As a regulatory lawyer, I frequently find myself parsing words and phrases crafted by legislators and agencies that, all too often, are frustratingly vague or contradictory when applied to a particular real-world and perhaps unanticipated (at the time of drafting) scenario. So when an agency crafting guidance for a regulated industry has advisors on hand…
Is the PHI on all your mobile devices encrypted? If not, here’s another two million reasons to make encryption your top priority. The Office for Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that it had imposed nearly $2 million in penalties on two entities as a…
LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices. On Monday, April 7, 2014, the United States District…
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements. Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as…
If you are a federally-facilitated health insurance exchange (FFE), a “non-Exchange entity”, or a State Exchange, the answer is “Quick, report!” Those involved with the new health insurance exchanges (or “Marketplaces”? The name, like the rules, seems to be a moving and elusive target) should make note that privacy and security incidents and breaches are…
Under HIPAA, where do we draw the line between a run-of-the-mill, ordinary garden variety “security incident” and a “presumed breach” when it comes to reporting PHI events? How do we describe these types of reporting obligations in business associate agreements?
The first breach settlement announcement of the new year breaks new ground – a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It’s the first settlement of a breach involving fewer than 500 individuals. There was no indication that any PHI was improperly viewed or accessed. In a press release issued January 2,…
The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.
Ever wonder about those HIPAA breaches that affect fewer than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a recent presentation to the Hospital Council of Western Pennsylvania, officials from the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) provided…
Do you think a two-physician cardiology group is too small for the feds to fine for alleged HIPAA violations? Phoenix Cardiac Surgery, P.C. (PCS) has learned otherwise the hard way, to the tune of $100,000. As this blog has noted, almost all enforcement to date has been against large insurers or major hospitals and not community hospitals or physician practice…
A Wall Street-based medical collection service has been sued by the Minnesota Attorney General after losing a laptop containing sensitive information about 23,500 patients treated by two hospitals which contracted with the company. More significantly, the AG’s complaint alleges that the company, Accretive Health, Inc., was mining, analyzing and using the data for purposes that…
A nurse has been fired by a Texas hospital after accessing information on patients for whom she had no clinical responsibility, according to the Mt. Pleasant, TX Daily Tribune. The hospital, Titus Regional Medical Center, reportedly discovered the unauthorized access in the course of an audit in November. The nurse admitted to looking at the…
If your hospital is being raked over the coals in the media for alleged fraudulent billing, it’s understandable to want to set the record straight. However, releasing patient information without consent is not the wisest approach. California’s Shasta Regional Medical Center and its parent company Prime Healthcare Services have come under fire for aggressive Medicare billing practices, arising out…
As physicians and other covered entities evaluate EHR systems, a recurring question is security from intrusion or other breach. Counterintuitively, a recent blog post at www.softwareadvice.com suggests that the safest place for health data to reside may be "cloud-based" systems. In the post, entitled HHS Data Tells the True Story of HIPAA Violations in the Cloud, analyst Michael Koploy reviewed the HHS "Wall of Shame" that…
In the first settlement of a HIPAA enforcement action brought by a state attorney general under the new authority granted by the HITECH Act, Connecticut Attorney General Richard Blumenthal announced that the state had entered into an agreement with Health Net for failing to secure patient health and financial information. The AG had brought suit…
The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles, reportedly as a result of two employees’ unauthorized access of Michael Jackson’s medical…
While attention has been focused on the security risks posed by laptops, smartphones, flash drives and more sophisticated electronic devices, humble office photocopiers have been quietly accumulating personal data on hard drives most of us didn’t know were there. A CBS News investigation reveals the ease with which clever identity thieves can access reams of data for the price of a used…
The scope of the October 2009 theft of Tennessee Blue Cross Blue Shield’s hard drives, initially estimated to involve 500,000 individuals, has grown to nearly a million subscribers, according to an updated notice posted on the insurance giant’s web site on April 6, 2010. The company has classified the risk level into three tiers, with the…
As required by Section 13402(e)(4) of the HITECH Act, the Office for Civil Rights of the Department of Health and Human Services has posted a list of PHI breaches affecting 500 or more individuals. Fifty-three covered entities appear, including hospitals, physician practices, dental practices, insurers, and several state agencies. The most common causes of the breaches reported are…
Ambulance-chasing meets the age of electronic records. The husband and wife team of Ruben E. Rodriguez and Maria Victoria Suarez have been charged with conspiring with an ambulance company worker to steal personal identification information of individuals transported by Randle Eastern Ambulance Service, Inc., d/b/a American Medical Response (“AMR”) and sell the information to various South…
With the HITECH breach notification rules weeks away from taking effect, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information.