A Reminder That Covered Entities Of All Sizes Need To Comply With HIPAA Security Rule
On March 3, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) signaled to covered entities of all sizes that they need to take their HIPAA obligations seriously. OCR entered into a settlement and corrective action plan with a small physician practice for $100,000 to settle alleged violations of the HIPAA Security Rule. This enforcement action is an example of OCR enforcing HIPAA’s requirements on smaller covered entities. OCR specifically noted that this practice sees approximately 3,000 patients per year.
A HIPAA Compliance Program “In Disarray” Leads to OCR Imposing a $2.15 Million Civil Monetary Penalty
Last week, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty (“CMP”), to the tune of $2.15 million, against Jackson Health System (“JHS”). The CMP stemmed from JHS’ numerous HIPAA violations that occurred from 2013 through 2016.
There is no doubt that social media has its benefits, especially for medical practices that have come to use it for marketing and advertising. However, risks are lurking. On October 2, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) entered into a $10,000 settlement with a dental practice (the “Practice”) for disclosing protected health information of a patient when responding to a review on a Yelp page.
100 Days from CCPA, Is Your Business Ready?
We are 100 days away from the California Consumer Privacy Act (“CCPA”). Are you ready? The CCPA, the first comprehensive United States privacy law, takes effect on January 1, 2020, with an enforcement date of July 1, 2020.
Does CCPA Apply to My Business?
Apparently, that answer is yes. According to Amazon, its virtual personal assistant, Alexa, can now transfer and handle protected health information (“PHI”) in accordance with HIPAA. Amazon expects Alexa to handle various healthcare-related tasks, including scheduling urgent care appointments, checking health insurance benefits and reading blood-sugar tests, among others. To create these new services, Amazon collaborated with various companies, including Cigna and major hospitals. When it comes to privacy, Amazon and its partners embedded various privacy barriers into the new services, including voice codes or requiring a user to log in with passwords for existing health care-specific accounts.
As technology and health care continue to become more intertwined, I would not be surprised if Apple and Google follow Amazon’s lead, rolling out similar products for Siri and Google Home. Additionally, the types of health care services offered through these virtual personal assistants, as well as our smart phones, will likely only grow in breadth. It no longer seems far-fetched that you may communicate and transmit data to your health care provider or pharmacy by talking into a speaker in the comfort of your home. The question becomes: what happens to all the information that you are saying aloud? This will be service-dependent, but it is clear that Amazon, among other tech companies, will now be maintaining your electronic PHI.
This represents a seismic shift from the information maintained by your everyday fitness tracker and comes with an entirely new set of compliance responsibilities. Thus, while HIPAA is both scalable, depending on the scope of the covered entity, and flexible enough to adapt to new technologies, these tech companies may soon realize that HIPAA has real compliance costs as well. In today’s age of big data breaches, even a minor slip-up, for example leaking usernames of a specific health care service through the tech provider’s platform, could ultimately prove to be very costly.
Upcoming Seminar in Connecticut: Cyber Weapons You Must Deploy to Defeat the Criminals Stalking Your Small Business (and a Battle Plan to Launch Today)
Think your business is too small to risk a cyber security threat? Do you have:
- A point-of-sale cash register?
- A credit card authorization system?
- An email account?
- Old software?
- Any computer connected to the internet, ever?
We’ll explain the ways you never dreamed that you were at risk.
Popular Children’s App Musical.ly Settles FTC COPPA Claims
Musical.ly, now known as TikTok, an app popular with children and teenagers, settled a lawsuit with the FTC under the Children’s Online Privacy Protection Act (“COPPA”) to the tune of $5.7 million. This sum is the largest civil penalty the FTC has ever obtained under COPPA.
HIPAA Enforcement In 2018 Hits All Time High
Privacy and cybersecurity are at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals. The first breach involved a security configuration where persons could access files with ePHI without a username or password, thereby making ePHI available to anyone with access to the health system’s server. The second breach involved a server misconfiguration, exposing the health system’s ePHI over the internet, including social security numbers and treatment information.
Federal Court Dismisses Federal Securities Class Action Based on Data Breach
For many years, the plaintiffs’ bar has been very active in bringing class action litigation against public companies immediately after the announcement of adverse news concerning a company, which many times triggers a decline in the company’s stock price. Since at least the Yahoo data breach in 2013 (which led to a settled SEC enforcement action and a recently settled class action lawsuit), plaintiffs’ lawyers have been increasingly drawn to using data breach problems to allege misconduct or fraud by corporate officials charged with keeping the securities markets apprised of all material information about a public company.
Another HIPAA Breach, Another 6-Figure HIPAA Settlement
A Colorado hospital reached a $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information. OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access. Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar without a business associate agreement. There are two main takeaways here.