Tag Archives: PHI

What’s Old Is New Again: OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

Photo of Aleksandra VoldBy Aleksandra Vold on Posted in Healthcare
After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case unusual for its quick resolution, but that is … Continue Reading

Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?

Photo of Sara GoldsteinPhoto of Jessica Captain NovickPhoto of Lynn SessionsBy Sara Goldstein, Jessica Captain Novick and Lynn Sessions on Posted in HHS, HIPAA/HITECH
The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 … Continue Reading

Deter Workforce Snooping in Electronic Medical Records Through Education and Training

By Paulette Thomas on Posted in HIPAA/HITECH
On March 6, 2019, the U.S. Department of Justice (DOJ) announced that Linda Sue Kalina pled guilty to wrongfully disclosing the protected health information (PHI) of another individual in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Kalina was a patient information coordinator with the University of Pittsburgh Medical Center (UPMC) … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Insider-Caused Data Loss

Photo of Aleksandra VoldPhoto of BakerHostetlerBy Aleksandra Vold and BakerHostetler on Posted in HHS, HIPAA/HITECH, Medical Privacy
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. While any security incident may cause an entity heartburn, when the incident is traced back to an … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Loss or Theft of Devices

Photo of Aleksandra VoldPhoto of BakerHostetlerBy Aleksandra Vold and BakerHostetler on Posted in HHS, HIPAA/HITECH
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. The report on cybersecurity best practices (Report) weighs in on one of the issues many entities find … Continue Reading

What Can We Learn From the Healthcare Data Breach ‘Wall of Shame’?

Photo of Eric A. PackelBy Eric A. Packel on Posted in HHS, HIPAA/HITECH
In addition to dealing with the public outcry and regulatory scrutiny resulting from a healthcare data breach, covered entities under the Health Insurance Portability and Accountability Act (or their business associates) are required to report breaches to the Department of Health & Human Services’ (HHS) Office for Civil Rights. But the pain doesn’t end there. … Continue Reading

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

By Paulette Thomas on Posted in Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy
On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading

Recent OCR Newsletter Highlights Growing Cyber Extortion Threat for Healthcare Organizations

Photo of Lynn SessionsPhoto of BakerHostetlerBy Lynn Sessions and BakerHostetler on Posted in Cybersecurity
The OCR’s January 2018 newsletter details specific types of cyber extortion that healthcare organizations are currently encountering, including ransomware, denial of service attacks, distributed denial of service attacks and theft of protected health information (PHI). Each type of attack poses unique challenges that may affect an organization in different ways. However, all cyber extortion disrupts … Continue Reading

Cloud Service Providers Beware, You May Be Subject to HIPAA Without Knowing It

Photo of M. Scott KollerBy M. Scott Koller on Posted in Cloud Computing, HIPAA/HITECH
The use of cloud service providers has exploded in the past several years. According to estimates from Gartner, the market for cloud services is expected to reach $204 billion in 2016. But the use of cloud service providers raises significant privacy and security concerns, especially for health care providers who are subject to the Health … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

Photo of M. Scott KollerBy M. Scott Koller on Posted in HIPAA/HITECH, Medical Privacy
The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in HIPAA/HITECH, Medical Privacy
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that … Continue Reading

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in Medical Privacy
On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides … Continue Reading

Another Day, Another OCR Resolution Agreement – Numerous Repeated Breaches Lead to $3.5 Million Settlement

By Suchismita Pahi on Posted in HIPAA/HITECH, Medical Privacy
On the heels of the Lahey Hospital and Medical Center resolution agreement, OCR announced a resolution agreement with Triple-S Management Corporation and its subsidiaries, Triple-S Salud Inc. and Triple-C Inc. (collectively “Triple-S”). As part of the announcement, Office for Civil Rights (OCR) Director Jocelyn Samuels flagged two specific areas for covered entities to focus their … Continue Reading

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices

Photo of Theodore J. Kobus IIIBy Theodore J. Kobus III on Posted in HIPAA/HITECH, Medical Privacy
The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on … Continue Reading

OCR HIPAA Phase 2 Audits Coming Soon. Be Prepared.

By Paulette Thomas on Posted in HIPAA/HITECH, Medical Privacy
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that the agency expects to begin Phase 2 Audits in early 2016. OCR intends to conduct desk audits and on-site audits of covered entities (CEs) and business associates (BAs), and has contracted with FCi Federal, Inc., to conduct the data … Continue Reading

Legal Issues to Consider Before Starting Big Data Projects

By Judy Selby and Benjamin Barnes on Posted in Big Data
We read every day about the myriad of purposes for which enterprises are embarking on Big Data projects. Securing C-suite buy in and funding may be a significant endeavor, as is implementing an analytic approach to yield results that will achieve the project’s overall goals. In the face of those challenges, the legal and regulatory … Continue Reading

Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

By Kimberly M. Wong on Posted in Enforcement, HIPAA/HITECH, Medical Privacy
While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form.  To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution … Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Photo of Lynn SessionsBy Lynn Sessions and Kimberly M. Wong on Posted in Data Breaches, HIPAA/HITECH, International Privacy Law, Medical Privacy
Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading

Can Covered Entities Utilize Text Messaging and Text Paging Without Violating HIPAA?

Photo of Lynn SessionsBy Lynn Sessions on Posted in HIPAA/HITECH, Medical Privacy
Co-authored by: Cory Fox Text messaging allows healthcare providers to deliver simple, relevant, and customizable health information instantaneously to their patients, like reminders to obtain a vaccine, take a medication or come to an important follow-up appointment. Text paging, a form of text messaging frequently used by healthcare professionals, can help ensure patient safety by … Continue Reading

HIPAA Audits ARRA Coming! Is your PHI Secure?

Photo of John MulhollanBy John Mulhollan on Posted in Breach Notification, Data Breach Notification Laws, HIPAA/HITECH, Medical Privacy
In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of … Continue Reading

HIPAA Bombshells — Major Civil Monetary Penalties Imposed Against Covered Entities for Privacy Violations

Photo of John MulhollanBy John Mulhollan on Posted in Enforcement, HIPAA/HITECH, Medical Privacy
The last week of February 2011 will likely be remembered as a noteworthy milestone in the history of HIPAA privacy enforcement by the Department of Health and Human Services (“HHS”).  Showing that HHS intends to vigorously exercise the expanded civil monetary penalty enforcement provisions enacted in 2009 under the Health Information Technology for Economic and … Continue Reading

HHS Withdraws Draft Of Final HIPAA Breach Nofitifcation Rule

Photo of John MulhollanBy John Mulhollan on Posted in Federal Legislation, HIPAA/HITECH, Medical Privacy
On July 28, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that it withdrew the draft of the final rule for HIPAA breach notification that it had submitted in May to the Office of Management and Budget (OMB) for review. The possible reasons for such withdrawal will be discussed below, but covered entities should note that the obligation to report breaches of unsecured protected health information (PHI), which took effect on September 23, 2009, following the publication of an Interim Final Rule promulgated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), remains in effect. All covered entities, and their business associates, should have in place and/or adhere to an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of privacy or security of PHI.… Continue Reading
LexBlog