Archives: HIPAA and Health Information


Governors Recommend States Align Privacy Laws with Federal HIPAA

The National Governors Association released a road map report on December 9 entitled Getting the Right Information to the Right Health Care Providers at the Right Time: A Road Map for States to Improve Health Information Flow Between Providers. The report aims to reduce the legal barriers that prevent the effective and efficient flow of health …

ONC and OCR Issue Joint Fact Sheet on Use of PHI for Public Health Activities

Whenever fact sheets or other guidance are issued by either the Office of the National Coordinator for Health Information Technology (ONC) or the Office for Civil Rights (OCR), it helps us gain insight into the thinking of the regulators, so we watch them closely. But when the ONC and OCR issue joint guidance, it is hitting …

21st Century Cures Act Includes Prohibition on Information Blocking and Mandates for Additional HIPAA Guidance

On November 30, 2016, the U.S. House of Representatives voted strongly in favor of the 21st Century Cures Act (the Act), an expansive health bill that addresses the discovery and development of new medical therapies as well as the delivery of health care treatment by providers. In 2015, the House had previously approved an earlier version …

UMass Amherst Settles HIPAA Violations with OCR for $650,000

The Office for Civil Rights (OCR) has announced that the University of Massachusetts Amherst (UMass) has agreed to pay $650,000 and implement a Corrective Action Plan to settle an investigation stemming from a malware infection. Although $650,000 is a hefty sum for the allegations, the OCR in its announcement said it …

OCR Stresses Importance of Authentication in Newsletter

In a recent newsletter, the Office for Civil Rights (OCR) encourages health care organizations to review their procedures around authentication and “ensure that they have the appropriate safeguards in place.” The Newsletter, entitled What Type of Authentication is Right for You? states that “[O]ver the past years, the healthcare sector has been one of the …

Three Former Warner Chilcott District Managers Prosecuted for HIPAA Violations

The United States Attorney’s Office for the District of Massachusetts recently announced that three former district managers of the pharmaceutical firm Warner Chilcott have been sentenced for violating the Health Insurance Portability and Accountability Act (HIPAA) and committing healthcare fraud. The allegations include that the district managers directed certain sales representatives to fill out prior …

Confusing Joint Guidance published by OCR and FTC on HIPAA Authorization Forms

It is often argued that there is a dearth of guidance from both the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), so when guidance comes out, we listen. But the most recent guidance jointly issued by the OCR and the FTC is rather confusing. The guidance, titled “Sharing Consumer Health Information? Look to …

OCR Releases HIPAA Guidance on Cloud Computing

On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance). The Guidance is intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance notes …

3.3 Million Health Records Breached by Business Associate Newkirk

Newkirk Products Inc., which provides ID cards and management services for healthcare organizations, including multiple Blue Cross Blue Shield organizations, has announced that it discovered that its computer system was compromised starting on May 21, 2016, although the intrusion was not detected until July 6, 2016. Newkirk has started to notify the 3.3 million …

Ransomware and Malware Continue to Plague Health Care Organizations

We continue to warn health care organizations about the real and serious risks associated with ransomware and malware, but organizations are not preparing for them adequately and are getting hit hard. Just this past week, several healthcare organizations publicly announced that they have been victims of ransomware and malware. The organizations include a dermatology practice …

CMS Issues Warning to Nursing Homes Regarding Abuse of Residents Via Social Media

On August 5, 2016, the Centers for Medicare & Medicaid Services (CMS) issued guidance to nursing homes in a letter to state survey agencies (Letter) that addresses nursing homes’ obligations to protect residents. The Letter focuses on potential psychosocial harm to nursing home residents caused by the sharing on social media of demeaning photographs or …

Record HIPAA Settlement Paid by Hospital Chain

Federal regulators announced last week that Illinois’ largest hospital chain would pay $5.5 million, a record payment under the Health Insurance Portability and Accountability Act (HIPAA), in connection with three 2013 data breaches that affected the protected health information of millions of its patients. The Advocate Health Care Network, which manages twelve hospitals and hundreds …

JCAHO Delays Decision Allowing Physicians to Text Orders

We previously reported that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) had lifted its ban on health care providers using text messages for physician orders. JCAHO recently reversed that decision and reinstated the ban, stating that more guidance is needed “to ensure a safe implementation involving the secure texting of orders for those …

University of Mississippi Medical Center settles HIPAA violations for $2.75M

The Office for Civil Rights (OCR) has obtained another big settlement from a covered entity following a data breach. This most recent settlement, which includes a payment of $2.75 million and a Resolution Agreement, is with the University of Mississippi Medical Center (UMMC). The OCR commenced an investigation of UMMC after UMMC self-reported a …

HHS: Ransomware attacks likely HIPAA breaches in absence of encryption

On July 11, 2016, the U.S. Department of Health & Human Services (HHS) issued a Fact Sheet that provides guidance on (i) how HIPAA Security Rule compliance can help health care organizations combat ransomware attacks, and (ii) the applicability of HIPAA’s Breach Notification Rule to ransomware attacks. This guidance is particularly timely due to the …

Oregon Health & Science University pays $2.7M penalty for data breaches

Oregon Health & Science University (OHSU) has agreed to settle alleged HIPAA violations involving two separate data breaches with the Office for Civil Rights (OCR) for $2.7 million. In the span of three months in 2013, OHSU experienced two reportable data breaches, which triggered investigations by the OCR. The first occurred when an unencrypted laptop …

CMS allows qualified entities to sell claims data

The Centers for Medicare and Medicaid Services released a final rule permitting “qualified entities” to sell Medicare claims data to providers and others for use in improving quality of care. The rule expands on CMS’ Qualified Entity Program, which permits organizations to apply to become qualified to receive Medicare Parts A, B, and D claims …

Physical security still an issue: Pruitt Health suffers breach in break-in

The importance of physical security, and the risk associated with unauthorized access to or loss of paper records, is clear from the recent experience of Pruitt Health in South Carolina. On March 2, 2016, an intruder broke the front door glass of one of its home health locations and had access to paper medical records …

OCR levies first fine ever directly against business associate

Our predictions that the Office for Civil Rights (OCR) would become more aggressive with audits, investigations, and fines against HIPAA business associates have come true. On June 24, 2016, the OCR announced that it has settled an investigation with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), stemming from CHCS’ capacity as a HIPAA …

HHS guidance seeks to clarify scope of PSQIA

On May 24, 2016, the Department of Health & Human Services (HHS) issued guidance (Guidance) to health care providers and patient safety organizations (PSOs) in an attempt to clarify the definition of patient safety work product (PSWP) under the Patient Safety and Quality Improvement Act of 2005 and its implementing regulations (collectively, the PSQIA). The …

Joint Commission lifts ban on physicians texting patient orders

The Joint Commission, which is the national accrediting organization for health care organizations, has long banned physicians from using text messages to place orders for patient care due to data security concerns. In 2011, the Joint Commission stated that it was not acceptable for health care providers to text orders for patient care, treatment or services. …

Raleigh Orthopaedic Clinic settles with OCR for $750,000 for lack of business associate agreement

Consistent with the settlement it reached with North Memorial Health Care of Minnesota, the Office for Civil Rights (OCR) has settled its investigation of Raleigh Orthopaedic Clinic, P.A. (Raleigh Orthopaedic) for $750,000. The OCR alleged that Raleigh Orthopaedic “potentially” violated HIPAA “by handing over protected health information for approximately 17,300 patients …