Tag Archives: HIPAA

OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

The Office for Civil Rights (OCR) updated its agenda, outlining proposed and final rules as well as pre-rule document releases for 2018. A notable, and highly anticipated, advance notice of proposed rulemaking included on the agenda indicates OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability … Continue Reading

Connecting the Dots Between Security Practices and Legal Obligations: California’s Connected Devices Bill

Turning on the lights, hearing the weather forecast, learning fun facts, and playing your favorite song in the kitchen are simple when one can give short voice commands to a personal assistant device that is connected to the internet and to other devices in your home. Connected devices are increasingly being used in the home, … Continue Reading

SAMHSA Updates Privacy Regulations to Reflect Advancements in Healthcare

On Jan. 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued its final rule regarding the Confidentiality of Substance Use Disorder Patient Records Part 2. These changes become effective Feb. 2, 2018. As background, the Confidentiality of Substance Use Discover Patient Records Part 2 protects patient records maintained in connection with any … Continue Reading

New Mexico passes data breach notification and protection bill

Then there were two. On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will join 47 other states requiring such notification, and the only states … Continue Reading

Looking back at the HIPAA resolution agreements in 2016

In 2016, Health and Human Services’ (HHS) Office for Civil Rights (OCR), the enforcement arm for HIPAA, continued robust enforcement efforts. There were 12 reported resolution agreements (RA) in 2016. An RA is a settlement agreement between HHS and a covered entity (or business associate) where the entity agrees to the payment of a resolution … Continue Reading

OCR Issues Alert Regarding Phishing Email Disguised as Official OCR Audit Communication

11/30/2016 Update: Today OCR issued another alert relating to the phishing email campaign and has shared that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov. Covered entities and business associates … Continue Reading

Cloud Service Providers Beware, You May Be Subject to HIPAA Without Knowing It

The use of cloud service providers has exploded in the past several years. According to estimates from Gartner, the market for cloud services is expected to reach $204 billion in 2016. But the use of cloud service providers raises significant privacy and security concerns, especially for health care providers who are subject to the Health … Continue Reading

A Closer Look at the OCR’s Guidance on Ransomware

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware. Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that … Continue Reading

Deeper Dive: Integrating Physician Practices into a Health System’s HIPAA Privacy and Security Program

The healthcare industry shift to a value-based business model is resulting in greater alignment between hospitals and physicians to provide quality, outcomes driven care in order to receive payment for health care services. Prior to implementation of the Affordable Care Act, physicians more often were independent practitioners who held medical staff privileges to care for … Continue Reading

Deeper Dive: The Changing Landscape of Healthcare Data Breaches

For the second year in a row, the BakerHostetler Data Security Incident Response Report demonstrates that healthcare breaches continue to be the highest percentage of incidents that we handled in 2015. This year’s Report provides insights generated from the review of more than 300 incidents that our attorneys advised on in 2015. The report confirms … Continue Reading

Protecting Patient Data From Hacker Ransom Demands

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical … Continue Reading

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides … Continue Reading

LabMD and Wyndham Decisions Curtail FTC’s Data Privacy and Security Reach

Both the administrative law judge’s decision in LabMD and the Third Circuit’s recent decision in Wyndham, which we previously blogged about, put the FTC on notice that it cannot assume that in the wake of a security breach, allegedly inadequate data security will necessarily constitute an unfair practice under Section 5 of the FTC Act. Further, … Continue Reading

Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement

On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their … Continue Reading

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices

The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on … Continue Reading

Clinically Integrated Networks: Privacy and Security Concerns with Sharing Data

The Centers for Medicare & Medicaid Services (CMS) is changing reimbursement methodologies for healthcare providers from a fee-for-service model to a value-based model. Healthcare providers are responding to the changing environment with the development of clinically integrated networks (CINs) and accountable care organizations (ACOs). The primary purposes of CIN/ACOs are to collaborate with other healthcare … Continue Reading

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation … Continue Reading

Deeper Dive: Healthcare Incidents Involving More Than 500 Individuals Are Investigated 100 Percent of the Time

We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. The report confirms the prevalence of healthcare data breaches stemming from the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act … Continue Reading

Legal Issues to Consider Before Starting Big Data Projects

We read every day about the myriad of purposes for which enterprises are embarking on Big Data projects. Securing C-suite buy in and funding may be a significant endeavor, as is implementing an analytic approach to yield results that will achieve the project’s overall goals. In the face of those challenges, the legal and regulatory … Continue Reading

Recorded Webinar: The Anthem Data Breach: What Employers Need to Know

Lawyers from BakerHostetler’s Privacy and Data Protection team, recognized as “Privacy Practice Group of the Year” for both 2014 and 2013 by Law360, hosted an informative webinar providing an in-depth discussion of the issues raised in our recent blog post on “FAQs by Employers Regarding the Anthem Data Breach,” included: Legal Obligations Under HIPAA The Duty to Notify … Continue Reading
LexBlog