Unleashed on June 27, 2017, NotPetya caused an estimated $10 billion in damages globally, among the costliest ransomware attacks in history. In 2018, the Trump administration—in tandem with the British government—blamed...
8/21/2024 / Corrective Action Plans (CAPs), Cyber Attacks, Cybersecurity, Data Protection, Electronic Protected Health Information (ePHI), Health Care Providers, Healthcare, HIPAA Security Rule, Malware, OCR, Patients, Privacy Laws, Settlement
Attestations are at the heart of permissible disclosures under the HHS Office for Civil Rights’ (OCR) new reproductive health privacy rule—and OCR wants covered entities (CEs) and business associates (BA) to use them now. The...
7/16/2024 / Attestation Requirements, Breach Notification Rule, Covered Entities, Data Privacy, Department of Health and Human Services (HHS), Disclosure, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Labeling, OCR, Patient Privacy Rights, Patients, PHI, Privacy Laws
United Healthcare Group (UHG) CEO Andrew Witty was in a board meeting on Feb. 21 when officials interrupted with the news that Change Healthcare—a clearinghouse UHG subsidiary Optum had purchased for $1.3 billion in October...
5/13/2024 / Business Associates, Covered Entities, Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Department of Health and Human Services (HHS), Hackers, Health Care Providers, Healthcare, Legislative Agendas, OCR, Patients, Personal Information, Popular, Privacy Laws, Regulatory Oversight, Regulatory Requirements
The Association of American Universities (AAU) and the Council on Governmental Relations (COGR) are among a handful of groups “urging the Biden administration to rescind a policy proposal that would threaten the American...
2/26/2024 / Auditors, Audits, Bayh-Dole Act, Biden Administration, Compliance, Corrective Action Plans (CAPs), Department of Health and Human Services (HHS), Environmental Protection Agency (EPA), Innovation Patent, Inventions, Inventors, Medical Records, National Security Agency (NSA), NIST, OCR, OIG, Patents, Personal Data, Rescission, Research and Development, Settlement, Technology Sector, Universities
The HHS Office for Civil Rights (OCR) and other government agencies aren’t just worried that providers understand—and mitigate—the privacy and security risks of telehealth.
In fact, in 2022, the Government Accountability...
2/9/2024 / Centers for Medicare & Medicaid Services (CMS), Compliance, Cyber Threats, Data Protection, Data Security, Department of Health and Human Services (HHS), GAO, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, OCR, PHI, Privacy Laws, Risk Assessment, Risk Management, Risk Mitigation, Telehealth
If the penultimate enforcement settlement of 2023 issued by the HHS Office for Civil Rights (OCR) sounds familiar, that’s with good reason. And the last one of the year should ring some bells, too....
1/17/2024 / Amended Rules, Corrective Action Plans (CAPs), Cybersecurity, Department of Health and Human Services (HHS), Employee Training, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, HIPAA Security Rule, HIPAA Violations, OCR, PHI, Policies and Procedures, Proposed Regulation, Regulatory Reform, Right-To-Access, Security Risk Assessments, Settlement
Report on Patient Privacy 23, no. 12 (December, 2023)
Spring 2020 was a terrifying period in the annals of COVID-19, and New York was at the epicenter. COVID-19 cases, and deaths, already the highest in the nation, were...
12/8/2023 / Coronavirus/COVID-19, Corrective Action Plans (CAPs), Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Care Providers, HIPAA Privacy Rule, HIPAA Violations, Hospitals, Media, OCR, Patients, Personal Information, Photographs, Prior Authorization, Privacy Laws, Public Health Emergency, Settlement, Video
Report on Patient Privacy 23, no. 11 (November, 2023)
Tim DiBona clearly remembers Christmas Eve 2018 when the staff of his small firm—Doctors’ Management Service (DMS)—arrived at their West Bridgewater, Mass., office to...
11/10/2023 / Compliance, Corrective Action Plans (CAPs), Cyber Attacks, Cyber Incident Reporting, Cybersecurity, Data Breach, Data Management, Data Protection, Data Recovery, Electronic Protected Health Information (ePHI), Fines, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, Popular, Ransomware, Risk Management
Report on Patient Privacy 23, no. 10 (October, 2023)
By 2016, it should have been clear to HIPAA covered entities that a security risk analysis—and corresponding risk management plan—were compliance basics. Yet, a new...
10/6/2023 / Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Disclosure Requirements, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, Privacy Laws, Risk Assessment, Risk Management
Start with a records request. Add a seven months’ wait. Stir in the chaos of the pandemic, with most employees working from home. Blend in a perhaps-neglected post office box. Bake for two-and-a-half years....
Report on Patient Privacy Volume 23, no 8 (August 2023)
The allegation was shocking and, if true, would devastate the orthopedic surgeon’s reputation.
An online commenter accused him of operating on the wrong arm or...
8/17/2023 / Cybersecurity, Health Care Providers, Healthcare, Internet, OCR, Online Commentary, Online Reputation, Online Reviews, Privacy Concerns, Reputation Management, Reputational Injury, Retaliation, Slander
Report on Patient Privacy Volume 23, no 7 (July 2023)
In two public talks this spring, Melanie Fontes Rainer, director of the HHS Office for Civil Rights (OCR), said completing the 2021 proposed regulation extensively...
7/17/2023 / Data Privacy, Data Protection, Department of Health and Human Services (HHS), Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Healthcare Reform, HIPAA Privacy Rule, HIPAA Violations, Information Blocking Rules, Information Technology, Investigations, OCR, Penalties, Proposed Regulation, Regulatory Requirements
Five Years After ‘a Singular Human Error,’ Two Breach Notices, Revenue Firm Settles With OCR -
As far as settlements for alleged HIPAA violations go, a recent agreement announced by the HHS Office for Civil Rights (OCR)...
