Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: HIPAA/HITECH

ONC’s Security Risk Assessment Tool Is Useful but Could Be Improved

Posted in HIPAA/HITECH, Privacy
The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28.  According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare practices “evaluate risks, vulnerabilities, and adherence to the HIPAA Security Rule.”  User … Continue Reading

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

Posted in Enforcement, HIPAA/HITECH, Medical Privacy
To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals.  HITECH … Continue Reading

Governing Big Data

Posted in Cybersecurity, HIPAA/HITECH, Information Governance, Information Security, Privacy, Uncategorized
Sources and volumes of data are growing exponentially.  Website clicks, social media, sensors, and card swipers are generating massive amounts of data every second.  More and more enterprises are beginning to collect and utilize this Big Data for all kinds of purposes, including improved business intelligence, targeted marketing and fraud detection.  With so much attention … Continue Reading

OCR Settles Potential HIPAA Violations with County Government for $215,000

Posted in Breach Notification, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient … Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Posted in Data Breaches, HIPAA/HITECH, International Privacy Law
Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading

Some Things Better Left Unshared: Social Media and Medical Identity Theft

Posted in Data Breaches, HIPAA/HITECH, Identity Theft, Medical Privacy, Social Media
The Washington Post recently published an article reminding individuals not to tweet or otherwise share information concerning their medical conditions on social media, warning that disclosing such information publicly “is akin to posting your address along with the dates you’ll be away on vacation.”  Quoting Jennifer Trussell, who investigates medical identity theft on behalf of … Continue Reading

NICS and HIPAA: Where Mental Health Privacy and Gun Control Overlap; HHS Releases Notice of Proposed Rulemaking

Posted in Federal Legislation, HIPAA/HITECH, Medical Privacy
On January 7, 2014, the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) for the purpose of modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities … Continue Reading

Court Overturns Presuit Patient Authorization Requirement Under Florida Medical Malpractice Statute

Posted in HIPAA/HITECH, Medical Privacy
On September 25, 2013, the Northern District Court of Florida, Tallahassee Division, ruled that Florida Statute § 766.1065 violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) by requiring a plaintiff in a medical malpractice action to deliver a presuit authorization which allows the defending medical professionals to conduct ex parte interviews of … Continue Reading

North Dakota Breach Notification Law – Personal Information Includes Health Information

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy, Privacy
North Dakota has amended its Notice of Security Breach for Personal Information statute, North Dakota Century Code Section 51-30 et seq., to expand the definition of “personal information” to include “medical information” and “health insurance information.”  Pursuant to the amended statute, “medical information” includes any information regarding an individual’s medical history, mental or physical condition, … Continue Reading

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2m

Posted in Enforcement, HIPAA/HITECH
The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013.  Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780.  The resolution agreement relates … Continue Reading

HHS OCR Sends Message to CEs and their BAs: Protect ePHI Accessible Over the Internet

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company.  The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online … Continue Reading

Vermont and North Dakota Amend Breach-Notice Laws

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Financial Privacy, HIPAA/HITECH, Medical Privacy
On May 13, 2013, Vermont Governor Peter Shumlin signed H.513 into law. The new law includes an amendment to Vermont’s Security Breach Notice Act, 9 V.S.A. § 2435. Previously, under § 2435, Vermont-regulated financial institutions were exempt from notifying any Vermont authority in case of a security breach involving personally identifiable data. The new law … Continue Reading

HIPAA, Business Associates, and the Cloud

Posted in Cloud Computing, HIPAA/HITECH, Medical Privacy
Under the Final Rule, as previously discussed, business associates must comply with the technical, administrative, and physical safeguard requirements under the Security Rule.  Liable for violations under the Security Rule, a business associate must comply with use or disclosure limitations in its contract, as well as limitations expressed in the Privacy Rule.  A business associate … Continue Reading

HHS Office of Civil Rights Hosts Webinar on Final Rule

Posted in HIPAA/HITECH, Information Security, Medical Privacy, Mobile Privacy, Online Privacy
Today, the Department of Health and Human Services, Office of Civil Rights (OCR), joined with the Workgroup for Electronic Data Interchange and hosted an online seminar discussing HITECH requirements in the new Final Rule. The presentations covered many points about the Final Rule previously outlined on this blog (see here, here, and here). Rachel Seeger, … Continue Reading

HHS OCR Director Leon Rodriguez’s Dialogue on HIPAA/HITECH Compliance

Posted in Enforcement, HIPAA/HITECH, Medical Privacy
“HIPAA is a valve, not a blockage,” stated HHS OCR Director Leon Rodriguez, at the OCR/NIST 6th Annual Conference on Safeguarding Health Information:  Building Assurance through HIPAA Security.  Discussing the tension inherent in HIPAA, between patient access to patient information and an organization’s safeguarding of protected health information (PHI), Director Rodriguez characterized OCR’s HIPAA guidance … Continue Reading

HHS Reaches $400,000 Settlement Of Alleged HIPAA Security Rule Violations For Disabling Firewall Protections

Posted in HIPAA/HITECH
The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of … Continue Reading

HHS Considers Amending HIPAA Privacy Rule to Permit Disclosure of Mental Health Information for Firearm Background Checks

Posted in HIPAA/HITECH
Adding yet another wrinkle to the nation’s contentious gun control debate, the U.S. Department of Health and Human Services (HHS) has released an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information and public comment on possible amendments to the HIPAA Privacy Rule to permit disclosure of limited mental health information to the National Instant Criminal … Continue Reading

Can Covered Entities Utilize Text Messaging and Text Paging Without Violating HIPAA?

Posted in HIPAA/HITECH
Co-authored by Cory Fox. Text messaging allows healthcare providers to deliver simple, relevant, and customizable health information instantaneously to their patients, like reminders to obtain a vaccine, take a medication or come to an important follow-up appointment. Text paging, a form of text messaging frequently used by healthcare professionals, can help ensure patient safety by … Continue Reading

HIPAA, Gun Control, and President Obama’s Executive Actions: What You Need to Know

Posted in HIPAA/HITECH
All of the excitement surrounding the publication of the HIPAA Omnibus Final Rule may have overshadowed another very important development in health information privacy.  On January 16, 2013, the Obama Administration released its comprehensive plan to reduce gun violence in America by banning military-style assault weapons and high capacity magazines, increasing access to mental health … Continue Reading

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy, Privacy
There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH).  In Part I, we discussed what HIPAA … Continue Reading

Be Careful What You Wish For: The Final Rule Is Out

Posted in HIPAA/HITECH
The long awaited HIPAA/HITECH final rule is out. Data Privacy Monitor contributors Theodore J. Kobus III and Lynn Sessions held a webinar that covered what stands out as big changes and how healthcare organizations need to prepare. Have the standards just been juggled or will healthcare organizations need to change their approach? View Webinar Recording.  Ted and Lynn have helped … Continue Reading

Be Prepared: Redline Version of the HIPAA/HITECH Final Rule

Posted in HIPAA/HITECH, Medical Privacy
The final rule is significant for any organization that is considered to be a HIPAA covered entity (“CE”) (health systems, health care providers, health plans, etc.) or the more broadly defined business associate (“BA”).  During our initial analysis of the final rule, we note significant changes to the way a breach is defined and we … Continue Reading