Tag Archives: OCR

OCR Issues Reminder on Security Incidents

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care … Continue Reading

HHS Office of the Assistant Secretary for Preparedness and Response Issues Series of Cybersecurity Updates in Response to WannaCry Attack

In response to the WannaCry ransomware attack that infiltrated the computer systems of health care systems and other entities worldwide on or around May 12, 2017 (previously discussed here), HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) issued a series of updates to provide consumers and potentially affected organizations with information on … Continue Reading

OCR Settles With Texas Health System for $2.4 Million for Disclosing PHI to Media In a Press Release

The Office for Civil Rights (OCR) issued a press release today announcing that it has settled alleged HIPAA violations with Memorial Hermann Health System (MHHS) for $2.4 million. According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff … Continue Reading

OCR Settles First Case With Wireless Provider for $2.5 Million

Touted as the first OCR settlement with a wireless health services provider, the OCR announced on April 24, 2017, that it has settled alleged HIPAA violations with CardioNet, based in Pennsylvania for $2.5 million. CardioNet self-reported a data beach in January 2012, stating that an unencrypted laptop of one of its employees was stolen from … Continue Reading

HIPAA Refresher for Workplace Wellness Programs

Now more than ever, workplace wellness programs are becoming increasingly popular among employers. A common concern many employers have is how to design a meaningful workplace program intended to improve the health of participating employees while complying with HIPAA’s privacy and security rules. Although employers are not covered entities, HIPAA may apply to an employer’s … Continue Reading

The Center for Children’s Digestive Health Settles with OCR for $31,000

The Office for Civil Rights (OCR) has announced that it entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000.  CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a … Continue Reading

OCR Levies Hefty Fine Against FQHC

Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network MCPN, a Colorado based federally qualified health center, for alleged HIPAA violations. The fine, a whopping $400,000 for the center, which provides health care services to low income patients, … Continue Reading

ABCD Pediatrics Victim of Ransomware

ABCD Pediatrics, located in San Antonio, Texas has notified the Office for Civil Rights that a ransomware cyber intrusion has resulted in access to its servers, including the protected health information (PHI) of its patients. The ransomware used by the attackers was Dharma. The practice found through forensic analysis that access had been gained to … Continue Reading

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications from vulnerabilities. According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which … Continue Reading

$5.5 Million Shelled Out to OCR for Alleged HIPAA Violations

Florida Memorial Healthcare Systems has agreed to pay the Office for Civil Rights (OCR) $5.5 million to settle alleged HIPAA violations relating to an incident that occurred in April 2012 that two employees accessed patient information of 106,000 patients in an unauthorized manner and with criminal intent, including their names, dates of birth, and Social … Continue Reading

Report Summarizes Healthcare Data Breaches in January 2017

Health care data breaches are not slowing. According to a report issued by Protenus, in conjunction with www.databreaches.net, the summary of healthcare data breaches in 2017 continues where 2016 left off. In January 2017, there were 31 data breaches reported to the Office for Civil Rights. The breaches resulted in the compromise of 388,307 patient … Continue Reading

Children’s Medical Center of Dallas Clobbered by OCR

In a rare move by the OCR, it assessed a $3.2 million fine against Children’s Medical Center of Dallas (Children’s) after it issued a Notice of Proposed Determination against Children’s and Children’s failed to request a hearing. The Notice was issued following the OCR’s investigation of two self-reported data breaches. The first involved the theft … Continue Reading

Three-Month Delay Means Health Network Must Pay

A delay in reporting a HIPAA violation can result in a significant monetary penalty. That was the message sent by the Office for Civil Rights (OCR), which recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (PHI). According to the OCR, Presence Health (a large … Continue Reading

2016 Was the Year of the Data Breach

Although every year we lament about the significance of data breaches in the past year, 2016 was by far the worst. Data breaches were rampant, victimizing every industry and numbing consumers in the process. It was so bad that consumers began to throw up their hands and say “My personal information is out there anyway. … Continue Reading

Top Ten Education Developments, Breaches, and Settlements of 2016

This year has been a busy year for education law in the area of data privacy. Educational institutions continue to be a rich target for hackers. Additionally, there were some important developments in the interpretation of Family Educational Rights and Privacy Act (FERPA) and the Telephone Consumer Protection Act (TCPA) as it applies to educational … Continue Reading

November the Worst Month Yet for Healthcare Breaches

We have repeatedly reiterated numerous warnings to the healthcare industry about malware and ransomware [see related posts here and here]. Our predictions have unfortunately become true, as November was the worst month ever for healthcare data breaches, according to self-reports to the Office for Civil Rights (OCR). In the month of November 57 incidents of … Continue Reading

ONC and OCR Issue Joint Fact Sheet on Use of PHI for Public Health Activities

Whenever fact sheets or other guidance is issued by either the Office of the National Coordinator for Health Information Technology (ONC) or the Office for Civil Rights (OCR), it helps gain insight into the thinking of the regulators so we watch it closely. But when the ONC and OCR issues joint guidance, it is hitting … Continue Reading

OCR Alerts Listservs About Fake Phishing Email to Covered Entities and Business Associates

On November 28, 2016, the Office for Civil Rights (OCR) issued an Alert to its listservs that a phishing email is being circulated on “mock HHS Departmental letterhead under the signature of OCR”s Director, Jocelyn Samuels” to employees of HIPAA covered entities and business associates. The email looks official and tells the recipient that it … Continue Reading

UMass Amherst Settles HIPAA Violations with OCR for $650,000

The Office for Civil Rights (OCR) has announced that the University of Massachusetts Amherst (UMass) has agreed to settle an investigation against it as a result of a malware infection for $650,000, along with implementing a Corrective Action Plan. Although $650,000 is a hefty sum for the allegations, the OCR in its announcement said it … Continue Reading

OCR Stresses Importance of Authentication in Newsletter

In a recent newsletter, the Office for Civil Rights (OCR) encourages health care organizations to review their procedures around authentication and “ensure that they have the appropriate safeguards in place.” The Newsletter, entitled What Type of Authentication is Right for You? states that “[O]ver the past years, the healthcare sector has been one of the … Continue Reading

Confusing Joint Guidance published by OCR and FTC on HIPAA Authorization Forms

There are arguments that there is a dearth of guidance by both the Office for Civil Rights (OCR) and Federal Trade Commission (FTC), so when guidance comes out, we listen. But the most recent guidance jointly issued by the OCR and the FTC is rather confusing. The guidance titled “Sharing Consumer Health Information? Look to … Continue Reading
LexBlog