HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Category Archives: HIPAA Enforcement


Wild West Data Breach Sheriff Wins a Round Back East

Posted in HIPAA Enforcement

LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices.  On Monday, April 7, 2014, the United States District… Continue Reading

HHS Enforces Against County Government in Washington State

Posted in HIPAA Enforcement, Security Breach Notification

Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Order with… Continue Reading

Puerto Rico Raises a High Bar for Fines Levied for PHI Breaches

Posted in HIPAA Enforcement

My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014.   The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”).  Bill’s quote sums it… Continue Reading

HIPAA Compliance Trends for 2014

Posted in HIPAA Enforcement

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her Medical Practice Compliance Alert article “HIPAA, ICD-10 Among 6 Compliance Trends That Will Affect You in 2014.” While the full text can be found in the January 6, 2014 issue of Medical Practice Compliance Alert, a synopsis is noted below. As we… Continue Reading

HIPAA Failure Results In Penalties: Lack of Compliance the Key

Posted in Articles, HIPAA Enforcement, Uncategorized

Our partner Keith McMurdy posted this analysis of a recent HIPAA settlement involving a physician practice on our Employee Benefits Legal Blog: "HIPAA Failure Results In Penalties: Lack of Compliance the Key," by Keith R. McMurdy on January 1, 2014. Posted in Plan Administration, Welfare Plans. Often, when I am discussing HIPAA privacy compliance, I am… Continue Reading

OCR Gets Coal in its Stocking from OIG

Posted in Articles, HIPAA Enforcement, HIPTT/HITECH Audits, HITECH Act, Privacy & Security

Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office of Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty. The report’s lengthy… Continue Reading

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance #2

Posted in HIPAA Enforcement

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements.  Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as… Continue Reading

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance

Posted in HIPAA Enforcement

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements.  In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on… Continue Reading

Lost in the Shuffle: The September 23 HIPAA Notice Requirements

Posted in HIPAA Business Associates, HIPAA Enforcement, HITECH Act, Omnibus Rule, Privacy & Security, Uncategorized

Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog. It is reproduced below: "Lost in the Shuffle: The September 23 HIPAA Notice Requirements," by Keith R. McMurdy on September 6, 2013. Posted in Plan Administration, Welfare Plans… Continue Reading

This Just In: Guidance for Health Care Providers, and the Omnibus Rule

Posted in HIPAA Enforcement

With gun violence and mental health concerns in the headlines, the Office of Civil Rights of the Department of Health and Human Services has published a letter to health care providers clarifying when it is permissible to reveal PHI when a patient is reasonably believed to present a serious danger to himself or others.   The long-awaited HIPAA… Continue Reading

Another Case of Snooping Prosecuted

Posted in HIPAA Enforcement

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the… Continue Reading

Business Associate Breach Leads to $2.5M Settlement by Accretive: But Who is the Covered Entity or Business Associate Here, and Do We Care?

Posted in HIPAA Enforcement

The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.

A Peek Behind the OCR Wall of Shame

Posted in HIPAA Enforcement

Ever wonder about those HIPAA breaches that affect fewer than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a recent presentation to the Hospital Council of Western Pennsylvania, officials from the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) provided… Continue Reading

The Breach Parade: OCR’s Reviewing Stand Lashes Out and Takes $1.7 million from Alaska Medicaid – Who is Really Being Penalized?

Posted in HIPAA Enforcement

The recent Department of Health and Human Services (“HHS”) resolution with Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), which includes the payment by Alaska Medicaid to HHS of $1.7 million respecting possible violations of HIPAA, raises questions as to the exacting of payments by HHS from a state agency that funds medical care for the Alaska indigent from taxpayers.

Government HIPAA Enforcement Tools – Will These “Red Light Cameras” Deter Marchers From Joining the Breach Parade?

Posted in HIPAA Enforcement

To avoid becoming marchers in the Breach Parade, covered entities and business associates should be aware of tools being used by the federal Office of Civil Rights and State Attorneys General to deter and catch HIPAA privacy and security breaches that may be similar to the red light cameras designed to deter and catch traffic violations.

Video Interview: Discussing the Phoenix Cardiac Surgery HIPAA Violation Settlement with LXBN TV

Posted in HIPAA Enforcement

Late last week I had the opportunity to speak with Colin O’Keefe of LXBN TV regarding Phoenix Cardiac Group, P.C.—a two-physician practice—joining the parade of practices being punished for PHI HIPAA security breaches. In the short interview, I explain the background of the case, why this is an unprecedented step for Health and Human Services… Continue Reading

UCLA Snooper’s Conviction Upheld; HHS Publishes Guidance

Posted in HIPAA Enforcement

Remember Huping Zhou, the UCLA researcher sentenced to prison for snooping through the health records of celebrities and co-workers? A federal appeals court has upheld his conviction and rejected his defense attorney’s position that the prosecution had not alleged that he had known he was violating HIPAA when he accessed the records. The court determined that the only… Continue Reading

First Small Physician Practice Joins The Parade of HIPAA PHI Security Breaches

Posted in HIPAA Enforcement

Do you think a two-physician cardiology group is too small for the feds to fine for alleged HIPAA violations? Phoenix Cardiac Surgery, P.C. (PCS) has learned otherwise the hard way, to the tune of $100,000. As this blog has noted, almost all enforcement to date has been against large insurers or major hospitals and not community hospitals or physician practice… Continue Reading