Tag Archives: OCR

Dental Practice Pays $10,000 Fine to OCR for Disclosing PHI on Social Media

Elite Dental Associates (Elite), located in Dallas, Texas has agreed to settle alleged HIPAA violations with the Office for Civil Rights (OCR) for $10,000. The OCR alleged that it received a complaint from a patient in June of 2016 that Elite had disclosed the patient’s last name and details of the patient’s health condition on … Continue Reading

For First Time Ever, Government Brings HIPAA Enforcement Action Alleging Violations of Right to Access Medical Records

On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response … Continue Reading

OCR Issues Fact Sheet Listing Circumstances in which Business Associates May Face Direct Liability for HIPAA Violations

In a development that may – understandably – have been overlooked by many heading into Memorial Day weekend, on May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Fact Sheet on Direct Liability of Business Associates under the Health Insurance Portability and Accountability Act (HIPAA). … Continue Reading

Privacy Tip #191 – Trying to Protect Your Medical Information—Let’s Ask Questions About Data Security

In the top three of the list of highly sensitive personal data to be concerned about is our medical information. It’s so sensitive because it is so personal. It used to be that our medical information was located in paper charts at our doctor’s office, the hospital, the pharmacy and our health insurer. Now it’s … Continue Reading

Tech Company Execs Sweat Personal Liability for Privacy Violations

In the Privacy Law classes I teach in the Brown University Executive Masters of Cybersecurity and at Roger Williams University School of Law, we discuss the enforcement authority that the Federal Trade Commission (FTC), the Office for Civil Rights (OCR) and other federal and state agencies have over data privacy and security, including how effective … Continue Reading

Diagnostic Medical Imaging Company Pays $3 Million to Resolve Potential HIPAA Violations Stemming from Data Breach

The Office of Civil Rights (OCR), the enforcement arm of the Department of Health & Human Services (HHS), announced that a Tennessee diagnostic medical imaging services company has agreed to pay $3 million to settle potential HIPAA violations arising from a data breach that exposed over 300,000 patients’ protected health information. As part of the … Continue Reading

Cottage Health Settles with OCR for $3M

We previously reported that Cottage Health, a health care entity operating several hospitals in California, settled with the State of California for $3 million in regard to a security incident that occurred in 2013. On February 7, 2019, the Office for Civil Rights (OCR) issued a press release that it settled HIPAA violations in December … Continue Reading

OCR Issues Request for Information Regarding Modification of HIPAA To Promote Care Coordination and Transition to Value-Based Care

On December 14, 2018 the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s … Continue Reading

Advanced Care Hospitalists Settles with OCR for $500,000 for Alleged HIPAA Violations

The Office for Civil Rights has announced that it has settled with Lakeland, Florida based Advanced Care Hospitalists (ACH) for $500,000 for allegations of an impermissible disclosure of protected health information by one of its business associates. ACH provides contract internal medicine physicians to nursing homes and hospitals. According to the press release, between November … Continue Reading

OCR Announces $125,000 Settlement for Disclosure of Patient Information to Reporter

The United States Department of Health & Human Services, Office of Civil Rights (OCR) announced a settlement this week with Allergy Associates of Hartford, P.C. whereby Allergy Associates agreed to pay $125,000 to resolve a HIPAA violation complaint that alleged the covered entity impermissibly disclosed the complainant’s Protected Health Information (PHI) to an unauthorized third … Continue Reading

Anthem Settles with OCR for $16M for 2015 Data Breach

The Department of Health and Human Services Office for Civil Rights (OCR) announced this week that it has settled the largest health care data breach for the largest enforcement fine in history. OCR settled the massive data breach Anthem suffered in 2015 for $16 million—a substantially larger fine than any others assessed by OCR for … Continue Reading

July Worst Month in 2018 for Health Care Data Breaches Reported to OCR

Data breaches continue to plague the health care industry, and July 2018 was the worst month so far this year in the number of data breaches reported to the Office for Civil Rights (OCR). Thirty-three data breaches were reported by covered entities and business associates in July, with the largest one reported by UnityPoint Health, … Continue Reading

OCR Issues Guidance on Disposing Electronic Data and Media

In its July newsletter on cybersecurity, the Office for Civil Rights (OCR) released “Guidance on Disposing of Electronic Devices and Media,” which outlines the requirements health care providers and business associates have regarding the security of electronic data and media under the HIPAA Security Rule. The newsletter reminds health care providers and business associates that … Continue Reading

OCR Prevails with ALJ Against MD Anderson for $4.3 Million in HIPAA Fines and Penalties

It is a rare occurrence when a health care entity challenges the Office for Civil Rights (OCR) regarding proposed fines and penalties for HIPAA violations. In my memory, it has only happened once before. On June 1, 2018, an Administrative Law Judge (ALJ) granted summary judgment in favor of the OCR against The University of … Continue Reading

Paper Records Still Problematic for Health Care Providers

Data breaches continue to be an issue for health care providers, as indicated when looking at breaches reported to the Office for Civil Rights (OCR), as required by HIPAA. In the first three months of 2018, there were 77 breaches of protected health information (PHI) reported to OCR, which included more than one million patient … Continue Reading

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located … Continue Reading

Fresenius Pays OCR $3.5M for Five Separate Data Breaches Affecting a Total of 521 Individuals

In the first settlement for HIPAA violations in 2018, Fresenius Medical Care North America (Fresenius) has agreed to pay $3.5 million to the Office for Civil Rights (OCR) to settle allegations against it relating to five data breaches that occurred over a four month period in 2012. Interestingly, the five separate breaches affected the information … Continue Reading

Health Care Organizations Saw an 89% Increase in Ransomware in 2017

Our experience last year is consistent with the conclusion of a new report issued by Cryptonite in its 2017 Health Care Cyber Research Report—that the number of hacking events targeted at health care entities involving ransomware increased a whopping 89% from 2016. The report analyzed the self-reporting database of the Office for Civil Rights (OCR) … Continue Reading

OCR Warns Health Care Industry of Risks with Previous Employees

In its November newsletter, the Office for Civil Rights (OCR) made a great point that we are seeing in the industry—the risks associated with previous employees. According to its newsletter, entitled “Insider Threats and Termination Procedures,” the OCR states “Data breaches caused by current and former workforce members are a recurring issue across many industries, … Continue Reading

OCR Clarifies Privacy Rule for Sharing PHI on Opioid Overdoses

In the wake of the national opioid overdose crisis, the Office for Civil Rights (OCR) has provided clarification on when covered entities are permitted to disclose patient information during opioid emergencies. The OCR commented that some health care providers believe that they must have the patient’s consent in order to share information with family members … Continue Reading
LexBlog