U.S. Department of Health and Human Services

Yesterday’s listserv announcement from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) brought to mind this question. The post announces the agreement by a Florida company, Advanced Care Hospitalists PL (ACH), to pay $500,000 and adopt a “substantial corrective action plan”. The first alleged HIPAA violation? Patient

We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.

In an email sent to listserv participants

On the twelfth day of breaches
my hacker sent to me:

Twelve Data Downloads

Eleven Plundered Patches

Ten Missed BA Contracts

Nine Malware Installs

Eight Mis-sent Faxes

Seven Stolen Laptops

Six Snooping Staffers

Five Old NPPs

Four Lost Thumbdrives

Three Re-sent Texts

Two Pop-up Links …

And a Bill for Compliance Auditing.

For a glimpse

I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact:  very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay

The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.
Continue Reading