Privacy and cybersecurity is at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals. The first breach involved a security configuration where persons could access files with ePHI without a username or password, thereby making ePHI available to anyone with access to the health system’s server. The second breach involved a server misconfiguration, exposing the health system’s ePHI over the internet, including social security numbers and treatment information. Continue Reading HIPAA Enforcement In 2018 Hits All Time High
Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.
As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.
Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.
Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.
A Colorado Hospital reached an $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information. OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access. Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar, without a business associate agreement. There are two main takeaways here. Continue Reading Another HIPAA Breach, Another 6-Figure HIPAA Settlement
On Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with a three-physician allergy practice in Connecticut for HIPAA Privacy Rule violations. According to OCR’s press release and corrective action plan, a physician responded to a reporter’s questions about the allergy practice turning away a patient with a service animal. While the allergy practice had HIPAA policies and procedures in place, the involved physician did not adhere to the policies. Further, once OCR uncovered the issue, it also found that the practice failed to sanction the involved physician in accordance with its policies. Continue Reading Six-Figure OCR Settlement for Three-Physician Practice Failing to Follow Policies
We’re all guilty of it. We keep things that we don’t need, like that pair of stone-washed jeans from 1992 that you hope will come back into style or your beanie baby collection that you blindly believe might be worth something someday. While our inability to purge old stuff from our closets may cost us closet space, the repercussions for an organization that hoards data are far more significant. From a cybersecurity perspective, the more personal information a company maintains, the more information it has to lose. Consequently, the more information a company loses, the higher the financial and reputational costs.
According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches. In order for phishing or social engineering attacks to be successful, the attacker needs a target to take the bait. Your employees often are the targets, aka the fish that bite. Therefore, in conjunction with the implementation of IT security measures, training your employees is of paramount importance to preventing these types of cybersecurity attacks. Employers must make employees aware of the risks associated with clicking on a link in a phishing email, downloading an attachment from an unknown sender or responding to requests for credential/login information or other data. Continue Reading The Importance of Training
In recognition of National Cybersecurity Awareness Month, each Friday this October, we will highlight a different step that organizations can take to increase awareness of potential cyber threats, reduce the risk of a cyber attack or minimize damage from an attack. All four steps are solutions that all organizations, regardless of size or budget, can implement. Specifically, over the course of the month we will examine information security plans, training, vendor due diligence and data retention and destruction, as tools organizations can use to arm themselves to both prevent and in the event of a cyber attack. Continue Reading October is National Cybersecurity Awareness Month!
On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country. California enacted the CCPA in June and it takes effect on January 1, 2020. Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses. Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles. Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months. Continue Reading California Governor Approves Revisions to Consumer Privacy Act
Hurricane Florence has caused the Department of Health and Human Services (“HHS”) to declare a public health emergency ahead of the storm. Accordingly, HHS’ Office for Civil Rights (“OCR”) released guidance ahead of the hurricane. The focus of the guidance is that HIPAA should not impede patient care in a disaster situation. Continue Reading OCR Releases Hurricane Florence Guidance Ahead of Storm
On July 23, 2018, Denmark’s data protection agency announced that companies must encrypt all emails transmitting sensitive personal data. This new rule goes into effect January 1, 2019, giving companies that do business in or with Denmark approximately five months to implement encryption technologies for their email systems. This is a strict interpretation of Article 9 of GDPR; however, one facet of GDPR is that each European Union country can interpret and determine how companies must comply with the overarching GDPR principles and requirements. Continue Reading Denmark Implements Email Encryption Requirement, What Countries Will Follow?
HIPAA has teeth. On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA. In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR. Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital