More than three years after the Cancer Care Group, P.C. (“CCG”) notified the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of a breach of unsecured electronic protected health information (“ePHI”), the radiation oncology private practice settled and implemented a corrective action plan (“CAP”) with OCR for $750,000. This settlement … Continue Reading
Reed Smith’s Information Technology Privacy & Data Security Group has been doing phenomenal work for years, linking experienced cybersecurity and privacy professionals with veteran intellectual property litigators, information governance advisors, technology contracting specialists and others with a similar data-oriented perspective. And now it has been recognized by The Legal 500 United States as its ‘Data Protection … Continue Reading
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced a $150,000 settlement of potential violations of the HIPAA Security Rule by Anchorage Community Mental Health Services (ACMHS). These potential violations were caused by a malware breach of ACMHS's information technology resources. OCR's subsequent investigation of the breach found that ACMHS's preventative security measures prior to the breach were insufficient, and the settlement includes a Resolution Agreement with a corrective action plan for ACMHS to improve its security measures.… Continue Reading
The social media phenomenon has radically transformed the ways in which commercial businesses promote their services and products. However, as a result, companies must consider potential legal risks from an entirely new angle. To become a successful user of social media, a company must draft, review, disseminate and enforce a social media policy that addresses potential legal issues while at the same time emphasizing positive exposure for the business.… Continue Reading
The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass., to pay $150,000 to the Department of Health and Human Services' Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy, Security, and Breach Notification Rules. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act, passed as part of the American Recovery and Reinvestment Act of 2009.… Continue Reading
By Brad Rostolsky and Jennifer Pike on Posted in Privacy & HIPAA
On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following: … Continue Reading
By Brad Rostolsky and Jennifer Pike on Posted in Privacy & HIPAA
Recent posts on www.lifescienceslegalupdate.com include:
"OCR Releases HIPAA Guide for Law Enforcement," which links to new references on the HHS website for law enforcement and emergency planners.
View the entire entry:
https://www.lifescienceslegalupdate.com/2013/09/articles/data-privacy/ocr-releases-hipaa-guide-for-law-enforcement/
...and
"OCR Announces Enforcement Delay for CLIA Labs," which references the HHS' decision to delay enforcement of certain requirements pertaining to HIPAA-covered labs.… Continue Reading
The Department of Health & Human Services (HHS) released on September 19, 2013 guidance on financially remunerated prescription refill reminders.
The release of the guidance follows an announcement September 11, 2013, that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS' decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders.… Continue Reading
On September 5, 2013, Adheris, Inc. ("Adheris"), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services ("Secretary"), and the Department of Health & Human Services ("HHS"), challenging the constitutionality of the HITECH Final Rule's restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary's enforcement of these restrictions, which was set to begin on September 23, 2013.
In a joint motion filed by the parties today seeking to suspend the court's schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule's "reasonable in amount" restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.… Continue Reading
On February 27, 2013, the HHS Office for Civil Rights ("OCR") announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR's health information privacy enforcement team signals that OCR's increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from a breach self-report required by HITECH's Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary's $1.5 million settlement in September. OCR's 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency's focus will be on Security Rule compliance (specifically with regard to the whether a regulated entity has conducted a Security Rule Risk Assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of Protected Health Information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.… Continue Reading
On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing much of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Noteworthy provisions of the HITECH Final Rule include:
- Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
- Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
- Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
- Replacing the Breach Notification Rule's "harm" threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
- Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.… Continue Reading
The Office for Civil Rights ("OCR") of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules. The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the Genetic Information Nondiscrimination Act ("GINA"), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the "HITECH Final Rule"). Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.… Continue Reading
On January 2, 2013, the HHS Office for Civil Rights ("OCR") announced its first settlement and corrective action plan following a breach affecting fewer than 500 individuals. The Hospice of North Idaho ("HONI") has agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule following the theft of an unencrypted laptop containing electronic Protected Health Information ("ePHI") for 441 patients. Significantly, this is the third settlement in six months involving unencrypted portable devices.… Continue Reading
It has been almost two and half years since the Department of Health and Human Services, Office for Civil Rights ("OCR"), published a notice of proposed rulemaking to implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH") and amend the HIPAA Privacy and Security Rules, and almost nine months since the final rule was submitted to the Office of Management and Budget ("OMB") for final regulatory clearance. While industry speculation, fueled by comments made by Leon Rodriguez, the Director of OCR, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, suggested that an omnibus final rule would be released by the end of summer, OMB had different ideas.… Continue Reading
The Office of Civil Rights (OCR) released guidance on Monday, November 26, 2012, regarding methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. This guidance, which followed a June 2012 Government Accountability Office Report criticizing the delayed publication of this and related guidance, is aimed to assist covered entities and business associates in understanding what de-identification is and how de-identified information is created.… Continue Reading
The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter of our Cloud Computing White Paper.… Continue Reading
Earlier today the Department of Health and Human Services’ (HHS), Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The penalty – which is $4.3 million – was assessed against Cignet Health of Prince Georges County, a health insurer. The underlying HIPAA … Continue Reading