Category Archives: HIPAA Privacy

Key HIPAA Settlement Agreements by HHS’s Office for Civil Rights in 2015 & 2016

The last time this blog presented an overview of key HIPAA settlement agreements at the Office for Civil Rights in the U.S. Department of Health and Human Services was a review of 2014.  The number of complaints that year had spiked up compared to 2013: around a 25% increase.  This post will examine key cases from 2015 and 2016.  While the number of complaints in 2015 was relatively steady with 2014, it appears, based on preliminary numbers, that 2016 was the busiest year ever for the Office. HHS has data through November 2016 currently posted on its website, but no …


Clearing Up Confusion Over the Modified HIPAA Privacy Rule

The Department of Health and Human Services issued a final rule under the Health Insurance Portability and Accountability Act of 1996, which will go into effect on February 5, 2016. HHS published the final rule in tandem with President Obama’s recently announced executive actions to reduce gun violence. The final rule expressly permits certain covered entities under HIPAA to disclose limited demographic and other information to the National Instant Criminal Background Check System (NICS), or to an entity that is designated by the State to report to the NICS (or which collects information for this reporting). The covered entities are …


HIPAA and Text Messaging

Text messaging is pervasive.  Doctors and other health care providers, covered entities, and business associates currently use (and embrace) the technology.  Texting is easy, fast and efficient.  It doesn’t require a laptop and can operate even where wireless signals are low.  It doesn’t require you to scroll through your email inbox or retrieve your voicemail. All of this convenience is coupled with compromise, leading to security risks that can be difficult to manage. There is the obvious risk of unauthorized access to protected health information.  For example, unless preventive measures are employed: anyone with access to the mobile device will …


Cloud Sharing Apps Scrutinized for ePHI

In a relatively short time period, the direct costs of document storage have dropped precipitously, and cloud-based document storage has become ubiquitous. Clearly, this is a wave of the future. But a recent settlement agreement between the Office of Civil Rights and a Boston area hospital should make it plain that, when it comes to electronic protected health information, mobile devices and cloud-based storage apps carry significant risk. On July 8, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights and St. Elizabeth’s Medical Center entered into a settlement agreement following an investigation into a complaint …


A Year in Review: Key HIPAA Settlement Agreements by HHS’s Office for Civil Rights

The U.S. Department of Health and Human Services Office for Civil Rights had another busy year in 2014. More resolution agreements were signed by HHS and Covered Entities than in the previous year, and several Covered Entities agreed to pay significant amounts to resolve investigations. Below is a brief summary of the most notable enforcement actions. In March 2014, OCR settled alleged HIPAA violations by Skagit County, Washington, home to approximately 118,000 residents. The County agreed, among other things, to pay a $215,000 monetary settlement. According to OCR, the electronic protected health information of 1,581 people was accessed by unknown …


Looking at the Past to Predict the Future of HIPAA/HITECH Enforcement

2013 was a busy year for the Department of Health and Human Services. In January 2013, HHS issued its Final Omnibus Rule, substantially modifying both the Privacy, Security, and Enforcement Rules related to the Health Insurance Portability and Accountability Act (HIPAA) and the Breach Notification Rule under the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The Final Omnibus Rule gives HHS’s Office of Civil Rights even greater authority to police covered entities and to enforce HIPAA/HITECH Act privacy regulations. As expected, OCR was active in its enforcement of the Final Omnibus Rule in 2013. In …


Copiers Don’t Easily Forget and HHS Doesn’t Easily Forgive

In 2010, Affinity Health Plan, Inc., a New York not-for-profit managed care plan, received some bad news after learning that it was an unwitting player in a CBS Evening News investigation on leased photocopiers. In its investigation, CBS went to a New Jersey warehouse and purchased several photocopiers, which included one previously leased by Affinity. With little effort, CBS was able to retrieve 300 pages of medical records from the Affinity photocopier’s hard drive, including patient test results, diagnostic assessments, and drug prescriptions. As a result, Affinity was required to file a breach report with the U.S. Department of Health …


The Past, Present, and Future of Electronic Health Records Regulations

It’s an understatement to say that the invention of the Internet has been one of the most important developments in history. With the advent of this revolutionary technology, individuals are no longer limited in their citizenship – i.e., just members of a village, town, city, or country. Rather, they can choose to be a part of a worldwide cyber-community. This global interconnectivity allows us to communicate with our friends, family, and colleagues across the globe in milliseconds. It propels business growth and development throughout the world, and it has even served as the catalyst for sweeping political change. However, along …
