Tag Archives: HIPAA

DSIR Deeper Dive: Regulatory Investigation Landscape

Lynn SessionsPatrick H. HaggertyKimberly GordyBy Lynn Sessions, Patrick H. Haggerty and Kimberly Gordy on Posted in Data Security Incident Response
HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued a data request. While OCR investigations can be burdensome, few of them result in penalties. State attorneys general have … Continue Reading

CARES Act Significantly Revises Part 2 Rules to Better Align with HIPAA

Kyle GregoryVimala DevassyBy Kyle Gregory and Vimala Devassy on Posted in Healthcare, HIPAA/HITECH
On March 27, 2020, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) into law. While the focus of the CARES Act has been on direct financial aid to Americans, the Act also contains a number of material revisions to the Federal privacy provisions that govern the confidentiality of substance-use … Continue Reading

HHS Issues Two Important Bulletins Waiving HIPAA Sanctions During the COVID-19 National Emergency

Vimala DevassyBy Vimala Devassy on Posted in HHS
The HHS Office for Civil Rights (OCR) issued two important bulletins this week regarding the novel coronavirus disease (COVID-19) outbreak. On Mar. 16, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule, including the requirement to obtain a patient’s agreement to speak with family … Continue Reading

Federal Court Invalidates 2013 HIPAA Omnibus Rule Regulations and HHS Guidance on Fees for Copies of Medical Records

Sara GoldsteinAleksandra VoldAlexandra RoyalBy Sara Goldstein, Aleksandra Vold and Alexandra Royal on Posted in HHS, HIPAA/HITECH
In what is being seen as a strong rebuke to years of regulatory overreach, the United States District Court for the District of Columbia entered an order on January 23, 2020 that invalidates provisions of the 2013 Omnibus Rule to the Health Insurance Portability and Accountability Act (“HIPAA”) and 2016 guidance issued by United States … Continue Reading

Departments of Education and HHS Release Joint Guidance on the Relationship Between FERPA and HIPAA

Kathryn CareyBenjamin WellsBy Kathryn Carey and Benjamin Wells on Posted in HIPAA/HITECH
At the end of 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and U.S. Department of Education Student Privacy Policy Office (ED) issued an update to their joint guidance on the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability … Continue Reading

‘Apparent Inconsistency’ in HITECH Language Leads HHS OCR to Significantly Decrease Yearly Fines

Aleksandra VoldBy Aleksandra Vold on Posted in HIPAA/HITECH, Medical Privacy
On April 26, 2019, the U.S. Department of Health & Human Services (HHS) issued an announcement that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language found in the Health Information Technology for Economic and Clinical … Continue Reading

Deter Workforce Snooping in Electronic Medical Records Through Education and Training

By Paulette Thomas on Posted in HIPAA/HITECH
On March 6, 2019, the U.S. Department of Justice (DOJ) announced that Linda Sue Kalina pled guilty to wrongfully disclosing the protected health information (PHI) of another individual in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Kalina was a patient information coordinator with the University of Pittsburgh Medical Center (UPMC) … Continue Reading

Trojan Malware Reclaims the Top Spot as the Greatest Cyber Threat to the Healthcare Sector

Alexandra RoyalBy Alexandra Royal on Posted in Cybersecurity, HIPAA/HITECH
Cybersecurity threats continued to plague the healthcare sector in 2018. Healthcare organizations notified twice as many individuals under HIPAA and other notification statutes in 2018 as compared with 2017. According to a new report from Malwarebytes Labs, 2019 State of Malware Report, trojan malware was the greatest threat to the healthcare sector in 2018.[1] Specifically, … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Insider-Caused Data Loss

Aleksandra VoldKathryn CareyBy Aleksandra Vold and Kathryn Carey on Posted in HHS, HIPAA/HITECH, Medical Privacy
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. While any security incident may cause an entity heartburn, when the incident is traced back to an … Continue Reading

Clearly Defined HIPAA and FERPA Policies May Help Covered Entities in Defending a Claim for Unemployment Compensation

By Paulette Thomas on Posted in HIPAA/HITECH, Privacy Litigation
Recently, in Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), the Commonwealth Court of Pennsylvania reversed the order of the Unemployment Compensation Board of Review (Board) which  had affirmed the Unemployment Compensation Referee’s decision that Jami M. Dantry (Dantry) was ineligible for unemployment compensation benefits because Dantry’ s conduct … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Loss or Theft of Devices

