Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Category Archives: HIPAA/HITECH

Subscribe to HIPAA/HITECH RSS Feed

OCR Issues New Bulletin on Ensuring Privacy in Public Health Emergencies

Posted in HIPAA/HITECH

Written by Stephanie Willis   This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.”  The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake… Continue Reading

Notes from the Joint OCR/NIST HIPAA Security Conference

Posted in Cybersecurity, HIPAA/HITECH, Privacy Regulation, Security

Written by:  Dianne Bourque, Kimberly Gold, Kate Stewart, and Stephanie D. Willis  (original post in Mintz Levin’s Health Law & Policy Matters blog) As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) andNational Institute of Standards in Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases:  (i) risk assessment, (ii)… Continue Reading

Privacy Monday – September 22, 2014

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Privacy Monday

Happy autumnal equinox — http://www.skyandtelescope.com/astronomy-news/observing-news/autumnal-equinox-2014-arrives-09222014/ Home Depot Breach – By the Numbers 56 million cards at risk (compare to Target = 40 million) $62 million in estimated costs (compare to Target  =$146 million and counting) $27 million insurance coverage (compare to Target = $100 million in cover) Lawsuits filed – at least 1 in US and… Continue Reading

Massive Data Breach Affects 4.5 Million Patients in 29 States

Posted in Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH

Written by Julia Siripurapu, CIPP/US and Dianne J. Bourque Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data… Continue Reading

Changes in Breach Notification Risk Assessments Under HIPAA

Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation

Reposted from Mintz Levin’s Health Law & Policy Matters blog The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013.   The examples analyzed… Continue Reading

D’oh! OCR Confirms that Medical Records Should Not be Left in the Driveway

Posted in Data Breach, Data Breach Notification, HIPAA/HITECH

Written by  Dianne J. Bourque  (reprinted from Mintz Levin’s Health Law Policy Matters blog) The most recent Office for Civil Rights (“OCR”) HIPAA enforcement action serves as an important reminder to health care providers of the security risks associated with a mishandled medical records custody transfer and the risks of leaving paper records in the… Continue Reading

Five Lessons from OCR’s Report to Congress on Breaches and HIPAA Rules Compliance

Posted in Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy Regulation, Security

Written by Stephanie D. Willis and Dianne J. Bourque (republished from Mintz Levin’s Health Law Policy Matters blog)   Last week, the HHS Office of Civil Rights (OCR) released two reports required by the Health Information Technology for Economic and Clinical Health (HITECH) Act: (i) the Annual Report to Congress on Breaches of Unsecured Protected Information… Continue Reading

Health Data Breach Victims Have Standing to Sue Says WV Supreme Court

Posted in Data Breach, HIPAA/HITECH, Privacy Litigation

The most common defense against class actions for data breach has itself been breached in a ruling last week by the West Virginia Supreme Court. The Court’s opinion held that representatives of the class of medical clinic patients whose names, contact details, social security numbers and medical information had been accidentally posted to a publicly… Continue Reading

Protecting Attorney-Client Privilege: Making Sure What’s Said In House Stays In House

Posted in HIPAA/HITECH, Uncategorized

Attorney-client privilege, and how to ensure that advice and counsel to their clients is covered by the privilege, is always a top-of-mind issue for in-house counsel, particularly with respect to compliance questions.   The privacy office does not always report into the legal department in all companies.  Therefore, when it comes to data breach compliance and privacy advice, privacy… Continue Reading

Record $4.8 Million HIPAA Fine Assessed

Posted in Data Breach Notification, HIPAA/HITECH

In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network.  Our sister blog, Health Law Policy Matters, provides an analysis of the incidents and… Continue Reading

We have seen this movie before ….. and we all should know that it does not end well.

