HealtHITech Law HIPAA, HITECH and Beyond

Tag Archives: HIPAA

Reminder: Report 2016 HIPAA Breaches By March 1, 2017

Posted in Breach

Covered entities which experienced a HIPAA breach in calendar year 2016 are required to report all such breaches affecting fewer than 500 individuals to OCR by Wednesday, March 1, 2017. The reports must be submitted via OCR’s online portal, available here. This yearly reporting obligation is in addition to the requirement to report large breaches — those… Continue Reading

OCR Guidance Clarifies Disclosures to Patient Spouses, Relatives, Friends

Posted in Permitted Disclosures, Personal Representative

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently provided guidance for healthcare professionals concerning disclosures of protected health information (PHI) under the HIPAA Privacy Rule (the Privacy Rule) to patient spouses, relatives, and friends. Under the Privacy Rule, a covered entity may “share [PHI] with an individual’s family member, other… Continue Reading

SAMHSA Finalizes Changes to Confidentiality of Substance Use Disorder Patient Records Rule

Posted in Behavioral Health

For the first time in nearly thirty years, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) has updated the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 C.F.R. Part 2). On January 18, 2017, SAMHSA published the Final Rule amending 42 C.F.R. Part 2. The changes were set to be effective February… Continue Reading

Untimely Breach Notification Leads to Significant HIPAA Settlement

Posted in Breach, Enforcement

The U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently announced its first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (“PHI”). Chicago-based Presence Health System (“Presence Health”) agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000.00 and implementing a… Continue Reading

HIPAA Disclosures for Public Health Activities

Posted in Public Health

Federal health information regulators recently clarified that HIPAA permits certain uses and disclosures for public health activities without patient authorization. A fact sheet released December 20 by the Health and Human Services Office for Civil Rights and the Office of the National Coordinator for Health Information Technology explains a number of hypothetical scenarios in which… Continue Reading

OCR Alert: Phishing Email Disguised as Official OCR Audit Communication

Posted in OCR Audits

On November 28, 2016, the Office for Civil Rights (OCR) issued an alert to providers and business associates monitoring their email for OCR audit communications. According to OCR, a phishing email disguised as an official communication from the Department of Health and Human Services (HHS) and claiming to be signed by OCR’s director Jocelyn Samuels… Continue Reading

HIPAA Breach Reports Trigger Investigations, Significant Settlements

Posted in Breach, Business Associate, Enforcement

The Office for Civil Rights (OCR) has announced two more significant HIPAA settlements involving covered entities. Both settlements were the result of investigations triggered by breach reports involving laptop thefts. And as is often the case, the investigations uncovered numerous HIPAA compliance issues above and beyond those which led to the breach. North Memorial Health Care… Continue Reading

Phase 2 of HIPAA Audits Set to Begin

Posted in OCR Audits

On Monday, the Office for Civil Rights (OCR) announced the long-awaited launch of Phase 2 of its HIPAA Audit Program.  OCR is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to establish a permanent compliance audit program for HIPAA covered entities and their business associates. OCR completed the first phase of testing for the… Continue Reading

Reminder: Deadline for Reporting 2015 HIPAA Breaches Fast Approaching

Posted in Breach

Covered entities which experienced a HIPAA breach in calendar year 2015 are required to report all such breaches affecting fewer than 500 individuals to OCR by Monday, February 29, 2016. The reports must be submitted via OCR’s online portal, available here. This yearly reporting obligation is in addition to the requirement to report large breaches — those… Continue Reading

Software Vendor Misrepresented HIPAA Encryption Capabilities

Posted in Electronic Health Record, Enforcement, Software

The Federal Trade Commission (“FTC”) recently announced a settlement with Henry Schein Practice Solutions, Inc., a dental practice software provider, concluding an investigation into claims that Henry Schein misled customers about the encryption capabilities of its software. According to the FTC, Henry Schein advertised its Dentrix G5 software as meeting industry encryption standards despite the fact… Continue Reading

