Tag Archives: OCR

OCR Releases Model Notices of Privacy Practices

Under the Privacy Rule,  an individual has the right to adequate notice of how a covered entity may use and disclose PHI about the individual, as well as his/her rights and the covered entity’s obligations with respect to that information.   Thus, a covered entity must develop and provide to individuals with a Notice of Privacy … Continue Reading

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2m

The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013.  Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780.  The resolution agreement relates … Continue Reading

HHS Reaches $400,000 Settlement Of Alleged HIPAA Security Rule Violations For Disabling Firewall Protections

The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of … Continue Reading

OCR’s Breach Settlement the First Ever Involving Less than 500 Patients

OCR started 2013 with a bang by announcing that it had reached “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals” with the Hospice of North Idaho (“HONI”). Under the resolution agreement, HONI has agreed to pay $50,000 and enter a two-year Corrective Action Plan to … Continue Reading

Reminder Annual OCR Breach Reporting is Due March 1, 2013

The breach notification interim final rule requires covered entities to submit to the Office for Civil Rights (OCR) notice of breaches of unsecured protected health information (PHI) (45 C.F.R. 164.408) by March 1, 2013. For breaches affecting fewer than 500 individuals, a covered entity must submit to OCR its annual notification of all breaches occurring … Continue Reading

Update: Final HITECH Act Regulations Amending HIPAA Privacy And Security Will Be Published In 2012

During 2011, informal indications were given by the HHS Office of Civil Rights (OCR) and various industry experts that the final HITECH Act regulations amending the HIPAA privacy and security regulations would be published by the end of 2011. However, as of January 6, 2012, the regulations continue to be delayed, due to the numerous … Continue Reading

Privacy and Data Breach Regulatory Activity–A Year in Review

While plaintiffs continue to face an uphill battle proving damages in privacy litigation – regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), … Continue Reading

OCR HIPAA Audit and Site Visit Pilot Program Implemented

In an effort to comply with Section 13411 of the HITECH Act, the Office for Civil Rights (“OCR”) recently announced the implementation of a pilot program to audit covered entities and business associates to ensure they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. OCR anticipates performing up to 150 … Continue Reading

HIPAA Audits ARRA Coming! Is your PHI Secure?

In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of … Continue Reading

HHS Inspector General Reports Highlight IT Security Gaps in Health Care

On May 16, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports critical of the government’s efforts to build and enforce a federal information security framework for protecting individuals’ electronic protected health information (ePHI).  Of particular interest to health care providers and health plans, these reports … Continue Reading
LexBlog