On December 30, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $65,000 settlement with West Georgia Ambulance, Inc. for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.
According to HHS, in 2013 the ambulance company reported a breach…
On November 7, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $1,600,000 civil money penalty for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.
According to HHS, the Texas Health and Human Services Commission (TX HHSC) “operates state…
On November 5, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement with the University of Rochester Medical Center (“URMC”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules in 2013 and 2017.
According to HHS, URMC…
On October 23, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $2,154,000 civil money penalty for numerous violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016.
According to HHS, Jackson Health System (“JHS”) is a…
Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via its FTP server.
In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure…
The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced an $111,400 settlement and substantial corrective action plan for a Colorado hospital whose former employee still had access to electronic patient protected health information (“PHI”).
In 2013, Pagosa Springs Medical Center failed to de-activate a former employee’s username and password…
HHS has published a very brief guide, in the form of a checklist, to explain the steps for a HIPAA covered entity or business associate to take in response to a cyber related security incident. You can access the checklist at this link:
In September, 2015, OCR and HHS issued a press release announcing a Resolution Agreement with the Cancer Care Group, P.C., which included entry into the agreement, the adoption of a robust compliance plan, and the payment of a $750,000 penalty. The settlement arose out of an incident involving the theft of an employee laptop containing…
Microsoft recently announced that, after April 8, 2014, it will not longer provide security updates or technical support for Windows XP. Microsoft’s statement that “businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements” has spurred a certain level of panic among health…
The Department of Health and Human Services (HHS) has released a proposed rule that would modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by allowing health care providers to make certain disclosures to the National Instant Criminal Background Check System (NICS). The NICS aims to keep guns from being sold to those…
