Tag Archives: OCR

HHS Announces New Divisions to Address Weighty Case Load

By Aleksandra Vold on March 3, 2023 Posted in HHS

Medical symbol image on high tech blue background

On February 27, 2023, the U.S. Department of Health and Human Services (HHS) announced that its law enforcement agency – the Office for Civil Rights (OCR) – will reorganize, adding new divisions to better address the rapid increase in cases it is charged with handling. Tellingly, the title of HHS’s announcement focuses on the need to … Continue Reading

OCR Guidance on Use of Tracking Technologies Warrants Review of Website Tech

By Aleksandra Vold, Lynn Sessions and Stefanie Ferrari on December 13, 2022 Posted in Information Governance, Information Security

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued guidance regarding covered entities’ and business associates’ use of tracking technologies (the Guidance). As discussed in greater detail below, the Guidance reveals OCR’s position that an IP address is not just an identifier but is itself individually identifiable health information (IIHI) … Continue Reading

OCR releases YouTube Video Addressing “Recognized Security Practices” in HIPAA Enforcement Context

By Kimberly Gordy, Adam Cohen and Craig Robinson on November 14, 2022 Posted in HIPAA/HITECH, Marketing

As a Halloween treat for HIPAA-covered entities and business associates, on October 31, the Department of Health and Human Services Office for Civil Rights (OCR) released a new video on its YouTube channel, in which senior OCR cybersecurity advisor Nick Heesters addresses recognized security practices, or RSPs. In this video, Heesters answers a handful of questions … Continue Reading

2022 DSIR Report Deeper Dive: OCR’s Right of Access Initiative

By Courtney Litchfield on October 7, 2022 Posted in Data Breaches

In 2019, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) announced its Right of Access Initiative, promising to prioritize patients’ rights to receive timely copies of their medical records without being overcharged. In the three years since, which saw the transition to a new administration in Washington, OCR has publicized … Continue Reading

What’s Old Is New Again: OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

By Aleksandra Vold on September 13, 2022 Posted in Healthcare

After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case unusual for its quick resolution, but that is … Continue Reading

HHS OCR Guidance to 60,000 Retail Pharmacies: Refusal to Fill Rx Based on Potential Pregnancy Termination Concerns Is a Civil Rights Violation, Will Be Investigated

By Kimberly Gordy and Aleksandra Vold on July 18, 2022 Posted in HHS

On July 13, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued guidance to retail pharmacies that refusing to dispense a prescribed medication or making a determination on the suitability of that medication on the basis of the patient’s sex, pregnancy, or pregnancy-related conditions is discriminatory conduct in violation of … Continue Reading

OCR Provides Guidance on the Privacy of Data Stored on Health Apps and Mobile Devices

By Robyn M. Feldstein and Courtney Litchfield on July 15, 2022 Posted in HIPAA/HITECH, Privacy

In the wake of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, many individuals and organizations have expressed uncertainty about the protection afforded to data stored on health apps, including cycle trackers.[1] As a result, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued guidance … Continue Reading

OCR Announces Four Enforcement Actions

By Aleksandra Vold and Courtney Litchfield on April 20, 2022 Posted in Healthcare

On March 28, 2022, Health and Human Services, Office for Civil Rights (OCR) announced the resolution of four enforcement actions, three resolved in 2021 and one resolved in 2022. There are some interesting aspects of this group of covered entities. Three of the actions pertained to dental practices. One of those dental practices took the … Continue Reading

HHS Issues Two Important Bulletins Waiving HIPAA Sanctions During the COVID-19 National Emergency

By Vimala Devassy on March 18, 2020 Posted in HHS

The HHS Office for Civil Rights (OCR) issued two important bulletins this week regarding the novel coronavirus disease (COVID-19) outbreak. On Mar. 16, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule, including the requirement to obtain a patient’s agreement to speak with family … Continue Reading

‘Apparent Inconsistency’ in HITECH Language Leads HHS OCR to Significantly Decrease Yearly Fines

By Aleksandra Vold on May 2, 2019 Posted in HIPAA/HITECH, Medical Privacy

On April 26, 2019, the U.S. Department of Health & Human Services (HHS) issued an announcement that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language found in the Health Information Technology for Economic and Clinical … Continue Reading

