HealtHITechLaw HIPAA, HITECH and Beyond

Tag Archives: HITECH

Largest HIPAA Settlement Announced by HHS

Posted in Breach, Enforcement

Many thanks once again to our colleague, Robin Canowitz, for authoring this post. In the largest HIPAA settlement yet to be announced, two New York organizations have agreed to pay $4.8 million to settle allegations that they failed to secure the electronic health information (ePHI) of thousands of their patients.  New York Presbyterian Hospital (NYP) and… Continue Reading

OIG Report Criticizes HIPAA Oversight

Posted in OCR Audits, Security

The HHS Office of Civil Rights (“OCR”) has failed to comply with the HITECH Act’s mandate to audit HIPAA covered entities and business associates, according to a recent report published by the HHS Office of Inspector General (“OIG”). The OIG said that OCR “had not assessed the risks, established priorities, or implemented controls for its HITECH requirement… Continue Reading

Employee Sentenced to 3 Years for Violating HIPAA

Posted in Enforcement

A nursing assistant at a Florida assisted living facility was sentenced last week to 37 months in prison for violating HIPAA’s prohibition on the wrongful disclosure of patient health information.  The employee negotiated the sale of Social Security numbers with an undercover Tampa police detective.  According to the criminal complaint, the employee obtained information from the assisted… Continue Reading

HIPAA Security Risk Analysis: Fact or Fiction?

Posted in Meaningful Use, Security

Leading up to the recent compliance date for the Final HIPAA Rule, much was made about the need for providers to perform a security risk analysis.  Quite a bit of dialogue around the increased security compliance obligations centered on the security risk analysis as a foundational requirement of HIPAA.   Although this is not a new requirement, heightened… Continue Reading

The Photocopier: A Vulnerability Hidden in Plain Sight

Posted in Breach, Enforcement

The U.S. Department of Health and Human Services (“HHS”) announced last week that Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for more than $1.2 Million because it failed to wipe the hard drives when it returned leased photocopiers. This settlement is the most recent in a long… Continue Reading

Who Are My Business Associates, and Why the HIPAA Should I Care?

Posted in Rulemaking

Much has been made about business associates in HITECH and the HIPAA Final Omnibus Rule.  In a previous post and in our webinar we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to their business associates.  Indeed, not only do… Continue Reading

The Final Omnibus HIPAA Rule: Are You Ready?

Posted in Enforcement, Rulemaking

As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules.  For those entities that have already taken steps following the release of the HITECH interim rules, the… Continue Reading

HIPAA Final Rule Clarifies Business Associate Obligations

Posted in Rulemaking

Business Associates:  You’re on notice. When the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted nearly four years ago, business associates were aware that HIPAA compliance was going to be required of them – they were just not sure of the extent.  Historically, business associates have been required to comply with… Continue Reading

HHS Previews Long-Awaited Final Omnibus HIPAA Rule

Posted in Rulemaking

On January 17, 2013, HHS announced the release of the long-awaited final omnibus HIPAA rule.  According to HHS Office for Civil Rights Director Leon Rodriguez, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.  These changes not only greatly enhance a patient’s privacy… Continue Reading

OCR Settles with Hospice of Northern Idaho for $50,000.00

Posted in Enforcement

OCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance.  On December 28, 2012, HHS announced that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.  This is the… Continue Reading

Additional Costs of Breach: Identity Theft Class Action Moves Forward

Posted in Litigation, Uncategorized

The costs of HIPAA breaches are well-documented.  Thefts of laptops containing sensitive health information of patients impose significant costs on providers and their business associates, ranging from preliminary investigations to mail notification of all patients impacted, to say nothing of the reputational harm inflicted by the mandatory self-reporting to CMS’s public wall of shame.  If these costs… Continue Reading

HITECH Meaningful Use: Optimization and Expansion

Posted in Behavioral Health, Legislation, Meaningful Use

The Health Information Technology for Economic and Clinical Health Act (“HITECH”) made available an estimated $27 billion in federal incentive payments to medical professionals and hospitals when they adopt certified Electronic Health Records (“EHRs”) and demonstrate meaningful use of the EHRs.  Eligible Professionals (“EPs”) can receive as much as $44,000 through Medicare, or as much… Continue Reading

Alaska Medicaid Pays $1.7 Million to Settle HIPAA Violations

Posted in Enforcement

Last week, the Alaska Department of Health and Human Services (“Alaska DHHS”), the state’s Medicaid agency, agreed to pay U.S. Health and Human Services $1.7 million to settle alleged violations of the HIPAA Security Rule.  The HIPAA Security Rule protects health information in electronic form by requiring covered entities to use physical, technical, and administrative… Continue Reading

OCR Presents Preliminary HIPAA Audit Findings

Posted in Enforcement

OCR’s Audit Program, which began in December 2011, is part of HHS’ efforts under HITECH to assess HIPAA compliance by covered entities, identify best practices, and discover risks and vulnerabilities in protecting the privacy and security of PHI which may not have come to light through OCR’s complaint investigation and compliance reviews. OCR has repeatedly stated that… Continue Reading

OCR EDUCATES CONSUMERS REGARDING HIPAA RIGHT OF ACCESS

Posted in Enforcement

Health care providers and health plans should expect an increase in patient requests for their own health care information as OCR continues to emphasize the HIPAA right of access. On May 31, 2012, Leon Rodriguez, Director of OCR, issued a memorandum regarding patients’ fundamental right to access their own health care information.  See  hhs.gov/ocr/privacy/hipaa/understanding/consumers/righttoaccessmemo.pdf.  Director Rodriguez,… Continue Reading

HIPAA/HITECH Final Rules Received by OMB

Posted in Rulemaking

Finally.  The Office of Management and Budget (“OMB”) has received the long-awaited Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.  The estimated timeframe is approximately 90 days for OMB to undertake its review.  We hope to have the final rules by the end of June.

Blue Cross Blue Shield Settles HIPAA Violation With HHS for $1.5 Million

Posted in Enforcement

On March 13, 2012, HHS announced that Blue Cross Blue Shield of Tennessee (“BCBST”) has agreed to pay it $1.5 million to settle  potential HIPAA violations arising from the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee.  This settlement is significant because it is OCR’s first enforcement action arising out… Continue Reading

CMS Announces Proposed Stage 2 Meaningful Use Requirements

Posted in Rulemaking

On Thursday, February 23, 2012, CMS announced the proposed Stage 2 requirements for the Medicare and Medicaid Electronic Health Record (“EHR”) Incentive Programs.  See Notice of Proposed Rulemaking, Federal Register.  Under HITECH, eligible health care professionals (“EPs”), eligible hospitals and Critical Access Hospitals (collectively “hospitals”) can qualify for Medicare and Medicaid incentive payments when they… Continue Reading

Proposed 2013 Budget Will Decrease Funding for OCR HIPAA Enforcement

Posted in Enforcement

The President’s fiscal year 2013 budget proposes to decrease funding for the Department of Health and Human Services Office of Civil Rights (“OCR”) by $2 million.  The estimated budget allocates $39 million to the agency charged with HIPAA enforcement, down from an estimated $41 million in fiscal 2012.  In light of OCR’s enhanced enforcement capabilities… Continue Reading

FINAL HITECH RULES IMMINENT: ARE YOU READY?

Posted in Rulemaking

The Office of Civil Rights has set a March 2012 target date for release of the long-awaited final HITECH rules.  These rules amend HIPAA’s privacy and security regulations, and put real teeth into the government’s HIPAA enforcement efforts as they relate to non-compliance by health care providers (as well as other covered entities) and their… Continue Reading