Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Tag Archives: HIPAA

Which Privacy Protections Apply? HIPAA, FERPA and Ebola

Posted in Privacy & Security, Uncategorized

Recent news articles regarding a New Jersey elementary school’s handling of the enrollment of two new students from Rwanda provided another glimpse of Ebola hysteria and the opportunity for me to follow up on Bill Maruca’s blog about Ebola and HIPAA with yet another (fairly obscure) statutory acronym.  When it comes to protecting the privacy… Continue Reading

Cyber-Sleuth or Cyber-Thief? LabMD Case Continues to Expose the Good, the Bad, and the Downright Ugly in Cyber-Security Developments

Posted in HIPAA Enforcement, Privacy & Security, Uncategorized

LabMD, Inc. CEO Michael J. Daugherty continues to doggedly defend LabMD against an action brought by the Federal Trade Commission (FTC) against LabMD based on Section 5 of the FTC Act.  He now has an opportunity to prove himself the “good guy” following last week’s decision by Chief Administrative Law Judge D. Michael Chappell granting LabMD’s motion that Chappell… Continue Reading

“Step Away from that Subpoena” and Review HIPAA Obligations Before Producing PHI

Posted in Privacy & Security

If you receive a subpoena, discovery request, or even a court order demanding the release or production of documents or files that may contain protected health information (PHI), are you obligated to comply?  The surprising answer, in many cases, is “no”.  Even more surprising may be the fact that, in attempting to comply with what… Continue Reading

Countdown to September 22nd — Shortcuts for Business Associate Agreement Compliance

Posted in HIPAA Business Associates

The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today.  What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements?  Here are  3 shortcuts… Continue Reading

The Parade of Major Reported PHI Breaches Surges to 885 – Theft and Loss Dominate the Numbers

Posted in Privacy & Security, Security Breach Notification

The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year.    The most common breach type is “theft” in this… Continue Reading

Two Months to Amend HIPAA Business Associate Agreements for Omnibus Compliance, But Beware the Bare Bones BAA

Posted in HIPAA Enforcement, Omnibus Rule

Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document? Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use… Continue Reading

Hobby Lobby, HIPAA and Happy Independence Day

Posted in Health Reform, Privacy & Security

The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has  attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations). … Continue Reading

Paper Records HIPAA Violation Results in $800,000 Payment under HHS Resolution Agreement

Posted in HIPAA Enforcement, Privacy & Security

My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.”  While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article.  (Elizabeth herself has… Continue Reading

PHI Data Breaches just went from Bad Dream to Nightmare in West Virginia

Posted in Privacy & Security

Michael Coco writes: The dreaded PHI data breach is every covered entity’s bad dream, but the West Virginia Supreme Court just turned that bad dream into a nightmare. The court decided a case, Tabata v. Charleston Area Medical Center, Inc., brought on behalf of thousands of patients requesting class certification to sue the medical center for… Continue Reading

Risky (Health Care) Business: Disclosure of FTC Data Security Enforcement Potential to Investors and Other Third Parties

Posted in Privacy & Security

Readers of this blog know that we have been tracking the FTC’s recent data security enforcement activities with a particular focus on the FTC v. LabMD case.  As reported by Cause of Action, a nonprofit organization involved in the defense of LabMD, the LabMD trial was put on hold on May 30, 2014 until June… Continue Reading

Will Unearthing the FTC’s Data Security Standards Help the Health Care Industry?

Posted in Privacy & Security

As a regulatory lawyer, I frequently find myself parsing words and phrases crafted by legislators and agencies that, all too often, are frustratingly vague or contradictory when applied to a particular real-world and perhaps unanticipated (at the time of drafting) scenario.  So when an agency crafting guidance for a regulated industry has advisors on hand… Continue Reading

When the Long Arm of HIPAA Reaches into Mergers, Acquisitions and Asset Sales of Health Care Practices

Posted in HIPAA Business Associates

Michael J. Coco writes: If you have ever bought or sold a business, or you have experience with the process, you are aware of the due diligence efforts and multiple agreements required to close the deal. Transactions involving the sale or purchase of health care related business, such as a medical practice, often take the… Continue Reading

Wild West Data Breach Sheriff Wins a Round Back East

Posted in HIPAA Enforcement

LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices.  On Monday, April 7, 2014, the United States District… Continue Reading

More on Considerations for Entering into or Revising Business Associate Agreements

Posted in HIPAA Business Associates

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her recent article in Medical Practice Compliance Alert entitled “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed… Continue Reading

Puerto Rico Raises a High Bar for Fines Levied for PHI Breaches

Posted in HIPAA Enforcement

My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014.   The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”).  Bill’s quote sums it… Continue Reading

“Boilerplate” Provisions in Business Associate Agreements Warrant Attention

Posted in HIPAA Business Associates

Michael J. Coco writes: The expanded requirements under the HIPAA Omnibus Rule for a Business Associate Agreement (“BAA”) has created an increase in volume and the need for analysis of such agreements, as individuals in industries traditionally unrelated to health care – such as IT vendors –find themselves confronting issues respecting a BAA. The increase… Continue Reading

HIPAA Compliance Trends for 2014

Posted in HIPAA Enforcement

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her Medical Practice Compliance Alert article “HIPAA, ICD-10 Among 6 Compliance Trends That Will Affect You in 2014.” While the full text can be found in the January 6, 2014 issue of Medical Practice Compliance Alert, a synopsis is noted below. As we… Continue Reading

Springing, Shifting, and Slip-Sliding Business Associate Agreements

Posted in HIPAA Business Associates

What do you do if you have signed a Business Associate Agreement (BAA) with a covered entity, but are getting protected health information (PHI) from the covered entity in conjunction with health care treatment you provide to the individual? What if another covered entity provider has contracted with you to provide services to that provider’s… Continue Reading

Embarrassing Fact: Few Seem to Understand HIPAA or the ACA (at least when it comes to individual health coverage to be purchased on an Exchange)

Posted in Health IT, Privacy & Security

I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact:  very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay… Continue Reading