Today, the HHS Office for Civil Rights (OCR) stands shoulder to shoulder with the likes of the Office of Inspector General and the Office of General Counsel, one of just a dozen or so agencies reporting directly to the secretary...
4/15/2025
/ Budget Cuts, Charter Schools, Compliance, Cybersecurity, Data Privacy, Department of Health and Human Services (HHS), Enforcement, Enforcement Actions, Federal Funding, Health Care Providers, Hiring & Firing, Medical School, OCR, Patient Privacy Rights, Patients, Privacy Laws, Regulatory Requirements, Trump Administration
Nearly six years to the day after Warby Parker reported a breach affecting nearly 200,000 individuals, the HHS Office for Civil Rights (OCR) imposed a $1.5 million fine on the eyewear giant. Investigated by OCR under the Biden...
3/12/2025
/ Business Associates, Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, PHI, Privacy Laws, Trump Administration
The saga that led Children’s Hospital Colorado to accept a fine of more than $500,000 imposed by the HHS Office for Civil Rights (OCR) began on July 11, 2017, when a physician’s email account containing details on 3,300...
2/7/2025
/ Civil Monetary Penalty, Compliance, Cybersecurity, Data Breach, Data Privacy, Department of Health and Human Services (HHS), Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Hospitals, OCR, PHI, Privacy Laws, Risk Management
Recent federal enforcement actions have brought home the lesson that there’s really no acceptable reason for denying a patient timely access to medical records. Last year, for example, the HHS Office for Civil Rights (OCR)...
1/22/2025
/ Breach Notification Rule, Compliance, Cybersecurity, Data Breach, Data Privacy, Data Security, Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Information Technology, OCR, Patient Privacy Rights, Privacy Laws, Privacy Rule, Ransomware, State Privacy Laws
Note to research compliance officials still digesting news of Pennsylvania State University’s recent $1.25 million settlement over False Claims Act (FCA) allegations related to cybersecurity and the government’s recent intervention in a...
12/9/2024
/ Cloud Service Providers (CSPs), Compliance, Cybersecurity, Data Security, Department of Defense (DOD), Department of Justice (DOJ), DFARS, Enforcement Actions, False Claims Act (FCA), Federal Contractors, Fraud, Government Seals, NIST, Noncompliance, Penn State, Research and Development, Settlement, Whistleblowers
On the heels of a $7.6 million payment by Cleveland Clinic to settle allegations of False Claims Act (FCA) violations and unallowable sharing of passwords, Michael Lauer, NIH deputy director for extramural research, penned a...
11/4/2024
/ Compliance, Corrective Action Plans (CAPs), Cybersecurity, Disclosure Requirements, Enforcement Actions, False Claims Act (FCA), False Reporting, Federal Grants, Food and Drug Administration (FDA), Harassment, Healthcare, HHS Office of Research Integrity (ORI), Information Sharing, Investigations, Life Sciences, Medical Research, National Institutes of Health (NIH), National Science Foundation, Office for Human Research Protections (OHRP), OIG, Policies and Procedures, SACHRP, Scientific Research, Settlement, Sexual Harassment, Statutory Requirements, Warning Letters
Unleashed on June 27, 2017, NotPetya, a destructive wiper dressed up as ransomware, caused an estimated $10 billion in damages globally, making it one of the costliest cyberattacks in history. In 2018, the Trump administration, in tandem with the British government, blamed...
8/21/2024
/ Corrective Action Plans (CAPs), Cyber Attacks, Cybersecurity, Data Protection, Electronic Protected Health Information (ePHI), Health Care Providers, Healthcare, HIPAA Security Rule, Malware, OCR, Patients, Privacy Laws, Settlement
UnitedHealth Group (UHG) CEO Andrew Witty was in a board meeting on Feb. 21 when officials interrupted with the news that Change Healthcare, a clearinghouse UHG subsidiary Optum had purchased for $1.3 billion in October...
5/13/2024
/ Business Associates, Covered Entities, Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Department of Health and Human Services (HHS), Hackers, Health Care Providers, Healthcare, Legislative Agendas, OCR, Patients, Personal Information, Privacy Laws, Regulatory Oversight, Regulatory Requirements
Organizations typically deal with ransomware attacks out of the public eye, but the massive scale of UnitedHealth Group’s (UHG) February breach made that an impossibility. UHG CEO Andrew Witty was recently on the hot...
5/13/2024
/ Breach Notification Rule, Cyber Attacks, Cyber Incident Reporting, Cybersecurity, Data Breach, Data Protection, Data Security, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Healthcare Facilities, Incident Response Plans, Medical Records, Patients, Privacy Laws, Ransomware
Although the HHS Office for Civil Rights (OCR) described its recent $4.75 million agreement with a Bronx, New York, hospital as settling a “malicious insider cybersecurity investigation,” the agency considered a total of 11...
3/12/2024
/ Cyber Attacks, Cybersecurity, Data Breach, Employees, Enforcement Actions, Health Care Providers, Healthcare, HIPAA Security Rule, HIPAA Violations, Hospitals, Internal Investigations, Risk Assessment, Settlement
The Food and Drug Administration (FDA) is seeking strategies from Jeffrey W. Taub, M.D., to prevent future violations of human subject regulations the agency said were documented during site visits in September and October...
1/30/2024
/ AAMC, Cancer, Cybersecurity, Department of Health and Human Services (HHS), Food and Drug Administration (FDA), GAO, Healthcare, Legislative Agendas, Life Sciences, Medical Research, National Institutes of Health (NIH), National Science Foundation, OSTP, Proposed Legislation, Proposed Regulation, Regulatory Requirements, Scientific Research, Technology
If the penultimate enforcement settlement of 2023 issued by the HHS Office for Civil Rights (OCR) sounds familiar, that’s with good reason. And the last one of the year should ring some bells, too...
