Kimberly M. Wong


Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form.  To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution … Continue Reading

HHS Attorney: Major HIPAA Fines and Enforcement Coming

As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR.  But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief … Continue Reading

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

On May 7, 2014, HHS OCR announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million, the highest settlement amount to date. These resolution agreements make it clear that organizations must be able to propose steps to analyze security risks for ePHI as specified by HIPAA … Continue Reading

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals. HITECH … Continue Reading

OCR Settles Potential HIPAA Violations with County Government for $215,000

Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient … Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading

HHS Closes Out 2013 with 6th Resolution Agreement

Throughout 2013, HHS OCR has stated that covered entities of all sizes need to give priority to securing ePHI. In addition, HHS OCR has recommended that covered entities identify and mitigate risks before an incident occurs. HHS OCR’s enforcement activity during 2013 has focused on covered entities large and small. To end 2013, HHS OCR … Continue Reading

OCR Releases Model Notices of Privacy Practices

Under the Privacy Rule, an individual has the right to adequate notice of how a covered entity may use and disclose PHI about the individual, as well as his/her rights and the covered entity’s obligations with respect to that information. Thus, a covered entity must develop and provide individuals with a Notice of Privacy … Continue Reading

North Dakota Breach Notification Law – Personal Information Includes Health Information

North Dakota has amended its Notice of Security Breach for Personal Information statute, North Dakota Century Code Section 51-30 et seq., to expand the definition of “personal information” to include “medical information” and “health insurance information.” Pursuant to the amended statute, “medical information” includes any information regarding an individual’s medical history, mental or physical condition, … Continue Reading

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2m

The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013.  Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780.  The resolution agreement relates … Continue Reading

HHS OCR Sends Message to CEs and their BAs: Protect ePHI Accessible Over the Internet

In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company.  The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online … Continue Reading

HIPAA, Business Associates, and the Cloud

Under the Final Rule, as previously discussed, business associates must comply with the technical, administrative, and physical safeguard requirements under the Security Rule.  Liable for violations under the Security Rule, a business associate must comply with use or disclosure limitations in its contract, as well as limitations expressed in the Privacy Rule.  A business associate … Continue Reading

Hospital Disclosure of PHI to Media and Workforce Results in $275,000 Fine

This post is co-authored by Kimberly M. Wong and Cory J. Fox. HHS OCR announced today its second resolution agreement of 2013.  Shasta Regional Medical Center (SRMC) has agreed to pay $275,000 and enter into a comprehensive corrective action plan (CAP) to settle an investigation opened by HHS following a Los Angeles Times column identifying … Continue Reading

HHS OCR Director Leon Rodriguez’s Dialogue on HIPAA/HITECH Compliance

“HIPAA is a valve, not a blockage,” stated HHS OCR Director Leon Rodriguez, at the OCR/NIST 6th Annual Conference on Safeguarding Health Information:  Building Assurance through HIPAA Security.  Discussing the tension inherent in HIPAA, between patient access to patient information and an organization’s safeguarding of protected health information (PHI), Director Rodriguez characterized OCR’s HIPAA guidance … Continue Reading

Massachusetts Provider Settles with HHS for $1.5M for ePHI breach incident

To date, the Department of Health and Human Services (“HHS”) has entered into ten resolution agreements and one civil monetary penalty related to its enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”).  Four resolution agreements have been triggered by a covered entity’s report of a security breach to HHS in compliance with the HITECH … Continue Reading

Alaska DHSS Settles with HHS for $1.7 Million

Recently, the Alaska Department of Health and Social Services (“DHSS”) reached a $1,700,000 settlement with the U.S. Department of Health and Human Services (“HHS”) pertaining to the HHS Office for Civil Rights (“OCR”) investigation into possible violations of the HIPAA Security Rule.  To date, this is the third settlement triggered by a covered entity’s report … Continue Reading

Connecticut to Require Notice to Attorney General Following a Breach

Connecticut has been in the forefront in protecting the personal information of its residents.  In July 2010, in the first action by a state attorney general for violations of HIPAA since HITECH authorized state attorneys general to enforce HIPAA, a settlement was reached between HealthNet and the state of Connecticut – stemming from a May … Continue Reading

Significant Changes to Vermont’s Data Protection and Notification Law

On May 8, 2012, the Vermont General Assembly approved changes to the state’s consumer protection law (Act 109, in effect on passage 5/8/12). The changes include substantial revisions to Vermont’s data protection and notification law. A summary of the changes is provided below. The term “personally identifiable information” (“PII”) has been adopted. “Security breach” is … Continue Reading

US Supreme Court Finds that Mental and Emotional Distress are not “Actual Damages” under the Privacy Act

In privacy litigation, the majority of the federal courts have required demonstration of a certain tangible, provable harm before granting damage awards to plaintiffs claiming a violation of their privacy.  The Supreme Court’s recent decision in Federal Aviation Administration et al. v. Stanmore Cawthon Cooper, case number 10-1024, is no different.  In the Court’s March 28, … Continue Reading

Third Circuit Sustains “Data Collection Provision” of NJ’s Unclaimed Property Law

The Third Circuit recently affirmed a district court’s decision refusing to enjoin an amendment to the New Jersey Unclaimed Property Act (the “Act”) which requires issuers of stored value cards (“SVCs”) to obtain the name and address of purchasers of SVCs and to maintain a record of the zip code of each purchase. New Jersey Retail … Continue Reading