Privacy & Security

While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, the two share many striking similarities in substance and purpose.
HIPAA “Mega Rule”, Meet “Super BAA”: The CMS Data Use Agreement

The principle that individuals whose protected health information is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action under the HIPAA/HITECH laws against the person or entity responsible for the breach may be changing, at least in the 11th Circuit, for victims of identity theft who can show that the theft was caused by a HIPAA breach.
PHI Breach Involving Health Plan Leads to Lawsuit by Identity Theft Victims Who Were Plan Members

Make the lengthy wait for the long-awaited HIPAA/HITECH Mega Rule more enjoyable by participating in a contest to predict the date of its publication in the Federal Register and the number of its pages.
As We All Continue to Anticipate the HIPAA/HITECH “Mega Rule” from HHS, We Can Test Our Prognosticating Skills

Employers should limit the PHI they obtain in connection with medical examinations of employees and job applicants, and in other contexts, to the least amount of medical information necessary for the evaluation, in order to avoid potential violations of the Americans with Disabilities Act, the Genetic Information Nondisclosure Act, state workers’ compensation laws and other statutes.
Employers: Beware of PHI “Minimum Necessary” Standards Lurking Under Statutes Other Than HIPAA and State PHI Statutes

The Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals includes focused guidance for covered entities and business associates, in the form of brief summaries of the cases that the federal Office of Civil Rights has investigated and closed.
The Parade of Major PHI Breaches Marches Onward – What Lessons Can Be Learned from Comments by OCR’s Reviewing Stand?

If the PHI flowing through information superhighways and into and out of clouds and other databases is adequately secured, and the increased use and sophistication of health information technology results in improved quality and reduced cost, can anyone reasonably object to this race?
Protected Health Information on HIT Super-Highways: If it’s Secure, Do We Care Where it Travels and How it is Used When it Lands?

A recent Federal District Court case in Florida reminds us of the attention that must be paid to the interaction between state law and HIPAA compliance, including potential conflicts and dual applicability, especially in the case of data security breaches.
A New Year’s Resolution: Review and Analyze Potentially Applicable State Laws Whenever Examining HIPAA Compliance Issues