Aleksandra VoldKathryn CareyBy Aleksandra Vold and Kathryn Carey on Posted in HHS, HIPAA/HITECH
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. The report on cybersecurity best practices (Report) weighs in on one of the issues many entities find … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Ransomware Prevention

Aleksandra VoldKathryn CareyBy Aleksandra Vold and Kathryn Carey on Posted in HHS, HIPAA/HITECH, Phishing, Ransomware
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its “Cybersecurity Best Practices” report. For previous articles in the series, click here. The report on cybersecurity best practices (Report) is not the first time HHS has discussed the prevalent … Continue Reading

The Use of Smart Speakers in Healthcare

By Paulette Thomas on Posted in HIPAA/HITECH
Smart speakers are voice-activated, internet-connected devices with an integrated virtual assistant that can answer questions, follow instructions and control other smart devices. Nearly one in five U.S. adults has access to a smart speaker, and it has been estimated that in 2018, the number of smart speakers installed reached 100 million worldwide. Using voice recognition, … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Phishing Prevention

Kathryn CareyAleksandra VoldBy Kathryn Carey and Aleksandra Vold on Posted in Cybersecurity, HHS, HIPAA/HITECH
This article is part of a series of blog posts exploring the recommendations and guidance Health and Human Services (HHS) provides healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. In its report on cybersecurity best practices, HHS highlights email phishing attacks as one of the top threats … Continue Reading

Provisioning Workforce Access to Electronic Protected Health Information: It May Be ‘Common Sense,’ but Is It Easy to Implement?

By Paulette Thomas on Posted in HIPAA/HITECH
In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote … Continue Reading

New FTC Provides Insights Into Its Plan for a Balanced Approach to Data Privacy and Security

Alan L. FrielCarolina AlonsoBy Alan L. Friel, John Busch and Carolina Alonso on Posted in Federal Legislation, GDPR, Online Privacy
This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or … Continue Reading

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

By Paulette Thomas on Posted in Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy
On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading

The Weekly Privacy Rewind

By Aaron Lancaster on Posted in CCPA, Weekly Privacy Rewind
California Consumer Protection Act Privacy Groups Urge California Lawmakers Not to Weaken California Consumer Privacy Act • A variety of privacy groups, including the Electronic Frontier Foundation, the Digital Privacy Alliance and the Center for Digital Democracy, sent a letter to California lawmakers asking them not to “push[] California backward” when it comes to privacy … Continue Reading

Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards

Craig A. HoffmanBy Brian P. Bartish and Craig A. Hoffman on Posted in Data Breaches, State Legislation
Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this … Continue Reading

OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

Lynn SessionsKathryn CareyBy Lynn Sessions and Kathryn Carey on Posted in HIPAA/HITECH
The Office for Civil Rights (OCR) updated its agenda, outlining proposed and final rules as well as pre-rule document releases for 2018. A notable, and highly anticipated, advance notice of proposed rulemaking included on the agenda indicates OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability … Continue Reading

Connecting the Dots Between Security Practices and Legal Obligations: California’s Connected Devices Bill

Carolina AlonsoAlan L. FrielBy Carolina Alonso and Alan L. Friel on Posted in Internet of Things
Turning on the lights, hearing the weather forecast, learning fun facts, and playing your favorite song in the kitchen are simple when one can give short voice commands to a personal assistant device that is connected to the internet and to other devices in your home. Connected devices are increasingly being used in the home, … Continue Reading

SAMHSA Updates Privacy Regulations to Reflect Advancements in Healthcare

Lynn SessionsKathryn CareyBy Lynn Sessions and Kathryn Carey on Posted in HIPAA/HITECH, Privacy Litigation
On Jan. 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued its final rule regarding the Confidentiality of Substance Use Disorder Patient Records Part 2. These changes become effective Feb. 2, 2018. As background, the Confidentiality of Substance Use Discover Patient Records Part 2 protects patient records maintained in connection with any … Continue Reading

New Mexico passes data breach notification and protection bill

By Erich Falke on Posted in Breach Notification, Data Breach Notification Laws
Then there were two. On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will join 47 other states requiring such notification, and the only states … Continue Reading

Looking back at the HIPAA resolution agreements in 2016

Eric A. PackelBy Eric A. Packel on Posted in HIPAA/HITECH
In 2016, Health and Human Services’ (HHS) Office for Civil Rights (OCR), the enforcement arm for HIPAA, continued robust enforcement efforts. There were 12 reported resolution agreements (RA) in 2016. An RA is a settlement agreement between HHS and a covered entity (or business associate) where the entity agrees to the payment of a resolution … Continue Reading
LexBlog