Header graphic for print
Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Tag Archives: HIPAA

Responding to Insider Data Theft

Posted in Cybersecurity, Data Compliance & Security, Events and Webinars, Security

Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier’s Responding to Insider Data Theft & Disclosure presentation.  Jonathan and Paul discussed how distinguishing the insider threat differs from the techniques used to identify and stop hackers, creating an environment that deters insiders from stealing data, and the… Continue Reading

The Anthem Data Breach: The Fallout and What’s Next

Posted in Class Action Litigation, Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Identity Theft

By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc.  Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next.

Notes from the Joint OCR/NIST HIPAA Security Conference

Posted in Cybersecurity, HIPAA/HITECH, Privacy Regulation, Security

Written by:  Dianne Bourque, Kimberly Gold, Kate Stewart, and Stephanie D. Willis  (original post in Mintz Levin’s Health Law & Policy Matters blog) As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards in Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases:  (i) risk assessment, (ii)… Continue Reading

NIST Issues Draft Report Enumerating Risks and Protections to Consider When Evaluating Mobile Apps for Your Enterprise

Posted in Cybersecurity, Data Compliance & Security, Mobile Privacy

Written by:  Stephanie D. Willis  As the world recovers from the excitement leading up to Tuesday’s Apple Live Event announcement of the new iPhone 6 and Apple Watch, mobile app developers are chomping at the bit to create software that leverages the new operating system and Apple’s widely-anticipated “HealthKit,” a purportedly secure platform that allows… Continue Reading

Record $4.8 Million HIPAA Fine Assessed

Posted in Data Breach Notification, HIPAA/HITECH

In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network.  Our sister blog, Health Law Policy Matters, provides an analysis of the incidents and… Continue Reading

Coming Next Week: The 12 Days of Privacy

Posted in Uncategorized

Haul out the holly, fill up the stockings, even though it’s just one week past Thanksgiving day…..   Rather than look back at 2013, next week the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2014.    The editor’s muse for this series… Continue Reading

Business Associates Beware

Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECH

If you haven’t yet caught up with the new HIPAA Omnibus Rule and its consequences for those businesses who are not themselves healthcare providers, but are service providers to healthcare entities (and even further downstream than that….), you can take a listen to our recent webinar highlighting the most important changes and issues. A recent… Continue Reading

Words of Warning: “No breach too small”

Posted in Data Breach, Privacy Regulation

As originally posted in Mintz Levin’s Health Law & Policy Matters blog Written by: Stephanie D. Willis The Department of Health and Human Services, Office for Civil Rights (OCR) reached its first settlement for a breach involving data regarding less than 500 individuals.  Under the December 2012 settlement, the Hospice of North Idaho (HONI) will pay OCR a $50,000 penalty to resolve allegations that… Continue Reading

HHS Office of Civil Rights Director Speaks

Posted in HIPAA/HITECH, Privacy Regulation

Our colleagues over at the Mintz Health Law & Policy Matters blog have been attending this week’s HIPAA Security Conference and have posted an update here. Two big takeaways — Office of Civil Rights (the agency that enforces the HIPAA privacy and security standards) Director Leon Rodriguez says that HIPAA compliance expectations are higher than ever… Continue Reading

Ignorance of HIPAA Provisions No Excuse


As the old canard goes:  “Ignorance of the law is no excuse.” The Ninth Circuit agrees, particularly when it comes to misdemeanor charges under HIPAA for “wrongful disclosure.”     Our colleagues at the Mintz Health Law & Policy Matters blog tell the story here.  

New Texas Electronic Health Record Law Exceeds HIPAA Requirements

Posted in Uncategorized

Written by Dianne Bourque Texas covered entities (health care providers, health insurers and clearinghouses) and other entities that use and disclose PHI of Texas residents using electronic health records (EHRs) face new risks and stringent requirements under HB300, a new Texas privacy law.  The new law, which is effective September 1, 2012, is more stringent… Continue Reading

How Accountable Care Organizations (ACOs) Will Use and Disclose Protected Health Information While Complying with HIPAA

Posted in Uncategorized

Written by Dianne Bourque The Centers for Medicare & Medicaid Services (CMS) has released proposed regulations establishing Accountable Care Organizations (ACOs) and creating the Medicare Shared Savings Program (the Program). The Program will permit health care providers and suppliers to form ACOs and to reward those that lower health care costs for Medicare fee-for-service beneficiaries,… Continue Reading

