When Jerry Menikoff retired at the end of 2022 after leading the HHS Office for Human Research Protections (OHRP) for 14 years, he left behind an agency limping along with 20 employees, less than half of what it needed. For...
5/28/2025 / Biden Administration, Compliance, Department of Health and Human Services (HHS), Employees, Enforcement, Federal Funding, Government Agencies, Hiring & Firing, National Institute of Health (NIH), OCR, Office for Human Research Protections (OHRP), Regulatory Oversight, Trump Administration
In October, the HHS Office for Civil Rights (OCR) fined Providence Medical Institute (PMI) $240,000, an amount that reflected a 20% discount for having “recognized security practices” (RSPs) in place. But many more covered...
5/12/2025 / Business Associates, Compliance, Covered Entities, Data Breach, Department of Health and Human Services (HHS), Enforcement Actions, Health Information Technologies, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, HIPAA Security Rule, OCR, Penalties, Privacy Laws, Regulatory Reform, Security and Privacy Controls, Trump Administration
Today, the HHS Office for Civil Rights (OCR) stands shoulder-to-shoulder with the likes of the Office of Inspector General and Office of General Counsel, one of just a dozen or so agencies reporting directly to the secretary....
4/15/2025 / Budget Cuts, Charter Schools, Compliance, Cybersecurity, Data Privacy, Department of Health and Human Services (HHS), Enforcement, Enforcement Actions, Federal Funding, Health Care Providers, Hiring & Firing, Medical School, OCR, Patient Privacy Rights, Patients, Privacy Laws, Regulatory Requirements, Trump Administration
Nearly six years to the day that Warby Parker reported a breach affecting nearly 200,000 individuals, the HHS Office for Civil Rights (OCR) imposed a $1.5 million fine on the eyewear giant. Investigated by OCR under the Biden...
3/12/2025 / Business Associates, Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, PHI, Privacy Laws, Trump Administration
The saga that led Children’s Hospital Colorado to accept a fine of more than $500,000 imposed by the HHS Office for Civil Rights (OCR) began on July 11, 2017, when a physician’s email account containing details on 3,300...
2/7/2025 / Civil Monetary Penalty, Compliance, Cybersecurity, Data Breach, Data Privacy, Department of Health and Human Services (HHS), Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Hospitals, OCR, PHI, Privacy Laws, Risk Management
Recent federal enforcement actions have brought home the lesson that there’s really no acceptable reason for denying a patient timely access to medical records. Last year, for example, the HHS Office for Civil Rights (OCR)...
1/22/2025 / Breach Notification Rule, Compliance, Cybersecurity, Data Breach, Data Privacy, Data Security, Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Information Technology, OCR, Patient Privacy Rights, Privacy Laws, Privacy Rule, Ransomware, State Privacy Laws
It’s not immediately obvious why someone would want to disclose a health care test result as part of a job application. But one such request spurred a Pennsylvania entity to provide a lot more than that: it sent her whole...
12/19/2024 / Breach Notification Rule, Certifications, Chief Compliance Officers, Compliance, Corporate Governance, Corrective Action Plans (CAPs), Data Privacy, Department of Health and Human Services (HHS), Disclosure, Disclosure Requirements, Employer Liability Issues, Fines, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Job Applicants, Medical Records, OCR, Patients, Penalties, PHI, Popular, Privacy Laws, Sensitive Personal Information, Training Requirements, Unlawful Disclosure
Covered entities (CEs) and business associates (BAs) may receive a “discount” for having recognized security practices (RSPs) in place when the HHS Office for Civil Rights (OCR) calculates financial penalties for Security...
11/14/2024 / American Hospital Association, Business Associates, Compliance, Covered Entities, Department of Health and Human Services (HHS), Enforcement Actions, Fines, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, OCR, Personal Information, Privacy Laws, Regulatory Agenda, Regulatory Requirements, Security Rule
Let’s review for a moment.
It’s not a HIPAA violation to be a victim of ransomware.
