Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier’s Responding to Insider Data Theft & Disclosure presentation. Jonathan and Paul discussed how distinguishing the insider threat differs from the techniques used to identify and stop hackers, creating an environment that deters insiders from stealing data, and the…
Tag Archives: HIPAA
The Anthem Data Breach: The Fallout and What’s Next
Posted in Class Action Litigation, Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Identity Theft
By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc. Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next.
Notes from the Joint OCR/NIST HIPAA Security Conference
Posted in Cybersecurity, HIPAA/HITECH, Privacy Regulation, Security
Written by: Dianne Bourque, Kimberly Gold, Kate Stewart, and Stephanie D. Willis (original post in Mintz Levin’s Health Law & Policy Matters blog)
As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards and Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security,” into three phrases: (i) risk assessment, (ii)…
NIST Issues Draft Report Enumerating Risks and Protections to Consider When Evaluating Mobile Apps for Your Enterprise
Posted in Cybersecurity, Data Compliance & Security, Mobile Privacy
Written by: Stephanie D. Willis
As the world recovers from the excitement leading up to Tuesday’s Apple Live Event announcement of the new iPhone 6 and Apple Watch, mobile app developers are chomping at the bit to create software that leverages the new operating system and Apple’s widely anticipated “HealthKit,” a purportedly secure platform that allows…
Record $4.8 Million HIPAA Fine Assessed
Posted in Data Breach Notification, HIPAA/HITECH
In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network. Our sister blog, Health Law Policy Matters, provides an analysis of the incidents and…
Coming Next Week: The 12 Days of Privacy
Posted in Uncategorized
Haul out the holly, fill up the stockings, even though it’s just one week past Thanksgiving day… Rather than look back at 2013, next week the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2014. The editor’s muse for this series…
Business Associates Beware
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECH
If you haven’t yet caught up with the new HIPAA Omnibus Rule and its consequences for those businesses that are not themselves healthcare providers, but are service providers to healthcare entities (and even further downstream than that…), you can take a listen to our recent webinar highlighting the most important changes and issues. A recent…
Words of Warning: “No breach too small”
Posted in Data Breach, Privacy Regulation
As originally posted in Mintz Levin’s Health Law & Policy Matters blog
Written by: Stephanie D. Willis
The Department of Health and Human Services, Office for Civil Rights (OCR) reached its first settlement for a breach involving data regarding fewer than 500 individuals. Under the December 2012 settlement, the Hospice of North Idaho (HONI) will pay OCR a $50,000 penalty to resolve allegations that…
HHS Office of Civil Rights Director Speaks
Posted in HIPAA/HITECH, Privacy Regulation
Our colleagues over at the Mintz Health Law & Policy Matters blog have been attending this week’s HIPAA Security Conference and have posted an update here. Two big takeaways — Office of Civil Rights (the agency that enforces the HIPAA privacy and security standards) Director Leon Rodriguez says that HIPAA compliance expectations are higher than ever…
Ignorance of HIPAA Provisions No Excuse
Posted in HIPAA/HITECH
As the old canard goes: “Ignorance of the law is no excuse.” The Ninth Circuit agrees, particularly when it comes to misdemeanor charges under HIPAA for “wrongful disclosure.” Our colleagues at the Mintz Health Law & Policy Matters blog tell the story here.
