On March 3, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) signaled to covered entities of all sizes that they need to take their HIPAA obligations seriously.  OCR entered into a settlement and corrective action plan with a small physician practice for $100,000 to settle alleged violations of the HIPAA Security Rule.  This enforcement action is an example of OCR enforcing HIPAA’s requirements on smaller covered entities.  OCR specifically noted that this practice sees approximately 3,000 patients per year.
Continue Reading A Reminder That Covered Entities Of All Sizes Need To Comply With HIPAA Security Rule

Last week, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty (“CMP”), to the tune of $2.15 million, against Jackson Health System (“JHS”).  The CMP stemmed from JHS’ numerous HIPAA violations that occurred from 2013 through 2016.  
Continue Reading A HIPAA Compliance Program “In Disarray” Leads to OCR Imposing a $2.15 Million Civil Monetary Penalty

Apparently, that answer is yes. According to Amazon, its virtual personal assistant, Alexa, can now transfer and handle protected health information (“PHI”) in accordance with HIPAA.  Amazon expects Alexa to handle various healthcare related tasks, including scheduling urgent care appointments, checking health insurance benefits and reading blood-sugar tests, among others.  To create these new services,

Privacy and cybersecurity is at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals.  The first breach involved a security configuration where persons could access files with ePHI without a username or password, thereby making ePHI available to anyone with access to the health system’s server.  The second breach involved a server misconfiguration, exposing the health system’s ePHI over the internet, including social security numbers and treatment information.
Continue Reading HIPAA Enforcement In 2018 Hits All Time High

A Colorado Hospital reached an $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information.  OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access.  Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar, without a business associate agreement.  There are two main takeaways here.
Continue Reading Another HIPAA Breach, Another 6-Figure HIPAA Settlement

The Request for Information on Modifying HIPAA Rules to Improve Coordinated Care is slated for publication in the federal register tomorrow.  The Department of Health and Human Services’ Office for Civil Rights (OCR) issued an advance copy of the RFI yesterday.  Specifically, “OCR seeks information on the provisions of the HIPAA Rules that may present obstacles to, or place unnecessary burdens on, the ability of covered entities and business associates to conduct care coordination and/or case management, or that may inhibit the transformation of the health care system to a value-based health care system.”  The public comment period closes 60 days from December 14, 2018.
Continue Reading OCR Issues Anticipated RFI on HIPAA Modifications

On Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with a three-physician allergy practice in Connecticut for HIPAA Privacy Rule violations.  According to OCR’s press release and corrective action plan, a physician responded to a reporter’s questions about the allergy practice turning away a patient with a service animal.  While the allergy practice had HIPAA policies and procedures in place, the involved physician did not adhere to the policies.  Further, once OCR uncovered the issue, it also found that the practice failed to sanction the involved physician in accordance with its policies.
Continue Reading Six-Figure OCR Settlement for Three-Physician Practice Failing to Follow Policies

CMS recently sent a proposed request for information (RFI) to the Federal Office of Management and Budget (OMB) for review.  The RFI would seek feedback on whether provisions of HIPAA present barriers or otherwise discourage coordination of care among providers, payors and patients.  The RFI also seeks feedback on whether HIPAA “impede[s] the transformation to

More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date.  Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach. 
Continue Reading Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach

On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000.  In each instance, a news story about ABC News filming a medical documentary (a Boston Globe article on BMC and BWH and a posting on MGH’s website) prompted OCR to conduct “a compliance review.”  In all three separate investigations, OCR found deficiencies.  While the BMC settlement agreement does not provide any details on the specifically alleged improper conduct, the BWH and MGH agreements note that both hospitals took measures to protect patient information but nonetheless OCR found the efforts to be inadequate.  In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations but disclosed information to the film crews before obtaining those authorizations.
Continue Reading Boston-Area Hospitals Pay Nearly $1M in Penalties for Permitting Filming of “Boston Med”