1/17/2024
/ Amended Rules, Corrective Action Plans (CAPs), Cybersecurity, Department of Health and Human Services (HHS), Employee Training, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, HIPAA Security Rule, HIPAA Violations, OCR, PHI, Policies and Procedures, Proposed Regulation, Regulatory Reform, Right-To-Access, Security Risk Assessments, Settlement
Report on Patient Privacy 23, no. 11 (November, 2023)
Tim DiBona clearly remembers Christmas Eve 2018, when the staff of his small firm, Doctors’ Management Service (DMS), arrived at their West Bridgewater, Mass., office to...
11/10/2023
/ Compliance, Corrective Action Plans (CAPs), Cyber Attacks, Cyber Incident Reporting, Cybersecurity, Data Breach, Data Management, Data Protection, Data Recovery, Electronic Protected Health Information (ePHI), Fines, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, Ransomware, Risk Management
Report on Patient Privacy 23, no. 10 (October, 2023)
By 2016, it should have been clear to HIPAA covered entities that a security risk analysis, and a corresponding risk management plan, were compliance basics. Yet, a new...
10/6/2023
/ Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Disclosure Requirements, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, Privacy Laws, Risk Assessment, Risk Management
Report on Patient Privacy 23, no. 8 (August, 2023)
The allegation was shocking and, if true, would devastate the orthopedic surgeon’s reputation. An online commenter accused him of operating on the wrong arm or...
8/17/2023
/ Cybersecurity, Health Care Providers, Healthcare, Internet, OCR, Online Commentary, Online Reputation, Online Reviews, Privacy Concerns, Reputation Management, Reputational Injury, Retaliation, Slander
NIH is unable to “ensure grants have appropriate cybersecurity provisions” and should make nearly a half-dozen changes, according to auditors for the HHS Office of Inspector General (OIG). Yet, NIH said it had already made...
Report on Patient Privacy 22, no. 8 (August, 2022)
Oklahoma State University Center for Health Sciences’ (OSUCHS) breach might not have seemed all that serious at the time: No data is believed to have been misused,...
8/16/2022
/ Breach Notification Rule, Corrective Action Plans (CAPs), Cybersecurity, Data Breach, Data Breach Costs, Data Privacy, Data Security, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Violations, Medical Centers, OCR, Settlement Agreements
Report on Patient Privacy 22, no. 6 (June, 2022)
Sometimes numbers tell the most compelling story. So, here are some associated with a cyberattack the University of Vermont (UVM) Medical Center suffered in October 2020...
Report on Patient Privacy 22, no. 5 (May, 2022)
Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and...
5/6/2022
/ Business Associates, Civil Monetary Penalty, Corrective Action Plans (CAPs), Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Department of Health and Human Services (HHS), Enforcement Actions, Fines, Funding, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Violations, HITECH Act, Injunctive Relief, OCR, PHI, Privacy Laws
Report on Patient Privacy 22, no. 3 (March, 2022)
Typically a “legacy” describes the lasting impact of an influential person or movement, most often in a positive sense. Not so with medical devices. When legacy is applied...
3/14/2022
/ Cyber Attacks, Cyber Threats, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Health Technology, Hospitals, Incident Response Plans, Medical Devices, PHI, Physicians
Report on Patient Privacy 22, no. 2 (February, 2022)
The new national health information network calls for a number of privacy and security safeguards and standards that, in some instances, exceed what HIPAA covered...
2/14/2022
/ Audits, Business Associates, Certifications, Covered Entities, Cyber Incident Reporting, Cyber Insurance, Cybersecurity, Data Breach, Data Privacy, Data Security, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Mobile Apps, Notification Requirements, PHI
Report on Patient Privacy 21, no. 12 (December, 2021)
Amid the letters of congratulations to new HHS Office for Civil Rights (OCR) Director Lisa Pino is a plea from the American Hospital Association (AHA): “victims” of...
12/10/2021
/ American Hospital Association, Business Associates, Civil Monetary Penalty, Covered Entities, Cyber Attacks, Cybersecurity, Data Security, Department of Health and Human Services (HHS), HIPAA Security Rule, OCR, Request For Information, Rulemaking Process
Report on Patient Privacy 21, no. 10 (October, 2021)
Conducting a risk analysis is a basic tenet of security compliance, with the overarching goal of understanding where protected health information (PHI) “lives” in an...
10/15/2021
/ Business Associates, China, Covered Entities, Cyber Attacks, Cyber Threats, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Due Diligence, FBI, Hackers, Health Care Providers, National Security, PHI, Physicians, Risk Mitigation
Report on Patient Privacy 21, no. 5 (May, 2021)
Given the hundreds of thousands of HIPAA covered entities (CEs) and business associates (BAs) and the two dozen or so enforcement actions the HHS Office for Civil Rights...
5/7/2021
/ Business Associates, Cooperation, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Security, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Enforcement Actions, Failure to Notify, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Investigations, OCR, PHI
Report on Patient Privacy 20, no. 12 (December 10, 2020)
In late September, Anthem Inc. entered into a $39.5 million settlement for a 2014 data breach that affected nearly 79 million individuals. About a week later,...
12/18/2020
/ Cybersecurity, Data Breach, Data Privacy, Electronic Protected Health Information (ePHI), Enforcement Actions, Hackers, Health Care Providers, Health Insurance, HIPAA Breach, Medical Records, PHI, Settlement, State Attorneys General