Tag Archives: electronic protected health information (ePHI)

OCR Clarifies Direct Liability of Business Associates Under HIPAA

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new fact sheet outlining and clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. Published shortly after the release of new guidance from OCR in the form … Continue Reading

Health Apps and HIPAA – Recent FAQs Highlight Importance of Covered Entities and Business Associates Scrutinizing their Relationships with App Developers

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of HIPAA FAQs addressing the applicability of HIPAA to certain health apps and the covered entities and business associates that interact with them. These FAQs build upon prior guidance from OCR that outlined the framework for evaluating whether a … Continue Reading

Mobile App Compliance for Dummies: New Tool Helps Developers Understand Their Legal Compliance Requirements

In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and … Continue Reading

Cure of Security Rule Violations Following Breach of EPHI Cannot Save Covered Entities from $750,000 Settlement; Non-Breach Related Security Complaint Leads to $218,000 HIPAA Settlement

More than three years after the Cancer Care Group, P.C. (“CCG”) notified the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of a breach of unsecured electronic protected health information (“ePHI”), the radiation oncology private practice settled and implemented a corrective action plan (“CAP”) with OCR for $750,000. This settlement … Continue Reading

OCR Settlement Reflects Continued Emphasis on HIPAA Security Rule Safeguards

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced a $150,000 settlement of potential violations of the HIPAA Security Rule by Anchorage Community Mental Health Services (ACMHS). These potential violations were caused by a malware breach of ACMHS's information technology resources. OCR's subsequent investigation of the breach found that ACMHS's preventative security measures prior to the breach were insufficient, and the settlement includes a Resolution Agreement with a corrective action plan for ACMHS to improve its security measures.… Continue Reading

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

Two separate instances of unencrypted laptop theft from different health care providers have resulted in two settlements for potential violations of the HIPAA Privacy and Security Rules. These alleged violations were uncovered following investigations by the Department of Health and Human Services, Office for Civil Rights (OCR). In the first instance, involving Concentra Health Services, OCR found that Concentra had previously recognized its need for increased encryption on its technological devices but had failed to fully address this issue before the breach. In the second instance, involving QCA Health Plan, Inc. of Arkansas, OCR found that QCA had failed to comply with multiple requirements set forth by the HIPAA Security Rule. Both instances resulted in settlements comprised of financial payments to OCR as well as agreement to Corrective Action Plans that will allow for continued oversight by OCR in regards to HIPAA compliance.… Continue Reading

County Governments Not Immune From HIPAA Enforcement: OCR Announces $215,000 Settlement with Skagit County, Washington

On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules. According to Susan McAndrew, deputy director of health … Continue Reading

CMS’ Oversight of Security Rule “Not Sufficient” According to the OIG

On May 16, 2011, the Office of Inspector General ("OIG") published a report with the results from its nationwide review of the Centers for Medicare and Medicaid Services ("CMS'") oversight of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). In its review, the OIG sought to determine the sufficiency of CMS' oversight and enforcement actions pertaining to hospitals' implementation of the HIPAA Security Rule. Pursuant to the Security Rule, covered entities, such as hospitals, must implement technical, physical, and administrative safeguards for the protection of electronic protected health information ("ePHI"). According to the OIG, CMS' oversight and enforcement actions were "not sufficient," leaving limited assurance of the security of hospitals' ePHI. The report details the results from the OIG's audits of seven hospitals. The audits disclosed "numerous internal control weaknesses." Specifically, the OIG identified 151 vulnerabilities in the systems and controls intended to protect ePHI. Of these vulnerabilities, 124 were categorized as "high impact." These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. The consequences of the high impact vulnerabilities is that it (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.… Continue Reading
LexBlog