Clearly Defined HIPAA and FERPA Policies May Help Covered Entities in Defending a Claim for Unemployment Compensation

By Paulette Thomas on February 19, 2019 Posted in HIPAA/HITECH, Privacy Litigation

Recently, in Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), the Commonwealth Court of Pennsylvania reversed the order of the Unemployment Compensation Board of Review (Board) which had affirmed the Unemployment Compensation Referee’s decision that Jami M. Dantry (Dantry) was ineligible for unemployment compensation benefits because Dantry’ s conduct … Continue Reading

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

By Paulette Thomas on December 18, 2018 Posted in Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy

On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading

OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

By Lynn Sessions and BakerHostetler on June 15, 2018 Posted in HIPAA/HITECH

The Office for Civil Rights (OCR) updated its agenda, outlining proposed and final rules as well as pre-rule document releases for 2018. A notable, and highly anticipated, advance notice of proposed rulemaking included on the agenda indicates OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability … Continue Reading

OCR Issues Alert Regarding Phishing Email Disguised as Official OCR Audit Communication

By Patrick H. Haggerty on November 29, 2016 Posted in HIPAA/HITECH, Medical Privacy

11/30/2016 Update: Today OCR issued another alert relating to the phishing email campaign and has shared that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov. Covered entities and business associates … Continue Reading

Cloud Service Providers Beware, You May Be Subject to HIPAA Without Knowing It

By M. Scott Koller on November 9, 2016 Posted in Cloud Computing, HIPAA/HITECH

The use of cloud service providers has exploded in the past several years. According to estimates from Gartner, the market for cloud services is expected to reach $204 billion in 2016. But the use of cloud service providers raises significant privacy and security concerns, especially for health care providers who are subject to the Health … Continue Reading

A Closer Look at the OCR’s Guidance on Ransomware

By M. Scott Koller on August 22, 2016 Posted in HIPAA/HITECH, Medical Privacy

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware. Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

By M. Scott Koller on August 19, 2016 Posted in HIPAA/HITECH, Medical Privacy

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices

By Theodore J. Kobus III on November 30, 2015 Posted in HIPAA/HITECH, Medical Privacy

The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on … Continue Reading

OIG Emphasizes Proactive Enforcement of Privacy Rule and Monitoring of Repeat Offenders

By Lynn Sessions and Suchismita Pahi on November 11, 2015 Posted in HIPAA/HITECH

The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. To that end, the OIG found that Part B providers fell … Continue Reading

Use of File-Sharing Service Leads To $218,400 Fine For HIPAA Violations

By Eric A. Packel on July 14, 2015 Posted in HIPAA/HITECH, Medical Privacy

Internet-based file-sharing services such as Dropbox and Google Drive can be easy and convenient to use, whether via the touch of an app on a mobile device or by opening a browser on a PC. Healthcare professionals are often tempted to use such services to store or share documents, since the stored documents can be … Continue Reading

Deeper Dive: Healthcare Incidents Involving More Than 500 Individuals Are Investigated 100 Percent of the Time

By Lynn Sessions on June 12, 2015 Posted in HIPAA/HITECH, Incident Response, Medical Privacy

We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. The report confirms the prevalence of healthcare data breaches stemming from the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act … Continue Reading

Malware Incident at Mental Health Nonprofit Leads to $150K Settlement with OCR

By Cory J. Fox on December 12, 2014 Posted in HIPAA/HITECH, Medical Privacy

As cyberattacks targeting the healthcare industry continue to escalate, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published its first-ever resolution agreement stemming from an incident involving malware, highlighting the importance of reviewing systems for unpatched and unsupported software that can leave patient information susceptible to malware and other … Continue Reading

Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

By Kimberly M. Wong on June 25, 2014 Posted in Enforcement, HIPAA/HITECH, Medical Privacy

While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form. To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution … Continue Reading

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

By Kimberly M. Wong on March 16, 2014 Posted in Enforcement, HIPAA/HITECH, Medical Privacy

To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provides standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals. HITECH … Continue Reading