HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Category Archives: Privacy & Security


OCR Gets Coal in its Stocking from OIG

Posted in Articles, HIPAA Enforcement, HIPAA/HITECH Audits, HITECH Act, Privacy & Security

Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office for Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty. The report’s lengthy…

Embarrassing Fact: Few Seem to Understand HIPAA or the ACA (at least when it comes to individual health coverage to be purchased on an Exchange)

Posted in Health IT, Privacy & Security

I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact: very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay…

Lost in the Shuffle: The September 23 HIPAA Notice Requirements

Posted in HIPAA Business Associates, HIPAA Enforcement, HITECH Act, Omnibus Rule, Privacy & Security, Uncategorized

Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog. It is reproduced below: Lost in the Shuffle: The September 23 HIPAA Notice Requirements. By Keith R. McMurdy on September 6, 2013. Posted in Plan Administration, Welfare Plans…

PRISM, Surveillance and PHI: What the NSA’s data collection means for HIPAA privacy and security compliance concerns.

Posted in Privacy & Security

Tamarra Holmes writes: In recent weeks, people all around the world were made aware of a secret U.S. government surveillance program that essentially collects massive amounts of data from the general public through electronic communication providers, such as Facebook, Skype, and Google. The existence of the program, known as PRISM, was leaked by a former National…

PHI Breach Involving Health Plan Leads to Lawsuit by Identity Theft Victims Who Were Plan Members

Posted in Lawsuits, Privacy & Security

Under the HIPAA/HITECH laws, individuals whose protected health information is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach. That principle may be changing for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11th Circuit.

Employers: Beware of PHI “Minimum Necessary” Standards Lurking Under Statutes Other Than HIPAA and State PHI Statutes

Posted in Privacy & Security

Employers should limit the PHI they provide with respect to medical examinations of employees and job applicants, and in other contexts, to the least amount of medical information necessary for the evaluation. Doing so avoids potential violations of the Americans with Disabilities Act, the Genetic Information Nondiscrimination Act, state workers’ compensation laws, and other statutes.

Where is your data safer – your own server or the cloud?

Posted in Privacy & Security

As physicians and other covered entities evaluate EHR systems, a recurring question is security from intrusion or other breach. Counterintuitively, a recent blog post at www.softwareadvice.com suggests that the safest place for health data to reside may be “cloud-based” systems. In the post, entitled HHS Data Tells the True Story of HIPAA Violations in the Cloud, analyst Michael Koploy reviewed the HHS “Wall of Shame” that…

New Turn in the Parade of PHI Breaches: Office for Civil Rights Exacts Heavy Payments From Cignet Health and Massachusetts General Hospital

Posted in Privacy & Security

Last week, for the first time, the Office for Civil Rights of HHS reported exacting heavy financial obligations: (i) from Cignet Health on February 22, 2011, a $4.3 million civil monetary penalty for violations of the HIPAA Privacy Rule, and (ii) from Massachusetts General Hospital on February 24, 2011, a settlement that includes a payment of $1,000,000 to the U.S. government for potential violations of HIPAA.

PHI: The Parade of Security Breaches Continues to Lengthen with the Addition of Thomas Jefferson University Hospital

Posted in Privacy & Security

The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light an increasing volume of breaches involving highly respected and sophisticated providers and insurers. This has often encouraged such providers and insurers to go well beyond the minimum legally required responses as a matter of…

California Hospitals Fined for Employees’ Unauthorized Access of Patient Records

Posted in Privacy & Security

The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles, reportedly as a result of two employees’ unauthorized access to Michael Jackson’s medical…

HHS Releases Excellent Compendium of Privacy and Security Resources

Posted in Privacy & Security, RHIO & HIE

The Secretary of Health and Human Services (HHS) released today a compendium of reports on state law, business practices, and policy variations to assist health information exchange efforts. I reviewed some of the documents linked through HHS’s e-mail and find it extremely helpful that the government is aggregating resources on its website to be used by all in their HIE and…

Does Oklahoma’s New Abortion Law Violate HIPAA?

Posted in Privacy & Security, Sensitive Health Information

On November 1, 2009, the “Statistical Reporting of Abortion Law” was scheduled to go into effect in Oklahoma. A temporary restraining order issued on October 20, 2009, however, has blocked enforcement of the law until at least December 4, 2009.* (Davis v. Edmondson, Okla. Dist. Ct. No. CJ-2009-9154). The Statistical Reporting of Abortion Law is…

Dare to Take-a-Peek? Think Again.

Posted in HIPAA Enforcement, Privacy & Security

I have said it before, and I will say it again — employees must come to understand and truly appreciate the huge risks involved and penalties at stake with “taking a peek” at a patient’s medical record for no legitimate purpose. This past Monday, a physician and two former employees at St. Vincent Infirmary Medical Center in Little Rock,…