Category Archives: HIPAA, HIT and EHR


$3,000,000 Settlement by University of Rochester Medical Center for Numerous HIPAA Violations

On November 5, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement with the University of Rochester Medical Center (“URMC”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules in 2013 and 2017. According to HHS, URMC … Continue Reading

$3,000,000 Settlement for HIPAA Breach by Diagnostic Medical Imaging Company

Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via an insecure FTP server. In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure … Continue Reading

Colorado Hospital Pays $111,400 HIPAA Settlement For Failing To Stop Former Employee From Having Access To Patient Protected Health Information

The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced a $111,400 settlement and substantial corrective action plan for a Colorado hospital whose former employee still had access to electronic patient protected health information (“PHI”). In 2013, Pagosa Springs Medical Center failed to deactivate a former employee’s username and password … Continue Reading

Allergy Practice Pays $125,000 HIPAA Settlement for Disclosing Patient Protected Health Information to Reporter

The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced a $125,000 settlement for a disclosure of patient protected health information (“PHI”) to a reporter. In 2015, a patient of Allergy Associates of Hartford, P.C. (“Allergy Associates”) contacted a local TV station about a dispute that the patient had with … Continue Reading

Hospital Network Reports Large HIPAA Breach

Community Health Systems announced today, August 18th, that hackers broke into its computers and stole data on 4.5 million patients. The information included names, Social Security numbers, physical addresses, birthdays and telephone numbers. More information on the breach is available at … Continue Reading

Physical Therapy Provider Enters into HIPAA Settlement

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced yet another enforcement action. Specifically, OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a report that an unencrypted laptop was stolen from the Springfield, Missouri Physical Therapy Center. The investigation revealed that Concentra had previously recognized in … Continue Reading

Do Windows XP Users Risk HIPAA Non-Compliance?

Microsoft recently announced that, after April 8, 2014, it will no longer provide security updates or technical support for Windows XP. Microsoft’s statement that “businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements” has spurred a certain level of panic among health … Continue Reading

FTC and Accretive Health Settle Unfair Business Practice Complaint Centered on Data Security Measures

Accretive Health recently agreed to settle a Federal Trade Commission (FTC) complaint that stems from a July 2011 incident in which an Accretive employee’s laptop was stolen from his car. As a medical billing and revenue management services provider, Accretive grants its employees access to “sensitive personal health information” including “patient names, dates of birth, … Continue Reading

HHS Proposed Rule Affects HIPAA Privacy Rule and Background Check Reporting

The Department of Health and Human Services (HHS) has released a proposed rule that would modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by allowing health care providers to make certain disclosures to the National Instant Criminal Background Check System (NICS). The NICS aims to keep guns from being sold to those … Continue Reading

Dermatology Practice Agrees to Settlement in Connection with HIPAA Breach

A Massachusetts-based dermatology practice recently agreed to pay $150,000 to settle claims that it failed to have sufficient policies and procedures in place to address a breach notification requirement under the HITECH Act. The investigation was initiated following a report that an unencrypted thumb drive containing electronic protected health information of approximately 2,200 individuals was … Continue Reading

HIPAA Omnibus Rule Compliance: Is Your Practice Ready?

On January 17, 2013, the United States Department of Health and Human Services released a Final Rule, commonly known as the “HIPAA Omnibus Rule,” which included significant changes to the HIPAA compliance requirements for healthcare covered entities, including private practice rehabilitation and medical providers. The compliance date … Continue Reading

CERT event on health information exchanges – June 26, 2013 – Pittsburgh, PA (with live stream and underwritten by HHS)

Contributed by Lee Kim, Esq. The CERT program is having a free all-day event tomorrow (June 26, 2013) in Pittsburgh, PA on security incident management for health information exchanges. This event is underwritten by the US Department of Health and Human Services. Registration is free, but required. The event will be live and also … Continue Reading

Healtheway (formerly Nationwide Health Information Network – NHIN) Announces its Founding Organizations

Contributed by Lee Kim 412.594.3915 Healtheway was previously known as the Nationwide Health Information Network. It is a non-profit public-private partnership and has announced today its nine founding members. These members include the American Medical Association, Epic, Kaiser Permanente, New York eHealth Collaborative, among others. For the full press release, please see … Continue Reading

Health information security and healthcare technology

Lee Kim has been selected to the HIMSS Privacy and Security Committee for this coming fiscal year. In addition, she recently gave a talk on mobile healthcare information security on May 30, 2013 at the SANS Mobile Device Security Summit. A review of her talk (and those of others) can be found here: Lee will … Continue Reading

The Health IT Legal Landscape: Policy Changes and Practical Examples in a post-Omnibus Privacy Rule World

Lee Kim will be speaking at the Government Health IT Conference on June 11-12, 2013 in Washington, D.C., addressing changes due to the Omnibus Privacy Rule. Privacy and security requirements for health data can be complex and intimidating. HIPAA and HITECH, and now the January 2013 release of the HIPAA Omnibus Rule, have a very practical … Continue Reading

Negotiating an Electronic Health Record Agreement: A Marriage Between Healthcare and Technology

Lee Kim will be giving a webinar on negotiating electronic health record agreements on Thursday, June 20, 2013. EHRs are increasingly outsourced services provided by specialty vendors who can take advantage of economies of scale and concentrated expertise. But this means that mission-critical health care functions are more dependent on complex systems the provider does not … Continue Reading

mHealth’s Impact: The Most Rapid Transformation in Healthcare Today

Lee Kim will be presenting a webinar for HIMSS on May 22nd entitled, "Regulation and Innovation in mHealth: What You Need to Know to Successfully Play in the mHealth Space" as part of the HIMSS Virtual Forum on mHealth’s Impact: The Most Rapid Transformation in Healthcare Today. A summary of the presentation can be accessed here: … Continue Reading

Proposed Rules Relating to Donated EHR Software and Certain Related Items and Services to Physicians

CMS and the Office of Inspector General at HHS (OIG) have each published proposed rules to extend the sunset dates for the Stark exception and the anti-kickback statute safe harbor permitting donations of EHR software and certain related items and services to physicians. These provisions are set to expire on December 31, 2013. Both agencies have proposed almost … Continue Reading

Two New Federal Policy Documents on Critical Infrastructure Protection

Contributed by Lee Kim, Esq. 412.594.3915 The White House released two documents on February 12th related to critical infrastructure protection and cybersecurity: Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience (PPD-21), which replaces Homeland Security Presidential Directive 7 (HSPD-7), the directive that previously served as the policy basis for the national critical infrastructure protection enterprise. … Continue Reading