On November 28, 2022, the Department of Health and Human Services (HHS) issued a proposed rule to modify the confidentiality protections of Substance Use Disorder (SUD) patient treatment records under 42 CFR Part 2 (Part 2) to implement statutory amendments passed under Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (42

On August 23, 2022, the Office for Civil Rights (OCR) issued a press release announcing that it had settled with New England Dermatology, P.C. (NED) for $300,640 “over the improper disposal of protected health information.”

The OCR’s investigation began after NED submitted a breach report stating that

“empty specimen containers with protected health information on

Last week, New York federal judge Vincent L. Bricetti dismissed a data breach class action against Northeast Radiology PC (Northeast) and Alliance HealthCare Services (Alliance) because the plaintiffs failed to allege a cognizable injury.

In July 2021, Jose Aponte II and Lisa Rosenberg filed suit alleging that Northeast and Alliance failed to protect their sensitive

Okta, which markets itself as a “leading provider of identity” in the health care, public sector, energy, financial services, technology, travel and hospitality, and nonprofit industries, has notified some of its customers that data may have been accessed by cybercriminal group LAPSUS$. (Late breaking news—LAPSUS$ may be a teenager living in the U.K.). According to

In general, both state and federal laws apply to health information or protected health information that is in the possession of hospitals, health systems, and medical providers.

HIPAA requires that covered entities protect the confidentiality and integrity of protected health information in their possession and secure it from unauthorized access, use, or disclosure. In addition,

HIPAA requires covered entities and business associates to report to the Office for Civil Rights (OCR) all breaches of unsecured protected health information when the incident involves fewer than 500 individuals no later than 60 days following the calendar year in which the breach occurred.

This year, the deadline for reporting breaches that occurred in

Mobile health apps are growing in popularity and their number is increasing every year. Many of us find it convenient to use an app to schedule medical appointments, check medical records, track and store health data, and check symptoms. App developers have always needed to be mindful of protecting the privacy of the information that

One of the challenging things about HIPAA (Health Insurance Portability and Accountability Act) enforcement is the fact that both the Office for Civil Rights and State AGs have jurisdiction to assess fines and penalties for HIPAA violations. The old double whammy.

States enforce those rights sparingly, but New Jersey is getting itself on the map