HIPAA Enforcement

Too Much (Protected Health) Information Exposed + Too Little Response = $3M and Corrective Action Plan for Medical Imaging Company

By Elizabeth G. Litten on May 8, 2019

Posted in HIPAA Enforcement, Privacy & Security

“TMI” usually means “too much information”, but it was used aptly by the Office for Civil Rights (OCR) as an acronym for a covered entity that exposed protected health information (PHI) of more than 300,000 patients through an insecurely configured server. According to the April 5, 2019 Resolution Agreement, the covered entity, Touchstone Medical…

To BAA or Not to BAA? The Question a Florida Provider Should Have Asked in 2011 Results in a Half Million Dollar Payment in 2018

By Elizabeth Litten on December 5, 2018

Posted in HIPAA Business Associates, HIPAA Enforcement

Yesterday’s listserv announcement from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) brought to mind this question. The post announces the agreement by a Florida company, Advanced Care Hospitalists PL (ACH), to pay $500,000 and adopt a “substantial corrective action plan”. The first alleged HIPAA violation? Patient…

The Heavy Hit of HIPAA: Violations May Send You to Jail

By Elizabeth Litten on August 7, 2018

Posted in HIPAA Enforcement

The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges…

The Blindfolded Business Associate: New HHS Guidance on HIPAA and Cloud Computing

By Elizabeth Litten on October 12, 2016

Posted in Encryption, HIPAA Business Associates, HIPAA Enforcement

According to the latest HIPAA-related guidance (Guidance) published by the U.S. Department of Health and Human Services (HHS), a cloud service provider (CSP) maintaining a client’s protected health information (PHI) is a business associate even when the CSP can’t access or view the PHI. In other words, even where the PHI is encrypted…

Six Tips for a Small Business to Avoid HIPAA Security Breach Headaches

By Elizabeth Litten on September 14, 2016

Posted in EHR and PHR, HIPAA Enforcement, Privacy & Security

Last week, I blogged about a recent U.S. Department of Health and Human Services Office of Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals). The week before that, my partner and fellow blogger Michael Kline wrote about OCR’s guidance on responding to cybersecurity incidents. Today, TechRepublic…

Small HIPAA Breaches, Big HIPAA Headaches

By Elizabeth Litten on September 9, 2016

Posted in HIPAA Enforcement, Privacy & Security, Security Breach Notification

What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance), might end up being a big headache for covered entities and business associates. In fact, it’s probably a good idea to try to find out what “smaller” breaches your competitors are reporting (admittedly not an easy…

Eight Tips to Confront the New Initiative by HHS on PHI Security

By Michael Kline on September 5, 2016

Posted in HIPAA Enforcement, Privacy & Security

In a recent Guidance, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) appears to have attempted to reverse an impression that its emphasis is more on privacy of protected health information (“PHI”) than on security of PHI. Its July 2016 article draws attention to the need by…

Health Care Providers: Have You Considered HIPAA Compliance for Your Practice’s Group Health Plans?

By Elizabeth Litten on June 22, 2016

Posted in HIPAA Audits, HIPAA Enforcement

Contributed by Elizabeth R. Larkin and Jessica Forbes Olson

Health care providers know about and have worked with HIPAA privacy and security rules for well over a decade. They have diligently applied it to their covered entity health care provider practices and to their patients and think they have HIPAA covered.

What providers may not…

Reflections on HIPAA Protections and Permissions in the Wake of the Orlando Tragedy

By Elizabeth Litten on June 14, 2016

Posted in HIPAA Enforcement, Individual Access Rights

My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with…

A Checklist to Get Ready for the HIPAA Audits (Part 2)

By Fox Rothschild LLP on April 10, 2016

Posted in HIPAA Business Associates, HIPAA Enforcement, Privacy & Security

Jessica Forbes Olson and T.J. Lang write:

In Part 1, we noted that on March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits this year. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security…

MENU

HIPAA & Health Information Technology