Arizona Hospital Workers Fired for Inappropriately Accessing Shooting Victim Records

Posted in Uncategorized

Written by Dianne Bourque Once again, a public event has piqued the “curiosity” of hospital employees in violation of HIPAA.   The University Medical Center (UMC) at Tucson has fired three administrative staff and a contracted nurse for wrongfully accessing medical records related to the shooting rampage that killed six people and seriously injured Congresswoman Gabrielle Giffords. … Continue Reading

Improper Disposal Costs Rite Aid $1 Million

Posted in Data Breach

Written by Dianne Bourque Rite Aid has agreed to pay $1 million to settle allegations that it violated HIPAA by disposing of labeled pill bottles in unsecured dumpsters accessible to the public. The $1 million fine settles a joint Office of Civil Rights (OCR)/Federal Trade Commission (FTC) investigation prompted by televised media reports of pharmacies… Continue Reading

First Ever State-initiated HIPAA Enforcement Action Settled

Posted in Legislation

Written by Dianne Bourque Connecticut Attorney General Richard Blumenthal has settled the first state-initiated HIPAA enforcement action. The settlement totals $250,000 in statutory damages and Health Net’s agreement to implement a variety of measures to improve the security of consumer health and personal information. Health Net also agreed to provide two years of credit monitoring… Continue Reading

Proposed HITECH Regulations Out in May?

Posted in Legislation

Buried in a part of today’s Federal Register was the publication of the Department of Health and Human Services’ regulatory agenda. The agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue the long-awaited proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules… Continue Reading

HHS Announces Delay in Enforcement of HITECH Rules as Applied to Business Associates

Posted in Legislation

As we have discussed before, HHS’s Office of Civil Rights has let it be known that a proposed rule implementing the HITECH Act’s privacy and security provisions as they apply to business associate liability is in the works. The proposed rule will also deal with new limitations on the sale of protected health information, marketing,… Continue Reading

Quick Compliance Survey

Posted in Data Breach

No, we’re not “taking names” here. This is just a 10-question survey to gauge some basic compliance metrics. Please participate! Click here to take survey

Today’s compliance deadline – Enforcement of the HITECH/HIPAA data breach notification rule

Posted in Data Breach

February and March are just full of significant deadlines for privacy/security reporting and compliance. Today is the day that the Health & Human Services Office of Civil Rights begins to enforce the HITECH/HIPAA data breach notification rule. To “celebrate” the occasion, the agency publicly posted the first list of reported breaches affecting 500 or more… Continue Reading

HITECH Act Compliance Date Arrived — Without the Promised Regulatory Guidance

Posted in Legislation

We have been so focused on the upcoming Massachusetts data security deadline, that we let one last week go without fanfare. As we have gently reminded you on several occasions, the new HIPAA privacy and security rules contained in the Health Information Technology for Clinical and Economic Health Act (HITECH) became effective on February 17th…. Continue Reading

Data Privacy Day – Tip #4 – Transactional Best Practices for Lawyers

Posted in Employee Privacy

Written by Michael Arnold and Jennifer Rubin Even though lawyers working on both sides of an M&A transaction during the due diligence phase might immerse themselves in a “confidentiality bubble”, they still must be careful not to disclose or access confidential employee information in the course of that transaction. Attorneys evaluating potential transactions might be… Continue Reading

Data Privacy Day Tip #2 – HITECH Act

Posted in Legislation

Written by Dianne Bourque Effective February 17, 2010, significant new compliance obligations will be imposed on business associates through the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”). Business associates (or organizations that use or disclose protected health information on behalf of covered entities subject to HIPAA) will be directly liable… Continue Reading

Connecticut Attorney General Brings Charges Against Health Net for HIPAA Violations

Posted in Data Breach

Written by Dianne Bourque   On January 13, Connecticut Attorney General Richard Blumenthal filed charges against Health Net of Connecticut, Inc., for violating federal privacy law. Blumenthal is the first state attorney general to file such a suit using HIPAA enforcement authority granted to states under the HITECH provisions of the American Recovery and Reinvestment… Continue Reading