Will HHS’ approach for imposing penalties in the aftermath of a data breach become a little clearer in 2021? This is a distinct possibility in the wake of a Fifth Circuit decision vacating penalties against MD Anderson Cancer Center. The hospital suffered three data breaches, leading HHS to impose over $4 million in civil penalties. That fine was reversed recently by the Fifth Circuit as arbitrary, capricious, and contrary to law.
Continue Reading What Does the Fifth Circuit’s Vacating of HHS HIPAA Fines Mean for Companies This Year?

On April 2, 2020, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) announced a Notification of Enforcement Discretion to allow certain uses and disclosures of Protected Health Information (“PHI”) by HIPAA business associates during the COVID-19 public health emergency. Understanding that the CDC, CMS and state and local health departments need quick access to COVID-19 related healthcare data in order to fight the pandemic, HHS decided to grant HIPAA business associates greater freedom to cooperate and exchange COVID-19-related information with public health and oversight agencies.
Continue Reading HHS Further Relaxes HIPAA Regulations Governing Use and Disclosure of Protected Health Information During the COVID-19 Public Health Emergency

According to a December 20, 2019 Report by HIPAA Journal, nearly 39 million health care data breaches had been reported to the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”) by the end of November 2019. This is a staggering number, especially considering that this is more than double what was reported in all of 2018. This appears to be part of an exponentially growing number of breach reports since, as we reported last year, 2018’s breach reports were already three times greater than what was reported in 2017.

This article explores some of the trends that can be attributed to the growing number of breaches and how the OCR has responded to the difficulties experienced by healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).
Continue Reading 2019 Year in Review: Notable Changes in Law, Policy, and Enforcement of HIPAA

According to a February 12, 2019 Press Release from Protenus, a developer of analytics for patient privacy monitoring and compliance, 15,085,302 patient records were breached in 2018 – a startling number made even more startling by the fact that the number of breached patient records in 2018 is three times greater than the number of records breached in 2017.

As evidenced by the Protenus data and information reported by the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”), a growing number of these breaches relate to third-party hacking, ransomware, and related malware incidents (collectively, “Hacking/IT Incidents”). As such, the OCR data shines a bright light on the obvious difficulties experienced by healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).

The following examines representative HIPAA settlements and rulings from 2018, and considers the 2018 breach statistics and the growing security risk associated with Hacking/IT Incidents.
Continue Reading Cybersecurity, Inside Jobs, Outside Jobs, and HIPAA

The Office for Civil Rights (“OCR”) issued a request for information (“RFI”) to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations (the “HIPAA Rules”) that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information (“PHI”).
Continue Reading OCR Seeks Ideas on HIPAA Rule Changes to Promote Value-Based Care and Coordinated Care

This follows the blog article posted November 28, “Connection and Innovation Take Center Stage at the Patient ENGAGE Conference” and is the second feature regarding the MedCity ENGAGE conference Nov. 6-7 in San Diego. Here, we focus on the aspects of the conference that explored the impact of technology on patient engagement, from wearables to DNA sequencing, to apps used by insureds to quit smoking while reducing insurance premiums in the process.
Continue Reading Patient Empowerment Through Technology is Focus of ENGAGE Conference

The following article was originally posted to the Eye on Privacy Blog on July 5, 2018

A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific incidents related to the theft of an unencrypted laptop and the loss of unencrypted USB flash drives, both of which contained electronic personal health information.
Continue Reading Texas Hospital Ordered to Pay $4.3M for Failure to Implement its HIPAA Security Policies

This is not a drill.

Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen displaying a countdown timer and a demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. Hospitals and healthcare entities in the UK and elsewhere were particularly hard hit and continue struggling to recover, with doctors around the world blocked from access to patient files and multiple emergency room and even entire-hospital shut-downs. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption costs to businesses are expected to range from the hundreds of millions to the billions of dollars.
Continue Reading WannaCry Ransomware Alert

The Center for Children’s Digestive Health (CCDH), a small, for-profit pediatric subspecialty practice that operates seven clinics in the Chicago area, has paid the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Continue Reading A $31,000 Mistake: Failing To Manage Business Associate Agreements Proves Costly For Providers

Covered entities have a long list of laws and regulations governing their conduct, including their communications with patients, customers, and members. Specifically, the Health Insurance Portability and Accountability Act (“HIPAA”) permits many such communications, including those about health care products and services, but precludes certain “marketing” communications absent written consent. Recently, however, healthcare providers and health plans have been subject to a spate of class actions alleging violations of the Telephone Consumer Protection Act (“TCPA”), which generally precludes autodialed (or “robo”) calls to residential and cellular phones. The TCPA was originally enacted to curtail pesky “telemarketers,” but has recently been used to go after a range of other businesses. The penalties under the TCPA can be substantial – at $500 to $1,500 per phone call, the statutory damages can quickly exceed $100 million.
Continue Reading Do Routine Calls by Health Plans to Patients and Health Plan Members Constitute “Telemarketing” Under the Telephone Consumer Protection Act? Not Today!

The Department of Health & Human Services (DHHS) Office of Civil Rights (OCR) recently announced it will devote more resources to investigate smaller HIPAA breaches. Before this announcement, OCR typically opened investigations for HIPAA breaches affecting more than 500 individuals.
Continue Reading OCR to Focus More Investigative Resources on Smaller HIPAA Breaches with Less Than 500 Individuals Affected