Certain health care providers, health information technology (IT) developers, and health plans could see the way they share patient information transformed following the release of two new final rules issued by the U.S. Department of Health and Human Services. The rules address interoperability and information blocking. Reed Smith partner Nancy Bonifant Halstead and senior associate … Continue Reading
The U.S. Department of Health and Human Services Office for Civil Rights’ (OCR) recent imposition of a civil monetary penalty (CMP) against a Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entity demonstrates the need to ensure that HIPAA compliance programs are in place, are audited regularly, and emphasize the importance of promptly … Continue Reading
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new fact sheet outlining and clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. Published shortly after the release of new guidance from OCR in the form … Continue Reading
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of HIPAA FAQs addressing the applicability of HIPAA to certain health apps and the covered entities and business associates that interact with them. These FAQs build upon prior guidance from OCR that outlined the framework for evaluating whether a … Continue Reading
By Jennifer Pike and Brad Rostolsky on Posted in Privacy & HIPAA
In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and … Continue Reading
More than three years after the Cancer Care Group, P.C. (“CCG”) notified the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of a breach of unsecured electronic protected health information (“ePHI”), the radiation oncology private practice settled and implemented a corrective action plan (“CAP”) with OCR for $750,000. This settlement … Continue Reading
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced a $150,000 settlement of potential violations of the HIPAA Security Rule by Anchorage Community Mental Health Services (ACMHS). These potential violations were caused by a malware breach of ACMHS's information technology resources. OCR's subsequent investigation of the breach found that ACMHS's preventative security measures prior to the breach were insufficient, and the settlement includes a Resolution Agreement with a corrective action plan for ACMHS to improve its security measures.… Continue Reading
Two separate instances of unencrypted laptop theft from different health care providers have resulted in two settlements for potential violations of the HIPAA Privacy and Security Rules. These alleged violations were uncovered following investigations by the Department of Health and Human Services, Office for Civil Rights (OCR). In the first instance, involving Concentra Health Services, OCR found that Concentra had previously recognized its need for increased encryption on its technological devices but had failed to fully address this issue before the breach. In the second instance, involving QCA Health Plan, Inc. of Arkansas, OCR found that QCA had failed to comply with multiple requirements set forth by the HIPAA Security Rule. Both instances resulted in settlements comprised of financial payments to OCR as well as agreement to Corrective Action Plans that will allow for continued oversight by OCR in regards to HIPAA compliance.… Continue Reading
On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules. According to Susan McAndrew, deputy director of health … Continue Reading
On May 16, 2011, the Office of Inspector General ("OIG") published a report with the results from its nationwide review of the Centers for Medicare and Medicaid Services ("CMS'") oversight of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). In its review, the OIG sought to determine the sufficiency of CMS' oversight and enforcement actions pertaining to hospitals' implementation of the HIPAA Security Rule. Pursuant to the Security Rule, covered entities, such as hospitals, must implement technical, physical, and administrative safeguards for the protection of electronic protected health information ("ePHI"). According to the OIG, CMS' oversight and enforcement actions were "not sufficient," leaving limited assurance of the security of hospitals' ePHI.
The report details the results from the OIG's audits of seven hospitals. The audits disclosed "numerous internal control weaknesses." Specifically, the OIG identified 151 vulnerabilities in the systems and controls intended to protect ePHI. Of these vulnerabilities, 124 were categorized as "high impact." These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. The consequences of the high impact vulnerabilities is that it (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.… Continue Reading