Tag Archives: Protected Health Information (PHI)

OCR Clarifies Direct Liability of Business Associates Under HIPAA

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new fact sheet outlining and clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. Published shortly after the release of new guidance from OCR in the form … Continue Reading

Health Apps and HIPAA – Recent FAQs Highlight Importance of Covered Entities and Business Associates Scrutinizing their Relationships with App Developers

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of HIPAA FAQs addressing the applicability of HIPAA to certain health apps and the covered entities and business associates that interact with them. These FAQs build upon prior guidance from OCR that outlined the framework for evaluating whether a … Continue Reading

Mobile App Compliance for Dummies: New Tool Helps Developers Understand Their Legal Compliance Requirements

In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and … Continue Reading

After a Strong Enforcement Presence in 2015, OCR Starts 2016 with a $239,000 Civil Money Penalty Judgment

It has been a busy winter for the US Department of Health and Human Service, Office for Civil Rights (“OCR”).  Since November 2015, the agency has announced three settlements and one civil money penalty judgment amounting to over $5 million in fines and settlements.  Most recently, on February 3, 2016, a U.S. Department of Health … Continue Reading

HHS’ Selection of Contractor Provides Latest Update on Impending Second Round of HIPAA Audits

On October 27, 2015, a U.S. Department of Health and Human Services (“HHS”) official stated that the agency has hired FCi Federal, a provider of management and professional services to government agencies in Ashburn, VA, to conduct the second round of Health Insurance Portability and Accountability Act (“HIPAA”) data security audits.  Similar to the Phase … Continue Reading

Preparing for a HIPAA Data Breach: Easy Steps to Ensure “Breach Readiness”

The 2013 changes to HIPAA’s privacy and security regulations in combination with the government’s bolstered approach to compliance and enforcement reinforces the need for health care providers to remain focused on preparing for the inevitable likelihood that privacy or security issues will occur. With the number of significant data breaches expected to rise, it is … Continue Reading

Cure of Security Rule Violations Following Breach of EPHI Cannot Save Covered Entities from $750,000 Settlement; Non-Breach Related Security Complaint Leads to $218,000 HIPAA Settlement

More than three years after the Cancer Care Group, P.C. (“CCG”) notified the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of a breach of unsecured electronic protected health information (“ePHI”), the radiation oncology private practice settled and implemented a corrective action plan (“CAP”) with OCR for $750,000. This settlement … Continue Reading

OCR Announces Settlement and Corrective Action Plan with Pharmacy Stemming from Alleged Violations

The HHS Office for Civil Rights recently announced a settlement and corrective action plan with Cornell Prescription Pharmacy (CPP), a small for-profit, single location, compounding pharmacy located in Denver, CO. CPP has agreed to pay $125,000 and enter into a corrective action plan to settle potential violations of the HIPAA Privacy Rule. This outcome is indicative of OCR's unwillingness to demonstrate wide variance in its enforcement response based on the size of an affected covered entity or the number of patients involved in a potential HIPAA violation.… Continue Reading

First Steps for GCs in Assessing a Data Breach

When a data breach is discovered by a company, it is often the responsibility of the company’s in-house counsel to swiftly assess the breach and provide an initial report to company management. There are several steps that in-house counsel should follow if faced with a breach to allow for an adequate assessment that company management can use. As noted … Continue Reading

Amidst Increasing Security Concerns, Medicare to Drop Social Security Numbers from Cards

Last week, President Obama signed into law a bill that will eradicate Social Security Numbers (SSNs) from all Medicare beneficiary cards over the next eight years. Medicare has four years to begin issuing cards with new identifiers, and four years after that to reissue cards to current beneficiaries. The removal of SSNs from the cards is not only expected to decrease the risks associated with identity theft for Medicare beneficiaries, but also Medicare's risk of exposure associated with breaches of protected health and personal information under HIPAA and state privacy laws.… Continue Reading

New Jersey Enacts Data Privacy Law for Health Insurance Carriers

New Jersey Governor Chris Christie has signed a law requiring health insurance carriers in that state to encrypt individuals' personal information. This new law will be enforced in conjunction with the New Jersey Consumer Fraud Act (NJCFA), and failure to obey the law will be classified as a violation of the NJCFA, which could result in financial penalties for the carriers. The new legislation may also affect business associates through the contractual terms of business associate agreements.… Continue Reading

OCR Releases Ebola Bulletin

The recent Ebola outbreak has prompted the US Department of Health and Human Services, Office for Civil Rights ("OCR"), the agency responsible for enforcing the Health Insurance Portability and Accountability Act ("HIPAA"), to release a new bulletin for covered entities and business associates regarding their privacy obligations in emergency situations. The bulletin, entitled "HIPAA Privacy In Emergency Situations," provides an overview of the limited ways in which covered entities and business associates may use and disclose protected health information in emergencies, such as the Ebola outbreak. The bulletin is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.… Continue Reading

