Nearly six years to the day that Warby Parker reported a breach affecting nearly 200,000 individuals, the HHS Office for Civil Rights (OCR) imposed a $1.5 million fine on the eyewear giant. Investigated by OCR under the Biden...
3/12/2025 / Business Associates, Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, PHI, Privacy Laws, Trump Administration
The saga that led Children’s Hospital Colorado to accept a fine of more than $500,000 imposed by the HHS Office for Civil Rights (OCR) began on July 11, 2017, when a physician’s email account containing details on 3,300...
2/7/2025 / Civil Monetary Penalty, Compliance, Cybersecurity, Data Breach, Data Privacy, Department of Health and Human Services (HHS), Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Hospitals, OCR, PHI, Privacy Laws, Risk Management
It’s not immediately obvious why someone would want to disclose a health care test result as part of a job application. But one such request spurred a Pennsylvania entity to provide a lot more than that: it sent her whole...
12/19/2024 / Breach Notification Rule, Certifications, Chief Compliance Officers, Compliance, Corporate Governance, Corrective Action Plans (CAPs), Data Privacy, Department of Health and Human Services (HHS), Disclosure, Disclosure Requirements, Employer Liability Issues, Fines, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Job Applicants, Medical Records, OCR, Patients, Penalties, PHI, Popular, Privacy Laws, Sensitive Personal Information, Training Requirements, Unlawful Disclosure
Attestations are at the heart of permissible disclosures under the HHS Office for Civil Rights’ (OCR) new reproductive health privacy rule—and OCR wants covered entities (CEs) and business associates (BA) to use them now. The...
7/16/2024 / Attestation Requirements, Breach Notification Rule, Covered Entities, Data Privacy, Department of Health and Human Services (HHS), Disclosure, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Labeling, OCR, Patient Privacy Rights, Patients, PHI, Privacy Laws
The HHS Office for Civil Rights (OCR) and other government agencies aren’t just worried that providers understand—and mitigate—the privacy and security risks of telehealth. In fact, in 2022, the Government Accountability...
2/9/2024 / Centers for Medicare & Medicaid Services (CMS), Compliance, Cyber Threats, Data Protection, Data Security, Department of Health and Human Services (HHS), GAO, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, OCR, PHI, Privacy Laws, Risk Assessment, Risk Management, Risk Mitigation, Telehealth
If the penultimate enforcement settlement of 2023 issued by the HHS Office for Civil Rights (OCR) sounds familiar, that’s with good reason. And the last one of the year should ring some bells, too....
1/17/2024 / Amended Rules, Corrective Action Plans (CAPs), Cybersecurity, Department of Health and Human Services (HHS), Employee Training, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, HIPAA Security Rule, HIPAA Violations, OCR, PHI, Policies and Procedures, Proposed Regulation, Regulatory Reform, Right-To-Access, Security Risk Assessments, Settlement
Five Years After ‘a Singular Human Error,’ Two Breach Notices, Revenue Firm Settles With OCR -
As far as settlements for alleged HIPAA violations go, a recent agreement announced by the HHS Office for Civil Rights (OCR)...
6/9/2023 / Data Breach, Data Security, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), File Transfer Protocols (FTP), Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, OCR, PHI, Risk Assessment, Settlement, State Data Breach Notification Statutes, Subcontractors
HIPAA covered entities (CEs) longing for the opportunity to dispense with what some would call the more nettlesome aspects of notices of privacy practices (NPPs) will just have to be patient. For how long, no one is saying....
5/12/2023 / Covered Entities, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Reform, HIPAA Privacy Rule, OCR, Patient Privacy Rights, PHI, Proposed Amendments, Proposed Rules, Reproductive Healthcare Issues
Report on Research Compliance Volume 20, Number 3. February 23, 2023 -
The Office of Management and Budget (OMB) is planning to revise the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for...
2/27/2023 / Audits, Build America Investment Initiative, Buy American Act, Compliance, Corrective Actions, Department of Health and Human Services (HHS), GAO, Hackers, Health Technology, HIPAA Breach, HIPAA Privacy Rule, Infrastructure, National Institute of Health (NIH), National Science Foundation, OCR, OIG, OMB, PHI, Proposed Rules, Repayment Options, Request For Information, Uniformity
Report on Patient Privacy Volume 23, no 2 (February 2023)
When Micky Tripathi’s mom was recently transferred to a rehab facility to recover from a broken hip, the hospital, “right in front of me…printed off her record,...
2/16/2023 / Compliance, Data Privacy, Data Security, Data Storage, Department of Health and Human Services (HHS), Digital Health, Electronic Medical Records, Enforcement, Final Rules, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Facilities, Hospitals, ONC, PHI, Regulatory Agenda
Report on Patient Privacy Volume 22, Number 11. (November 2022)
Nearly five years passed from the time the University of Texas MD Anderson Cancer Center reported to the HHS Office for Civil Rights (OCR) that three...
11/14/2022 / Administrative Law Judge (ALJ), Civil Monetary Penalty, Data Breach, Data Privacy, Department of Health and Human Services (HHS), Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, HITECH Act, OCR, Patient Privacy Rights, PHI, Statutory Penalties
Report on Patient Privacy 22, no. 10 (October, 2022) -
How about free?
Patients daily face the machinations of getting records from their providers, and health care practices, hospitals and even dentists struggle with...
