As drug and device manufacturers continue to await final regulations and subsequent implementation of the federal Physician Payment Sunshine Act, passed as part of the Affordable Care Act, Massachusetts has relaxed its similar state law banning the provision by manufacturers of gifts to health care practitioners (“HCPs”) and requiring disclosure of payments and transfers of … Continue Reading
On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals. The settlement resulted from the hospital’s data breach report to the Attorney General in July … Continue Reading
The New Hampshire State Senate held a hearing on April 19, 2012 regarding HB 1725, a new measure that would prohibit all health care practitioners from prescribing or referring any U.S. Food and Drug Administration class II or class III implantable medical device if the practitioner stands to "profit indirectly or directly from the sale of [the] medical device by any supplier in which the health care practitioner has a direct or indirect ownership interest."… Continue Reading
On April 17, 2012, the HHS Office of Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. More specifically, Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.… Continue Reading
On March 29, 2012, the New Hampshire House of Representatives recommended for passage HB 1725. If passed, HB 1725 would prohibit all health care practitioners from prescribing or referring any U.S. Food and Drug Administration class II or class III implantable medical device if the practitioner stands to profit, directly or indirectly, from the sale of the device, or from performing any procedure involving the device.… Continue Reading
On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH's Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.
The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (e.g., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR's investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, social security numbers, diagnosis code, dates of birth, and health plan identification numbers.
According to OCR's investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.
In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust trainings for all employees, and perform monitor reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.
Additional information about OCR's enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.… Continue Reading
To implement the HITECH Act's mandate for the Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase are planned to begin with an initial 20 audits between November 2011 and April 2012. The remaining audits are scheduled to conclude by December 2012. All covered entities and business associates are eligible for audits; however, OCR has indicated that it is focusing on covered entities (range in type and size) in the initial phase. Business associates will be included in future audits.… Continue Reading