On March 20, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published Guidance and a list of FAQs related to the provision of telehealth and HIPAA compliance.

“OCR will exercise enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered

Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”), which focuses, not surprisingly, on OCR’s ability to take enforcement action directly against HIPAA business associates. I meant to write about this guidance before Memorial

Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care

Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the

In a press release dated July 27, 2010, the Department of Health and Human Services announced a settlement under which Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential HIPAA violations. The pharmacy chain also entered into a consent order with the Federal Trade Commission.

HHS reports that the

In the first settlement of a HIPAA enforcement action brought by a state attorney general under the new authority granted by the HITECH Act, Connecticut Attorney General Richard Blumenthal announced that the state had entered into an agreement with Health Net for failing to secure patient health and financial information.  The AG had brought suit

The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles,  reportedly as a result of two employees’ unauthorized access of Michael Jackson’s

A former researcher at UCLA has the dubious distinction of being the first person sentenced to prison under HIPAA for snooping through medical records.

The Justice Department press release reports that the researcher, Huping Zhou, who admitted to illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients, was sentenced to

On March 15, 2010, the Office of Civil Rights of the Department of Health and Human Services published an update on their rulemaking and enforcement efforts under the HITECH Act.  It can be accessed here

OCR acknowledged that they are still working on rulemaking covering business associate liability; new limitations on the sale of protected