Tag Archives: HITECH

Effective Oct. 1, 2021: Connecticut Expands Data Breach Notification Statute

On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses …

Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?

The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 …

‘Apparent Inconsistency’ in HITECH Language Leads HHS OCR to Significantly Decrease Yearly Fines

On April 26, 2019, the U.S. Department of Health & Human Services (HHS) issued an announcement that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language found in the Health Information Technology for Economic and Clinical …

Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards

Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this …

OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

The Office for Civil Rights (OCR) updated its agenda, outlining proposed and final rules as well as pre-rule document releases for 2018. A notable, and highly anticipated, advance notice of proposed rulemaking included on the agenda indicates OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability …

Illinois Enacts Sweeping Changes to the Illinois Personal Information Protection Act

On May 6, 2016, Illinois joined a growing number of states that have strengthened their data breach notification requirements and expanded the definition of protected personal information. Effective January 1, 2017, HB1260 amends the Illinois Personal Information Protection Act (PIPA) to broaden the definition of protected personal information, which will now include an individual’s first …

Deeper Dive: The Changing Landscape of Healthcare Data Breaches

For the second year in a row, the BakerHostetler Data Security Incident Response Report demonstrates that healthcare breaches continue to be the highest percentage of incidents that we handled in 2015. This year’s Report provides insights generated from the review of more than 300 incidents that our attorneys advised on in 2015. The report confirms …

Deeper Dive: Healthcare Incidents Involving More Than 500 Individuals Are Investigated 100 Percent of the Time

We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. The report confirms the prevalence of healthcare data breaches stemming from the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act …

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals. HITECH …

OCR Settles Potential HIPAA Violations with County Government for $215,000

Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient …

HHS Closes Out 2013 with 6th Resolution Agreement

Throughout 2013, HHS OCR has stated that covered entities of all sizes need to give priority to securing ePHI. In addition, HHS OCR has recommended that covered entities identify and mitigate risks before an incident occurs. HHS OCR’s enforcement activity during 2013 has focused on covered entities large and small. To end 2013, HHS OCR …

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2m

The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013. Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. The resolution agreement relates …

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH). In Part I, we discussed what HIPAA …

Be Careful What You Wish For: The Final Rule Is Out

The long awaited HIPAA/HITECH final rule is out. Data Privacy Monitor contributors Theodore J. Kobus III and Lynn Sessions held a webinar that covered what stands out as big changes and how healthcare organizations need to prepare. Have the standards just been juggled or will healthcare organizations need to change their approach? Ted and Lynn have helped …

Be Prepared: Redline Version of the HIPAA/HITECH Final Rule

The final rule is significant for any organization that is considered to be a HIPAA covered entity (“CE”) (health systems, health care providers, health plans, etc.) or the more broadly defined business associate (“BA”). During our initial analysis of the final rule, we note significant changes to the way a breach is defined and we …

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Our initial discussion can …

The HIPAA/HITECH Final Rule Has Been Released

The long awaited HIPAA/HITECH Final Rule is out. The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far: …

OCR’s Breach Settlement the First Ever Involving Less than 500 Patients

OCR started 2013 with a bang by announcing that it had reached “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals” with the Hospice of North Idaho (“HONI”). Under the resolution agreement, HONI has agreed to pay $50,000 and enter a two-year Corrective Action Plan to …

Reminder: Annual OCR Breach Reporting Is Due March 1, 2013

The breach notification interim final rule requires covered entities to submit to the Office for Civil Rights (OCR) notice of breaches of unsecured protected health information (PHI) (45 C.F.R. 164.408) by March 1, 2013. For breaches affecting fewer than 500 individuals, a covered entity must submit to OCR its annual notification of all breaches occurring …

Healthcare Organizations are Suffering from Serious Data Security Ills

The diagnosis is in, and it’s not good. Unless an aggressive treatment plan is put in place, the prognosis will be just as bleak. On December 6, 2012, the Ponemon Institute issued its Third Annual Benchmark Study on Patient Privacy & Data Security. The key findings were that a shocking 94 percent of healthcare organizations in the …

CMS’s Privacy Problem: Data Breaches, Medicare Numbers, and Inaction

Co-authored by Cory Fox. The Department of Health and Human Services Office of Inspector General (“OIG”) recently published a report, CMS Response to Breaches and Medical Identity Theft (“Report”), which referenced 14 breaches of medical information by the Centers for Medicare and Medicaid Services (CMS), including Medicare numbers, affecting nearly 14,000 beneficiaries in the past …

Alaska DHSS Settles with HHS for $1.7 Million

Recently, the Alaska Department of Health and Social Services (“DHSS”) reached a $1,700,000 settlement with the U.S. Department of Health and Human Services (“HHS”) pertaining to the HHS Office for Civil Rights (“OCR”) investigation into possible violations of the HIPAA Security Rule. To date, this is the third settlement triggered by a covered entity’s report …