Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Tag Archives: Department of Health and Human Services

The Parade of Major Reported PHI Breaches Surges to 885 – Theft and Loss Dominate the Numbers

Posted in Privacy & Security, Security Breach Notification

The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year.    The most common breach type is “theft” in this… Continue Reading

Two Months to Amend HIPAA Business Associate Agreements for Omnibus Compliance, But Beware the Bare Bones BAA

Posted in HIPAA Enforcement, Omnibus Rule

Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document? Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use… Continue Reading

Hobby Lobby, HIPAA and Happy Independence Day

Posted in Health Reform, Privacy & Security

The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has  attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations). … Continue Reading

Paper Records HIPAA Violation Results in $800,000 Payment under HHS Resolution Agreement

Posted in HIPAA Enforcement, Privacy & Security

My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.”  While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article.  (Elizabeth herself has… Continue Reading

Puerto Rico Raises a High Bar for Fines Levied for PHI Breaches

Posted in HIPAA Enforcement

My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014.   The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”).  Bill’s quote sums it… Continue Reading

The Parade of PHI Security Breaches: Why Did it Take Two Years for the Status of Minne-Tohe Health Center as a Marcher to be Disclosed?

Posted in Security Breach Notification

It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA.  This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a… Continue Reading

A Business Associate Agreement Dilemma: To Indemnify or Not to Indemnify – Ten Considerations

Posted in HIPAA Business Associates

A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or  subcontractor (SC), may struggle with the question as to whether to agree to, demand, request, submit to, negotiate or permit, an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or… Continue Reading

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance #3

Posted in Uncategorized

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements.  Here’s “TIP THREE” – TIP THREE: Covered Entities and Business Associates:  make sure you know where your Protected… Continue Reading

The Parade of Major Reported PHI Breaches Jumps Ahead to 646 – Theft Continues to Dominate the Numbers

Posted in Security Breach Notification

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and  here… Continue Reading

The Parade of PHI Security Breaches: With a New Large Breach, Indiana Family and Social Services Administration Marches Again

Posted in Security Breach Notification

Elizabeth Litten and Michael Kline write: For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large breach of protected health information (“PHI”) as the result of actions of a business associate (“BA”).  If I’m a resident of Indiana and a client of… Continue Reading

Back to the SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

Posted in Security Breach Notification

SAIC’s recent Motion to Dismiss the Consolidated Amended Complaint filed in federal court in Florida as a putative class action highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach.

Congressional Inquiry or Autopsy for SAIC Breach Disaster? – Part 5

Posted in Security Breach Notification

Five members of Congress are co-signers of a bipartisan letter dated December 2, 2011, addressed to the Director of the TRICARE Management Authority to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information by TRICARE contractor Science Applications International Corporation (SAIC).”

Did Tricare/DoD Make a “Proactive Response” or a Preemptive Strike with SAIC in the PHI Breach Matter? Whose Risk is it Anyway? – Part 4

Posted in Security Breach Notification

Given earlier assurances to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low from the SAIC PHI breach and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare/DoD’s abrupt about-face as to offering credit monitoring and restoration services relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk.

SAIC and Its Military Millions March – Flooding the Parade with Possible PHI Breaches – Part 3

Posted in Security Breach Notification

When is the mere “ability” to read protected health information (“PHI”), without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Recent PHI security breaches, including that being confronted by the Department of Defense and SAIC, Inc. will provide some information and guidance.

SAIC and Its Military Millions March – Flooding the Parade with Possible PHI Breaches – Part 2

Posted in Security Breach Notification

Excerpt:

When is the mere “ability” to read protected health information (“PHI”), without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Recent PHI security breaches, including that being confronted by the Department of Defense and SAIC, Inc. will provide some information and guidance.

SAIC and Its Military Millions March – Flooding the Parade with Possible PHI Breaches (With Some Words on the Nemours PHI Breach) – Part 1

Posted in Security Breach Notification

When is the mere “ability” to read protected health information (“PHI”), without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Recent PHI security breaches, including that being confronted by the Department of Defense and SAIC, Inc. will provide some information and guidance.