A Colorado Hospital reached an $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information.  OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access.  Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar, without a business associate agreement.  There are two main takeaways here. Continue Reading Another HIPAA Breach, Another 6-Figure HIPAA Settlement

The Request for Information on Modifying HIPAA Rules to Improve Coordinated Care is slated for publication in the federal register tomorrow.  The Department of Health and Human Services’ Office for Civil Rights (OCR) issued an advance copy of the RFI yesterday.  Specifically, “OCR seeks information on the provisions of the HIPAA Rules that may present obstacles to, or place unnecessary burdens on, the ability of covered entities and business associates to conduct care coordination and/or case management, or that may inhibit the transformation of the health care system to a value-based health care system.”  The public comment period closes 60 days from December 14, 2018. Continue Reading OCR Issues Anticipated RFI on HIPAA Modifications

On Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with a three-physician allergy practice in Connecticut for HIPAA Privacy Rule violations.  According to OCR’s press release and corrective action plan, a physician responded to a reporter’s questions about the allergy practice turning away a patient with a service animal.  While the allergy practice had HIPAA policies and procedures in place, the involved physician did not adhere to the policies.  Further, once OCR uncovered the issue, it also found that the practice failed to sanction the involved physician in accordance with its policies. Continue Reading Six-Figure OCR Settlement for Three-Physician Practice Failing to Follow Policies

CMS recently sent a proposed request for information (RFI) to the Federal Office of Management and Budget (OMB) for review.  The RFI would seek feedback on whether provisions of HIPAA present barriers or otherwise discourage coordination of care among providers, payors and patients.  The RFI also seeks feedback on whether HIPAA “impede[s] the transformation to value-based health care without providing commensurate privacy or security protections. . . .”  Importantly, the RFI seems to acknowledge some of the most burdensome requirements under HIPAA by requesting feedback on provisions regarding accountings of disclosures and written acknowledgement of receipt of a notice of privacy practices.  The RFI also asks for comments regarding good faith disclosures.  Hopefully, this is a signal that there may be some common sense changes to HIPAA that reduce burdens on covered entities without jeopardizing patients’ privacy.  Stay tuned…

More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date.  Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach.  Continue Reading Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach

 

On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000.  In each instance, a news story about ABC News filming a medical documentary (a Boston Globe article on BMC and BWH and a posting on MGH’s website) prompted OCR to conduct “a compliance review.”  In all three separate investigations, OCR found deficiencies.  While the BMC settlement agreement does not provide any details on the specifically alleged improper conduct, the BWH and MGH agreements note that both hospitals took measures to protect patient information but nonetheless OCR found the efforts to be inadequate.  In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations but disclosed information to the film crews before obtaining those authorizations. Continue Reading Boston-Area Hospitals Pay Nearly $1M in Penalties for Permitting Filming of “Boston Med”

In recognition of the vulnerability of mobile devices and the daily use of those devices in health care, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) released a practice guide earlier this month entitled Securing Electronic Health Records on Mobile Devices (NIST Special Publication 1800-1).  NIST and NCCoE specifically examined physician use of a mobile device (i.e. smart phone or tablet) to send a referral or an electronic prescription.  Using open-source tools and commercially available technologies, NIST and NCCoE offer technical guidance on how to ensure that such mobile device use complies with the HIPAA Security Rule and is in line with NIST best practices.  The 260-page practice guide has something for everyone ‒ high-level summaries for business leaders and technical guidance for information security and technology teams.

HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR.  Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital

This week, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the use of HIPAA-compliant authorizations for research based on a mandate in the Cures Act for such guidance.  The guidance addresses authorizations and expiration language for future research as well as revocation of the authorization.  A copy of the guidance can be obtained hereContinue Reading OCR Issues Guidance on the Use of HIPAA Authorizations for Research

Yesterday, DHHS’s Office for Civil Rights (OCR) announced a $100,000 settlement with a dissolved medical records moving and storage company in Illinois.  This is another example of OCR bringing enforcement actions against a business associate under HIPAA.  OCR investigated a complaint that the business associate brought medical records to a shredding and recycling facility in exchange for cash.  According to OCR, it confirmed that the business associate violated the HIPAA Privacy Rule when it left the medical records of approximately 2,150 people at the shredding and recycling facility.  Due to other legal troubles, a court had already forced the business associate to liquidate its assets and appointed a receiver to pay its debts.  The receiver agreed to pay the $100,000 settlement and to ensure that the storage and disposal of the remaining medical records would be in compliance with HIPAA.

Read a copy of the Resolution Agreement here.