Department of Health and Human Services

Elizabeth Litten and Michael Kline write:

For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large
Continue Reading The Parade of PHI Security Breaches: With a New Large Breach, Indiana Family and Social Services Administration Marches Again

Under HIPAA, where do we draw the line between a run-of-the-mill, ordinary garden variety “security incident” and a “presumed breach” when it comes to reporting PHI events? How do we describe these types of reporting obligations in business associate agreements?
Continue Reading Do I really need to report (or get a report on) every “Security Incident” under the sun to comply with HIPAA?

SAIC’s recent Motion to Dismiss the Consolidated Amended Complaint filed in federal court in Florida as a putative class action highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach.
Continue Reading Back to the SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

UCLA has developed a mixed record of disclosure with respect to its most recent security breach of PHI that was reported as a theft of an other portable electronic device on September 7, 2011.
Continue Reading The Parade of PHI Security Breaches: UCLA Rejoins the March and Merits Mixed Reviews for the Quality of its Public Disclosures

Five members of Congress are co-signers of a bipartisan letter dated December 2, 2011, addressed to the Director of the TRICARE Management Authority to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information by TRICARE contractor Science Applications International Corporation (SAIC).”
Continue Reading Congressional Inquiry or Autopsy for SAIC Breach Disaster? – Part 5

The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services recently released a “sample” letter that will be used as the template for the actual letters that OCR will issue to those covered entities that are selected for HIPAA audits in 2012.
Continue Reading HHS/OCR Audits Are Almost Here – OCR Issues “Sample” Audit Letter

Those entities subject to both the HIPAA privacy and security rules should pay close attention to recent action taken by the U.S. Department of Health and Human Services Office for Civil Rights, which will increase the frequency and depth of government audits for HIPAA/HITECH compliance over the next year.
Continue Reading HHS/OCR Audits are Coming: What are Covered Entities Doing to Prepare?

Given earlier assurances to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low from the SAIC PHI breach and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare/DoD’s abrupt about-face as to offering credit monitoring and restoration services relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk.
Continue Reading Did Tricare/DoD Make a “Proactive Response” or a Preemptive Strike with SAIC in the PHI Breach Matter? Whose Risk is it Anyway? – Part 4

When is the mere “ability” to read protected health information (“PHI”), without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Recent PHI security breaches, including that being confronted by the Department of Defense and SAIC, Inc., will provide some information and guidance.
Continue Reading SAIC and Its Military Millions March – Flooding the Parade with Possible PHI Breaches – Part 3