Tag Archives: HIPAA Enforcement

Insights About Future Use of Protected Health Information Under HIPAA

In "HIPAA Enforcement: The Next Step," an interview and accompanying article that appeared on HealthcareInfoSecurity on October 14th, Reed Smith partner Brad Rostolsky details the HIPAA-related trends that he expects to see within the next several years. Among these predicted trends is an increase in the number of investigations by the Department of Health and Human Services' Office for Civil Rights regarding the illegal use and distribution of Protected Health Information without the permission of patients, a result of tightened regulations introduced in last year's HIPAA Omnibus Rule. Brad also discusses how companies should prepare for HIPAA compliance audits, the use of health information on social media, and potential privacy issues surrounding wearable consumer health devices.… Continue Reading

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

Two separate instances of unencrypted laptop theft from different health care providers have resulted in two settlements for potential violations of the HIPAA Privacy and Security Rules. These alleged violations were uncovered following investigations by the Department of Health and Human Services, Office for Civil Rights (OCR). In the first instance, involving Concentra Health Services, OCR found that Concentra had previously recognized its need for increased encryption on its technological devices but had failed to fully address this issue before the breach. In the second instance, involving QCA Health Plan, Inc. of Arkansas, OCR found that QCA had failed to comply with multiple requirements set forth by the HIPAA Security Rule. Both instances resulted in settlements comprised of financial payments to OCR as well as agreement to Corrective Action Plans that will allow for continued oversight by OCR in regards to HIPAA compliance.… Continue Reading

County Governments Not Immune From HIPAA Enforcement: OCR Announces $215,000 Settlement with Skagit County, Washington

On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules. According to Susan McAndrew, deputy director of health … Continue Reading

OCR OUT OF COMPLIANCE? OIG Report Concludes OCR Slow To Enforce HIPAA Security Rule and To Comply with Federal Cybersecurity Requirements

According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. The OIG's report concluded that OCR failed to provide for periodic audits to ensure that covered entities were in compliance with the Security Rule, and failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule.… Continue Reading

Physician Practice Caught in OCR Crossfire Following Theft of Unencrypted Flash Drive

The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass., to pay $150,000 to the Department of Health and Human Services' Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy, Security, and Breach Notification Rules. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act, passed as part of the American Recovery and Reinvestment Act of 2009.… Continue Reading

HHS Considers Amending the HIPAA Privacy Rule to Encourage Reporting of Mental Health Information to the National Instant Criminal Background Check System

The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers. … Continue Reading

The Scope of HIPAA Preemption in Florida: More Questions than Answers

This post was also written by Zachary A. Portin. On April 9, 2013, the Eleventh Circuit held that HIPAA preempts a Florida statute that requires nursing homes to release medical records of deceased residents to their spouses, attorneys-in-fact and other enumerated parties who request them.  In Opis Management Resources LLC v. Secretary Florida Agency for … Continue Reading

Loose Lips Sink… Providers?

This post was also written by Zachary A. Portin. Can a medical corporation be directly liable under New York law for breaching its common law fiduciary duty of confidentiality when a non-physician employee acted outside the scope of his or her employment by making an unauthorized disclosure of an individual’s confidential health information?  This is … Continue Reading

OCR Announces Expansion of its Health Information Privacy Enforcement Team

On February 27, 2013, the HHS Office for Civil Rights ("OCR") announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR's health information privacy enforcement team signals that OCR's increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from a breach self-report required by HITECH's Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary's $1.5 million settlement in September. OCR's 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency's focus will be on Security Rule compliance (specifically with regard to the whether a regulated entity has conducted a Security Rule Risk Assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of Protected Health Information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.… Continue Reading