Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: HIPAA/HITECH


Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

Posted in Enforcement, HIPAA/HITECH, Medical Privacy, Privacy
While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form.  To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution …

HHS Attorney: Major HIPAA Fines and Enforcement Coming

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Information Security, Medical Privacy, Privacy
As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR.  But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief …

FTC Workshop Addresses New Data Privacy Issues Concerning Consumer Generated Health Data

Posted in HIPAA/HITECH, Privacy
On May 7, 2014, the FTC hosted the latest seminar in its Spring Privacy Series to address the status of consumer-generated and consumer-controlled health data and to report the results of recent FTC studies on the topic.  Consumers are embracing new technologies, particularly in the fitness domain, and are generating vast amounts of “health data” both …

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy, Privacy
On May 7, 2014, HHS OCR announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million—the highest settlement amount to date.  These resolution agreements make it clear that organizations must be able to show the steps they have taken to analyze security risks to ePHI as specified by HIPAA …

ONC’s Security Risk Assessment Tool Is Useful but Could Be Improved

Posted in HIPAA/HITECH, Privacy
The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28.  According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare practices “evaluate risks, vulnerabilities, and adherence to the HIPAA Security Rule.”  User …

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

Posted in Enforcement, HIPAA/HITECH, Medical Privacy
To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals.  HITECH …

Governing Big Data

Posted in Cybersecurity, HIPAA/HITECH, Information Governance, Information Security, Privacy, Uncategorized
Sources and volumes of data are growing exponentially.  Website clicks, social media, sensors, and card swipers are generating massive amounts of data every second.  More and more enterprises are beginning to collect and utilize this Big Data for all kinds of purposes, including improved business intelligence, targeted marketing and fraud detection.  With so much attention …

OCR Settles Potential HIPAA Violations with County Government for $215,000

Posted in Breach Notification, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient …

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Posted in Data Breaches, HIPAA/HITECH, International Privacy Law
Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to …

Some Things Better Left Unshared: Social Media and Medical Identity Theft

Posted in Data Breaches, HIPAA/HITECH, Identity Theft, Medical Privacy, Social Media
The Washington Post recently published an article reminding individuals not to tweet or otherwise share information concerning their medical conditions on social media, warning that disclosing such information publicly “is akin to posting your address along with the dates you’ll be away on vacation.”  Quoting Jennifer Trussell, who investigates medical identity theft on behalf of …

NICS and HIPAA: Where Mental Health Privacy and Gun Control Overlap; HHS Releases Notice of Proposed Rulemaking

Posted in Federal Legislation, HIPAA/HITECH, Medical Privacy
On January 7, 2014, the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) for the purpose of modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities …

Court Overturns Presuit Patient Authorization Requirement Under Florida Medical Malpractice Statute

Posted in HIPAA/HITECH, Medical Privacy
On September 25, 2013, the U.S. District Court for the Northern District of Florida, Tallahassee Division, ruled that Florida Statute § 766.1065 violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) by requiring a plaintiff in a medical malpractice action to deliver a presuit authorization which allows the defending medical professionals to conduct ex parte interviews of …

North Dakota Breach Notification Law – Personal Information Includes Health Information

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy, Privacy
North Dakota has amended its Notice of Security Breach for Personal Information statute, North Dakota Century Code Section 51-30 et seq., to expand the definition of “personal information” to include “medical information” and “health insurance information.”  Pursuant to the amended statute, “medical information” includes any information regarding an individual’s medical history, mental or physical condition, …

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2m

Posted in Enforcement, HIPAA/HITECH
The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013.  Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780.  The resolution agreement relates …

HHS OCR Sends Message to CEs and their BAs: Protect ePHI Accessible Over the Internet

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company.  The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online …

Vermont and North Dakota Amend Breach-Notice Laws

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Financial Privacy, HIPAA/HITECH, Medical Privacy
On May 13, 2013, Vermont Governor Peter Shumlin signed H.513 into law. The new law includes an amendment to Vermont’s Security Breach Notice Act, 9 V.S.A. § 2435. Previously, under § 2435, Vermont-regulated financial institutions were exempt from notifying any Vermont authority in case of a security breach involving personally identifiable data. The new law …

HIPAA, Business Associates, and the Cloud

Posted in Cloud Computing, HIPAA/HITECH, Medical Privacy
Under the Final Rule, as previously discussed, business associates must comply with the technical, administrative, and physical safeguard requirements under the Security Rule.  Liable for violations under the Security Rule, a business associate must comply with use or disclosure limitations in its contract, as well as limitations expressed in the Privacy Rule.  A business associate …

HHS Office of Civil Rights Hosts Webinar on Final Rule

Posted in HIPAA/HITECH, Information Security, Medical Privacy, Mobile Privacy, Online Privacy
Today, the Department of Health and Human Services, Office of Civil Rights (OCR), joined with the Workgroup for Electronic Data Interchange and hosted an online seminar discussing HITECH requirements in the new Final Rule. The presentations covered many points about the Final Rule previously outlined on this blog (see here, here, and here). Rachel Seeger, …

HHS OCR Director Leon Rodriguez’s Dialogue on HIPAA/HITECH Compliance

Posted in Enforcement, HIPAA/HITECH, Medical Privacy
“HIPAA is a valve, not a blockage,” stated HHS OCR Director Leon Rodriguez, at the OCR/NIST 6th Annual Conference on Safeguarding Health Information:  Building Assurance through HIPAA Security.  Discussing the tension inherent in HIPAA, between patient access to patient information and an organization’s safeguarding of protected health information (PHI), Director Rodriguez characterized OCR’s HIPAA guidance …

HHS Reaches $400,000 Settlement Of Alleged HIPAA Security Rule Violations For Disabling Firewall Protections

Posted in HIPAA/HITECH
The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of …

HHS Considers Amending HIPAA Privacy Rule to Permit Disclosure of Mental Health Information for Firearm Background Checks

Posted in HIPAA/HITECH
Adding yet another wrinkle to the nation’s contentious gun control debate, the U.S. Department of Health and Human Services (HHS) has released an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information and public comment on possible amendments to the HIPAA Privacy Rule to permit disclosure of limited mental health information to the National Instant Criminal …

Can Covered Entities Utilize Text Messaging and Text Paging Without Violating HIPAA?

Posted in HIPAA/HITECH
Co-authored by: Cory Fox

Text messaging allows healthcare providers to deliver simple, relevant, and customizable health information instantaneously to their patients, like reminders to obtain a vaccine, take a medication or come to an important follow-up appointment. Text paging, a form of text messaging frequently used by healthcare professionals, can help ensure patient safety by …