Covered entities, business associates, and any entities that collect health information about consumers online should carefully review the latest joint letter from the Office for Civil Rights (OCR) and the Federal Trade...more
7/25/2023
/ Cybersecurity ,
Data Collection ,
Data Privacy ,
Federal Trade Commission (FTC) ,
FTC Act ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
PHI ,
Third-Party ,
Tracking Systems
In response to concerns about the confidentiality of protected health information (PHI) related to reproductive health care less than one year after Dobbs v. Jackson Women’s Health Organization decision, and the prospect of...more
All players in the health and wellness ecosystem should be following developments around the American Data Privacy and Protection Act (ADPPA). If enacted, the ADPPA would be a watershed in the regulation of the privacy and...more
The HHS Office for Civil Rights (OCR) released a new guidance document regarding which HIPAA violations business associates (BAs) can and cannot be held directly liable for. In the guidance, OCR states that BAs can be held...more
Today, we’re looking back at HIPAA and other privacy and security developments in 2018. This past year saw continued HIPAA enforcement (including the largest ever fine for a HIPAA breach), reminders from the OCR on best...more
1/7/2019
/ Covered Entities ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Department of Health and Human Services (HHS) ,
General Data Protection Regulation (GDPR) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
PHI ,
Popular ,
State Data Breach Notification Statutes
Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA...more
6/21/2018
/ Advanced Notice of Proposed Rulemaking (ANPRM) ,
Cybersecurity ,
Data Protection ,
Department of Health and Human Services (HHS) ,
Disclosure Requirements ,
Electronic Protected Health Information (ePHI) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
New Guidance ,
OCR ,
Personally Identifiable Information ,
Revocation ,
State and Local Government ,
State Data Breach Notification Statutes
It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C....more
While your business may indeed be a “victim” when hit by a phishing attack, your enterprise can also be responsible for violations of law associated with the incident. Earlier this week, the HHS Office for Civil Rights...more
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried...more
4/13/2017
/ Data Security ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Email ,
Enforcement Actions ,
Hackers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Breach ,
Incident Response Plans ,
OCR ,
Phishing Scams ,
Risk Assessment ,
Risk Management ,
Settlement
Capping off a busy month of HIPAA settlements, on August 4, the Office for Civil Rights (“OCR”) announced a $5.55 million settlement with Advocate Health Care Network (“Advocate”), the largest fully-integrated healthcare...more
On July 11, 2016, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health...more
7/12/2016
/ Breach Notification Rule ,
Covered Entities ,
Cyber Attacks ,
Data Breach ,
Employee Training ,
Hackers ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Breach ,
Hospitals ,
New Guidance ,
OCR ,
PHI ,
Ransomware ,
Security Risk Assessments
Covered Entities need to continue to check their inboxes for emails from the HHS Office for Civil Rights (“OCR”) requesting verification of contact information in connection with Phase 2 of the HIPAA Audit Program. OCR...more
On March 21st, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails...more
As we have repeatedly emphasized on this blog, HIPAA Covered Entities must ensure that they have compliant business associate agreements (“BAAs”) in place with all of their business associates and must ensure that they have...more
In a chain of events that should be a wake-up call to any entity using and storing critical health information, Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a malware attack...more
Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a...more
As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became...more
This Halloween, the scariest monsters might not be in your closet or under your bed. They may be overseas, orchestrating intrusions into your electronic medical record. Or they may be lurking in your own workforce, carrying...more
10/30/2015
/ App Developers ,
Audits ,
Business Associates ,
Corrective Actions ,
Covered Entities ,
Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Encryption ,
Fitbit ,
Hackers ,
Health Information Technologies ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Mobile Health Apps ,
OCR ,
OIG ,
Patient Privacy Rights ,
Personally Identifiable Information ,
PHI ,
Security Risk Assessments ,
Wearable Technology
After a summer that saw major data breaches at the Office of Personnel Management and UCLA Health System, this fall is a great time to take your organization back to school on HIPAA compliance and data security. Here are...more
8/27/2015
/ Business Associates ,
C-Suite Executives ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Employee Training ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
ONC ,
Security Risk Assessments
The HHS Office of the National Coordinator for Health Information Technology (“ONC”) recently released a new and improved version 2.0 of their Guide to Privacy and Security of Electronic Health Information. This revamped...more
A recently announced settlement between Anchorage Community Mental Health (“ACMHS”) and the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) emphasizes, once again, the importance of compliance with...more
As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards in Technology (NIST) conference, “Safeguarding Health Information: Building Assurance...more
As we previously reported, President Obama has made it a priority to improve the National Instant Criminal Background Check System (“NICS”). Last week, more than eight months after the issuance of a advance notice of...more