Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Tag Archives: HHS

Wild West Data Breach Sheriff Wins a Round Back East

Posted in HIPAA Enforcement

LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices.  On Monday, April 7, 2014, the United States District… Continue Reading

Embarrassing Fact: Few Seem to Understand HIPAA or the ACA (at least when it comes to individual health coverage to be purchased on an Exchange)

Posted in Health IT, Privacy & Security

I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact:  very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay… Continue Reading

The Parade of PHI Security Breaches: Why Did it Take Two Years for the Status of Minne-Tohe Health Center as a Marcher to be Disclosed?

Posted in Security Breach Notification

It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA.  This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a… Continue Reading

A Business Associate Agreement Dilemma: To Indemnify or Not to Indemnify – Ten Considerations

Posted in HIPAA Business Associates

A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or  subcontractor (SC), may struggle with the question as to whether to agree to, demand, request, submit to, negotiate or permit, an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or… Continue Reading

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance #3

Posted in Uncategorized

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements.  Here’s “TIP THREE” – TIP THREE: Covered Entities and Business Associates:  make sure you know where your Protected… Continue Reading

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance #2

Posted in HIPAA Enforcement

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements.  Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as… Continue Reading

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance

Posted in HIPAA Enforcement

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements.  In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on… Continue Reading

The Parade of Major Reported PHI Breaches Jumps Ahead to 646 – Part 2: Business Associates Continue to Augment the Numbers

Posted in HIPAA Business Associates, Security Breach Notification

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”).  As reported in a previous blog post in this series,… Continue Reading

The Parade of Major Reported PHI Breaches Jumps Ahead to 646 – Theft Continues to Dominate the Numbers

Posted in Security Breach Notification

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and  here… Continue Reading

Sixty Days or Sixty Minutes – What is Your Breach Reporting Deadline?

Posted in Health Reform, Security Breach Notification

If you are a federally-facilitated health insurance exchange (FFE), a “non-Exchange entity”, or a State Exchange, the answer is “Quick, report!”  Those involved with the new health insurance exchanges (or “Marketplaces”?  The name, like the rules, seems to be a moving and elusive target) should make note that privacy and security incidents and breaches are… Continue Reading

The Parade of PHI Security Breaches: With a New Large Breach, Indiana Family and Social Services Administration Marches Again

Posted in Security Breach Notification

Elizabeth Litten and Michael Kline write: For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large breach of protected health information (“PHI”) as the result of actions of a business associate (“BA”).  If I’m a resident of Indiana and a client of… Continue Reading

The Parade of Large PHI Security Breaches: The University of Rochester Medical Center Makes it a Triple in 2013

Posted in Security Breach Notification

In January 2011 this blog series discussed here and here that the University of Rochester Medical Center (“URMC” or the “Medical Center”) became a marcher twice in 2010 in the parade of large Protected Health Information (“PHI”) security breaches.  The U.S. Department of Health and Human Services (“HHS”) publishes a list (the “HHS List”), which… Continue Reading

Collateral Effects of the Omnibus Rule: Exercise Caution in Using Past OCR Summaries on Large PHI Breaches as a Roadmap for Future Guidance

Posted in Security Breach Notification

While the summaries of closed investigations posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals continue to provide highly useful information for covered entities, business associates and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the recently-published Omnibus Rule.

Back to the SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

Posted in Security Breach Notification

SAIC’s recent Motion to Dismiss the Consolidated Amended Complaint filed in federal court in Florida as a putative class action highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach.

As the Breach Parade Passes 500 Marchers: Should There be a Posting on the HHS List for a Third Massachusetts Eye and Ear Infirmary Breach?

Posted in Security Breach Notification

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services the sum of $1.5 million to settle potential violations involving an alleged 2010 security breach of PHI under HIPAA. However, relatively little has been written that the 2010 breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years.