Tag Archives: ePHI

Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?

Photo of Sara GoldsteinPhoto of Jessica Captain NovickPhoto of Lynn SessionsBy Sara Goldstein, Jessica Captain Novick and Lynn Sessions on Posted in HHS, HIPAA/HITECH
The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 … Continue Reading

The Use of Smart Speakers in Healthcare

By Paulette Thomas on Posted in HIPAA/HITECH
Smart speakers are voice-activated, internet-connected devices with an integrated virtual assistant that can answer questions, follow instructions and control other smart devices. Nearly one in five U.S. adults has access to a smart speaker, and it has been estimated that in 2018, the number of smart speakers installed reached 100 million worldwide. Using voice recognition, … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Phishing Prevention

Photo of Aleksandra VoldPhoto of BakerHostetlerBy Aleksandra Vold and BakerHostetler on Posted in Cybersecurity, HHS, HIPAA/HITECH
This article is part of a series of blog posts exploring the recommendations and guidance Health and Human Services (HHS) provides healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. In its report on cybersecurity best practices, HHS highlights email phishing attacks as one of the top threats … Continue Reading

Provisioning Workforce Access to Electronic Protected Health Information: It May Be ‘Common Sense,’ but Is It Easy to Implement?

By Paulette Thomas on Posted in HIPAA/HITECH
In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote … Continue Reading

A Closer Look at the OCR’s Guidance on Ransomware

Photo of M. Scott KollerBy M. Scott Koller on Posted in HIPAA/HITECH, Medical Privacy
In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware. Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files … Continue Reading

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices

Photo of Theodore J. Kobus IIIBy Theodore J. Kobus III on Posted in HIPAA/HITECH, Medical Privacy
The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on … Continue Reading

Malware Incident at Mental Health Nonprofit Leads to $150K Settlement with OCR

By Cory J. Fox on Posted in HIPAA/HITECH, Medical Privacy
As cyberattacks targeting the healthcare industry continue to escalate, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published its first-ever resolution agreement stemming from an incident involving malware, highlighting the importance of reviewing systems for unpatched and unsupported software that can leave patient information susceptible to malware and other … Continue Reading

Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

By Kimberly M. Wong on Posted in Enforcement, HIPAA/HITECH, Medical Privacy
While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form.  To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution … Continue Reading

ONC’s Security Risk Assessment Tool Is Useful but Could Be Improved

By Randal L. Gainer on Posted in HIPAA/HITECH
The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28.  According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare practices “evaluate risks, vulnerabilities, and adherence to the HIPAA Security Rule.”  User … Continue Reading

HHS Inspector General Reports Highlight IT Security Gaps in Health Care

Photo of John MulhollanBy John Mulhollan on Posted in HIPAA/HITECH, Medical Privacy
On May 16, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports critical of the government’s efforts to build and enforce a federal information security framework for protecting individuals’ electronic protected health information (ePHI).  Of particular interest to health care providers and health plans, these reports … Continue Reading
LexBlog