Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”), which focuses, not surprisingly, on OCR’s ability to take enforcement action directly against HIPAA business associates. I meant to write about this guidance before Memorial

Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the

In a press release dated July 27, 2010, the Department of Health and Human Services announced a settlment under which Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential HIPAA violations.   The pharmacy chain also entered into a consent order with the Federal Trade Commission.

HHS reports that the

In the first settlement of a HIPAA enforcement action brought by a state attorney general under the new authority granted by the HITECH Act, Connecticut Attorney General Richard Blumenthal announced that the state had entered into an agreement with Health Net for failing to secure patient health and financial information.  The AG had brought suit

The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles,  reportedly as a result of two employees’ unauthorized access of Michael Jackson’s

A former researcher at UCLA has the dubious distinction of being the first person sentenced to prison under HIPAA for snooping through medical records.

The Justice Department press release reports that the researcher, Huping Zhou, who admitted to illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients, was sentenced to

On March 15, 2010, the Office of Civil Rights of the Department of Health and Human Services published an update on their rulemaking and enforcement efforts under the HITECH Act.  It can be accessed here

OCR acknowleged that they are still working on rulemaking covering business associate liability; new limitations on the sale of protected

On October 30, 2009, the Secretary of the HHS adopted an Interim Final Rule amending HIPAA’s enforcement regulations relating to the imposition of civil monetary penalties (“CMP”). Most significantly, the Interim Final Rule distinguishes between violations occurring before February 18, 2009 and violations occurring on or after that date with regard to the penalty amount