10/10/2022 / Corrective Action Plans (CAPs), Covered Entities, Dentists, Department of Health and Human Services (HHS), Enforcement Actions, Excessive Fees, Health Care Providers, HIPAA Violations, Medical Records, OCR, PHI, Settlement Agreements
Report on Patient Privacy 22, no. 9 (September, 2022) -
When recommending best practices, federal privacy and security officials stress that organizations need to follow their protected health information (PHI) wherever...
9/12/2022 / Business Associates, Corrective Action Plans (CAPs), Covered Entities, Data Breach, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Improper Disposal, OCR, PHI, Settlement Agreements
Report on Patient Privacy 22, no. 5 (May, 2022) -
Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and...
5/6/2022 / Business Associates, Civil Monetary Penalty, Corrective Action Plans (CAPs), Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Department of Health and Human Services (HHS), Enforcement Actions, Fines, Funding, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Violations, HITECH Act, Injunctive Relief, OCR, PHI, Popular, Privacy Laws
Report on Patient Privacy 22, no. 4 (April, 2022) -
By many measures, David Northcutt’s unsuccessful 2018 bid for the Alabama senate was a costly one. Northcutt, a dentist, loaned his campaign $73,000 throughout the...
4/8/2022 / Breach Notification Rule, Business Associates, Corrective Action Plans (CAPs), Covered Entities, Dentists, Email, Enforcement Actions, HIPAA Privacy Rule, HIPAA Violations, OCR, Online Reviews, PHI, Policies and Procedures, Political Campaigns, Privacy Rule, Security Rule
Report on Patient Privacy 22, no. 3 (March, 2022) -
Typically a “legacy” describes the lasting impact of an influential person or movement, most often in a positive sense. Not so with medical devices. When legacy is applied...
3/14/2022 / Cyber Attacks, Cyber Threats, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Health Technology, Hospitals, Incident Response Plans, Medical Devices, PHI, Physicians, Popular
Report on Patient Privacy 22, no. 2 (February, 2022) -
The new national health information network calls for a number of privacy and security safeguards and standards that, in some instances, exceed what HIPAA covered...
2/14/2022 / Audits, Business Associates, Certifications, Covered Entities, Cyber Incident Reporting, Cyber Insurance, Cybersecurity, Data Breach, Data Privacy, Data Security, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Mobile Apps, Notification Requirements, PHI, Popular
Report on Patient Privacy 21, no. 10 (October, 2021) -
Conducting a risk analysis is a basic tenet of security compliance, with the overarching goal of understanding where protected health information (PHI) “lives” in an...
10/15/2021 / Business Associates, China, Covered Entities, Cyber Attacks, Cyber Threats, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Due Diligence, FBI, Hackers, Health Care Providers, National Security, PHI, Physicians, Risk Mitigation
Report on Patient Privacy 21, no. 7 (July, 2021) -
...These heartfelt comments are among those submitted to the HHS Office for Civil Rights (OCR) in response to its January notice of proposed rulemaking (NPRM), which...
7/9/2021 / Caregivers, Covered Entities, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Mental Health, Notice of Proposed Rulemaking (NOPR), OCR, PHI, Physicians, Public Comment, Substance Abuse
Report on Patient Privacy 21, no. 5 (May 2021) -
Given the hundreds of thousands of HIPAA covered entities (CEs) and business associates (BAs) and the two dozen or so enforcement actions the HHS Office for Civil Rights...
5/7/2021 / Business Associates, Cooperation, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Security, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Enforcement Actions, Failure to Notify, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Investigations, OCR, PHI, Popular
Report on Patient Privacy 21, no. 3 (March 2021) -
Sometime during the fall, a worker for a subcontractor of Humana Inc. decided to share actual member information from medical records via a Google document with people he...
3/25/2021 / Business Associates, Business Associates Agreement (BAA), Compliance, Covered Entities, Data Breach, Data Protection, Department of Health and Human Services (HHS), Health Insurance Portability and Accountability Act (HIPAA), Medical Records, Notice Requirements, OCR, Patient Privacy Rights, PHI, Subcontractors
Report on Patient Privacy 20, no. 12 (December 10, 2020) -
In late September, Anthem Inc. entered into a $39.5 million settlement for a 2014 data breach that affected nearly 79 million individuals. About a week later,...
12/18/2020 / Cybersecurity, Data Breach, Data Privacy, Electronic Protected Health Information (ePHI), Enforcement Actions, Hackers, Health Care Providers, Health Insurance, HIPAA Breach, Medical Records, PHI, Settlement, State Attorneys General
Report on Patient Privacy 20, no. 11 (November 2020) -
In her 14-plus years of investigating and blogging about hacking and breaches, “Dissent” has been yelled at, threatened with lawsuits and accused of being a criminal....
11/10/2020 / Criminal Liability, Cyber Attacks, Cyber Crimes, Cyber Incident Reporting, Cyber Threats, Cybersecurity, Data Breach, Data Breach Plans, Data Privacy, Data Protection, Data Security, Electronic Protected Health Information (ePHI), Hackers, HIPAA Breach, OCR, Personally Identifiable Information, PHI, Phishing Scams, Popular, Ransomware
Report on Patient Privacy 20, no. 10 (October 2020) -
September was quite the month for enforcement actions by the HHS Office for Civil Rights (OCR). The agency announced eight settlements totaling more than $10 million....
10/16/2020 / Business Associates, Compliance, Corrective Action Plans (CAPs), Covered Entities, Data Breach, De-Identified Protected Health Information, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Hackers, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), OCR, PHI, Settlement
Report on Patient Privacy 20, no. 7 (July 2020) -
During the first six months of this year, 228 breaches affecting 500 or more individuals were reported to the HHS Office for Civil Rights (OCR), and of the top 20, five...