Join us for a complimentary webinar to further discuss the release of the final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules. Tuesday, May 21, 2013 Noon – 12:30 p.m. (Eastern Time) Analysis of unauthorized access, use, or… Continue Reading
Tag Archives: HIPAA
EMR Privacy Issues Unique to Children
Posted in Behavioral Health, Children, Electronic Health RecordMany thanks to our colleague, Robin Canowitz, for submitting the following guest post. Implementing an Electronic Medical Record (“EMR”) brings many clinical and economic benefits to an institution. These benefits, however, are accompanied a variety of unique HIPAA and other privacy challenges. Questions often arise regarding who should have access to records, how to limit access… Continue Reading
HIPAA Webinar: Updates to The Privacy Rule
Posted in Rulemaking, WebinarPlease join us this Tuesday, March 19, 2013 for a complimentary webinar to further discuss the release of the Final Omnibus HIPAA Rule by the U.S. Department of Health and Human Services. This is the first in a three-part miniseries following last month’s webinar, where we focused generally on the sweeping changes to the HIPAA Privacy… Continue Reading
Who Are My Business Associates, and Why the HIPAA Should I Care?
Posted in RulemakingMuch has been made about business associates in HITECH and the HIPAA Final Omnibus Rule. In a previous post and in our webinar we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to their business associates. Indeed, not only do… Continue Reading
The Final Omnibus HIPAA Rule: Are You Ready?
Posted in Enforcement, RulemakingAs we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules. For those entities that have already taken steps following the release of the HITECH interim rules, the… Continue Reading
HIPAA Final Rule Clarifies Business Associate Obligations
Posted in RulemakingBusiness Associates: You’re on notice. When the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted nearly four years ago, business associates were aware that HIPAA compliance was going to be required of them – they were just not sure of the extent. Historically, business associates have been required to comply with… Continue Reading
OCR Settles with Hospice of Northern Idaho for $50,000.00
Posted in EnforcementOCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance. On December 28, 2012, HHS announced that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule. This is the… Continue Reading
Additional Costs of Breach: Identity Theft Class Action Moves Forward
Posted in Litigation, UncategorizedThe costs of HIPAA breaches are well-documented. Thefts of laptops containing sensitive health information of patients impose significant costs on providers and their business associates, ranging from preliminary investigations to mail notification of all patients impacted, to say nothing of the reputational harm inflicted by the mandatory self-reporting to CMS’s public wall of shame. If these costs… Continue Reading
Final Omnibus HIPAA Rule Delayed
Posted in RulemakingStill waiting. The White House Ofice of Management and Budget (“OMB”) has extended its review of the final omnibus HIPAA rule, validating recent comments indicating that further delay was likely. As we reported back in March, the Department of Health and Human Services Office for Civil Rigths submitted the final omnibus rule for review by OMB,… Continue Reading
Alaska Medicaid Pays $1.7 Million to Settle HIPAA Violations
Posted in EnforcementLast week, the Alaska Department of Health and Human Services (“Alaska DHHS”), the state’s Medicaid agency, agreed to pay U.S. Health and Human Services $1.7 million to settle alleged violations of the HIPAA Security Rule. The HIPAA Security Rule protects health information in electronic form by requiring covered entities to use physical, technical, and administrative… Continue Reading
OCR Presents Preliminary HIPAA Audit Findings
Posted in EnforcementOCR’s Audit Program, which began in December 2011, is part of HHS’ efforts under HITECH to assess HIPAA compliance by covered entities, identify best practices, and discover risks and vulnerabilities in protecting the privacy and security of PHI which may not have come to light through OCR’s complaint investigation and compliance reviews. OCR has repeatedly stated that… Continue Reading
HIPAA Final Rule Status Update
