Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Tag Archives: HHS

Changes in Breach Notification Risk Assessments Under HIPAA

Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation

Reposted from Mintz Levin’s Health Law & Policy Matters blog. The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed…

HITECH Omnibus Rule Basics

Posted in HIPAA/HITECH, Privacy Regulation, Security

As we pore through the 562-page HITECH Omnibus Rule released by the Department of Health and Human Services late yesterday afternoon, here are some top line bullet points: Effective Date: Rule becomes effective on March 26, 2013. Covered entities and business associates must comply by September 23, 2013. Business Associates are now front and center – During…

Words of Warning: “No breach too small”

Posted in Data Breach, Privacy Regulation

As originally posted in Mintz Levin’s Health Law & Policy Matters blog. Written by: Stephanie D. Willis. The Department of Health and Human Services, Office for Civil Rights (OCR) reached its first settlement for a breach involving data regarding fewer than 500 individuals. Under the December 2012 settlement, the Hospice of North Idaho (HONI) will pay OCR a $50,000 penalty to resolve allegations that…

Mass Eye and Ear Infirmary Hit with $1.5M Breach Settlement

Posted in Data Breach, Data Breach Notification, HIPAA/HITECH

Originally posted by Dianne Bourque in Mintz Levin’s Health Law & Policy Matters blog. As the old saying goes, “no good deed goes unpunished….” The most recent published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement. Massachusetts Eye and Ear…

HITECH: Business Associates Beware – New Rules, Audits and Enforcement on the Horizon!

Posted in Data Compliance & Security, HIPAA/HITECH

The upcoming HIPAA Omnibus Rule is poised to transform an already challenging privacy and security landscape for business associates, or those who provide services to HIPAA “covered entities.” The HITECH Act has already imposed greater compliance responsibility on business associates and their subcontractors. The rules are set to change further, and failure to comply can result in…

OCR Shares Preliminary HITECH Audit Results; What’s Next??

Posted in HIPAA/HITECH, Privacy Regulation

Written by Dianne J. Bourque. Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings, what regulated entities can expect next and suggestions for covered entities concerned about being audited. Mintz Levin attended…

HHS Office of Civil Rights Director Speaks

Posted in HIPAA/HITECH, Privacy Regulation

Our colleagues over at the Mintz Health Law & Policy Matters blog have been attending this week’s HIPAA Security Conference and have posted an update here. Two big takeaways — Office of Civil Rights (the agency that enforces the HIPAA privacy and security standards) Director Leon Rodriguez says that HIPAA compliance expectations are higher than ever…

The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group

Posted in Data Compliance & Security, HIPAA/HITECH, Security

Written by Kimberly Gold. If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike. Phoenix Cardiac…

HIPAA Audits Begin; Huge Medical Data Theft from California Provider

Posted in Data Breach, Data Breach Notification, HIPAA/HITECH

Our sister blog, Health Law & Policy Matters, includes a detailed discussion (warning?) relating to the commencement of HIPAA audits by the Office of Civil Rights. That post can be found here, and it and the embedded links should be required reading for anyone involved with protected health information. Yesterday, we learned of a major…

The HIPAA Auditors Are Coming! The HIPAA Auditors Are Coming!

Posted in Uncategorized

It is time for covered entities and business associates to jump start HIPAA privacy and security programs and make sure that everything is in compliance. GovInfoSecurity reports that the Department of Health and Human Services (HHS) has awarded a $9.2 million contract to KPMG to develop protocols for conducting the long-awaited HITECH Act-mandated HIPAA compliance audit…

Patient privacy group welcomes HHS withdrawal of HITECH Act breach notification rule

Posted in Data Breach

The Patient Privacy Rights Foundation welcomed last week’s announcement by the Department of Health and Human Services (HHS) that it was withdrawing the health data breach notification rule. The Foundation called the withdrawal a “huge step in the right direction” and reiterated its disappointment with the ‘harm threshold’ provision, which allows health care providers to…

HHS (Finally!) Issues Proposed HIPAA Privacy & Security Rule Changes

Posted in Legislation

The long-awaited proposed changes to the HIPAA Privacy Rules have finally been released by the Department of Health and Human Services (HHS). A joint statement issued today by the HHS and the Office of Civil Rights (OCR) says that the proposed regulations “would expand individuals’ rights to access their information and restrict certain disclosures of…

Proposed HITECH Regulations Out in May?

Posted in Legislation

Buried in a part of today’s Federal Register was the publication of the Department of Health and Human Services’ regulatory agenda. The agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue the long-awaited proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules…

Check your employee handbook – what you might think is fraud and abuse may not be a federal case….

Posted in Data Compliance & Security

My colleagues over at the Employment Matters blog report on an interesting decision drawing attention to the need for clear and explicit policies regarding “acceptable use” of computers and company information and the absolute necessity to terminate access once an employee or contractor is terminated. Particularly in light of the upcoming Massachusetts data security regulations,…

Federal Breach Notification Rules — NEXT WEEK. Are you ready?

Posted in Data Breach

Written by Cynthia and Dianne. New federal breach notification rules go into effect next week for covered entities and their business associates and also for vendors of personal health records. Covered entities (organizations subject to the HIPAA privacy rule) and their business associates must report breaches of unsecured protected health information in accordance with new…