It’s not a HIPAA violation to pay a ransom.
It’s up to the covered entity (CE) to determine if a security or privacy incident is a...
10/16/2024 / Compliance, Covered Entities, Cyber Attacks, Cyber Incident Reporting, Data Breach, Data Protection, Data Security, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Investigations, OCR, Patients, Popular, Privacy Laws, Ransomware, Regulatory Requirements, Settlement
Unleashed on June 27, 2017, NotPetya caused an estimated $10 billion in damages globally, among the costliest ransomware attacks in history. In 2018, the Trump administration—in tandem with the British government—blamed...
8/21/2024 / Corrective Action Plans (CAPs), Cyber Attacks, Cybersecurity, Data Protection, Electronic Protected Health Information (ePHI), Health Care Providers, Healthcare, HIPAA Security Rule, Malware, OCR, Patients, Privacy Laws, Settlement
Attestations are at the heart of permissible disclosures under the HHS Office for Civil Rights’ (OCR) new reproductive health privacy rule—and OCR wants covered entities (CEs) and business associates (BAs) to use them now. The...
7/16/2024 / Attestation Requirements, Breach Notification Rule, Covered Entities, Data Privacy, Department of Health and Human Services (HHS), Disclosure, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Labeling, OCR, Patient Privacy Rights, Patients, PHI, Privacy Laws
United Healthcare Group (UHG) CEO Andrew Witty was in a board meeting on Feb. 21 when officials interrupted with the news that Change Healthcare—a clearinghouse UHG subsidiary Optum had purchased for $1.3 billion in October...
5/13/2024 / Business Associates, Covered Entities, Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Department of Health and Human Services (HHS), Hackers, Health Care Providers, Healthcare, Legislative Agendas, OCR, Patients, Personal Information, Popular, Privacy Laws, Regulatory Oversight, Regulatory Requirements
The Association of American Universities (AAU) and the Council on Governmental Relations (COGR) are among a handful of groups “urging the Biden administration to rescind a policy proposal that would threaten the American...
2/26/2024 / Auditors, Audits, Bayh-Dole Act, Biden Administration, Compliance, Corrective Action Plans (CAPs), Department of Health and Human Services (HHS), Environmental Protection Agency (EPA), Innovation Patent, Inventions, Inventors, Medical Records, National Security Agency (NSA), NIST, OCR, OIG, Patents, Personal Data, Rescission, Research and Development, Settlement, Technology Sector, Universities
The HHS Office for Civil Rights (OCR) and other government agencies aren’t just worried that providers understand—and mitigate—the privacy and security risks of telehealth.
In fact, in 2022, the Government Accountability...
2/9/2024 / Centers for Medicare & Medicaid Services (CMS), Compliance, Cyber Threats, Data Protection, Data Security, Department of Health and Human Services (HHS), GAO, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, OCR, PHI, Privacy Laws, Risk Assessment, Risk Management, Risk Mitigation, Telehealth
If the penultimate enforcement settlement of 2023 issued by the HHS Office for Civil Rights (OCR) sounds familiar, that’s with good reason. And the last one of the year should ring some bells, too....
1/17/2024 / Amended Rules, Corrective Action Plans (CAPs), Cybersecurity, Department of Health and Human Services (HHS), Employee Training, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, HIPAA Security Rule, HIPAA Violations, OCR, PHI, Policies and Procedures, Proposed Regulation, Regulatory Reform, Right-To-Access, Security Risk Assessments, Settlement
Report on Patient Privacy 23, no. 12 (December 2023)
Spring 2020 was a terrifying period in the annals of COVID-19, and New York was at the epicenter. COVID-19 cases, and deaths, already the highest in the nation, were...