Insights About Future Use of Protected Health Information Under HIPAA

In "HIPAA Enforcement: The Next Step," an interview and accompanying article that appeared on HealthcareInfoSecurity on October 14th, Reed Smith partner Brad Rostolsky details the HIPAA-related trends that he expects to see within the next several years. Among these predicted trends is an increase in the number of investigations by the Department of Health and Human Services' Office for Civil Rights regarding the illegal use and distribution of Protected Health Information without the permission of patients, a result of tightened regulations introduced in last year's HIPAA Omnibus Rule. Brad also discusses how companies should prepare for HIPAA compliance audits, the use of health information on social media, and potential privacy issues surrounding wearable consumer health devices.… Continue Reading

Final Rule Gives Patients a New Right under HIPAA to Access Completed Test Reports Directly from Labs

On February 6, 2014, the U.S. Department of Health & Human Services' (HHS) Centers for Medicare & Medicaid Services, Centers for Disease Control and Prevention, and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 regulations to provide patients with direct access to laboratory test reports. HHS believes that patients should have the right to access these test reports in order to gain vital information, allowing them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply by October 6, 2014.… Continue Reading

ONC Tiger Team Takes a Bite Out of the Proposed Access Report Rule

The Privacy and Security Tiger Team, a subcommittee of the Office of the National Coordinator for Health IT's HIT Policy Committee, has recommended that the Office for Civil Rights of U.S. Department of Health and Human Services abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information contained in an electronic designated record set, concluding that the rule is overbroad and lacks value.… Continue Reading

HHS Seeks to Reduce Gun Violence Via Modifications to the HIPAA Privacy Rule

After receiving more than 2,000 comments to its April 2013 Advance Notice of Proposed Rulemaking, the Department of Health & Human Services has proposed to amend the HIPAA Privacy Rule to expressly permit certain covered entities to report to the National Instant Criminal Background Check System ("NICS") the identities of individuals who are prohibited by federal law, for mental health reasons, from possessing firearms (commonly referred to as the "mental health prohibitor"). OCR has cited concerns that the existing HIPAA Privacy Rule may be preventing some state entities (which likely perform both HIPAA-covered and non-covered functions) from reporting to the NICS the identities of individuals subject to the mental health prohibitor. Therefore, HHS has proposed to add to the Privacy Rule new provisions at 45 CFR § 164.512(k)(7), which would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes.… Continue Reading

OCR OUT OF COMPLIANCE? OIG Report Concludes OCR Slow To Enforce HIPAA Security Rule and To Comply with Federal Cybersecurity Requirements

According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. The OIG's report concluded that OCR failed to provide for periodic audits to ensure that covered entities were in compliance with the Security Rule, and failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule.… Continue Reading

Physician Practice Caught in OCR Crossfire Following Theft of Unencrypted Flash Drive

The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass., to pay $150,000 to the Department of Health and Human Services' Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy, Security, and Breach Notification Rules. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act, passed as part of the American Recovery and Reinvestment Act of 2009.… Continue Reading

OCR Releases HIPAA Guide for Law Enforcement

On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following: … Continue Reading

OCR Announces Enforcement Delay for CLIA Labs

Recent posts on www.lifescienceslegalupdate.com include: "OCR Releases HIPAA Guide for Law Enforcement," which links to new references on the HHS website for law enforcement and emergency planners. View the entire entry: https://www.lifescienceslegalupdate.com/2013/09/articles/data-privacy/ocr-releases-hipaa-guide-for-law-enforcement/ ...and "OCR Announces Enforcement Delay for CLIA Labs," which references the HHS' decision to delay enforcement of certain requirements pertaining to HIPAA-covered labs.… Continue Reading

France: All Bodies Hosting Personal Medical Data Must Apply for Official Accreditation or Work With An Officially Accredited Data Host

This post was written by Daniel Kadar. As a champion for the protection of personally identifiable information and with broad definitions for the concepts of personal and medical data, France has established a very specific set of policies requiring that all bodies hosting medical data must apply for official accreditation or work with an accredited … Continue Reading

HHS Considers Amending the HIPAA Privacy Rule to Encourage Reporting of Mental Health Information to the National Instant Criminal Background Check System

The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers. … Continue Reading

The Scope of HIPAA Preemption in Florida: More Questions than Answers

This post was also written by Zachary A. Portin. On April 9, 2013, the Eleventh Circuit held that HIPAA preempts a Florida statute that requires nursing homes to release medical records of deceased residents to their spouses, attorneys-in-fact and other enumerated parties who request them.  In Opis Management Resources LLC v. Secretary Florida Agency for … Continue Reading

Loose Lips Sink… Providers?

This post was also written by Zachary A. Portin. Can a medical corporation be directly liable under New York law for breaching its common law fiduciary duty of confidentiality when a non-physician employee acted outside the scope of his or her employment by making an unauthorized disclosure of an individual’s confidential health information?  This is … Continue Reading
LexBlog