Posted in Data Breach, HIPAA/HITECH, Privacy Regulation

This was originally posted on Mintz Levin’s Health Law & Policy Matters blog: Written by: Kimberly J. Gold How much is the cost of doing nothing when it comes to encryption of sensitive data?   In the case of electronic protected health information, about $2 million. Two companies have been hit with fines equaling a total of almost… Continue Reading

Another major medical data breach in California

Posted in Data Breach, HIPAA/HITECH, Security

Written by Julia Siripurapu Or….why are health care institutions still leaving laptops containing PHI unencrypted???? The Los Angeles Times (the “Times”) reported this week the theft of two laptops from an administrative office of hospital group AHMC Healthcare Inc. (“AHMC”) in Alhambra, California that compromised the health data of approximately 729,000 individuals. The notice posted… Continue Reading

Privacy Monday – September 23, 2013: TODAY IS HIPAA COMPLIANCE DAY – 5 THINGS THAT YOU SHOULD HAVE DONE

Posted in HIPAA/HITECH, Privacy Monday, Privacy Regulation

Today’s the day!    Today marks the long-awaited compliance date for the HIPAA Omnibus Rule. In case you have put any thoughts of compliance with the Omnibus Rule out of your mind, you can no longer escape. Here are the key five things that you should have done by today: Update Notices of Privacy Practices… Continue Reading

Privacy Monday – September 16, 2013

Posted in Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy Monday

Dis-Like! Senator Markey Urges the FTC to Investigate Facebook’s New Policies Written By Adam Veness As we previously reported here, Facebook has proposed a number of revisions to its Data Use Policy and Statement of Rights and Responsibilities.  In response to these proposed changes, Senator Edward J. Markey (D-MA) sent a letter to the Federal… Continue Reading

REMINDER – HIPAA Omnibus Rule Compliance Webinar

Posted in HIPAA/HITECH

Hospital?  Health care provider?  Service provider to either a hospital or other health care provider?    You’ll want to listen in to our HIPAA Omnibus Rule Compliance webinar — details here Topics covered by the webinar include: What to do if you currently have a comprehensive, effective program What to do if your compliance program consists… Continue Reading

HIPAA Procrastinator? Have we got a webinar for you….REMINDER

Posted in Data Breach Notification, HIPAA/HITECH, Privacy Regulation

 REMINDER July 23, 2013 at 1 PM ET – Register here   The countdown is underway — the HIPAA Omnibus Rule compliance deadline is  less than two months away! Covered entities and business associates have until September 23, 2013 to comply with important, new requirements under the HIPAA Omnibus Rule. To avoid penalties for noncompliance, organizations… Continue Reading

First HIPAA Resolution Agreement of 2013 — and it certainly will not be the last

Posted in HIPAA/HITECH, Privacy Regulation

Written by Stephanie D. Willis   The HHS Office of Civil Rights (OCR) announced its first HIPAA Resolution Agreement of 2013 last week.  According to the press release, Idaho State University (ISU) must pay OCR $400,000 and comply with the terms of a two-year corrective action plan (CAP) to address violations of the HIPAA Security Rule,… Continue Reading

Rx for HIPAA Compliance

Posted in HIPAA/HITECH

Weighing in at half the length of Tolstoy’s legendary tome War and Peace, it is no surprise that the thought of the impending deadline for compliance with the 538-page  HIPAA Omnibus Rule  has left many small clinical practices feeling overwhelmed.   HHS Office of Civil Rights (OCR) and the Workgroup for Electronic Data Interchange (WEDI) are co-sponsoring four… Continue Reading

Understanding HIPAA: OCR Publishes New Provider and Consumer Guides

Posted in HIPAA/HITECH, Privacy Regulation

Written by Kimberly Gold (Originally posted in Mintz Levin’s Health Law Policy Matters blog) Understanding the complexities of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules is often a challenge for health care providers and consumers.  Recognizing  the widespread confusion surrounding the interpretation of the rules, the U.S. Department… Continue Reading

Countdown Begins for HIPAA Omnibus Rule Compliance

Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation

Written by Dianne J. Bourque and Stephanie D. Willis The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines. Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance… Continue Reading