By Joseph J. Lazzarotti & Cecilie E. Read on March 6, 2025

Posted in Health Information Technology, HIPAA

In February, a coalition of healthcare organizations sent a letter to President Donald J. Trump and the U.S. Department of Health and Human Services (HHS) (the Letter), urging the immediate rescission of a proposed update to the Security Rule under HIPAA. The update is aimed at strengthening safeguards for securing electronic protected health information.…

OCR Proposed Tighter Security Rules for HIPAA Regulated Entities, including Business Associates and Group Health Plans

By Joseph J. Lazzarotti on January 2, 2025

Posted in Health Information Technology, HIPAA

As the healthcare sector continues to be a top target for cyber criminals, the Office for Civil Rights (OCR) issued proposed updates to the HIPAA Security Rule (scheduled to be published in the Federal Register January 6). It looks like substantial changes are in store for covered entities and business associates alike, including healthcare providers…

Florida Healthcare Provider Faces $1.19M HIPAA Penalty Following Independent Contractor Breach

By Joseph J. Lazzarotti on December 5, 2024

Posted in Data Security, Health Information Technology, HIPAA, Third Party Service Providers

A healthcare provider delivering pain management services in Florida and other states faces a $1.19 million civil monetary penalty from the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The OCR investigation stems from a data breach, but not the type of breach we are used to seeing in…

OCR Reminds Healthcare Providers and Their Business Associates – You Need an Incident Response Plan!

By Joseph J. Lazzarotti on October 31, 2022

Posted in Data Breach Notification, HIPAA, Incident Response Planning

We have been quite busy this October, which happens to be National Cybersecurity Awareness Month. But, we did not want to let the month go by without some recognition; and we are grateful to the HHS Office for Civil Rights (OCR) for this always timely reminder for HIPAA covered entities and business associates – have…

ONC and OCR Update HIPAA Security Risk Assessment Tool for National Cyber Security Awareness Month

By Valerie K. Jackson, Joseph J. Lazzarotti & Jason C. Gavejian on October 30, 2018

Posted in Data Security, Health Information Technology, HIPAA, Information Risk, Uncategorized

October 2018 marks the 15^th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates…

Workplace Privacy, Data Management & Security Report