Who you are makes a big difference in how and whether you must protect individually identifiable health information under HIPAA.   As we near the end of 2013, I look back at the events of the past year and am struck by the breadth and complexity of the issues we have written about on this blog

I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact:  very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay

It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA.  This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a

A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or  subcontractor (SC), may struggle with the question as to whether to agree to, demand, request, submit to, negotiate or permit, an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or

Where did the time go?  Today’s the day – September 23, 2013.  This is compliance day for most of the Omnibus Rule changes.  I had a feeling this deadline would catch up with me faster than I would be able to blog my 10 tips, so I’m going to count “TIP TWO” as tips TWO

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements.  In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”).  As reported in a previous blog post in this series,

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and  here

Elizabeth Litten and Michael Kline write:

For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large breach of protected health information (“PHI”) as the result of actions of a business associate (“BA”).  If I’m a resident of Indiana and a client