At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin… Continue Reading
The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process. Why Audits?… Continue Reading
For our HIPAA-covered entity readers, we have asked these questions before: Have you taken a business associate inventory ? Have you undertaken a comprehensive risk assessment as required by HIPAA? It’s all getting real – read on.
21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday March 4 that it was latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago. Read on for the gory details…..
In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack… Continue Reading
Written by Kate Stewart Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home… Continue Reading
It’s Privacy Monday again – and summer is winding down. Here are three bytes of privacy/security information to start your week: 1. House Committee Releases HHS Breach Investigation If you are subject to HIPAA and the oversight of the Department of Health and Human Services (HHS), schadenfreude will probably best describe your reaction. A report… Continue Reading
Originally posted in Mintz Levin’s Health Law & Policy Matters Blog Written by Jordan Cohen In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday – July 17, 2015 – that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record… Continue Reading
It’s Monday! Once again, data breaches and hacks are front and center, so here are three stories you should know about to start your week. 1. The Site that Promises “Discreet Encounters” Hacked — Karma? If you have not heard the provocative ad campaign launched by a site called AshleyMadison, it may surprise… Continue Reading
Register now for our June Wednesday Webinar. This webinar, the sixth in our Privacy series, will address risk assessment best practices and data breach readiness. A risk assessment is the foundational step in the development of a comprehensive privacy and security program for your company. It is also a regulatory requirement under HIPAA and… Continue Reading
The New York State Department of Financial Services (the “Department”) recently released a “Report on Cyber Security in the Insurance Sector” (the “Report”). The Report was released on February 8, 2015, just four days after Anthem first reported the breach of its database estimated to contain as many as 80 million customer records. While the… Continue Reading
Registration is open for the next installment in the Mintz Levin Privacy & Security Group Wednesday Webinar series — This webinar, scheduled for Wednesday, February 25, will focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss… Continue Reading
By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc. Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next.
Blizzards can affect even “virtual” events — tomorrow’s “How to Survive a HIPAA Audit” webinar has been rescheduled to February 4th. You can still register here.
Good Monday – The East Coast prepares for Apocalypse (Sn)ow. In the meantime, here are three privacy-related tidbits for your day. Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data. … Continue Reading
Celebrate Data Privacy Day! On Wednesday January 28th, Mintz Levin’s Dianne Bourque, will be presenting a webinar on how to survive a HIPAA audit. With the New Year in full swing, the HHS Office of Civil Rights (“OCR”) is resuming its random audit program to assess compliance with HIPAA privacy, security and breach notification rules. … Continue Reading
The First Rule of How to Survive a HIPAA Audit: Be Prepared 2015 is bringing along with it the start of the HHS Office for Civil Rights random audit program to assess compliance with the HIPAA privacy, security and breach notification rules. It is anticipated that 300-400 business associates will be the subject of a… Continue Reading
……………..a cumbersome C-A-P Written by Dianne Bourque The U.S Department of Health and Human Services Office for Civil Rights has received tremendous publicity in recent years for its upward-trending fines and aggressive enforcement of HIPAA violations. Seven-figure fines are becoming the norm for serious violations, for example, in May of this year, OCR fined a hospital and university a combined total of $4.8 million dollars for their separate HIPAA… Continue Reading
When is “sharing” too much of a good thing? And will it get worse for health care systems in 2015? Read on….. Written by Stephanie D. Willis Data sharing has become a point of sharp focus in the efforts to improve the quality and efficiency of health services in the United States. Given all that has… Continue Reading
Written by Stephanie Willis This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.” The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake… Continue Reading
Written by: Dianne Bourque, Kimberly Gold, Kate Stewart, and Stephanie D. Willis (original post in Mintz Levin’s Health Law & Policy Matters blog) As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards in Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases: (i) risk assessment, (ii)… Continue Reading
Happy autumnal equinox — http://www.skyandtelescope.com/astronomy-news/observing-news/autumnal-equinox-2014-arrives-09222014/ Home Depot Breach – By the Numbers 56 million cards at risk (compare to Target = 40 million) $62 million in estimated costs (compare to Target =$146 million and counting) $27 million insurance coverage (compare to Target = $100 million in cover) Lawsuits filed – at least 1 in US and… Continue Reading
Written by Julia Siripurapu, CIPP/US and Dianne J. Bourque Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data… Continue Reading
Reposted from Mintz Levin’s Health Law & Policy Matters blog The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed… Continue Reading