HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Tag Archives: breach

Doctor is Arrested for Allegedly Stealing Thousands of Patient Records

Posted in Privacy & Security

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Doctor is Arrested for Stealing Thousands of Patient Records.”  While the full text can be found in the February 16, 2015 issue of Medical Practice Compliance Alert, the following considerations… Continue Reading


Posted in Articles, HIPAA Enforcement, Security Breach Notification

A registered nurse employed by Minnesota Blue Cross Blue Shield (BC/BS) with a history of drug offenses allegedly accessed a prescription drug database 249 times without a legitimate purpose, according to a report by Minneapolis CBS affiliate WCCO posted by reporter Esme Murphy. The nurse, Jim Johnson, reportedly had been previously assigned by BC/BS under… Continue Reading

When HIPAA Applies to Patient Assistance Programs (and When It Doesn’t)

Posted in Privacy & Security

Patient Assistance Programs (PAPs) have proliferated in recent years, despite the fact that many commonly-prescribed medications have lost patent protection and the Affordable Care Act (ACA) has attempted to eliminate pre-existing condition discrimination by insurance companies.  Still, drug costs remain unaffordable to many patients, particularly those with high-cost, chronic conditions, even when patients have insurance… Continue Reading

Celebrities’ Health Information Compromised by Sony Hacking

Posted in Privacy & Security, Sensitive Health Information

Fox Rothschild partner Scott Vernick recently appeared as a guest on the Willis Report to discuss the fallout of the hacking of Sony Pictures Entertainment.  Celebrities’ individually identifiable health information, some of which appears to be protected health information (“PHI”) under HIPAA, was among the sensitive personal data hacked… Continue Reading

Will Unearthing the FTC’s Data Security Standards Help the Health Care Industry?

Posted in Privacy & Security

As a regulatory lawyer, I frequently find myself parsing words and phrases crafted by legislators and agencies that, all too often, are frustratingly vague or contradictory when applied to a particular real-world and perhaps unanticipated (at the time of drafting) scenario.  So when an agency crafting guidance for a regulated industry has advisors on hand… Continue Reading

Wild West Data Breach Sheriff Wins a Round Back East

Posted in HIPAA Enforcement

LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices.  On Monday, April 7, 2014, the United States District… Continue Reading

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance #2

Posted in HIPAA Enforcement

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements.  Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as… Continue Reading

Sixty Days or Sixty Minutes – What is Your Breach Reporting Deadline?

Posted in Health Reform, Security Breach Notification

If you are a federally-facilitated health insurance exchange (FFE), a “non-Exchange entity”, or a State Exchange, the answer is “Quick, report!”  Those involved with the new health insurance exchanges (or “Marketplaces”?  The name, like the rules, seems to be a moving and elusive target) should make note that privacy and security incidents and breaches are… Continue Reading

Business Associate Breach Leads to $2.5M Settlement by Accretive: But Who is the Covered Entity or Business Associate Here, and Do We Care?

Posted in HIPAA Enforcement

The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.

A Peek Behind the OCR Wall of Shame

Posted in HIPAA Enforcement

Ever wonder about those HIPAA breaches that affect less than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a recent presentation to the Hospital Council of Western Pennsylvania, officials from the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) provided… Continue Reading

First Small Physician Practice Joins The Parade of HIPAA PHI Security Breaches

Posted in HIPAA Enforcement

Do you think a two-physician cardiology group is too small for the feds to fine for alleged HIPAA violations? Phoenix Cardiac Surgery, P.C. (PCS) has learned otherwise the hard way, to the tune of $100,000. As this blog has noted, almost all enforcement to date has been against large insurers or major hospitals and not community hospitals or physician practice… Continue Reading

The Hazards of Data Mining: Minnesota AG Sues Collection Agency for Breach, Improper Use of PHI

Posted in Lawsuits

A Wall Street-based medical collection service has been sued by the Minnesota Attorney General after losing a laptop containing sensitive information about 23,500 patients treated by two hospitals which contracted with the company. More significantly, the AG’s complaint alleges that the company, Accretive Health, Inc., was mining, analyzing and using the data for purposes that… Continue Reading

Two Wrongs Don’t Make a Right: How Not to Defend Against Fraud Allegations

Posted in Health IT

If your hospital is being raked over the coals in the media for alleged fraudulent billing, it’s understandable to want to set the record straight. However, releasing patient information without consent is not the wisest approach.  California’s Shasta Regional Medical Center and its parent company Prime Healthcare Services have come under fire for aggressive Medicare billing practices, arising out… Continue Reading

Where is your data safer – your own server or the cloud?

Posted in Privacy & Security

As physicians and other covered entities evaluate EHR systems, a recurring question is security from intrusion or other breach.  Counterintuitively, a recent blog post at www.softwareadvice.com suggests that the safest place for health data to reside may be "cloud-based" systems. In the post, entitled HHS Data Tells the True Story of HIPAA Violations in the Cloud, analyst Michael Koploy reviewed the HHS "Wall of Shame" that… Continue Reading

California Hospitals Fined for Employees’ Unauthorized Access of Patient Records

Posted in Privacy & Security

The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles, reportedly as a result of two employees’ unauthorized access of Michael Jackson’s medical… Continue Reading

Is PHI Lurking In Your Photocopier?

Posted in Articles

While attention has been focused on the security risks posed by laptops, smartphones, flashdrives and more sophisticated electronic devices, humble office photocopiers have been quietly accumulating personal data on hard drives most of us didn’t know were there.  A CBS News investigation reveals the ease with which clever identity thieves can access reams of data for the price of a used… Continue Reading

Tennessee Blues’ Data Breach Approaches 1 Million Affected Individuals

Posted in Security Breach Notification

The scope of the October 2009 theft of Tennessee Blue Cross Blue Shield’s hard drives, initially estimated to involve 500,000 individuals, has grown to nearly a million subscribers, according to an updated notice posted on the insurance giant’s web site on April 6, 2010. The company has classified the risk level into three tiers, with the… Continue Reading

OCR Releases List of Breaches Affecting 500 or More Individuals

Posted in Security Breach Notification

As required by Section 13402(e)(4) of the HITECH Act, The Office of Civil Rights of the Department of Health and Human Services has posted a list of PHI breaches affecting 500 or more individuals.  Fifty-three covered entities appear, including hospitals, physician practices, dental practices, insurers, and several state agencies.  The most common causes of the breaches reported are… Continue Reading