The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year. The most common breach type is “theft” in this… Continue Reading
Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document? Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use… Continue Reading
My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.” While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article. (Elizabeth herself has… Continue Reading
Michael Coco writes: The dreaded PHI data breach is every covered entity’s bad dream, but the West Virginia Supreme Court just turned that bad dream into a nightmare. The court decided a case, Tabata v. Charleston Area Medical Center, Inc., brought on behalf of thousands of patients requesting class certification to sue the medical center for… Continue Reading
As a regulatory lawyer, I frequently find myself parsing words and phrases crafted by legislators and agencies that, all too often, are frustratingly vague or contradictory when applied to a particular real-world and perhaps unanticipated (at the time of drafting) scenario. So when an agency crafting guidance for a regulated industry has advisors on hand… Continue Reading
LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices. On Monday, April 7, 2014, the United States District… Continue Reading
Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criteria of the Omnibus Rule. You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human… Continue Reading
Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Order with… Continue Reading
My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014. The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”). Bill’s quote sums it… Continue Reading
What do you do if you have signed a Business Associate Agreement (BAA) with a covered entity, but are getting protected health information (PHI) from the covered entity in conjunction with health care treatment you provide to the individual? What if another covered entity provider has contracted with you to provide services to that provider’s… Continue Reading
It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA. This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a… Continue Reading
Where did the time go? Today’s the day – September 23, 2013. This is compliance day for most of the Omnibus Rule changes. I had a feeling this deadline would catch up with me faster than I would be able to blog my 10 tips, so I’m going to count “TIP TWO” as tips TWO… Continue Reading
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements. Here’s “TIP THREE” – TIP THREE: Covered Entities and Business Associates: make sure you know where your Protected… Continue Reading
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements. Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as… Continue Reading
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements. In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on… Continue Reading
This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a previous blog post in this series,… Continue Reading
This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and here… Continue Reading
If you are a federally-facilitated health insurance exchange (FFE), a “non-Exchange entity”, or a State Exchange, the answer is “Quick, report!” Those involved with the new health insurance exchanges (or “Marketplaces”? The name, like the rules, seems to be a moving and elusive target) should make note that privacy and security incidents and breaches are… Continue Reading
Elizabeth Litten and Michael Kline write: For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large breach of protected health information (“PHI”) as the result of actions of a business associate (“BA”). If I’m a resident of Indiana and a client of… Continue Reading
Tamarra Holmes writes: In recent weeks, people all around the world were made aware of a secret U.S. government surveillance program that essentially collects massive amounts of data from the general public through electronic communication providers, such as Facebook, Skype, and Google. The existence of the program, known as PRISM, was leaked by a former National… Continue Reading
In January 2011 this blog series discussed here and here that the University of Rochester Medical Center (“URMC” or the “Medical Center”) became a marcher twice in 2010 in the parade of large Protected Health Information (“PHI”) security breaches. The U.S. Department of Health and Human Services (“HHS”) publishes a list (the “HHS List”), which… Continue Reading
Under HIPAA, where do we draw the line between a run-of-the-mill, ordinary garden variety “security incident” and a “presumed breach” when it comes to reporting PHI events? How do we describe these types of reporting obligations in business associate agreements?
On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlined some direct effects of the new HIPAA Omnibus Rule on employers and their health plans.
While the summaries of closed investigations posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals continue to provide highly useful information for covered entities, business associates and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the recently-published Omnibus Rule.