OCR Enforcement Results In Three HIPAA Settlements

Posted in Breach, Enforcement, OCR Audits

Many thanks to our colleagues Jonathan Ishee and Shannon Majoras for authoring this post. Recently the Department of Health and Human Services Office for Civil Rights (OCR) announced three settlements to resolve investigations into potential violations of the Health Insurance Portability and Accountability Act (HIPAA). OCR reached settlements with two academic medical centers, the Lahey… Continue Reading

Largest HIPAA Settlement Announced by HHS

Posted in Breach, Enforcement

Many thanks once again to our colleague, Robin Canowitz, for authoring this post. In the largest HIPAA settlement yet to be announced, two New York organizations have agreed to pay $4.8 million to settle allegations that they failed to secure the electronic health information (ePHI) of thousands of their patients.  New York Presbyterian Hospital (NYP) and… Continue Reading

HHS HIPAA Security Risk Assessment Tool Now Available

Posted in Security

Many thanks once again to our colleague, Sylvia Brown, for her assistance in authoring this post. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), recently released a security risk assessment tool (SRA Tool) to assist entities… Continue Reading

OCR TO BEGIN SECOND ROUND OF HIPAA AUDITS

Posted in Enforcement, OCR Audits

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has announced that it is gearing up for its second round of HIPAA compliance audits later this year.  The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act and is intended to assess compliance with the HIPAA Privacy, Security,… Continue Reading

New HHS Guidance on HIPAA Privacy Rule and Sharing Mental Health Information

Posted in Access Rights, Behavioral Health

Many thanks to our colleague Robin Canowitz for assisting us in drafting this post. The U.S. Department of Health & Human Services (“HHS”) issued new guidance regarding the HIPAA Privacy Rule and its relationship to mental health information disclosures (“Guidance”).  The Guidance addresses when providers may appropriately share the protected health information (“PHI”) of their mental health… Continue Reading

New Access Rights to Lab Test Reports

Posted in Access Rights, Rulemaking

In an effort to further eliminate barriers to the exchange of health information and encourage a more active patient role in personal health care decisions, federal regulators have once again expanded HIPAA patient rights provisions.  Last week, the U.S. Department of Health & Human Services Centers for Medicare & Medicaid Services (“CMS”), Centers for Disease Control and Prevention… Continue Reading

Dermatology Practice Hit With $150,000 HIPAA Penalty

Posted in Breach, Enforcement

2013 ended like it started – with OCR actively monitoring and enforcing health care provider HIPAA compliance.  On December 26, 2013, OCR imposed a $150,000 penalty and a corrective action plan upon a Massachusetts dermatology physician practice arising out of a self-reported HIPAA breach.   See Resolution Agreement. In October 2011, Adult & Pediatric Dermatology, P.C. of… Continue Reading

OIG Report Criticizes HIPAA Oversight

Posted in OCR Audits, Security

The HHS Office of Civil Rights (“OCR”) has failed to comply with the HITECH Act’s mandate to audit HIPAA covered entities and business associates, according to a recent report published by the HHS Office of Inspector General (“OIG”). The OIG said that OCR “had not assessed the risks, established priorities, or implemented controls for its HITECH requirement… Continue Reading

Employee Sentenced to 3 Years for Violating HIPAA

Posted in Enforcement

A nursing assistant at a Florida assisted living facility was sentenced last week to 37 months in prison for violating HIPAA’s prohibition on the wrongful disclosure of patient health information.  The employee negotiated the sale of Social Security numbers with an undercover Tampa police detective.  According to the criminal complaint, the employee obtained information from the assisted… Continue Reading

HIPAA Security Risk Analysis: Fact or Fiction?

Posted in Meaningful Use, Security

Leading up to the recent compliance date for the Final HIPAA Rule, much was made about the need for providers to perform a security risk analysis.  Quite a bit of dialogue around the increased security compliance obligations centered on the security risk analysis as a foundational requirement of HIPAA.   Although this is not a new requirement, heightened… Continue Reading