HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR.  Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital

This week, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the use of HIPAA-compliant authorizations for research based on a mandate in the Cures Act for such guidance.  The guidance addresses authorizations and expiration language for future research as well as revocation of the authorization.  A copy of the guidance can be obtained hereContinue Reading OCR Issues Guidance on the Use of HIPAA Authorizations for Research

Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations.  While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities.  OCR is sending a message about HIPAA Security Rule compliance.

Five Fresenius entities in five different states suffered five completely separate but relatively common breaches.  Each breach involved stolen or missing equipment.  No one breach involved records of more than 500 patients.  In fact, combined, the total number of patients impacted was 521.  As a reminder, the $5.5 million settlement this time last year with Memorial Health Care System involved the records of 115,143 individuals. Continue Reading $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each

Based on the decision in a recent Connecticut Supreme Court case, patients may now sue physicians for breaching confidentiality. Previously, Connecticut did not recognize breach of confidentiality as a cause of action. The unauthorized disclosure at the heart of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. involved a provider’s response to a subpoena. Subpoena compliance has long been an area of confusion for providers. After Byrne, not only must providers pay special attention when responding to subpoenas but now they must also worry about broader breach of confidentiality claims by patients. Continue Reading Connecticut Recognizes New Cause of Action for Breach of Patient/Physician Confidentiality