Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Category Archives: Privacy & Security

Subscribe to Privacy & Security RSS Feed

The Parade of Major Reported PHI Breaches Surges to 885 – Theft and Loss Dominate the Numbers

Posted in Privacy & Security, Security Breach Notification

The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year.    The most common breach type is “theft” in this… Continue Reading

Hobby Lobby, HIPAA and Happy Independence Day

Posted in Health Reform, Privacy & Security

The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has  attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations). … Continue Reading

Paper Records HIPAA Violation Results in $800,000 Payment under HHS Resolution Agreement

Posted in HIPAA Enforcement, Privacy & Security

My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.”  While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article.  (Elizabeth herself has… Continue Reading

PHI Data Breaches just went from Bad Dream to Nightmare in West Virginia

Posted in Privacy & Security

Michael Coco writes: The dreaded PHI data breach is every covered entity’s bad dream, but the West Virginia Supreme Court just turned that bad dream into a nightmare. The court decided a case, Tabata v. Charleston Area Medical Center, Inc., brought on behalf of thousands of patients requesting class certification to sue the medical center for… Continue Reading

Risky (Health Care) Business: Disclosure of FTC Data Security Enforcement Potential to Investors and Other Third Parties

Posted in Privacy & Security

Readers of this blog know that we have been tracking the FTC’s recent data security enforcement activities with a particular focus on the FTC v. LabMD case.  As reported by Cause of Action, a nonprofit organization involved in the defense of LabMD, the LabMD trial was put on hold on May 30, 2014 until June… Continue Reading

Will Unearthing the FTC’s Data Security Standards Help the Health Care Industry?

Posted in Privacy & Security

As a regulatory lawyer, I frequently find myself parsing words and phrases crafted by legislators and agencies that, all too often, are frustratingly vague or contradictory when applied to a particular real-world and perhaps unanticipated (at the time of drafting) scenario.  So when an agency crafting guidance for a regulated industry has advisors on hand… Continue Reading

OCR Gets Coal in its Stocking from OIG

Posted in Articles, HIPAA Enforcement, HIPTT/HITECH Audits, HITECH Act, Privacy & Security

Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office of Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty. The report’s lengthy… Continue Reading

Embarrassing Fact: Few Seem to Understand HIPAA or the ACA (at least when it comes to individual health coverage to be purchased on an Exchange)

Posted in Health IT, Privacy & Security

I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact:  very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay… Continue Reading

Lost in the Shuffle: The September 23 HIPAA Notice Requirements

Posted in HIPAA Business Associates, HIPAA Enforcement, HITECH Act, Omnibus Rule, Privacy & Security, Uncategorized

Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog.  It is reproduced below: Lost in the Shuffle: The September 23 HIPAA Notice Requirements By Keith R. McMurdy on September 6, 2013Posted in Plan Administration, Welfare Plans… Continue Reading

PRISM, Surveillance and PHI: What the NSA’s data collection means for HIPAA privacy and security compliance concerns.

Posted in Privacy & Security

Tamarra Holmes writes: In recent weeks, people all around the world were made aware of a secret U.S. government surveillance program that essentially collects massive amounts of data from the general public through electronic communication providers, such as Facebook, Skype, and Google. The existence of the program, known as PRISM, was leaked by a former National… Continue Reading

PHI Breach Involving Health Plan Leads to Lawsuit by Identity Theft Victims Who Were Plan Members

Posted in Lawsuits, Privacy & Security

The principle that individuals whose protected health information is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach under the HIPAA/HITECH laws may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11th Circuit.

Employers: Beware of PHI “Minimum Necessary” Standards Lurking Under Statutes Other Than HIPAA and State PHI Statutes

Posted in Privacy & Security

Employers should limit PHI that they provide with respect to medical examinations of employees and job applicants and in other contexts to the least amount of medical information necessary for evaluation in order to avoid potential violations of the Americans with Disabilities Act, the Genetic Information Nondisclosure Act, State workers’ compensation laws and other statutes.

Where is your data safer – your own server or the cloud?

Posted in Privacy & Security

As physicians and other covered entities evaluate EHR systems, a recurring question is security from intrusion or other breach.  Counterintuitively, a recent blog post at www.softwareadvice.com suggests that the safest place for health data to reside may be "cloud-based" systems. In the post, entitled HHS Data Tells the True Story of HIPAA Violations in the Cloud, analyst Michael Koploy reviewed the HHS "Wall of Shame" that… Continue Reading