Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements. In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on… Continue Reading
This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a previous blog post in this series,… Continue Reading
In January 2011 this blog series discussed here and here that the University of Rochester Medical Center (“URMC” or the “Medical Center”) became a marcher twice in 2010 in the parade of large Protected Health Information (“PHI”) security breaches. The U.S. Department of Health and Human Services (“HHS”) publishes a list (the “HHS List”), which… Continue Reading
On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlined some direct effects of the new HIPAA Omnibus Rule on employers and their health plans.
While the summaries of closed investigations posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals continue to provide highly useful information for covered entities, business associates and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the recently-published Omnibus Rule.
As of January 1, 2013, there were 525 postings on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals. “Theft” constituted the majority of PHI breach types reported.
Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services the sum of $1.5 million to settle potential violations involving an alleged 2010 security breach of PHI under HIPAA. However, relatively little has been written that the 2010 breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years.
The recent paucity of postings of summaries on the Department of Health and Human Services list of large HIPAA privacy breaches by the federal Office of Civil Rights dampens the educational value that can be derived therefrom by covered entities and business associates.
Make the lengthy wait for the long-awaited HIPAA/HITECH Mega Rule more enjoyable by participating in a contest to predict the date of its publication in the Federal Register and the number of its pages.
Employers should limit PHI that they provide with respect to medical examinations of employees and job applicants and in other contexts to the least amount of medical information necessary for evaluation in order to avoid potential violations of the Americans with Disabilities Act, the Genetic Information Nondisclosure Act, State workers’ compensation laws and other statutes.
The federal Office of Civil Rights deems it necessary for a covered entity (CE) to verify whether a business associate (BA) is also a covered entity with respect to the CE’s protected health information; in turn such CE and BA and their respective counsel should use the verification process to develop provisions in the business associate agreement.
Many people who have been in the unfortunate situation where they believe that their protected health information (PHI) has been compromised inappropriately, are often surprised and deeply disappointed to learn that the HIPAA law does not provide a “private right of action.”
University of Texas MD Anderson Cancer Center posted notice on its website of a theft of an unencrypted laptop computer containing data on more than 30,000 patients exactly 59 days after the theft took place.
The recent Department of Health and Human Services (“HHS”) resolution with Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), which includes the payment by Alaska Medicaid to HHS of $1.7 million respecting possible violations of HIPAA, raises questions as to the exacting of payments by HHS from a state agency that funds medical care for the Alaska indigent from taxpayers.
The Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals includes focused guidance for covered entities and business associates in the form of brief summaries of the cases that the federal Office of Civil Rights has investigated and closed.
Within the last week, The Boston Globe has reported that venerable Boston Children’s Hospital, the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach that occurred in Buenos Aires, Argentina.
On March 30, 2012, a large data security breach, which has not yet been posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI, was experienced by the Utah Department of Technology Services on a computer server that stores Medicaid and Children’s Health Insurance Program claims data.
On February 24, 2012, HHS posted number 400 on its ever-lengthening list of breaches of unsecured PHI affecting 500 or more individuals. Theft of laptops is a recurrent source of such breaches, and the 400th breach was such an incident affecting Triumph, LLC in North Carolina.
On February 24, 2012, HHS posted number 400 on its ever-lengthening list of breaches of unsecured PHI affecting 500 or more individuals.
The recent MedPage Today survey results as to “third party errors” mirrors to some extent the proportion of business associate involvement reported for incidents that involved higher numbers of individuals on the HHS list of large PHI breaches as of December 2, 2011.
Spectators of the Protected Health Information Breach Parade (and of the “silent brigade” of Business Associate breaches) will be awed by the sight of the recent, somewhat bizarre, Business Associate breach involving Stanford Hospital’s emergency room data.
Ohio Health Plans, the public health care program overseen by the Ohio Department of Jobs and Family Services, reported that a PHI security breach had occurred on June 3, 2011 affecting 78,042 individuals, which had resulted from the theft of a laptop involving a business associate, Area Agency on Aging, Ohio District 5.
One area that has received relatively little attention from postings of the HHS list of large breaches of unsecured PHI is the extent to which such PHI breaches are reported as attributable to events involving business associates of covered entities.
We need to trust the keepers of our PHI so that, whether PHI is in the cloud or on a server, in a thumb drive or on a hard drive, only those who have a right and a need to access it can and will do so.