HealtHITechLaw HIPAA, HITECH and Beyond

Tag Archives: HIPAA

Largest HIPAA Settlement Announced by HHS

Posted in Breach, Enforcement

Many thanks once again to our colleague, Robin Canowitz, for authoring this post. In the largest HIPAA settlement yet to be announced, two New York organizations have agreed to pay $4.8 million to settle allegations that they failed to secure the electronic health information (ePHI) of thousands of their patients.  New York Presbyterian Hospital (NYP) and… Continue Reading

HHS HIPAA Security Risk Assessment Tool Now Available

Posted in Security

Many thanks once again to our colleague, Sylvia Brown, for her assistance in authoring this post. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), recently released a security risk assessment tool (SRA Tool) to assist entities… Continue Reading

OCR TO BEGIN SECOND ROUND OF HIPAA AUDITS

Posted in Enforcement, OCR Audits

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has announced that it is gearing up for its second round of HIPAA compliance audits later this year.  The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act and is intended to assess compliance with the HIPAA Privacy, Security,… Continue Reading

New HHS Guidance on HIPAA Privacy Rule and Sharing Mental Health Information

Posted in Access Rights, Behavioral Health

Many thanks to our colleague Robin Canowitz for assisting us in drafting this post. The U.S. Department of Health & Human Services (“HHS”) issued new guidance regarding the HIPAA Privacy Rule and its relationship to mental health information disclosures (“Guidance”).  The Guidance addresses when providers may appropriately share the protected health information (“PHI”) of their mental health… Continue Reading

New Access Rights to Lab Test Reports

Posted in Access Rights, Rulemaking

In an effort to further eliminate barriers to the exchange of health information and encourage a more active patient role in personal health care decisions, federal regulators have once again expanded HIPAA patient rights provisions.  Last week, the U.S. Department of Health & Human Services Centers for Medicare & Medicaid Services (“CMS”), Centers for Disease Control and Prevention… Continue Reading

Dermatology Practice Hit With $150,000 HIPAA Penalty

Posted in Breach, Enforcement

2013 ended like it started – with OCR actively monitoring and enforcing health care provider HIPAA compliance.  On December 26, 2013, OCR imposed a $150,000 penalty and a corrective action plan upon a Massachusetts dermatology physician practice arising out of a self-reported HIPAA breach.   See Resolution Agreement. In October 2011, Adult & Pediatric Dermatology, P.C. of… Continue Reading

OIG Report Criticizes HIPAA Oversight

Posted in OCR Audits, Security

The HHS Office of Civil Rights (“OCR”) has failed to comply with the HITECH Act’s mandate to audit HIPAA covered entities and business associates, according to a recent report published by the HHS Office of Inspector General (“OIG”). The OIG said that OCR “had not assessed the risks, established priorities, or implemented controls for its HITECH requirement… Continue Reading

Employee Sentenced to 3 Years for Violating HIPAA

Posted in Enforcement

A nursing assistant at a Florida assisted living facility was sentenced last week to 37 months in prison for violating HIPAA’s prohibition on the wrongful disclosure of patient health information.  The employee negotiated the sale of Social Security numbers with an undercover Tampa police detective.  According to the criminal complaint, the employee obtained information from the assisted… Continue Reading

HIPAA Security Risk Analysis: Fact or Fiction?

Posted in Meaningful Use, Security

Leading up to the recent compliance date for the Final HIPAA Rule, much was made about the need for providers to perform a security risk analysis.  Quite a bit of dialogue around the increased security compliance obligations centered on the security risk analysis as a foundational requirement of HIPAA.   Although this is not a new requirement, heightened… Continue Reading

EMR Privacy Issues Unique to Children

Posted in Behavioral Health, Children, Electronic Health Record

Many thanks to our colleague, Robin Canowitz, for submitting the following guest post. Implementing an Electronic Medical Record (“EMR”) brings many clinical and economic benefits to an institution.  These benefits, however, are accompanied by a variety of unique HIPAA and other privacy challenges.  Questions often arise regarding who should have access to records, how to limit access… Continue Reading

HIPAA Webinar: Updates to The Privacy Rule

Posted in Rulemaking, Webinar

Please join us this Tuesday, March 19, 2013 for a complimentary webinar to further discuss the release of the Final Omnibus HIPAA Rule by the U.S. Department of Health and Human Services.  This is the first in a three-part miniseries following last month’s webinar, where we focused generally on the sweeping changes to the HIPAA Privacy… Continue Reading

The Final Omnibus HIPAA Rule: Are You Ready?

Posted in Enforcement, Rulemaking

As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules.  For those entities that have already taken steps following the release of the HITECH interim rules, the… Continue Reading

HIPAA Final Rule Clarifies Business Associate Obligations

Posted in Rulemaking

Business Associates:  You’re on notice. When the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted nearly four years ago, business associates were aware that HIPAA compliance was going to be required of them – they were just not sure of the extent.  Historically, business associates have been required to comply with… Continue Reading

OCR Settles with Hospice of Northern Idaho for $50,000.00

Posted in Enforcement

OCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance.  On December 28, 2012, HHS announced that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.  This is the… Continue Reading

Additional Costs of Breach: Identity Theft Class Action Moves Forward

Posted in Litigation, Uncategorized

The costs of HIPAA breaches are well-documented.  Thefts of laptops containing sensitive health information of patients impose significant costs on providers and their business associates, ranging from preliminary investigations to mail notification of all patients impacted, to say nothing of the reputational harm inflicted by the mandatory self-reporting to CMS’s public wall of shame.  If these costs… Continue Reading

Final Omnibus HIPAA Rule Delayed

Posted in Rulemaking

Still waiting. The White House Office of Management and Budget (“OMB”) has extended its review of the final omnibus HIPAA rule, validating recent comments indicating that further delay was likely.  As we reported back in March, the Department of Health and Human Services Office for Civil Rights submitted the final omnibus rule for review by OMB,… Continue Reading

Alaska Medicaid Pays $1.7 Million to Settle HIPAA Violations

Posted in Enforcement

Last week, the Alaska Department of Health and Human Services (“Alaska DHHS”), the state’s Medicaid agency, agreed to pay U.S. Health and Human Services $1.7 million to settle alleged violations of the HIPAA Security Rule.  The HIPAA Security Rule protects health information in electronic form by requiring covered entities to use physical, technical, and administrative… Continue Reading

OCR Presents Preliminary HIPAA Audit Findings

Posted in Enforcement

OCR’s Audit Program, which began in December 2011, is part of HHS’ efforts under HITECH to assess HIPAA compliance by covered entities, identify best practices, and discover risks and vulnerabilities in protecting the privacy and security of PHI which may not have come to light through OCR’s complaint investigation and compliance reviews. OCR has repeatedly stated that… Continue Reading

HIPAA Final Rule Status Update

Posted in Rulemaking

We reported a few months back that the end of June was the anticipated timeframe for the issuance of the final HIPAA rule.  Recent comments from federal officials indicate that this might be a bit optimistic. At the annual Safeguarding Health Information:  Building Assurance through HIPAA Security conference, the Department of Health and Human Services Office for… Continue Reading