Category Archives: HIPAA, HIT and EHR


Navigating HIPAA’s Breach Notification Rule Following A Breach

In light of the ongoing investigation of Change Healthcare’s ransomware attack that resulted in the improper disclosure of thousands of individuals’ PHI, now seems like a perfect time to discuss HIPAA’s requirements surrounding the notification process following a breach. Whether it’s a small breach where someone in your organization accidentally sent a patient’s contact information … Continue Reading

HIPAA Fundamentals for Providers

In March of this year, the Office for Civil Rights of the Department of Health and Human Services issued a letter addressing the recent cybersecurity incident impacting many health care entities, primarily Change Healthcare, a unit of UnitedHealth Group. This incident was a great reminder of the constant vigilance required to … Continue Reading

Proposed HIPAA Changes Intended to “Empower Patients” and “Improve Coordination of Care”

On December 10, 2020, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) jointly announced proposed HIPAA changes intended to “empower patients” and “improve coordination of care”. That’s encouraging, although one would have thought that to be unnecessary by now. HIPAA was enacted in 1996. It is a … Continue Reading

Orthopedic Practice Pays $1.5 Million for HIPAA Damages

Most medical practices view HIPAA compliance as maintaining appropriate documentation regarding patient notices and consents, and controlling access to the PHI within the office; that’s PRIVACY.  Practices tend to forget the technology/security side of HIPAA, which requires maintaining, or reasonably attempting to maintain, secure EHR/IT systems; that’s SECURITY. Athens Orthopedic Clinic PA agreed to pay … Continue Reading

COVID Impact: HIPAA and Privacy

The following are just some random thoughts or curated information regarding the impact the COVID pandemic will have on privacy in general, and health information privacy in particular. I have attached a link to information issued by HHS explaining that, not only are HHS and OCR specifically advising that the release of patient information regarding … Continue Reading

Ambulance Company Pays $65,000 Settlement

On December 30, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $65,000 settlement with West Georgia Ambulance, Inc. for  violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. According to HHS, in 2013 the ambulance company reported a breach … Continue Reading

$3,000,000 Settlement by University of Rochester Medical Center for Numerous HIPAA Violations

On November 5, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement with the University of Rochester Medical Center (“URMC”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules in 2013 and 2017. According to HHS, URMC … Continue Reading

$3,000,000 Settlement for HIPAA Breach by Diagnostic Medical Imaging Company

Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via its FTP server. In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure … Continue Reading

Colorado Hospital Pays $111,400 HIPAA Settlement For Failing To Stop Former Employee From Having Access To Patient Protected Health Information

The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced a $111,400 settlement and substantial corrective action plan for a Colorado hospital whose former employee still had access to electronic patient protected health information (“PHI”). In 2013, Pagosa Springs Medical Center failed to de-activate a former employee’s username and password … Continue Reading

Allergy Practice Pays $125,000 HIPAA Settlement for Disclosing Patient Protected Health Information to Reporter

The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced a $125,000 settlement for a disclosure of patient protected health information (“PHI”) to a reporter. In 2015, a patient of Allergy Associates of Hartford, P.C. (“Allergy Associates”) contacted a local TV station about a dispute that the patient had with … Continue Reading

Hospital Network Reports Large HIPAA Breach

Community Health Systems announced today, August 18th, that hackers broke into its computers and stole data on 4.5 million patients. The information included names, Social Security numbers, physical addresses, birthdays and telephone numbers. More information on the breach is available at http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/index.html … Continue Reading

Physical Therapy Provider Enters into HIPAA Settlement

U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced yet another enforcement action.  Specifically, OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a report that an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center.  The investigation revealed that Concentra had previously recognized in … Continue Reading

Do Windows XP Users Risk HIPAA Non-Compliance?

Microsoft recently announced that, after April 8, 2014, it will no longer provide security updates or technical support for Windows XP. Microsoft’s statement that “businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements” has spurred a certain level of panic among health … Continue Reading

FTC and Accretive Health Settle Unfair Business Practice Complaint Centered on Data Security Measures

Accretive Health recently agreed to settle a Federal Trade Commission (FTC) complaint that stems from a July, 2011 incident in which an Accretive employee’s laptop was stolen from his car. As a medical billing and revenue management services provider, Accretive grants its employees access to “sensitive personal health information” including “patient names, dates of birth, … Continue Reading

HHS Proposed Rule Affects HIPAA Privacy Rule and Background Check Reporting

The Department of Health and Human Services (HHS) has released a proposed rule that would modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by allowing health care providers to make certain disclosures to the National Instant Criminal Background Check System (NICS).  The NICS aims to keep guns from being sold to those … Continue Reading

Dermatology Practice Agrees to Settlement in Connection with HIPAA Breach

A Massachusetts-based dermatology practice recently agreed to pay $150,000 to settle claims that it failed to have sufficient policies and procedures in place to address a breach notification requirement under the HITECH Act.  The investigation was initiated following a report that an unencrypted thumb drive containing electronic protected health information of approximately 2,200 individuals was … Continue Reading

HIPAA Omnibus Rule Compliance: Is Your Practice Ready?

On January 17, 2013, the United States Department of Health and Human Services released a Final Rule, commonly known as the “HIPAA Omnibus Rule,” which included significant changes to the HIPAA compliance requirements for healthcare covered entities, including private practice rehabilitation and medical providers. The compliance date … Continue Reading

CERT event on health information exchanges – June 26, 2013 – Pittsburgh, PA (with live stream and underwritten by HHS)

Contributed by Lee Kim, Esq. The CERT program is having a free all-day event tomorrow (June 26, 2013) in Pittsburgh, PA on security incident management for health information exchanges.  This event is underwritten by the US Department of Health and Human Services. Registration is free, but required.  http://www.cert.org/cybersecurity-hie/.  The event will be live and also … Continue Reading

Healtheway (formerly National Health Information Network – NHIN) Announces its Founding Organizations

Contributed by Lee Kim 412.594.3915 Healtheway was previously known as the National Health Information Network. It is a non-profit public-private partnership and has announced today its nine founding members. These members include the American Medical Association, Epic, Kaiser Permanente, New York eHealth Collaborative, among others. For the full press release, please see http://finance.yahoo.com/news/healtheway-announces-founding-members-groundbreaking-110000367.html.… Continue Reading