Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Category Archives: HIPAA Enforcement

Subscribe to HIPAA Enforcement RSS Feed

Health Care Providers: Have You Considered HIPAA Compliance for Your Practice’s Group Health Plans?

Posted in HIPAA Audits, HIPAA Enforcement

Contributed by Elizabeth R. Larkin and Jessica Forbes Olson Health care providers know about and have worked with HIPAA privacy and security rules for well over a decade. They have diligently applied it to their covered entity health care provider practices and to their patients and think they have HIPAA covered. What providers may not… Continue Reading

Reflections on HIPAA Protections and Permissions in the Wake of the Orlando Tragedy

Posted in HIPAA Enforcement, Individual Access Rights, Uncategorized

My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with… Continue Reading

HIPAA Audits: Ready or Not Here They Come! (Part 1)

Posted in HIPAA Business Associates, HIPAA Enforcement, Privacy & Security

Jessica Forbes Olson and T.J. Lang write: On March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits during 2016. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this… Continue Reading

Health System Settles for $1.5 Million for Failing To Implement Business Associate Agreement

Posted in HIPAA Enforcement

Matthew Redding contributed to this post. It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu. North Memorial Health Care of… Continue Reading

HIP-HIP(AA)-HOORAY: Margaret Davino, Esq. Joins Fox Rothschild HIPAA Team and Offers 5 Tips for 2016 HIPAA Compliance

Posted in HIPAA Enforcement, Privacy & Security

I’m sure fellow bloggers Bill Maruca and Michael Kline join me in giving three cheers for the recent growth in our firm’s health care practice (welcome, Minneapolis!) and ever-deepening pool of attorneys dealing with clients’ privacy and data security issues. But one recent addition to our team, Margaret (“Margie”) Davino, gets a fourth cheer for… Continue Reading

Election Year Predictions: Expansion of Federal Healthcare Privacy Regulation

Posted in HIPAA Enforcement, Privacy & Security

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” Full text can be found in the January 13, 2016, issue, but a synopsis is below. For her article, Marla asked… Continue Reading

Emailing PHI? NIST Seeks Comments on Trustworthy Email by November 30, 2015

Posted in Health IT, HIPAA Enforcement, Privacy & Security, Uncategorized

When and how should you email PHI, if at all?  The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed.  Whether you are a covered entity or a business associate… Continue Reading

Oncology Group Fined $750,000 Over Stolen Backup Media, Lax Compliance Efforts

Posted in Articles, HIPAA Enforcement, Privacy & Security, Uncategorized

Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information.  As is often the case, the breach incident triggered an investigation that revealed deeper… Continue Reading

Six Tips for Physicians to Protect Patient Data on the Internet

Posted in HIPAA Enforcement, Privacy & Security

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.”  The three of us together were able to come up… Continue Reading

MINNESOTA BLUES GET HEALTH RECORDS SNOOPING BLUES

Posted in Articles, HIPAA Enforcement, Security Breach Notification

A registered nurse employed by Minnesota Blue Cross Blue Shield (BC/BS) with a history of drug offenses allegedly accessed a prescription drug database 249 times without a legitimate purpose, according to a report by Minneapolis CBS affiliate WCCO posted by reporter Esme Murphy. The nurse, Jim Johnson, reportedly had been previously assigned by BC/BS under… Continue Reading

“No” to ACO Data Sharing? Proposed Rules Tweak Medicare Beneficiary Opt-Out Notice Procedure

Posted in HIPAA Enforcement, Privacy & Security

Medicare beneficiaries whose healthcare providers participate in an Accountable Care Organization (ACO) under the Medicare Shared Savings Program (MSSP) may want to add the Centers for Medicare & Medicaid Services (CMS) website, “Medicare & You”, to their lists of favorite internet links if they don’t want their Medicare claims data shared.  Proposed rules published by… Continue Reading

HIPAA Hurdles in 2015

Posted in HIPAA Business Associates, HIPAA Enforcement, Privacy & Security

Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in… Continue Reading

HIPAA Holiday Cheer (Lament?)

Posted in HIPAA Enforcement

On the twelfth day of breaches my hacker sent to me: Twelve Data Downloads Eleven Plundered Patches Ten Missed BA Contracts Nine Malware Installs Eight Mis-sent Faxes Seven Stolen Laptops Six Snooping Staffers Five Old NPPs Four Lost Thumbdrives Three Re-sent Texts Two Pop-up Links … And a Bill for Compliance Auditing. For a glimpse… Continue Reading

Cyber-Sleuth or Cyber-Thief? LabMD Case Continues to Expose the Good, the Bad, and the Downright Ugly in Cyber-Security Developments

Posted in HIPAA Enforcement, Privacy & Security

LabMD, Inc. CEO Michael J. Daugherty continues to doggedly defend LabMD against an action brought by the Federal Trade Commission (FTC) against LabMD based on Section 5 of the FTC Act.  He now has an opportunity to prove himself the “good guy” following last week’s decision by Chief Administrative Law Judge D. Michael Chappell granting LabMD’s motion that Chappell… Continue Reading

Two Months to Amend HIPAA Business Associate Agreements for Omnibus Compliance, But Beware the Bare Bones BAA

Posted in HIPAA Enforcement, Omnibus Rule

Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document? Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use… Continue Reading

Paper Records HIPAA Violation Results in $800,000 Payment under HHS Resolution Agreement

Posted in HIPAA Enforcement, Privacy & Security

My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.”  While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article.  (Elizabeth herself has… Continue Reading

Wild West Data Breach Sheriff Wins a Round Back East

Posted in HIPAA Enforcement

LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices.  On Monday, April 7, 2014, the United States District… Continue Reading

The Wild West of Data Breach Enforcement by the Feds

Posted in HIPAA Enforcement, Privacy & Security

Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criteria of the Omnibus Rule.  You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human… Continue Reading

HHS Enforces Against County Government in Washington State

Posted in HIPAA Enforcement, Security Breach Notification

Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Order with… Continue Reading

Puerto Rico Raises a High Bar for Fines Levied for PHI Breaches

Posted in HIPAA Enforcement

My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014.   The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”).  Bill’s quote sums it… Continue Reading

HIPAA Compliance Trends for 2014

Posted in HIPAA Enforcement

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her Medical Practice Compliance Alert article “HIPAA, ICD-10 Among 6 Compliance Trends That Will Affect You in 2014.” While the full text can be found in the January 6, 2014 issue of Medical Practice Compliance Alert, a synopsis is noted below. As we… Continue Reading