Our experienced team views data breach response as a joint effort in partnership with the client where the client’s philosophy, brand and customer base are considered integral in reconciling compliance with the numerous, and often competing, laws and regulations. [...]
HHS ISSUES FINAL BREACH NOTIFICATION RULES – The end of “no harm, no foul”?
Last week the Department of Health and Human Services (HHS) issued its long-awaited “Final Rule” meant to strengthen various HIPAA/HITECH privacy and security rules related to individuals’ health information. The 563 pages of federal regulations contain numerous rule modifications. Notably with respect to the scope of this Blog, there are significant changes to the Breach Notification Rule for protected health information (PHI). When originally issued as an “interim final rule” in … Continue reading
OFFICE OF CIVIL RIGHTS RINGS IN NEW YEAR WITH SIGNIFICANT HIPAA DATA BREACH SETTLEMENT
The HHS’ Office of Civil Rights (OCR) announced today that The Hospice of North Idaho has agreed to pay a $50,000 settlement for violations of the HIPAA Security Rule. OCR made a point of announcing that the settlement is the first one that involves a breach of unprotected PHI affecting fewer than 500 individuals. In … Continue reading
A MASSACHUSETTS HEALTH CARE PROVIDER AGREED TO PAY $1.5 MILLION TO SETTLE A HIPAA PRIVACY VIOLATION
HHS’ Office of Civil Rights announced this week that a Mass. health care provider will pay a $1.5 million settlement to resolve a HIPAA privacy violation. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html. The monetary settlement is part of a resolution agreement and the result of the alleged 2010 theft of a laptop computer that held 3,621 patient records. The … Continue reading
STOLEN LAPTOP LEADS TO HEALTHCARE DATA BREACH INVOLVING 55,000 INDIVIDUALS IN INDIANA
Cancer Care Group (CCG), an Indiana oncology practice, has announced a data breach that affected approximately 55,000 individuals, including patients and employees. CCG has approximately 21 locations within Indiana. CCG reported that a laptop computer bag was stolen from an employee’s locked vehicle on July 19th. The data allegedly stored on the laptop computer … Continue reading
NEW CONNECTICUT DATA BREACH IS A PERFECT EXAMPLE OF DATA SECURITY FAILURES
The Connecticut Attorney General just announced that personal health information and protected health information for over 9,000 Hartford Hospital patients was lost in June. http://www.ct.gov/ag/cwp/view.asp?Q=508726&A=2341. A laptop carried by an EMC subsidiary employee was reportedly stolen. The State AG announced that the unencrypted information on the laptop contained names, addresses, dates of birth, social security … Continue reading
New HIPAA and HITECH Rules… Delayed Again
Despite repeated promises, the new HIPAA and HITECH rules are still not out. While the Department of Health provided the Rules to the White House Office of Management and Budget on March 24, 2012, OMB has asked for additional time to review the omnibus rules. Normally, OMB review is completed in 90 days. With this new delay, final rules seem … Continue reading
HIPAA Audits: Coming to a Provider Near You?
In November, 2011, the Office of Civil Rights began conducting Audits of Covered Entities for compliance with the HIPAA privacy and security rules. These audits followed after Congress took the OCR to task for not effectively enforcing HIPAA. Readers of this Blog may also recall a study performed by OIG which found significant lapses in … Continue reading
HHS Hits Insurer for $1.5 Million
On March 13, 2012 the U.S. Department of Health and Human Services announced that it settled its first enforcement action resulting from a reported HITECH breach. In the settlement, Blue Cross/Blue Shield of Tennessee agreed to pay One Million Five Hundred Thousand Dollars ($1,500,000.00) to resolve potential violations of the HIPAA Privacy and Security Rules. Additionally, … Continue reading
Getting Ready for Private Enforcement: Is a New Form of Quasi-Qui Tam Brewing?
We all know that neither HIPAA nor HITECH create a private right of action against a Covered Entity or a Business Associate. At most, a HIPAA violation may be deemed evidence of a breach in the standard of care. Thus far, HIPAA enforcement is in the hands of the Office of Civil Rights which may … Continue reading
Health Care Data Breaches Significantly Increased in 2011
The Ponemon Institute just released their second annual benchmark study on patient privacy and data security. Not surprisingly, the study demonstrates that data breaches significantly increased in 2011. A number of key points can be found in the study’s findings. One of the more interesting findings was the increased use of unsecured mobile … Continue reading