Posted in RulemakingWe reported a few months back that the end of June was the anticipated timeframe for the issuance of the final HIPAA rule. Recent comments from federal officials indicate that this might be a bit optimistic. At the annual Safeguarding Health Information: Building Assurance through HIPAA Security conference, the Department of Health and Human Services Office for… Continue Reading
OCR RELEASES STATE ATTORNEYS GENERAL HIPAA TRAINING MATERIALS
Posted in EnforcementWith the enactment of HITECH in 2009, State Attorneys General became a player in the HIPAA enforcement game. Section 13410(e) of HITECH permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules. In 2011, the Office for Civil Rights (OCR) developed… Continue Reading
OCR EDUCATES CONSUMERS REGARDING HIPAA RIGHT OF ACCESS
Posted in EnforcementHealth care providers and health plans should expect an increase in patient requests for their own health care information as OCR continues to emphasize the HIPAA right of access. On May 31, 2012, Leon Rodriguez, Director of OCR, issued a memorandum regarding patients’ fundamental right to access their own health care information. See hhs.gov/ocr/privacy/hipaa/understanding/consumers/righttoaccessmemo.pdf. Director Rodriguez,… Continue Reading
HIPAA Criminal Liability May Be Significant
Posted in EnforcementA recent decision serves as a reminder that violations of HIPAA may trigger criminal liability. The Ninth Circuit Court of Appeals held that a former hospital employee is subject to HIPAA’s criminal penalties for the unauthorized access to patient records after he was terminated. The former employee was sentenced to four months in prison, followed… Continue Reading
HIPAA Enforcement Targets Small Physician Practice
Posted in EnforcementA 5-physician practice in Phoenix was the target of HHS Office of Civil Right’s (“OCR”) most recent enforcement action. The practice agreed to pay HHS a resolution amount of $100,000, as well as enter into a Corrective Action Plan, for its fialure to comply the most fundamental of HIPAA requirements. As I discussed at the… Continue Reading
HIPAA/HITECH Final Rules Received by OMB
Posted in RulemakingFinally. The Office of Management and Budget (“OMB”) has received the long-awaited Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. The estimated timeframe is approximately 90 days for OMB to undertake its review. We hope to have the final rules by the end of June.
Blue Cross Blue Shield Settles HIPAA Violation With HHS for $1.5 Million
Posted in EnforcementOn March 13, 2012, HHS announced that Blue Cross Blue Shield of Tennessee (“BCBST”) has agreed to pay it $1.5 million to settle potential HIPAA violations arising from the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee. This settlement is significant because it is OCR’s first enforcement action arising out… Continue Reading
Additional Liabilities From Breach May Be Significant
Posted in LitigationLiability from a breach of health information may be much more significant than the costs of notifying the affected individuals. Although there is no private right of action under HIPAA, private litigants have been attempting to devise theories which would support recovery of damages for violations of HIPAA. A recently amended complaint alleges that victims… Continue Reading
HIPAA Business Associate Becomes Target of State AG Enforcement
Posted in Business Associate, EnforcementA recent complaint filed by the Minnesota State Attorney General against a HIPAA business associate seeks to recover statutory damages for multiple alleged violations of the HIPAA Security Rule. Following last year’s HHS OCR enforcement targeting HIPAA covered entities, this latest HIPAA enforcement should place all business associates on notice that enforcement authorities have them… Continue Reading
Proposed 2013 Budget Will Decrease Funding for OCR HIPAA Enforcement
Posted in EnforcementThe President’s fiscal year 2013 budget proposes to decrease funding for the Department of Health and Human Services Office of Civil Rights (“OCR”) by $2 million. The estimated budget allocates $39 million to the agency charged with HIPAA enforcement, down from an estimated $41 million in fiscal 2012. In light of OCR’s enhanced enforcement capabilities… Continue Reading
FINAL HITECH RULES IMMINENT: ARE YOU READY?
Posted in RulemakingThe Office of Civil Rights has set a March 2012 target date for release of the long-awaited final HITECH rules. These rules amend HIPAA’s privacy and security regulations, and put real teeth into the government’s HIPAA enforcement efforts as they relate to non-compliance by health care providers (as well as other covered entities) and their… Continue Reading