Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Tag Archives: Health and Human Services

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance

Posted in HIPAA Enforcement

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements.  In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on… Continue Reading

The Parade of Major Reported PHI Breaches Jumps Ahead to 646 – Part 2: Business Associates Continue to Augment the Numbers

Posted in HIPAA Business Associates, Security Breach Notification

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”).  As reported in a previous blog post in this series,… Continue Reading

The Parade of Large PHI Security Breaches: The University of Rochester Medical Center Makes it a Triple in 2013

Posted in Security Breach Notification

In January 2011 this blog series discussed here and here that the University of Rochester Medical Center (“URMC” or the “Medical Center”) became a marcher twice in 2010 in the parade of large Protected Health Information (“PHI”) security breaches.  The U.S. Department of Health and Human Services (“HHS”) publishes a list (the “HHS List”), which… Continue Reading

Collateral Effects of the Omnibus Rule: Exercise Caution in Using Past OCR Summaries on Large PHI Breaches as a Roadmap for Future Guidance

Posted in Security Breach Notification

While the summaries of closed investigations posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals continue to provide highly useful information for covered entities, business associates and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the recently-published Omnibus Rule.

As the Breach Parade Passes 500 Marchers: Should There be a Posting on the HHS List for a Third Massachusetts Eye and Ear Infirmary Breach?

Posted in Security Breach Notification

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services the sum of $1.5 million to settle potential violations involving an alleged 2010 security breach of PHI under HIPAA. However, relatively little has been written that the 2010 breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years.

Employers: Beware of PHI “Minimum Necessary” Standards Lurking Under Statutes Other Than HIPAA and State PHI Statutes

Posted in Privacy & Security

Employers should limit PHI that they provide with respect to medical examinations of employees and job applicants and in other contexts to the least amount of medical information necessary for evaluation in order to avoid potential violations of the Americans with Disabilities Act, the Genetic Information Nondisclosure Act, State workers’ compensation laws and other statutes.

The Breach Parade: OCR’s Reviewing Stand Lashes Out and Takes $1.7 million from Alaska Medicaid – Who is Really Being Penalized?

Posted in HIPAA Enforcement

The recent Department of Health and Human Services (“HHS”) resolution with Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), which includes the payment by Alaska Medicaid to HHS of $1.7 million respecting possible violations of HIPAA, raises questions as to the exacting of payments by HHS from a state agency that funds medical care for the Alaska indigent from taxpayers.

Ohio District 5 Area Agency on Aging, Inc.: a Business Associate Marcher in the Parade of Major PHI Security and Privacy Breaches

Posted in Security Breach Notification

Ohio Health Plans, the public health care program overseen by the Ohio Department of Jobs and Family Services, reported that a PHI security breach had occurred on June 3, 2011 affecting 78,042 individuals, which had resulted from the theft of a laptop involving a business associate, Area Agency on Aging, Ohio District 5.