On January 18, 2017, the U.S. Department of Health and Human Services (HHS) published a final rule amending the Confidentiality of Substance Use Disorder Patient Records rule at 42 C.F.R. Part 2. Yesterday, HHS delayed the effective date of the rule from February 17 to March 21. While the rule adds some much needed flexibility that will improve the abilit… Continue Reading
On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of question… Continue Reading
March 1, 2017 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2016. A small breach involves fewer than 500 individuals.
HIPAA Notification Requirements. HIPAA re… Continue Reading
The Code of Federal Regulations has recently published the 2016 version of the HIPAA regulations. This is the most up-to-date “official” version of the HIPAA regulations. We have created a version that includes PDF bookmarks to allow users to more easily jump from section to section.
A stolen unencrypted USB drive led to a $2.2 million settlement and a Resolution Agreement. The Department of Health and Human Services Office for Civil Rights (OCR) announced on January 18th a settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) after an unencrypted USB data storage device containing records of approximately 2,… Continue Reading
On Jan. 9, 2017, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced the first HIPAA enforcement action for failure to timely report a breach. Often investigating and making formal determinations concerning a potential breach can be very time consuming, even when responding promptly and appropriately to the eve… Continue Reading
To start off the New Year, here are some potential health information privacy and security resolutions. You can use these Annual, Quarterly, and Monthly lists to map out your privacy and security tasks for the year, and then check them off as you complete them. We have included empty rows for you to add your own resolutions.
As with any New Year’s resolution… Continue Reading
What’s worse than receiving an email indicating that you have been selected for an audit by your favorite government regulator? Clicking on a link in the email and discovering that it is a phishing attack that has just compromised your computer and your network.
HIPAA covered entities and their business associates should beware of potential phishing at… Continue Reading
Financial organizations that are business associates can expect a wave of HIPAA desk audits to evaluate the HIPAA compliance efforts of business associates. These audits have a limited focus and are conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). For business associates, desk audits will target breac… Continue Reading
September can bring about lots of changes, especially for college students. The National Alliance on Mental Illness (NAMI) released a guide for departing college students and their families on mental illness, including navigating certain privacy laws.
Health privacy and confidentiality laws protect your health records, including mental health rec… Continue Reading
Covered entities and business associates can expect increased scrutiny for breaches of unsecured protected health information affecting fewer than 500 individuals. Starting August 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) began more widely investigating these small breaches under the Health Insurance … Continue Reading
Phase 2 of the HIPAA audits is fully underway, and covered entities now can take a breath if they have not received a desk audit request. But we still are at the beginning of Phase 2, with more to come.
Preparing for Audits. Some steps that covered entities and business associates can take to further prepare:
- Business associates should verify that risk analysi
Athletes at the Rio Olympics aren’t the only ones setting records this year. Hoping to send a “strong message” about the importance of safeguarding electronic protected health information (PHI) and conducting mandated risk analyses, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently reached the larges… Continue Reading
Pikachu, Alakazam, Bulbasaur, Charmander, and Squirtle can teach us a few things about HIPAA privacy. Pokémon GO is a recent craze encouraging people to try to catch’em all. As a result, employees, clients, and patients are scrambling around the halls of covered entities and business associates in search of elusive Pokémon, hoping to take a capt… Continue Reading
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) has entered into a Resolution Agreement with a business associate over allegations that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by failing to protect electronic protected health information (ePHI).
On June 2… Continue Reading
Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Should a HIPAA-subject entity ever fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office f… Continue Reading
The world of privacy grows every day as more data goes through the cloud. The new trends and weekly data breaches make conferences like the Global Privacy Summit all the more relevant.
Earlier this month we went to IAPP’s annual event and networked with many professionals in the privacy sphere. Here were some of our key takeaways:
1. Connect with your FBI … Continue Reading
The Phase 2 audit program for HIPAA compliance is under way. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had launched the Phase 2 audits to examine and assess how covered entities and their business associates are adhering to the HIPAA Privacy, Security, and Breach Notification Rules. OCR will survey … Continue Reading
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has been highlighting the threat posed by “ransomware”—when an organization is locked out of its own systems and files by cyber criminals who then demand the organization pay a ransom to regain access. OCR launched its Cyber-Awareness initiative on Feb. 2 by emaili… Continue Reading
Feb. 29, 2016, a/k/a Leap Day, is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2015.
A small breach involves fewer than 500 individuals. While HIPAA requires cover… Continue Reading
On Feb. 9, 2016, the U.S. Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published in the Federal Register a proposed rule putting forth amendments to the Alcohol and Drug Abuse Treatment Confidentiality Rule at 42 C.F.R. Part 2 (the “Part 2 Rule”). A redline of the proposed changes to the … Continue Reading
Do You Know Where Your Data Is?
For only the second time in its history, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a civil money penalty (CMP) on a covered entity for allegedly violating the HIPAA Privacy Rule. The Administrative Law Judge’s (ALJ’s) decision upholding the $239,800 CMP against Lincare… Continue Reading
The FTC reached a $250,000 settlement with a 20-year consent order with Henry Schein Practice Solutions, Inc. over its use of allegedly subpar encryption technology in its offering to dental practices. This settlement is particularly noteworthy for a number of reasons:
- In addition to the typical 20-year consent order (in this case requiring Schein to ma
It may not be a big dollar amount ($15,000), but a recent New York Attorney General settlement represents a big issue—interpreting that HIPAA prohibits a health care professional who is changing practices from taking a patient list without the patients’ authorizations. Health care providers should review their procedures surrounding departing p… Continue Reading