The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently issued its Final Rule to modify HIPAA “to support reproductive health care privacy.” The Final Rule responds to Executive Order 14076, in which President Biden directed HHS to take actions to protect reproductive health information following Dobbs v.
HHS Updates Guidance on Use of Tracking Technologies with Websites and Mobile Apps
On March 18, the Office for Civil Rights of the U.S. Department of Health and Human Services issued a Bulletin updating its guidance to HIPAA-covered entities and business associates on the use of tracking technology on websites and mobile apps.
The Bulletin supplements the original guidance published by OCR in December 2022.
According to the…
HHS Settles with Doctors’ Management Services Over Ransomware Attack
On October 31, 2023, the Office for Civil Rights (OCR) issued a press release announcing that it has settled with Doctors’ Management Services for $100,000 following a ransomware attack that compromised the protected health information of 206,695 individuals.
According to the press release, “this marks the first ransomware agreement OCR has reached.” The facts underlying…
MedEvolve OCR Settlement for $350,000 due to Alleged Failures to Protect Data
On May 17, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with MedEvolve, Inc. for $350,000. MedEvolve provides practice and revenue cycle management and practice analytics software services to health care entities. The settlement resulted from MedEvolve’s alleged violation of the Health Insurance Portability and Accountability…
Annual Breach Notification Deadline to OCR Looming
HIPAA requires that covered entities notify the Office for Civil Rights (OCR) of any breaches of unsecured protected health information that affect fewer than 500 individuals in a calendar year within 60 days following the end of the calendar year.
Therefore, all breaches that affected fewer than 500 individuals that occurred in 2022 and have…
OCR Settles Improper Disposal Case for $300,640
On August 23, 2022, the Office for Civil Rights (OCR) issued a press release announcing that it had settled with New England Dermatology, P.C. (NED) for $300,640 “over the improper disposal of protected health information.”
The OCR’s investigation began after NED submitted a breach report stating that “empty specimen containers with protected health information on…
Reporting of Breaches Under 500 Due by March 1
HIPAA requires covered entities and business associates to report to the Office for Civil Rights (OCR) all breaches of unsecured protected health information when the incident involves fewer than 500 individuals no later than 60 days following the calendar year in which the breach occurred.
This year, the deadline for reporting breaches that occurred in…
OCR Cybersecurity Newsletter Focuses on Controlling Access to ePHI
The Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services recently issued its Summer 2021 Cybersecurity Newsletter, which focuses on controlling access to electronic personal health information (ePHI) and the HIPAA Security Rule standards. Citing a recent report of security incidents and data breaches in the health care…
Diabetes, Endocrinology & Lipidology Center Becomes 19th Settlement with OCR for HIPAA Right-of-Access Violation
Last week, Diabetes, Endocrinology & Lipidology Center Inc. (DELC) of West Virginia reached a $5,000 settlement with the Office for Civil Rights (OCR) over allegations that it failed to provide timely access to a patient’s health records. The OCR alleged that DELC waited more than two years to send a minor’s medical records to their…
OCR Announces Settlement with Clinical Lab for Alleged HIPAA Violations
The Office for Civil Rights (OCR) this week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.
The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR.
OCR initiated a compliance…