Jessica Forbes Olson and T.J. Lang write: In Part 1, we noted that on March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits this year. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and… Continue Reading
Jessica Forbes Olson and T.J. Lang write: On March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits during 2016. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this… Continue Reading
“Maybe” is the take-away from recent guidance posted on OCR’s mHealth Developer Portal, making me wonder whether the typical health app user will know when her health information is or is not subject to HIPAA protection. The guidance is clear and straightforward and contains no real surprises to those of us familiar with HIPAA, but… Continue Reading
Matthew Redding contributed to this post. It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement. A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu. North Memorial Health Care of… Continue Reading
Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” Full text can be found in the January 13, 2016, issue, but a synopsis is below. For her article, Marla asked… Continue Reading
When and how should you email PHI, if at all? The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed. Whether you are a covered entity or a business associate… Continue Reading
Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information. As is often the case, the breach incident triggered an investigation that revealed deeper… Continue Reading
Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.” The three of us together were able to come up… Continue Reading
We know by now that protected health information (PHI) and other personal information is vulnerable to hackers. Last week, the Washington Times reported that the Department of Health and Human Services (HHS), the agency responsible for HIPAA enforcement, had suffered security breaches at the hands of hackers in at least five separate divisions over the… Continue Reading
Health-related technology has developed light-years faster than health information privacy and security protection laws and policies, and consumers can find new mobile health applications for a wide range of purposes ranging from diabetes management to mole or rash evaluation to fitness tracking. Smart mobile app developers wondering when and how HIPAA privacy and security requirements… Continue Reading
As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year. While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 issue… Continue Reading
The threats to health privacy in the face of the Ebola scare has not escaped the notice of the Office of Civil Rights (OCR). As we reported last month, a great deal of information regarding the identity and condition of individuals who may have been exposed to or treated for Ebola has appeared in news… Continue Reading
LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices. On Monday, April 7, 2014, the United States District… Continue Reading
Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criteria of the Omnibus Rule. You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human… Continue Reading
Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office of Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty. The report’s lengthy… Continue Reading
Here’s the official 10th tip to help you comply with today’s Omnibus Rule deadline. However, since I had to make TIP TWO into TIPs TWO through SEVEN when I realized my time had was running out, I will continue to blog a few more tips over the coming weeks. I expect that at least a… Continue Reading
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements. Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as… Continue Reading
While the summaries of closed investigations posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals continue to provide highly useful information for covered entities, business associates and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the recently-published Omnibus Rule.
Here are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information in their job, even without the benefit of the long-awaited Mega Rule.
A thoughtful reader commented on a recent blog post in this series by highlighting the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach.
The recent paucity of postings of summaries on the Department of Health and Human Services list of large HIPAA privacy breaches by the federal Office of Civil Rights dampens the educational value that can be derived therefrom by covered entities and business associates.
Employers should limit PHI that they provide with respect to medical examinations of employees and job applicants and in other contexts to the least amount of medical information necessary for evaluation in order to avoid potential violations of the Americans with Disabilities Act, the Genetic Information Nondisclosure Act, State workers’ compensation laws and other statutes.
The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.
The federal Office of Civil Rights deems it necessary for a covered entity (CE) to verify whether a business associate (BA) is also a covered entity with respect to the CE’s protected health information; in turn such CE and BA and their respective counsel should use the verification process to develop provisions in the business associate agreement.