Tag Archives: PHI

Recent OCR Newsletter Highlights Growing Cyber Extortion Threat for Healthcare Organizations

The OCR’s January 2018 newsletter details specific types of cyber extortion that healthcare organizations are currently encountering, including ransomware, denial of service attacks, distributed denial of service attacks and theft of protected health information (PHI). Each type of attack poses unique challenges that may affect an organization in different ways. However, all cyber extortion disrupts … Continue Reading

Cloud Service Providers Beware, You May Be Subject to HIPAA Without Knowing It

The use of cloud service providers has exploded in the past several years. According to estimates from Gartner, the market for cloud services is expected to reach $204 billion in 2016. But the use of cloud service providers raises significant privacy and security concerns, especially for health care providers who are subject to the Health … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that … Continue Reading

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides … Continue Reading

Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement

On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their … Continue Reading

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices

The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on … Continue Reading

Legal Issues to Consider Before Starting Big Data Projects

We read every day about the myriad of purposes for which enterprises are embarking on Big Data projects. Securing C-suite buy in and funding may be a significant endeavor, as is implementing an analytic approach to yield results that will achieve the project’s overall goals. In the face of those challenges, the legal and regulatory … Continue Reading

Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form.  To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution … Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading

Can Covered Entities Utilize Text Messaging and Text Paging Without Violating HIPAA?

Co-authored by: Cory Fox Text messaging allows healthcare providers to deliver simple, relevant, and customizable health information instantaneously to their patients, like reminders to obtain a vaccine, take a medication or come to an important follow-up appointment. Text paging, a form of text messaging frequently used by healthcare professionals, can help ensure patient safety by … Continue Reading

HIPAA Audits ARRA Coming! Is your PHI Secure?

In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of … Continue Reading

HIPAA Bombshells — Major Civil Monetary Penalties Imposed Against Covered Entities for Privacy Violations

The last week of February 2011 will likely be remembered as a noteworthy milestone in the history of HIPAA privacy enforcement by the Department of Health and Human Services (“HHS”).  Showing that HHS intends to vigorously exercise the expanded civil monetary penalty enforcement provisions enacted in 2009 under the Health Information Technology for Economic and … Continue Reading

HHS Withdraws Draft Of Final HIPAA Breach Nofitifcation Rule

On July 28, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that it withdrew the draft of the final rule for HIPAA breach notification that it had submitted in May to the Office of Management and Budget (OMB) for review. The possible reasons for such withdrawal will be discussed below, but covered entities should note that the obligation to report breaches of unsecured protected health information (PHI), which took effect on September 23, 2009, following the publication of an Interim Final Rule promulgated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), remains in effect. All covered entities, and their business associates, should have in place and/or adhere to an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of privacy or security of PHI.… Continue Reading