Last week, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty (“CMP”), to the tune of $2.15 million, against Jackson Health System (“JHS”).  The CMP stemmed from JHS’ numerous HIPAA violations that occurred from 2013 through 2016.  
Continue Reading

Apparently, that answer is yes. According to Amazon, its virtual personal assistant, Alexa, can now transfer and handle protected health information (“PHI”) in accordance with HIPAA.  Amazon expects Alexa to handle various healthcare related tasks, including scheduling urgent care appointments, checking health insurance benefits and reading blood-sugar tests, among others.  To create these new services,

CMS recently sent a proposed request for information (RFI) to the Federal Office of Management and Budget (OMB) for review.  The RFI would seek feedback on whether provisions of HIPAA present barriers or otherwise discourage coordination of care among providers, payors and patients.  The RFI also seeks feedback on whether HIPAA “impede[s] the transformation to

In the first installation of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISP) as part of an overall cybersecurity strategy.  Regardless of the size or function of an organization, having an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law.  An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it.  An ISP should address different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information like trade secrets.
Continue Reading

On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000.  In each instance, a news story about ABC News filming a medical documentary (a Boston Globe article on BMC and BWH and a posting on MGH’s website) prompted OCR to conduct “a compliance review.”  In all three separate investigations, OCR found deficiencies.  While the BMC settlement agreement does not provide any details on the specifically alleged improper conduct, the BWH and MGH agreements note that both hospitals took measures to protect patient information but nonetheless OCR found the efforts to be inadequate.  In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations but disclosed information to the film crews before obtaining those authorizations.
Continue Reading

In recognition of the vulnerability of mobile devices and the daily use of those devices in health care, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) released a practice guide earlier this month entitled Securing Electronic Health Records on Mobile Devices (NIST Special Publication 1800-1).  NIST and

HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR. 
Continue Reading

This week, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the use of HIPAA-compliant authorizations for research based on a mandate in the Cures Act for such guidance.  The guidance addresses authorizations and expiration language for future research as well as revocation of the authorization.  A copy of the guidance can be obtained here
Continue Reading

Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations.  While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities.  OCR is sending a message about HIPAA Security Rule compliance.

Five Fresenius entities in five different states suffered five completely separate but relatively common breaches.  Each breach involved stolen or missing equipment.  No one breach involved records of more than 500 patients.  In fact, combined, the total number of patients impacted was 521.  As a reminder, the $5.5 million settlement this time last year with Memorial Health Care System involved the records of 115,143 individuals.
Continue Reading