HIPAA

Foreshadowing HIPAA Trends for 2020

By Michael Kline on January 13, 2020

As she has done for a number of years now, our good friend Marla Durben Hirsch highlighted Fox Rothschild (Fox) lawyers in her annual predictions articles in the January 2020 issue of Medical Practice Compliance Alert (MPCA). In her first article entitled “Technology will propel compliance trends in 2020”, Marla included the following…

CA Senate Proposes Expanded CCPA Carve-Outs Related to HIPAA, Biomedical Research

By Odia Kagan on January 9, 2020

Posted in CCPA

On the sixth day of CCPA the California Senate Health Committee gave to me … a HIPAA carve-out.

AB 713, reported favorably by the California Senate Health Committee, would expand the exemption related to HIPAA and medical research.

Specific carve-outs:

De-identified PHI or medical information, provided that the business does not attempt nor actually re-identify

…

HIPAA versus FERPA: New Joint Guidance Highlights Emergencies and Complexities

By Elizabeth G. Litten on December 30, 2019

Posted in Privacy & Security

More than eleven years have passed since the U.S. Department of Health and Human Services (HHS), the agency responsible for the privacy of protected health information under HIPAA, and the U.S. Department of Education (DOE), the agency responsible for the privacy of student records under FERPA, issued joint guidance on the interplay between HIPAA and…

The California AG May Be Watching You, Covered Entity

By Elizabeth G. Litten on December 18, 2019

Posted in CCPA

As Fox partner Odia Kagan posted yesterday, early enforcement of CCPA will focus on data related to kids. In addition, according to a recent article in the San Francisco Chronicle, the California Attorney General will focus on how large companies that deal with sensitive information, including health data, comply with CCPA.

A post this…

One of Three $3 Million Lessons: Encrypt Mobile Devices

By Elizabeth G. Litten on November 8, 2019

Posted in Encryption, HIPAA Enforcement

A large New York hospital system learned this lesson the expensive way. According to a U.S. Department of Health and Human Services (HHS) press release issued earlier this week, the Office for Civil Rights (OCR) investigated a hospital system breach back in 2010 involving the loss of an unencrypted flash drive. According to the press…

Too Much (Protected Health) Information Exposed + Too Little Response = $3M and Corrective Action Plan for Medical Imaging Company

By Elizabeth G. Litten on May 8, 2019

Posted in HIPAA Enforcement, Privacy & Security

“TMI” usually means “too much information”, but it was used aptly by the Office for Civil Rights (OCR) as an acronym for a covered entity that exposed protected health information (PHI) of more than 300,000 patients through an insecurely configured server. According to the April 5, 2019 Resolution Agreement, the covered entity, Touchstone Medical…

Mental Health Apps Sharing Health Data Without Disclosure or Consent

By Odia Kagan on April 27, 2019

Posted in Privacy & Security, Sensitive Health Information

Illustration of stethoscope and mobile phone, symbolizing telemedicine

A study shows that “92 percent of 36 mental health apps shared data with at least one third party — mostly services that help with marketing, advertising, or data analytics.”

“About half of those apps did not disclose that third-party data sharing, for a few different reasons: nine apps didn’t have a privacy policy at…

Feeling Lucky? You Could Be One of the Nine Covered Entities Selected for HIPAA Compliance Review this Month

By Elizabeth G. Litten on April 9, 2019

Posted in Health IT, HIPAA Audits

If you are a covered entity health plan or clearinghouse, you may be among the nine (un)lucky entities randomly chosen this month for review into compliance with HIPAA’s Administrative Simplification rules governing electronic transactions, code sets, and unique identifiers. According to an FAQ published in March, the Centers for Medicare & Medicaid Services (CMS), acting…

HIPAA Security and “Zero Day” Exploits: How to Stay Ahead of the Hack

By Elizabeth G. Litten on April 4, 2019

Posted in Health IT, HIPAA Audits, HIPAA Business Associates, Privacy & Security

HHS Office for Civil Rights (OCR)’s April 3, 2019 cybersecurity newsletter highlights one of the more challenging cybersecurity vulnerabilities faced by covered entities and business associates. OCR reminds covered entities (CEs) and business associates (BAs) that compliance with the HIPAA Security Rule can help, but stops a bit short of providing concrete guidance as to…

To BAA or Not to BAA? The Question a Florida Provider Should Have Asked in 2011 Results in a Half Million Dollar Payment in 2018

By Elizabeth Litten on December 5, 2018

Posted in HIPAA Business Associates, HIPAA Enforcement

Yesterday’s listserv announcement from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) brought to mind this question. The post announces the agreement by a Florida company, Advanced Care Hospitalists PL (ACH), to pay $500,000 and adopt a “substantial corrective action plan”. The first alleged HIPAA violation? Patient…

MENU

HIPAA & Health Information Technology