New Texas Electronic Health Record Law Exceeds HIPAA Requirements
Posted in Uncategorized
Written by Dianne Bourque
Texas covered entities (health care providers, health insurers and clearinghouses) and other entities that use and disclose PHI of Texas residents using electronic health records (EHRs) face new risks and stringent requirements under HB300, a new Texas privacy law. The new law, which is effective September 1, 2012, is more stringent…
How Accountable Care Organizations (ACOs) Will Use and Disclose Protected Health Information While Complying with HIPAA
Posted in Uncategorized
Written by Dianne Bourque
The Centers for Medicare & Medicaid Services (CMS) has released proposed regulations establishing Accountable Care Organizations (ACOs) and creating the Medicare Shared Savings Program (the Program). The Program will permit health care providers and suppliers to form ACOs and to reward those that lower health care costs for Medicare fee-for-service beneficiaries,…
Office of Civil Rights Speaks at HIMSS – on the heels of a $4.3 million fine to Cignet Health
Posted in Uncategorized
This week, we heard about the first civil money penalty under the HIPAA Privacy Rule for failure to provide access to medical records and willful neglect — and it was a whopper. The appearance of Adam Greene, Senior Health IT and Privacy Advisor to the Office of Civil Rights — the enforcement arm of the…
Arizona Hospital Workers Fired for Inappropriately Accessing Shooting Victim Records
Posted in Uncategorized
Written by Dianne Bourque
Once again, a public event has piqued the “curiosity” of hospital employees in violation of HIPAA. The University Medical Center (UMC) at Tucson has fired three administrative staff and a contracted nurse for wrongfully accessing medical records related to the shooting rampage that killed six people and seriously injured Congresswoman Gabrielle Giffords.…
Improper Disposal Costs Rite Aid $1 Million
Posted in Data Breach
Written by Dianne Bourque
Rite Aid has agreed to pay $1 million to settle allegations that it violated HIPAA by disposing of labeled pill bottles in unsecured dumpsters accessible to the public. The $1 million fine settles a joint Office of Civil Rights (OCR)/Federal Trade Commission (FTC) investigation prompted by televised media reports of pharmacies…
First Ever State-initiated HIPAA Enforcement Action Settled
Posted in Legislation
Written by Dianne Bourque
Connecticut Attorney General Richard Blumenthal has settled the first state-initiated HIPAA enforcement action. The settlement totals $250,000 in statutory damages and Health Net’s agreement to implement a variety of measures to improve the security of consumer health and personal information. Health Net also agreed to provide two years of credit monitoring…
Proposed HITECH Regulations Out in May?
Posted in Legislation
Buried in a part of today’s Federal Register was the publication of the Department of Health and Human Services’ regulatory agenda. The agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue the long-awaited proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules…
HHS Announces Delay in Enforcement of HITECH Rules as Applied to Business Associates
Posted in Legislation
As we have discussed before, HHS’s Office of Civil Rights has let it be known that a proposed rule implementing the HITECH Act’s privacy and security provisions as they apply to business associate liability is in the works. The proposed rule will also deal with new limitations on the sale of protected health information, marketing,…
Quick Compliance Survey
Posted in Data Breach
No, we’re not “taking names” here. This is just a 10-question survey to gauge some basic compliance metrics. Please participate!
Today’s compliance deadline – Enforcement of the HITECH/HIPAA data breach notification rule
Posted in Data Breach
February and March are just full of significant deadlines for privacy/security reporting and compliance. Today is the day that the Health & Human Services Office of Civil Rights begins to enforce the HITECH/HIPAA data breach notification rule. To “celebrate” the occasion, the agency publicly posted the first list of reported breaches affecting 500 or more…
HITECH Act Compliance Date Arrived — Without the Promised Regulatory Guidance
Posted in Legislation
We have been so focused on the upcoming Massachusetts data security deadline that we let one last week go without fanfare. As we have gently reminded you on several occasions, the new HIPAA privacy and security rules contained in the Health Information Technology for Economic and Clinical Health Act (HITECH) became effective on February 17th…
Data Privacy Day – Tip #4 – Transactional Best Practices for Lawyers
Posted in Employee Privacy
Written by Michael Arnold and Jennifer Rubin
Even though lawyers working on both sides of an M&A transaction during the due diligence phase might immerse themselves in a “confidentiality bubble,” they still must be careful not to disclose or access confidential employee information in the course of that transaction. Attorneys evaluating potential transactions might be…
Data Privacy Day Tip #2 – HITECH Act
Posted in Legislation
Written by Dianne Bourque
Effective February 17, 2010, significant new compliance obligations will be imposed on business associates through the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”). Business associates (or organizations that use or disclose protected health information on behalf of covered entities subject to HIPAA) will be directly liable…
Connecticut Attorney General Brings Charges Against Health Net for HIPAA Violations
Posted in Data Breach
Written by Dianne Bourque
On January 13, Connecticut Attorney General Richard Blumenthal filed charges against Health Net of Connecticut, Inc., for violating federal privacy law. Blumenthal is the first state attorney general to file such a suit using HIPAA enforcement authority granted to states under the HITECH provisions of the American Recovery and Reinvestment…