At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin…
HIPAA/HITECH
Phase 2 HIPAA Audits Coming to You: Check Your Spam Filter!
Posted in HIPAA/HITECH, Security
The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process. Why Audits?…
Pay Attention to Business Associate Agreements!
Posted in Data Breach, Data Compliance & Security, HIPAA/HITECH, Security
For our HIPAA-covered entity readers, we have asked these questions before: Have you taken a business associate inventory? Have you undertaken a comprehensive risk assessment as required by HIPAA? It’s all getting real – read on.
Not again …. yet another health care data breach
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH, Security
21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday March 4 that it was the latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago. Read on for the gory details…..
Ransomware Strikes California Hospital – Could You Be Next?
Posted in Cybersecurity, Data Compliance & Security, HIPAA/HITECH, Identity Theft, Privacy Regulation, Security, Uncategorized
In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack…
Latest OCR Enforcement Action: Underbed Storage is Not Appropriate for PHI
Posted in HIPAA/HITECH
Written by Kate Stewart
Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home…
Privacy Monday – August 17, 2015: Three Bytes for End of Summer
Posted in Cybersecurity, Data Breach, EU Data Protection Regulation, Events and Webinars, Federal Trade Commission, HIPAA/HITECH
It’s Privacy Monday again – and summer is winding down. Here are three bytes of privacy/security information to start your week:
1. House Committee Releases HHS Breach Investigation
If you are subject to HIPAA and the oversight of the Department of Health and Human Services (HHS), schadenfreude will probably best describe your reaction. A report…
Data Breach = Class Action Suit. Again.
Posted in Class Action Litigation, Data Breach, Data Breach Notification, HIPAA/HITECH
Originally posted in Mintz Levin’s Health Law & Policy Matters Blog
Written by Jordan Cohen
In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday – July 17, 2015 – that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record…
Privacy Monday – July 20, 2015: Hack Attack on Adultery Site Ashley Madison
Posted in Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy Monday
It’s Monday! Once again, data breaches and hacks are front and center, so here are three stories you should know about to start your week.
1. The Site that Promises “Discreet Encounters” Hacked — Karma?
If you have not heard the provocative ad campaign launched by a site called AshleyMadison, it may surprise…
Save the Date: June 24, 2015 — All You Need to Know About Risk Assessments
Posted in Cybersecurity, Events and Webinars, HIPAA/HITECH, Security
Register now for our June Wednesday Webinar. This webinar, the sixth in our Privacy series, will address risk assessment best practices and data breach readiness. A risk assessment is the foundational step in the development of a comprehensive privacy and security program for your company. It is also a regulatory requirement under HIPAA and…
Could the Anthem Hack Happen in NY? New Report Highlights Risk for NY Insurers
Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Security
The New York State Department of Financial Services (the “Department”) recently released a “Report on Cyber Security in the Insurance Sector” (the “Report”). The Report was released on February 8, 2015, just four days after Anthem first reported the breach of its database estimated to contain as many as 80 million customer records. While the…
Register for our next Wednesday Webinar — February 25
Posted in Employee Privacy, Events and Webinars, HIPAA/HITECH, Identity Theft, Mobile Privacy, Privacy Litigation, Security, Social Media
Registration is open for the next installment in the Mintz Levin Privacy & Security Group Wednesday Webinar series. This webinar, scheduled for Wednesday, February 25, will focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss…
The Anthem Data Breach: The Fallout and What’s Next
Posted in Class Action Litigation, Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Identity Theft
By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc. Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next.
WEBINAR RESCHEDULED – FEBRUARY 4
Posted in HIPAA/HITECH
Blizzards can affect even “virtual” events — tomorrow’s “How to Survive a HIPAA Audit” webinar has been rescheduled to February 4th. You can still register here.
Privacy Monday – January 26, 2015
Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Legislation, Privacy Monday, Privacy Regulation, Uncategorized
Good Monday – The East Coast prepares for Apocalypse (Sn)ow. In the meantime, here are three privacy-related tidbits for your day.
Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data
We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data. …
You’re Invited: Tips for Surviving a HIPAA Audit
Posted in HIPAA/HITECH
Celebrate Data Privacy Day! On Wednesday January 28th, Mintz Levin’s Dianne Bourque will be presenting a webinar on how to survive a HIPAA audit. With the New Year in full swing, the HHS Office of Civil Rights (“OCR”) is resuming its random audit program to assess compliance with HIPAA privacy, security and breach notification rules. …
Save the Date — HIPAA Audit Preparedness Webinar January 28, 2015
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation, Security
The First Rule of How to Survive a HIPAA Audit: Be Prepared
2015 is bringing along with it the start of the HHS Office for Civil Rights random audit program to assess compliance with the HIPAA privacy, security and breach notification rules. It is anticipated that 300-400 business associates will be the subject of a…
On the Tenth Day of Privacy, OCR Gave to Me…..
Posted in 12 Days of Privacy, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation
……………..a cumbersome C-A-P
Written by Dianne Bourque
The U.S. Department of Health and Human Services Office for Civil Rights has received tremendous publicity in recent years for its upward-trending fines and aggressive enforcement of HIPAA violations. Seven-figure fines are becoming the norm for serious violations; for example, in May of this year, OCR fined a hospital and university a combined total of $4.8 million dollars for their separate HIPAA…
On The Eighth Day of Privacy, Health Care Systems (Over)Shared Data
Posted in 12 Days of Privacy, HIPAA/HITECH, Privacy Regulation
When is “sharing” too much of a good thing? And will it get worse for health care systems in 2015? Read on…..
Written by Stephanie D. Willis
Data sharing has become a point of sharp focus in the efforts to improve the quality and efficiency of health services in the United States. Given all that has…
OCR Issues New Bulletin on Ensuring Privacy in Public Health Emergencies
Posted in HIPAA/HITECH
Written by Stephanie Willis
This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.” The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake…
Notes from the Joint OCR/NIST HIPAA Security Conference
Posted in Cybersecurity, HIPAA/HITECH, Privacy Regulation, Security
Written by: Dianne Bourque, Kimberly Gold, Kate Stewart, and Stephanie D. Willis (original post in Mintz Levin’s Health Law & Policy Matters blog)
As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards in Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases: (i) risk assessment, (ii)…
Privacy Monday – September 22, 2014
Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Privacy Monday
Happy autumnal equinox — http://www.skyandtelescope.com/astronomy-news/observing-news/autumnal-equinox-2014-arrives-09222014/
Home Depot Breach – By the Numbers
56 million cards at risk (compare to Target = 40 million)
$62 million in estimated costs (compare to Target = $146 million and counting)
$27 million insurance coverage (compare to Target = $100 million in cover)
Lawsuits filed – at least 1 in US and…
Massive Data Breach Affects 4.5 Million Patients in 29 States
Posted in Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH
Written by Julia Siripurapu, CIPP/US and Dianne J. Bourque
Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data…
Changes in Breach Notification Risk Assessments Under HIPAA
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation
Reposted from Mintz Levin’s Health Law & Policy Matters blog
The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed…