The Center for Children’s Digestive Health (CCDH), a small, for-profit pediatric subspecialty practice that operates seven clinics in the Chicago area, has paid the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Continue Reading A $31,000 Mistake: Failing To Manage Business Associate Agreements Proves Costly For Providers

Covered entities have a long list of laws and regulations governing their conduct, including their communications with patients, customers, and members. Specifically, the Health Insurance Portability and Accountability Act (“HIPAA”) permits many such communications, including those about health care products and services, but precludes certain “marketing” communications absent written consent. Recently, however, healthcare providers and health plans have been subject to a spate of class actions alleging violations of the Telephone Consumer Protection Act (“TCPA”), which generally precludes autodialed (or “robo”) calls to residential and cellular phones. The TCPA was originally enacted to curtail pesky “telemarketers,” but has recently been used to go after a range of other businesses. The penalties under the TCPA can be substantial – at $500 to $1,500 per phone call, the statutory damages can quickly exceed $100 million.
Continue Reading Do Routine Calls by Health Plans to Patients and Health Plan Members Constitute “Telemarketing” Under the Telephone Consumer Protection Act? Not Today!

The Department of Health & Human Services (DHHS) Office for Civil Rights (OCR) recently announced it will devote more resources to investigate smaller HIPAA breaches. Before this announcement, OCR typically opened investigations for HIPAA breaches affecting more than 500 individuals.
Continue Reading OCR to Focus More Investigative Resources on Smaller HIPAA Breaches with Less Than 500 Individuals Affected

Messaging applications are popular tools to facilitate communication and workflow in healthcare settings—increasingly so as smart phones, tablets and other mobile mediums continue to penetrate the market. Organizations relying on or acquiescing in the use of informal messaging platforms, however, should be aware of the risk for data breaches and other HIPAA liability.
Continue Reading Communications Compliance: Are Messaging Applications Leaving Your Organization Vulnerable to HIPAA Liability?

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009.  An increase in the number of breaches isn’t the only statistic on the rise.  Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463).  It doesn’t take a crystal ball to predict that these numbers in 2015 will continue to rise.  We haven’t reached the apex yet.
Continue Reading What Can You Expect in 2015 Regarding HIPAA Enforcement?

As the Ebola virus has spread to a second city in the United States, and with the potential for additional cities to be affected, many businesses are faced with the difficult task of determining how to properly handle their workforce in the face of such an epidemic.  While there are many concerns employers may have with respect to Ebola and their workforce, this article will focus on six key considerations for employers when managing this, or any other, health epidemic.
Continue Reading Six Considerations For Employers Faced With The Ebola Virus Or Other Infectious Diseases

On July 11, 2013, the U.S. Department of Health and Human Services (HHS) announced that it had reached a $1.7 million resolution agreement with insurer WellPoint Inc., following a security breach that left the personal information of 612,402 individuals exposed and available to unauthorized computer users. Between October 23, 2009, and March 7, 2010, access to protected health information, including the names, dates of birth, addresses, Social Security numbers, and health information of applicants was made vulnerable after a system upgrade failed to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. WellPoint is an Indianapolis-based managed health care insurer that serves approximately 65.3 million individuals through its subsidiaries.
Continue Reading WellPoint, Inc. Reaches $1.7 Million Dollar HIPAA Settlement Continuing the 2012 Trend of Heavy Fines

By Maureen Corcoran

Sweeping changes to the obligations of providers, health plans and their service providers ("business associates") under HIPAA privacy and security rules were included in the American Recovery and Reinvestment Act of 2009. Previously only health plans and providers were covered under HIPAA and subject to the criminal and civil monetary penalties. Effective February 17, 2010, business associates are now directly covered. These new requirements will require amendments to all business associate agreements. Business associates must also draft policies and procedures to implement their obligations under the privacy and security standards. Immediate steps must be taken to prepare for implementation.


Continue Reading HIPAA Statutory Changes Require Action Now by Providers, Plans and Their Business Associates