Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” Full text can be found in the January 13, 2016, issue, but a synopsis is below. For her article, Marla asked… Continue Reading
Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.” The three of us together were able to come up… Continue Reading
HIPAA has made an unlikely appearance twice already this month in news reports involving famous athletes. Between the Pierre-Paul medical record tweet by ESPN reporter Adam Schefter earlier this month (discussed by my partner and fellow blogger Bill Maruca here) and the ticker-tape parade featuring confetti made of shredded (but apparently legible) medical information raining… Continue Reading
Medicare beneficiaries whose healthcare providers participate in an Accountable Care Organization (ACO) under the Medicare Shared Savings Program (MSSP) may want to add the Centers for Medicare & Medicaid Services (CMS) website, “Medicare & You”, to their lists of favorite internet links if they don’t want their Medicare claims data shared. Proposed rules published by… Continue Reading
The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year. The most common breach type is “theft” in this… Continue Reading
Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document? Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use… Continue Reading
The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations). … Continue Reading
My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.” While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article. (Elizabeth herself has… Continue Reading
Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criteria of the Omnibus Rule. You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human… Continue Reading
My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014. The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”). Bill’s quote sums it… Continue Reading
It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA. This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a… Continue Reading
A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or subcontractor (SC), may struggle with the question as to whether to agree to, demand, request, submit to, negotiate or permit, an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or… Continue Reading
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements. Here’s “TIP THREE” — TIP THREE: Covered Entities and Business Associates: make sure you know where your Protected… Continue Reading
This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and here… Continue Reading
Elizabeth Litten and Michael Kline write: For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large breach of protected health information (“PHI”) as the result of actions of a business associate (“BA”). If I’m a resident of Indiana and a client of… Continue Reading
Under HIPAA, where do we draw the line between a run-of-the-mill, ordinary garden variety “security incident” and a “presumed breach” when it comes to reporting PHI events? How do we describe these types of reporting obligations in business associate agreements?
Here are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information in their job, even without the benefit of the long-awaited Mega Rule.
SAIC’s recent Motion to Dismiss the Consolidated Amended Complaint filed in federal court in Florida as a putative class action highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach.
UCLA has developed a mixed record of disclosure with respect to its most recent security breach of PHI that was reported as a theft of an other portable electronic device on September 7, 2011.
Five members of Congress are co-signers of a bipartisan letter dated December 2, 2011, addressed to the Director of the TRICARE Management Authority to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information by TRICARE contractor Science Applications International Corporation (SAIC).”
The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services recently released a “sample” letter that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for HIPAA audits in 2012.
Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services Office for Civil Rights, which will increase the frequency and depth of government audits for HIPAA/ITECH compliance over the next year.
Given earlier assurances to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low from the SAIC PHI breach and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare/DoD’s abrupt about-face as to offering credit monitoring and restoration services relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk.
When is the mere “ability” to read protected health information (“PHI”), without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Recent PHI security breaches, including that being confronted by the Department of Defense and SAIC, Inc. will provide some information and guidance.