Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”),
Continue Reading Back to School and Back to BAAs: OCR Guidance Provides Reason to Review BAA Provisions
HIPAA Enforcement
Bankrupt Medical Records Company Hit with $100,000 Penalty for HIPAA Violations
Filefax, Inc., a defunct Illinois medical records storage and management company, has been fined $100,000 for improperly handling medical data under an agreement with the court-appointed receiver managing the company’s…
The Heavy Hit of HIPAA: Violations May Send You to Jail
The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that…
Fireworks over ESPN’s tweet of NFL player’s medical records
New York Giants’ defensive end Jason Pierre-Paul suffered hand injuries while handling fireworks on July 4. A screenshot of a page from his hospital records was tweeted by ESPN reporter…
This Just In: Guidance for Health Care Providers, and the Omnibus Rule
With gun violence and mental health concerns in the headlines, the Office of Civil Rights of the Department of Health and Human Services has published a letter to health care…
OCR Announces First “Under 500” Breach Settlement
The first breach settlement announcement of the new year breaks new ground – a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It’s the first settlement of …
Another Case of Snooping Prosecuted
Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly…
Business Associate Breach Leads to $2.5M Settlement by Accretive: But Who is the Covered Entity or Business Associate Here, and Do We Care?
The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.
Advice from OCR’s Breach Parade Reviewing Stand: Verify Whether Your Business Associate is also an Independent Covered Entity
The federal Office of Civil Rights deems it necessary for a covered entity (CE) to verify whether a business associate (BA) is also a covered entity with respect to the CE’s protected health information; in turn, the CE, the BA and their respective counsel should use the verification process to develop provisions in the business associate agreement.
A Peek Behind the OCR Wall of Shame
Ever wonder about those HIPAA breaches that affect fewer than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a…