6/9/2023 / Data Breach, Data Security, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), File Transfer Protocols (FTP), Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, OCR, PHI, Risk Assessment, Settlement, State Data Breach Notification Statutes, Subcontractors
HIPAA covered entities (CEs) longing for the opportunity to dispense with what some would call the more nettlesome aspects of notices of privacy practices (NPPs) will just have to be patient. For how long, no one is saying....
5/12/2023 / Covered Entities, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Reform, HIPAA Privacy Rule, OCR, Patient Privacy Rights, PHI, Proposed Amendments, Proposed Rules, Reproductive Healthcare Issues
Report on Research Compliance Volume 20, Number 3. February 23, 2023 -
The Office of Management and Budget (OMB) is planning to revise the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for...
2/27/2023 / Audits, Build America Investment Initiative, Buy American Act, Compliance, Corrective Actions, Department of Health and Human Services (HHS), GAO, Hackers, Health Technology, HIPAA Breach, HIPAA Privacy Rule, Infrastructure, National Institute of Health (NIH), National Science Foundation, OCR, OIG, OMB, PHI, Proposed Rules, Repayment Options, Request For Information, Uniformity
Report on Patient Privacy Volume 22, Number 11. (November 2022)
Nearly five years passed from the time the University of Texas MD Anderson Cancer Center reported to the HHS Office for Civil Rights (OCR) that three...
11/14/2022 / Administrative Law Judge (ALJ), Civil Monetary Penalty, Data Breach, Data Privacy, Department of Health and Human Services (HHS), Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, HITECH Act, OCR, Patient Privacy Rights, PHI, Statutory Penalties
Report on Patient Privacy 22, no. 10 (October, 2022) -
How about free?
Patients daily face the machinations of getting records from their providers, and health care practices, hospitals and even dentists struggle with...
10/10/2022 / Corrective Action Plans (CAPs), Covered Entities, Dentists, Department of Health and Human Services (HHS), Enforcement Actions, Excessive Fees, Health Care Providers, HIPAA Violations, Medical Records, OCR, PHI, Settlement Agreements
Report on Patient Privacy 22, no. 9 (September, 2022) -
When recommending best practices, federal privacy and security officials stress that organizations need to follow their protected health information (PHI) wherever...
9/12/2022 / Business Associates, Corrective Action Plans (CAPs), Covered Entities, Data Breach, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Improper Disposal, OCR, PHI, Settlement Agreements
Report on Patient Privacy 22, no. 8 (August, 2022) -
Oklahoma State University Center for Health Sciences’ (OSUCHS) breach might not have seemed all that serious at the time: No data is believed to have been misused,...
8/16/2022 / Breach Notification Rule, Corrective Action Plans (CAPs), Cybersecurity, Data Breach, Data Breach Costs, Data Privacy, Data Security, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Violations, Medical Centers, OCR, Settlement Agreements
Report on Patient Privacy 22, no. 5 (May, 2022) -
Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and...
5/6/2022 / Business Associates, Civil Monetary Penalty, Corrective Action Plans (CAPs), Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Department of Health and Human Services (HHS), Enforcement Actions, Fines, Funding, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Violations, HITECH Act, Injunctive Relief, OCR, PHI, Popular, Privacy Laws
Report on Patient Privacy 22, no. 4 (April, 2022) -
By many measures, David Northcutt’s unsuccessful 2018 bid for the Alabama senate was a costly one. Northcutt, a dentist, loaned his campaign $73,000 throughout the...
4/8/2022 / Breach Notification Rule, Business Associates, Corrective Action Plans (CAPs), Covered Entities, Dentists, Email, Enforcement Actions, HIPAA Privacy Rule, HIPAA Violations, OCR, Online Reviews, PHI, Policies and Procedures, Political Campaigns, Privacy Rule, Security Rule
Report on Patient Privacy 21, no. 12 (December, 2021) -
Amid the letters of congratulations to new HHS Office for Civil Rights (OCR) Director Lisa Pino is a plea from the American Hospital Association (AHA): “victims” of...
12/10/2021 / American Hospital Association, Business Associates, Civil Monetary Penalty, Covered Entities, Cyber Attacks, Cybersecurity, Data Security, Department of Health and Human Services (HHS), HIPAA Security Rule, OCR, Popular, Request For Information, Rulemaking Process
Issue a final rule revising the privacy regulation and write guidance on the information blocking rule. Formalize the fledgling audit program required by Congress more than 10 years ago. Engage with providers and other...
8/13/2021 / 21st Century Cures Act, Audits, Biden Administration, Business Associates, Covered Entities, Data Privacy, Department of Health and Human Services (HHS), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach, HIPAA Violations, Information Blocking Rules, Notice of Proposed Rulemaking (NOPR), OCR, Ransomware
Report on Research Compliance 18, no. 8 (August, 2021) -
NIH is continuing to face pushback and questionable actions by institutions grappling with agency-funded “superstar” principal investigators (PIs) who sexually...
7/23/2021 / Employee Misconduct, Graduate Students, Investigations, National Institute of Health (NIH), Non-Disclosure Agreement, OCR, Peer Review, Proposed Regulation, Sanctions, Scientific Research, Sexual Harassment, Title IX
Report on Patient Privacy 21, no. 7 (July, 2021) -
...These heartfelt comments are among those submitted to the HHS Office for Civil Rights (OCR) in response to its January notice of proposed rulemaking (NPRM), which...
7/9/2021 / Caregivers, Covered Entities, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Mental Health, Notice of Proposed Rulemaking (NOPR), OCR, PHI, Physicians, Public Comment, Substance Abuse