Tag Archives: OCR

Get Ready for those HIPAA Audits – New Audit Protocol (and a Mintz Tool!)

Posted By Dianne Bourque, Jordan Cohen, and Cynthia Larose on April 20th, 2016 Posted in HIPAA/HITECH, Privacy Regulation, Security

At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin… Continue Reading

Phase 2 HIPAA Audits Coming to You: Check Your Spam Filter!

Posted By Dianne Bourque, Kate Stewart, Jordan Cohen, and Cynthia Larose on March 23rd, 2016 Posted in HIPAA/HITECH, Security

The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process. Why Audits?… Continue Reading

Latest OCR Enforcement Action: Underbed Storage is Not Appropriate for PHI

Posted By Cynthia Larose on February 5th, 2016 Posted in HIPAA/HITECH

Written by Kate Stewart Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home… Continue Reading

Save the Date — HIPAA Audit Preparedness Webinar January 28, 2015

Posted By Cynthia Larose on January 6th, 2015 Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation, Security

The First Rule of How to Survive a HIPAA Audit: Be Prepared 2015 is bringing along with it the start of the HHS Office for Civil Rights random audit program to assess compliance with the HIPAA privacy, security and breach notification rules. It is anticipated that 300-400 business associates will be the subject of a… Continue Reading

On the Tenth Day of Privacy, OCR Gave to Me…..

Posted By Cynthia Larose on December 22nd, 2014 Posted in 12 Days of Privacy, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation

……………..a cumbersome C-A-P Written by Dianne Bourque The U.S Department of Health and Human Services Office for Civil Rights has received tremendous publicity in recent years for its upward-trending fines and aggressive enforcement of HIPAA violations. Seven-figure fines are becoming the norm for serious violations, for example, in May of this year, OCR fined a hospital and university a combined total of $4.8 million dollars for their separate HIPAA… Continue Reading

OCR Issues New Bulletin on Ensuring Privacy in Public Health Emergencies

Posted By Cynthia Larose on November 13th, 2014 Posted in HIPAA/HITECH

Written by Stephanie Willis This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.” The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake… Continue Reading

Changes in Breach Notification Risk Assessments Under HIPAA

Posted By Cynthia Larose on July 18th, 2014 Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation

Reposted from Mintz Levin’s Health Law & Policy Matters blog The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed… Continue Reading

D’oh! OCR Confirms that Medical Records Should Not be Left in the Driveway

Posted By Cynthia Larose on June 26th, 2014 Posted in Data Breach, Data Breach Notification, HIPAA/HITECH

Written by Dianne J. Bourque (reprinted from Mintz Levin’s Health Law Policy Matters blog) The most recent Office for Civil Rights (“OCR”) HIPAA enforcement action serves as an important reminder to health care providers of the security risks associated with a mishandled medical records custody transfer and the risks of leaving paper records in the… Continue Reading

We have seen this movie before ….. and we all should know that it does not end well.

Posted By Cynthia Larose on April 25th, 2014 Posted in Data Breach, HIPAA/HITECH, Privacy Regulation

This was originally posted on Mintz Levin’s Health Law & Policy Matters blog: Written by: Kimberly J. Gold How much is the cost of doing nothing when it comes to encryption of sensitive data? In the case of electronic protected health information, about $2 million. Two companies have been hit with fines equaling a total of almost… Continue Reading

Understanding HIPAA: OCR Publishes New Provider and Consumer Guides

Posted By Cynthia Larose on May 1st, 2013 Posted in HIPAA/HITECH, Privacy Regulation

Written by Kimberly Gold (Originally posted in Mintz Levin’s Health Law Policy Matters blog) Understanding the complexities of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules is often a challenge for health care providers and consumers. Recognizing the widespread confusion surrounding the interpretation of the rules, the U.S. Department… Continue Reading

Finally! HHS Office of Civil Rights Releases HIPAA Omnibus Rule With Sweeping Changes to Compliance Requirements and Enforcement

Posted By Cynthia Larose on January 21st, 2013 Posted in HIPAA/HITECH, Privacy Regulation

BY DIANNE J. BOURQUE AND STEPHANIE D. WILLIS The final regulations1 from Department of Health and Human Services Office of Civil Rights (OCR) containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus Rule) have finally been released, but the hard work of interpreting them has just begun for covered entities, business associates, and downstream entities… Continue Reading

