Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: HIPAA/HITECH

Clinically Integrated Networks: Privacy and Security Concerns with Sharing Data

Posted in HIPAA/HITECH, Medical Privacy
The Centers for Medicare & Medicaid Services (CMS) is changing reimbursement methodologies for healthcare providers from a fee-for-service model to a value-based model. Healthcare providers are responding to the changing environment with the development of clinically integrated networks (CINs) and accountable care organizations (ACOs). The primary purposes of CIN/ACOs are to collaborate with other healthcare…

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

Posted in Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Security, Infrastructure, Retail Industry
There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation…

Deeper Dive: Healthcare Incidents Involving More Than 500 Individuals Are Investigated 100 Percent of the Time

Posted in HIPAA/HITECH, Incident Response, Medical Privacy
We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. The report confirms the prevalence of healthcare data breaches stemming from the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act…

FAQs by Employers Regarding the Anthem Breach

Posted in Data Breaches, HIPAA/HITECH, Medical Privacy, Workplace Privacy
Do we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan…

OCR Updates Breach Report Web Portal — Changes Could Impact Annual Breach Reports

Posted in HIPAA/HITECH, Medical Privacy
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014…

Malware Incident at Mental Health Nonprofit Leads to $150K Settlement with OCR

Posted in HIPAA/HITECH, Medical Privacy
As cyberattacks targeting the healthcare industry continue to escalate, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published its first-ever resolution agreement stemming from an incident involving malware, highlighting the importance of reviewing systems for unpatched and unsupported software that can leave patient information susceptible to malware and other…

Pharmacists and Health Professionals Beware: Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Resulting From HIPAA Violation

Posted in HIPAA/HITECH, Medical Privacy
As previously reported, an Indiana jury awarded $1.44 million to a Walgreens customer based on allegations that the customer’s pharmacist accessed, reviewed and shared the customer’s prescription history with others who then used the information to intimidate and harass the customer. The facts of the case involved a love triangle between the pharmacist, her husband…

Connecticut Supreme Court Recognizes Right to Sue for Negligence Using HIPAA as Standard of Care

Posted in HIPAA/HITECH, Medical Privacy
In a decision released November 11, 2014, the Connecticut Supreme Court reversed the judgment of the trial court and held for the first time in Connecticut that (1) HIPAA does not preempt state common law claims for negligence or negligent infliction of emotional distress, and (2) HIPAA may provide the applicable standard of care. The…

HHS Provides Guidance on HIPAA Privacy in Emergency Situations Such as Ebola

Posted in Cybersecurity, HIPAA/HITECH, Medical Privacy
Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services. In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act…

Company Claims “HIPAA Has No Teeth”, Will Start Notifying Affected Individuals of Security Breaches and Vulnerabilities that Have Not Been Disclosed by Organizations

Posted in Data Breaches, HIPAA/HITECH, Medical Privacy
A company named SLC Security, LLC (“SLC”), recently announced that it will begin notifying individuals if it believes it has identified a security breach or vulnerability of a company and it has not received a satisfactory response from the company to which it reported the issue. On SLC’s blog, it claims it is providing “awareness…

California Extends Deadline for Reporting Breaches to the CDPH from 5 to 15 Business Days

Posted in Data Breach Notification Laws, HIPAA/HITECH, Medical Privacy
On September 18, 2014, California Governor, Jerry Brown, signed Assembly Bill 1755 (“AB1755”) into law, amending breach notification provisions in the California Health and Safety Code applicable to licensed clinics, health facilities, home health agencies, and hospices. Under existing law, certain health care entities licensed by the California Department of Public Health (“CDPH”), including hospitals…

Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

Posted in Enforcement, HIPAA/HITECH, Medical Privacy
While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form. To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution…

HHS Attorney: Major HIPAA Fines and Enforcement Coming

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Information Security, Medical Privacy
As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR. But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief…

FTC Workshop Addresses New Data Privacy Issues Concerning Consumer Generated Health Data

Posted in HIPAA/HITECH, Medical Privacy
On May 7, 2014, the FTC hosted the latest seminar in their Spring Privacy Series to address the status of Consumer Generated and Controlled Health Data and relate results of recent FTC studies on the topic. Consumers are embracing new technologies, particularly in the fitness domain, and are generating vast amounts of “health data” both…

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
On May 7, 2014, HHS OCR announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million dollars—the highest settlement amount to date. These resolution agreements make it clear that organizations must be able to propose steps to analyze security risks for ePHI as specified by HIPAA…

ONC’s Security Risk Assessment Tool Is Useful but Could Be Improved

The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28. According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare practices “evaluate risks, vulnerabilities, and adherence to the HIPAA Security Rule.” User…

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

Posted in Enforcement, HIPAA/HITECH, Medical Privacy
To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals. HITECH…

Governing Big Data

Posted in Cybersecurity, HIPAA/HITECH, Information Governance, Information Security, Medical Privacy
Sources and volumes of data are growing exponentially. Website clicks, social media, sensors, and card swipers are generating massive amounts of data every second. More and more enterprises are beginning to collect and utilize this Big Data for all kinds of purposes, including improved business intelligence, targeted marketing and fraud detection. With so much attention…

OCR Settles Potential HIPAA Violations with County Government for $215,000

Posted in Breach Notification, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient…

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Posted in Data Breaches, HIPAA/HITECH, International Privacy Law, Medical Privacy
Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries. The breach incident occurred in September 2013 when Triple-S mailed to…

Some Things Better Left Unshared: Social Media and Medical Identity Theft

Posted in Data Breaches, HIPAA/HITECH, Identity Theft, Medical Privacy, Social Media
The Washington Post recently published an article reminding individuals not to tweet or otherwise share information concerning their medical conditions on social media, warning that disclosing such information publicly “is akin to posting your address along with the dates you’ll be away on vacation.” Quoting Jennifer Trussell, who investigates medical identity theft on behalf of…

NICS and HIPAA: Where Mental Health Privacy and Gun Control Overlap; HHS Releases Notice of Proposed Rulemaking

Posted in Federal Legislation, HIPAA/HITECH, Medical Privacy
On January 7, 2014, the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) for the purpose of modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities…