The following article was originally posted to the Eye on Privacy Blog on July 5, 2018

A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific incidents related to the theft of an unencrypted laptop and the loss of unencrypted USB flash drives, both of which contained electronic personal health information.
Continue Reading Texas Hospital Order to Pay $4.3M for Failure to Implement its HIPAA Security Policies

This is not a drill.

Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. Hospitals and healthcare entities in the UK and elsewhere were particularly hard hit and continue struggling to recover, with doctors around the world blocked from access to patient files and multiple emergency room and even entire-hospital shut-downs. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption costs to businesses is expected to range from the hundreds of millions to the billions of dollars.
Continue Reading WannaCry Ransomware Alert

The Center for Children’s Digestive Health (CCDH), a small, for-profit pediatric subspecialty practice that operates seven clinics in the Chicago area, has paid the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Continue Reading A $31,000 Mistake: Failing To Manage Business Associate Agreements Proves Costly For Providers

Covered entities have a long list of laws and regulations governing their conduct, including their communications with patients, customers, and members.  Specifically, the Health Insurance Portability and Accountability Act (“HIPAA”) permits many such communications, including those about health care products and services, but precludes certain “marketing” communications absent written consent.  Recently, however, healthcare providers and health plans have been subject to a spate of class actions alleging violations of the Telephone Consumer Protection Act (“TCPA”), which generally precludes autodialed (or “robo”) calls to residential and cellular phones.  The TCPA was originally enacted to curtail pesky “telemarketers,” but has recently been used to go after a range of other business.  The penalties under the TCPA can be substantial – at $500 to $1,500 per phone call, the statutory damages can quickly exceed $100 million.
Continue Reading Do Routine Calls by Health Plans to Patients and Health Plan Members Constitute “Telemarketing” Under the Telephone Consumer Protection Act? Not Today!

The Department of Health & Human Services (DHHS) Office of Civil Rights (OCR) recently announced it will devote more resources to investigate smaller HIPAA breaches. Before this announcement, OCR typically opened investigations for HIPAA breaches affecting more than 500 individuals.
Continue Reading OCR to Focus More Investigative Resources on Smaller HIPAA Breaches with Less Than 500 Individuals Affected

Messaging applications are popular tools to facilitate communication and workflow in healthcare settings—increasingly so as smart phones, tablets and other mobile mediums continue to penetrate the market. Organizations relying on or acquiescing in the use of informal messaging platforms, however, should be aware of the risk for data breaches and other HIPAA liability.
Continue Reading Communications Compliance: Are Messaging Applications Leaving Your Organization Vulnerable to HIPAA Liability?

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009.  An increase in the number of breaches isn’t the only statistic on the rise.  Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463).  It doesn’t take a crystal ball to predict that these numbers in 2015 will continue to rise.  We haven’t reached the apex yet.
Continue Reading What Can You Expect in 2015 Regarding HIPAA Enforcement?

As the Ebola virus has spread to a second city in the United States, and with the potential for additional cities to be affected, many businesses are faced with the difficult task of determining how to properly handle their workforce in the face of such an epidemic.  While there are many concerns employers may have with respect to Ebola and their workforce, this article will focus on six key considerations for employers when managing this, or any other, health epidemic.
Continue Reading Six Considerations For Employers Faced With The Ebola Virus Or Other Infectious Diseases

On July 11, 2013, the U.S. Department of Health and Human Services (HHS) announced that it had reached a $1.7 million dollar resolution agreement with insurer WellPoint Inc., following a security breach that left the personal information of 612,402 individuals exposed and available to unauthorized computer users. Between October 23, 2009, and March 7, 2010, access to protected health information, including the names, dates of birth, addresses, social security numbers, and health information of applicants was made vulnerable after a system upgrade failed to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. WellPoint is an Indianapolis-based managed health care insurer that serves approximately 65.3 million individuals through its subsidiaries.
Continue Reading WellPoint, Inc. Reaches $1.7 Million Dollar HIPAA Settlement Continuing the 2012 Trend of Heavy Fines

By Maureen Corcoran

Sweeping changes to the obligations of providers, health plans and their service providers ("business associates") under HIPAA privacy and security rules were included in the American Recovery and Reinvestment Act of 2009. Previously only health plans and providers were covered under HIPAA and subject to the criminal and civil monetary penalties. Effective February 17, 2010, business associates are now directly covered. These new requirements will require amendments to all business associate agreements. Business associates must also draft policies and procedures to implement their obligations under the privacy and security standards. Immediate steps must be taken to prepare for implementation.

Continue Reading HIPAA Statutory Changes Require Action Now by Providers, Plans and Their Business Associates