Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney



Get Ready for those HIPAA Audits – New Audit Protocol (and a Mintz Tool!)

Posted in HIPAA/HITECH, Privacy Regulation, Security

At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin… Continue Reading

Phase 2 HIPAA Audits Coming to You: Check Your Spam Filter!

Posted in HIPAA/HITECH, Security

The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process. Why Audits?… Continue Reading

Ransomware Strikes California Hospital – Could You Be Next?

Posted in Cybersecurity, Data Compliance & Security, HIPAA/HITECH, Identity Theft, Privacy Regulation, Security, Uncategorized

In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack… Continue Reading

Latest OCR Enforcement Action: Underbed Storage is Not Appropriate for PHI


Written by Kate Stewart Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home… Continue Reading

Privacy Monday – August 17, 2015: Three Bytes for End of Summer

Posted in Cybersecurity, Data Breach, EU Data Protection Regulation, Events and Webinars, Federal Trade Commission, HIPAA/HITECH

It’s Privacy Monday again – and summer is winding down. Here are three bytes of privacy/security information to start your week:

1. House Committee Releases HHS Breach Investigation

If you are subject to HIPAA and the oversight of the Department of Health and Human Services (HHS), schadenfreude will probably best describe your reaction. A report… Continue Reading

Data Breach = Class Action Suit. Again.

Posted in Class Action Litigation, Data Breach, Data Breach Notification, HIPAA/HITECH

Originally posted in Mintz Levin’s Health Law & Policy Matters Blog Written by Jordan Cohen In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday – July 17, 2015 – that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record… Continue Reading

Privacy Monday – July 20, 2015: Hack Attack on Adultery Site Ashley Madison

Posted in Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy Monday

It’s Monday! Once again, data breaches and hacks are front and center, so here are three stories you should know about to start your week.

1. The Site that Promises “Discreet Encounters” Hacked — Karma?

If you have not heard the provocative ad campaign launched by a site called AshleyMadison, it may surprise… Continue Reading

Save the Date: June 24, 2015 — All You Need to Know About Risk Assessments

Posted in Cybersecurity, Events and Webinars, HIPAA/HITECH, Security

Register now for our June Wednesday Webinar. This webinar, the sixth in our Privacy series, will address risk assessment best practices and data breach readiness. A risk assessment is the foundational step in the development of a comprehensive privacy and security program for your company. It is also a regulatory requirement under HIPAA and… Continue Reading

Could the Anthem Hack Happen in NY? New Report Highlights Risk for NY Insurers

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Security

The New York State Department of Financial Services (the “Department”) recently released a “Report on Cyber Security in the Insurance Sector” (the “Report”). The Report was released on February 8, 2015, just four days after Anthem first reported the breach of its database estimated to contain as many as 80 million customer records. While the… Continue Reading

Register for our next Wednesday Webinar — February 25

Posted in Employee Privacy, Events and Webinars, HIPAA/HITECH, Identity Theft, Mobile Privacy, Privacy Litigation, Security, Social Media

Registration is open for the next installment in the Mintz Levin Privacy & Security Group Wednesday Webinar series — This webinar, scheduled for Wednesday, February 25, will focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss… Continue Reading

The Anthem Data Breach: The Fallout and What’s Next

Posted in Class Action Litigation, Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Identity Theft

By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc. Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next.



Blizzards can affect even “virtual” events — tomorrow’s “How to Survive a HIPAA Audit” webinar has been rescheduled to February 4th. You can still register here.

Privacy Monday – January 26, 2015

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Legislation, Privacy Monday, Privacy Regulation, Uncategorized

Good Monday – The East Coast prepares for Apocalypse (Sn)ow. In the meantime, here are three privacy-related tidbits for your day.

Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data

We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data. … Continue Reading

You’re Invited: Tips for Surviving a HIPAA Audit


Celebrate Data Privacy Day! On Wednesday January 28th, Mintz Levin’s Dianne Bourque will be presenting a webinar on how to survive a HIPAA audit. With the New Year in full swing, the HHS Office of Civil Rights (“OCR”) is resuming its random audit program to assess compliance with HIPAA privacy, security and breach notification rules. … Continue Reading

Save the Date — HIPAA Audit Preparedness Webinar January 28, 2015

Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation, Security

The First Rule of How to Survive a HIPAA Audit: Be Prepared

2015 is bringing along with it the start of the HHS Office for Civil Rights random audit program to assess compliance with the HIPAA privacy, security and breach notification rules. It is anticipated that 300-400 business associates will be the subject of a… Continue Reading

On the Tenth Day of Privacy, OCR Gave to Me…..

Posted in 12 Days of Privacy, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation

……………..a cumbersome C-A-P

Written by Dianne Bourque

The U.S. Department of Health and Human Services Office for Civil Rights has received tremendous publicity in recent years for its upward-trending fines and aggressive enforcement of HIPAA violations. Seven-figure fines are becoming the norm for serious violations; for example, in May of this year, OCR fined a hospital and university a combined total of $4.8 million for their separate HIPAA… Continue Reading

On The Eighth Day of Privacy, Health Care Systems (Over)Shared Data

Posted in 12 Days of Privacy, HIPAA/HITECH, Privacy Regulation

When is “sharing” too much of a good thing? And will it get worse for health care systems in 2015? Read on…

Written by Stephanie D. Willis

Data sharing has become a point of sharp focus in the efforts to improve the quality and efficiency of health services in the United States. Given all that has… Continue Reading

OCR Issues New Bulletin on Ensuring Privacy in Public Health Emergencies


Written by Stephanie Willis

This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.” The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake… Continue Reading

Notes from the Joint OCR/NIST HIPAA Security Conference

Posted in Cybersecurity, HIPAA/HITECH, Privacy Regulation, Security

Written by: Dianne Bourque, Kimberly Gold, Kate Stewart, and Stephanie D. Willis (original post in Mintz Levin’s Health Law & Policy Matters blog)

As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards and Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases: (i) risk assessment, (ii)… Continue Reading

Privacy Monday – September 22, 2014

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Privacy Monday

Happy autumnal equinox — http://www.skyandtelescope.com/astronomy-news/observing-news/autumnal-equinox-2014-arrives-09222014/

Home Depot Breach – By the Numbers

56 million cards at risk (compare to Target = 40 million)
$62 million in estimated costs (compare to Target = $146 million and counting)
$27 million insurance coverage (compare to Target = $100 million in cover)
Lawsuits filed – at least 1 in US and… Continue Reading

Massive Data Breach Affects 4.5 Million Patients in 29 States

Posted in Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH

Written by Julia Siripurapu, CIPP/US and Dianne J. Bourque

Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8-K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data… Continue Reading

Changes in Breach Notification Risk Assessments Under HIPAA

Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation

Reposted from Mintz Levin’s Health Law & Policy Matters blog

The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed… Continue Reading