The U.S. District Court for the Northern District of Texas ruled that HHS's December 1, 2022, guidance applying HIPAA to online tracking technologies is unlawful with respect to its treatment of certain combinations of...
The Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) recently announced its first cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act of...
4/28/2021 / Benefit Plan Sponsors, Cybersecurity, Data Breach, Data Privacy, Department of Labor (DOL), EBSA, Employee Benefits, Employee Retirement Income Security Act (ERISA), Popular, Retirement Plan, Retirement Plan Providers, Risk Management
On December 2, 2020, under the Trump Administration's "Regulatory Sprint to Coordinated Care" initiative, the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) published final...
12/4/2020 / Anti-Kickback Statute, Centers for Medicare & Medicaid Services (CMS), Cybersecurity, Data Collection, EHR, Medical Records, OIG, Popular, Safe Harbors, Stark Law, Trump Administration
Recent statements at the 27th National HIPAA Summit suggest that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may be changing its position and expecting a greater level of vendor due...
What if Artificial Intelligence (AI) is deployed within a health system to apply machine learning to patient information, in part, to allow patients to download information and wellness numbers (such as steps, blood pressure,...
March 1, 2018 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were...
There has been confusion as to whether the Affordable Care Act’s nondiscrimination provision (“ACA”) affects a covered entity’s notice of privacy practices (“NPP”) or data breach notifications. OCR has issued guidance...
The administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA) impose obligations on employer-sponsored group health plans. Given recent...
What’s worse than receiving an email indicating that you have been selected for an audit by your favorite government regulator? Clicking on a link in the email and discovering that it is a phishing attack that has just...
It’s a HIPAA first. A business associate has settled a direct enforcement action over allegations that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA). This settlement portends future...
8/3/2016 / Business Associates, Covered Entities, Data Breach, Department of Health and Human Services (HHS), Enforcement Actions, Financial Institutions, Health Insurance Portability and Accountability Act (HIPAA), OCR, PHI, Popular, Settlement Agreements
Much like a tornado watch, the conditions appear to be right for a coming storm: the upcoming Phase 2 HIPAA audits. The Department of Health and Human Services Office for Civil Rights (OCR) has begun verifying contact...
Passage of H.B. 1078 sets a 45-day notification deadline, adds additional notice requirements. Washington Governor Jay Inslee signed H.B. 1078 into law on April 23, revising the state’s data breach notification statute and...
On March 17, 2015, Premera announced a data breach involving the personal information of more than 11 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Employers and plan...
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued its first settlement under new OCR Director Jocelyn Samuels earlier this month. This latest settlement serves as a reminder that a...
The Massachusetts Attorney General announced Friday that her office had reached a settlement with Beth Israel Deaconess Medical Center (BIDMC) surrounding a 2012 data breach in which a physician’s unencrypted personal laptop...
On Sept. 18, 2014, California’s governor approved Assembly Bill 1755, extending California’s stringent breach notification deadline for medical information breaches from five business days to 15 business days for clinics,...