12/8/2023 / Coronavirus/COVID-19, Corrective Action Plans (CAPs), Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Care Providers, HIPAA Privacy Rule, HIPAA Violations, Hospitals, Media, OCR, Patients, Personal Information, Photographs, Prior Authorization, Privacy Laws, Public Health Emergency, Settlement, Video
Report on Patient Privacy 23, no. 11 (November 2023)
Tim DiBona clearly remembers Christmas Eve 2018 when the staff of his small firm—Doctors’ Management Service (DMS)—arrived at their West Bridgewater, Mass., office to...
11/10/2023 / Compliance, Corrective Action Plans (CAPs), Cyber Attacks, Cyber Incident Reporting, Cybersecurity, Data Breach, Data Management, Data Protection, Data Recovery, Electronic Protected Health Information (ePHI), Fines, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, Popular, Ransomware, Risk Management
Report on Patient Privacy 23, no. 10 (October 2023)
By 2016, it should have been clear to HIPAA covered entities that a security risk analysis—and corresponding risk management plan—were compliance basics. Yet, a new...
10/6/2023 / Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Disclosure Requirements, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, Privacy Laws, Risk Assessment, Risk Management
Start with a records request. Add a seven months’ wait. Stir in the chaos of the pandemic, with most employees working from home. Blend in a perhaps-neglected post office box. Bake for two-and-a-half years....
Report on Patient Privacy Volume 23, no. 8 (August 2023)
The allegation was shocking and, if true, would devastate the orthopedic surgeon’s reputation.
An online commenter accused him of operating on the wrong arm or...
8/17/2023 / Cybersecurity, Health Care Providers, Healthcare, Internet, OCR, Online Commentary, Online Reputation, Online Reviews, Privacy Concerns, Reputation Management, Reputational Injury, Retaliation, Slander
Report on Patient Privacy Volume 23, no. 7 (July 2023)
In two public talks this spring, Melanie Fontes Rainer, director of the HHS Office for Civil Rights (OCR), said completing the 2021 proposed regulation extensively...
7/17/2023 / Data Privacy, Data Protection, Department of Health and Human Services (HHS), Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Healthcare Reform, HIPAA Privacy Rule, HIPAA Violations, Information Blocking Rules, Information Technology, Investigations, OCR, Penalties, Proposed Regulation, Regulatory Requirements
Five Years After ‘a Singular Human Error,’ Two Breach Notices, Revenue Firm Settles With OCR
As far as settlements for alleged HIPAA violations go, a recent agreement announced by the HHS Office for Civil Rights (OCR)...
6/9/2023 / Data Breach, Data Security, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), File Transfer Protocols (FTP), Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, OCR, PHI, Risk Assessment, Settlement, State Data Breach Notification Statutes, Subcontractors
HIPAA covered entities (CEs) longing for the opportunity to dispense with what some would call the more nettlesome aspects of notices of privacy practices (NPPs) will just have to be patient. For how long, no one is saying....
5/12/2023 / Covered Entities, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Reform, HIPAA Privacy Rule, OCR, Patient Privacy Rights, PHI, Proposed Amendments, Proposed Rules, Reproductive Healthcare Issues
Report on Research Compliance Volume 20, Number 3 (February 23, 2023)
The Office of Management and Budget (OMB) is planning to revise the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for...
2/27/2023 / Audits, Build America Investment Initiative, Buy American Act, Compliance, Corrective Actions, Department of Health and Human Services (HHS), GAO, Hackers, Health Technology, HIPAA Breach, HIPAA Privacy Rule, Infrastructure, National Institute of Health (NIH), National Science Foundation, OCR, OIG, OMB, PHI, Proposed Rules, Repayment Options, Request For Information, Uniformity
Report on Patient Privacy Volume 22, Number 11 (November 2022)
Nearly five years passed from the time the University of Texas MD Anderson Cancer Center reported to the HHS Office for Civil Rights (OCR) that three...
11/14/2022 / Administrative Law Judge (ALJ), Civil Monetary Penalty, Data Breach, Data Privacy, Department of Health and Human Services (HHS), Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, HITECH Act, OCR, Patient Privacy Rights, PHI, Statutory Penalties