LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices. On Monday, April 7, 2014, the United States District… Continue Reading
Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criteria of the Omnibus Rule. You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human… Continue Reading
Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office of Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty. The report’s lengthy… Continue Reading
Here’s the official 10th tip to help you comply with today’s Omnibus Rule deadline. However, since I had to make TIP TWO into TIPs TWO through SEVEN when I realized my time had was running out, I will continue to blog a few more tips over the coming weeks. I expect that at least a… Continue Reading
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements. Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as… Continue Reading
While the summaries of closed investigations posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals continue to provide highly useful information for covered entities, business associates and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the recently-published Omnibus Rule.
Here are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information in their job, even without the benefit of the long-awaited Mega Rule.
A thoughtful reader commented on a recent blog post in this series by highlighting the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach.
The recent paucity of postings of summaries on the Department of Health and Human Services list of large HIPAA privacy breaches by the federal Office of Civil Rights dampens the educational value that can be derived therefrom by covered entities and business associates.
Employers should limit PHI that they provide with respect to medical examinations of employees and job applicants and in other contexts to the least amount of medical information necessary for evaluation in order to avoid potential violations of the Americans with Disabilities Act, the Genetic Information Nondisclosure Act, State workers’ compensation laws and other statutes.
The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.
The federal Office of Civil Rights deems it necessary for a covered entity (CE) to verify whether a business associate (BA) is also a covered entity with respect to the CE’s protected health information; in turn such CE and BA and their respective counsel should use the verification process to develop provisions in the business associate agreement.
Many people who have been in the unfortunate situation where they believe that their protected health information (PHI) has been compromised inappropriately, are often surprised and deeply disappointed to learn that the HIPAA law does not provide a “private right of action.”
University of Texas MD Anderson Cancer Center posted notice on its website of a theft of an unencrypted laptop computer containing data on more than 30,000 patients exactly 59 days after the theft took place.
The recent Department of Health and Human Services (“HHS”) resolution with Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), which includes the payment by Alaska Medicaid to HHS of $1.7 million respecting possible violations of HIPAA, raises questions as to the exacting of payments by HHS from a state agency that funds medical care for the Alaska indigent from taxpayers.
The Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals includes focused guidance for covered entities and business associates in the form of brief summaries of the cases that the federal Office of Civil Rights has investigated and closed.
To avoid becoming marchers in the Breach Parade, covered entities and business associates should be aware of tools being used by the federal Office of Civil Rights and State Attorneys General to deter and catch HIPAA privacy and security breaches that may be similar to the red light cameras designed to deter and catch traffic violations.
The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services recently released a “sample” letter that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for HIPAA audits in 2012.
Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services Office for Civil Rights, which will increase the frequency and depth of government audits for HIPAA/ITECH compliance over the next year.
Last week for the first time, the Office for Civil Rights of HHS reported exacting heavy financial obligations from (i) Cignet Health on February 22, 2011, with a $4.3 million civil monetary penalty assessment for violations of the HIPAA Privacy Rule, and (ii) Massachusetts General Hospital on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 for potential violations of HIPAA.