HITECH Omnibus Rule Basics

Posted By Cynthia Larose on January 18th, 2013 Posted in HIPAA/HITECH, Privacy Regulation, Security

As we pore through the 562-page HITECH Omnibus Rule released by the Department of Health and Services late yesterday afternoon, here are some top line bullet points: Effective Date: Rule becomes effective on March 26, 2013. Covered entities and business associates must comply by September 23, 2013. Business Associates are now front and center — During… Continue Reading

Words of Warning: “No breach too small”

Posted By Cynthia Larose on January 4th, 2013 Posted in Data Breach, Privacy Regulation

As originally posted in Mintz Levin’s Health Law & Policy Matters blog Written by: Stephanie D. Willis The Department of Health and Human Services, Office for Civil Rights (OCR) reached its first settlement for a breach involving data regarding less than 500 individuals. Under the December 2012 settlement, the Hospice of North Idaho (HONI) will pay OCR a $50,000 penalty to resolve allegations that… Continue Reading

Mass Eye and Ear Infirmary Hit with $1.5M Breach Settlement

Posted By Cynthia Larose on September 19th, 2012 Posted in Data Breach, Data Breach Notification, HIPAA/HITECH

Originally posted by Dianne Bourque in Mintz Levin’s Health Law & Policy Matters blog As the old saying goes, “no good deed goes unpunished….” The most recent, published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement. Massachusetts Eye and Ear… Continue Reading

HITECH: Business Associates Beware – New Rules, Audits and Enforcement on the Horizon!

Posted By Cynthia Larose on June 22nd, 2012 Posted in Data Compliance & Security, HIPAA/HITECH

The upcoming HIPAA Omnibus Rule is poised to transform an already challenging privacy and security landscape for business associates or those who provide services to HIPAA “covered entities.” The HITECH Act has already imposed greater compliance responsibility on business associates and their subcontractors. The rules are set to change further and failure to comply can result in… Continue Reading

OCR Shares Preliminary HITECH Audit Results; What’s Next??

Posted By Cynthia Larose on June 13th, 2012 Posted in HIPAA/HITECH, Privacy Regulation

Written by Dianne J. Bourque Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings, what regulated entities can expect next and suggestions for covered entities concerned about being audited. Mintz Levin attended… Continue Reading

The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group

Posted By Cynthia Larose on April 19th, 2012 Posted in Data Compliance & Security, HIPAA/HITECH, Security

Written by Kimberly Gold If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike. Phoenix Cardiac… Continue Reading

The HIPAA Auditors Are Coming! The HIPAA Auditors Are Coming!

Posted By Cynthia Larose on July 12th, 2011 Posted in Uncategorized

It is time for covered entities and business associates to jump start HIPAA privacy and security programs and make sure that everything is in compliance. GovInfoSecurity reports that the Department of Health and Human Services (HHS) has awarded a $9.2 million contract to KPMG to develop protocols for conducting the long-awaited HITECH Act-mandated HIPAA compliance audit… Continue Reading

University of California Pays Close to $1M to Settle Celebrity Health Record Snooping Complaint

Posted By Cynthia Larose on July 8th, 2011 Posted in Uncategorized

Written by Dianne Bourque and Cynthia Larose The University of California has paid $865,500 to the Office of Civil Rights (OCR) and agreed to a Corrective Action Plan to settle allegations that UCLA Health System (UCLAHS) employees repeatedly snooped in the electronic health records of celebrity patients. The OCR’s investigation was prompted by two separate… Continue Reading

HIPAA Enforcement on the Rise: Do You Know Who Your Business Associates Are??

Posted By Cynthia Larose on March 28th, 2011 Posted in Uncategorized

Written by Stephen Bentfield In the two-plus years since the enactment of the HITECH Act, the health care industry has seen a dramatic shift in federal and state HIPAA enforcement posture. Just within the last month, HHS announced a $4.3 million civil fine imposed on Cignet Health for failing to provide patients with copies of… Continue Reading

Office of Civil Rights Speaks at HIMSS – on the heels of a $4.3 million fine to Cignet Health

Posted By Cynthia Larose on February 24th, 2011 Posted in Uncategorized

This week, we heard about the first civil money penalty under the HIPAA Privacy Rule for failure to provide access to medical records and willful neglect — and it was a whopper. The appearance of Adam Greene, Senior Health IT and Privacy Advisor to the Office of Civil Rights — the enforcement arm of the… Continue Reading