Photo of Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha's Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.

As the Covid-19 pandemic continues throughout the world, many workplaces have gone virtual. While the advent of technology makes a remote workforce possible, the newly remote workforce brings with it additional challenges to a company’s information technology (“IT”) systems. However, proper policies and procedures that govern the security of IT systems and employees’ use of such systems can go a long way to help protect an organization.

Continue Reading Covid-19 and the Challenges of a Remote Workforce

On March 3, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) signaled to covered entities of all sizes that they need to take their HIPAA obligations seriously.  OCR entered into a settlement and corrective action plan with a small physician practice for $100,000 to settle alleged violations of the HIPAA Security Rule.  This enforcement action is an example of OCR enforcing HIPAA’s requirements on smaller covered entities.  OCR specifically noted that this practice sees approximately 3,000 patients per year.
Continue Reading A Reminder That Covered Entities Of All Sizes Need To Comply With HIPAA Security Rule

Last week, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty (“CMP”), to the tune of $2.15 million, against Jackson Health System (“JHS”).  The CMP stemmed from JHS’ numerous HIPAA violations that occurred from 2013 through 2016.  
Continue Reading A HIPAA Compliance Program “In Disarray” Leads to OCR Imposing a $2.15 Million Civil Monetary Penalty

There is no doubt that social media has its benefits, especially for medical practices that have come to use it for marketing and advertising.  However, risks are lurking.  On October 2, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) entered into a $10,000 settlement with a dental practice (the “Practice”) for disclosing protected health information of a patient when responding to a review on a Yelp page.

Continue Reading OCR Fines Dental Practice $10,000 For Social Media Disclosures

Apparently, that answer is yes. According to Amazon, its virtual personal assistant, Alexa, can now transfer and handle protected health information (“PHI”) in accordance with HIPAA.  Amazon expects Alexa to handle various healthcare related tasks, including scheduling urgent care appointments, checking health insurance benefits and reading blood-sugar tests, among others.  To create these new services,

Music.ly, now known as Tik Tok, an app popular with children and teenagers, settled a lawsuit with the FTC under the Children’s Online Privacy Protection Act (“COPPA”) to the tune of $5.7 Million Dollars.  This sum is the largest civil penalty the FTC has ever obtained under COPPA. 
Continue Reading Popular Children’s App Music.ly Settles FTC COPPA Claims

Privacy and cybersecurity is at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals.  The first breach involved a security configuration where persons could access files with ePHI without a username or password, thereby making ePHI available to anyone with access to the health system’s server.  The second breach involved a server misconfiguration, exposing the health system’s ePHI over the internet, including social security numbers and treatment information.
Continue Reading HIPAA Enforcement In 2018 Hits All Time High

A Colorado Hospital reached an $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information.  OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access.  Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar, without a business associate agreement.  There are two main takeaways here.
Continue Reading Another HIPAA Breach, Another 6-Figure HIPAA Settlement

On Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with a three-physician allergy practice in Connecticut for HIPAA Privacy Rule violations.  According to OCR’s press release and corrective action plan, a physician responded to a reporter’s questions about the allergy practice turning away a patient with a service animal.  While the allergy practice had HIPAA policies and procedures in place, the involved physician did not adhere to the policies.  Further, once OCR uncovered the issue, it also found that the practice failed to sanction the involved physician in accordance with its policies.
Continue Reading Six-Figure OCR Settlement for Three-Physician Practice Failing to Follow Policies