Reposted from Mintz Levin’s Health Law & Policy Matters blog The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed… Continue Reading
Tag Archives: HHS
HITECH Omnibus Rule Basics
Posted in HIPAA/HITECH, Privacy Regulation, SecurityAs we pore through the 562-page HITECH Omnibus Rule released by the Department of Health and Services late yesterday afternoon, here are some top line bullet points: Effective Date: Rule becomes effective on March 26, 2013. Covered entities and business associates must comply by September 23, 2013. Business Associates are now front and center – During… Continue Reading
Words of Warning: “No breach too small”
Posted in Data Breach, Privacy RegulationAs originally posted in Mintz Levin’s Health Law & Policy Matters blog Written by: Stephanie D. WillisThe Department of Health and Human Services, Office for Civil Rights (OCR) reached its first settlement for a breach involving data regarding less than 500 individuals. Under the December 2012 settlement, the Hospice of North Idaho (HONI) will pay OCR a $50,000 penalty to resolve allegations that… Continue Reading
Mass Eye and Ear Infirmary Hit with $1.5M Breach Settlement
Posted in Data Breach, Data Breach Notification, HIPAA/HITECHOriginally posted by Dianne Bourque in Mintz Levin’s Health Law & Policy Matters blog As the old saying goes, “no good deed goes unpunished….” The most recent, published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement. Massachusetts Eye and Ear… Continue Reading
HITECH: Business Associates Beware – New Rules, Audits and Enforcement on the Horizon!
Posted in Data Compliance & Security, HIPAA/HITECHThe upcoming HIPAA Omnibus Rule is poised to transform an already challenging privacy and security landscape for business associates or those who provide services to HIPAA “covered entities.” The HITECH Act has already imposed greater compliance responsibility on business associates and their subcontractors. The rules are set to change further and failure to comply can result in… Continue Reading
OCR Shares Preliminary HITECH Audit Results; What’s Next??
Posted in HIPAA/HITECH, Privacy RegulationWritten by Dianne J. Bourque Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings, what regulated entities can expect next and suggestions for covered entities concerned about being audited. Mintz Levin attended… Continue Reading
HHS Office of Civil Rights Director Speaks
Posted in HIPAA/HITECH, Privacy RegulationOur colleagues over at the Mintz Health Law & Policy Matters blog have been attending this week’s HIPAA Security Conference and have posted an update here. Two big takeaways — Office of Civil Rights (the agency that enforces the HIPAA privacy and security standards) Director Leon Rodriguez says that HIPAA compliance expectations are higher than ever… Continue Reading
The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group
Posted in Data Compliance & Security, HIPAA/HITECH, SecurityWritten by Kimberly Gold If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike. Phoenix Cardiac… Continue Reading
HIPAA Audits Begin; Huge Medical Data Theft from California Provider
Posted in Data Breach, Data Breach Notification, HIPAA/HITECHOur sister blog, Health Law & Policy Matters, includes a detailed discussion (warning?) relating to the commencement of HIPAA audits by the Office of Civil Rights. That post can be found here, and it and the embedded links should be required reading for anyone involved with protected health information. Yesterday, we learned of a major… Continue Reading
The HIPAA Auditors Are Coming! The HIPAA Auditors Are Coming!
Posted in UncategorizedIt is time for covered entities and business associates to jump start HIPAA privacy and security programs and make sure that everything is in compliance. GovInfoSecurity reports that the Department of Health and Human Services (HHS) has awarded a $9.2 million contract to KPMG to develop protocols for conducting the long-awaited HITECH Act-mandated HIPAA compliance audit… Continue Reading
HIPAA Enforcement on the Rise: Do You Know Who Your Business Associates Are??
Posted in UncategorizedWritten by Stephen Bentfield In the two-plus years since the enactment of the HITECH Act, the health care industry has seen a dramatic shift in federal and state HIPAA enforcement posture. Just within the last month, HHS announced a $4.3 million civil fine imposed on Cignet Health for failing to provide patients with copies of… Continue Reading
Office of Civil Rights Speaks at HIMSS – on the heels of a $4.3 million fine to Cignet Health
Posted in UncategorizedThis week, we heard about the first civil money penalty under the HIPAA Privacy Rule for failure to provide access to medical records and willful neglect — and it was a whopper. The appearance of Adam Greene, Senior Health IT and Privacy Advisor to the Office of Civil Rights – the enforcement arm of the… Continue Reading
Patient privacy group welcomes HHS withdrawal of HITECH Act breach notification rule
Posted in Data BreachThe Patient Privacy Rights Foundation welcomed last week’s announcement by the Department of Health and Human Services (HHS) that it was withdrawing the health data breach notification rule. The Foundation called the withdrawal a “huge step in the right direction” and reiterated its disappointment with the ‘harm threshold’ provision, which allows health care providers to… Continue Reading
HHS Withdraws Breach Notification Final Rule (but breach notification still effective)
Posted in Data BreachInteresting press release from the Department of Health and Human Services (HHS) relating to the HITECH Breach Notification Final Rule. The Interim Final Rule is still effective, but one can’t help but wonder what HHS may be reconsidering given the numbers of breaches reported since September 2009.
HHS (Finally!) Issues Proposed HIPAA Privacy & Security Rule Changes
Posted in LegislationThe long-awaited proposed changes to the HIPAA Privacy Rules have finally been released by the Department of Health and Human Services (HHS). A joint statement issued today by the HHS and the Office of Civil Rights (OCR) says that the proposed regulations “would expand individuals’ rights to access their information and restrict certain disclosures of… Continue Reading
Proposed HITECH Regulations Out in May?
Posted in LegislationBuried in a part of today’s Federal Register was the publication of the Department of Health and Human Services’ regulatory agenda. The agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue the long-awaited proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules… Continue Reading
Check your employee handbook – what you might think is fraud and abuse may not be a federal case….
Posted in Data Compliance & SecurityMy colleagues over at the Employment Matters blog report on an interesting decision drawing attention to the need for clear and explicit policies regarding “acceptable use” of computers and company information and the absolute necessity to terminate access once an employee or contractor is terminated. Particularly in light of the upcoming Massachusetts data security regulations,… Continue Reading
Federal Breach Notification Rules — NEXT WEEK. Are you ready?
Posted in Data BreachWritten by Cynthia and Dianne New federal breach notification rules go into effect next week for covered entities and their business associates and also for vendors of personal health records. Covered entities (organizations subject to the HIPAA privacy rule) and their business associates must report breaches of unsecured protected health information in accordance with new… Continue Reading