Header graphic for print
Privacy Law Blog

Category Archives: HIPAA

Subscribe to HIPAA RSS Feed

A $1.2 Million Photocopier Mistake: Health Plan Settles with HHS in HIPAA Breach Case

Posted in Data Breaches, HIPAA, Identity Theft, Medical Privacy

We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of… Continue Reading

HHS Empowers Consumers to Know (and Enforce) their Rights Under HIPAA

Posted in Electronic Communications, HIPAA, Medical Privacy

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.  These four factsheets are described in detail below and are available in… Continue Reading

HIPAA/HITECH Final Rule: Significant Changes to Existing Regulations

Posted in Data Breaches, HIPAA

Recently announced changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule represent one of the most significant developments in health care privacy law in the past 10 years. Known as the final omnibus rule, the changes were announced by the U.S. Department of Health and Human Services on January 17,… Continue Reading

Massachusetts AGO Enters Into Another Settlement For Data Security Violations

Posted in Data Breaches, Data Privacy Laws, HIPAA, Medical Privacy

For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations.  On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they… Continue Reading

HHS Announces New Patient Privacy and Security Protections

Posted in HIPAA, Medical Privacy, Mobile Privacy, Privacy Litigation, Security Breach Notification Laws, Uncategorized

On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form;  and (3) provides individuals with the right to… Continue Reading

Keep An Eye On Those Shiny, New Mobile Devices!

Posted in Data Breaches, HIPAA, Medical Privacy, Mobile Privacy, Workplace Privacy

As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers  create a “culture of compliance and awareness” and to protect patients’ Protected Health… Continue Reading

OCR Issues Guidance On HIPAA Privacy Rule’s De-Identification Standard

Posted in HIPAA, Medical Privacy

On November 26, 2012, the Department of Health and Human Services Office for Civil Rights (“OCR”) published a thirty-two page document titled “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” (“De-Identification Guidance”).  OCR described the guidance document as a culmination of two… Continue Reading

HIPAA Privacy In The Aftermath Of Sandy: Be Prepared For The Next Emergency

Posted in HIPAA, Medical Privacy, Miscellaneous, Mobile Privacy, Workplace Privacy

As health care providers, patients, family members, friends, and disaster relief agencies such as the American Red Cross continue to grapple with the aftermath of Hurricane Sandy it is important to be mindful of privacy regulations and to prepare in advance for the next emergency. The Health Insurance Portability and Accountability Act  of 1996 (“HIPAA”… Continue Reading

OCR Reaches $1.7 Million HIPAA Settlement with Alaska Medicaid

Posted in HIPAA

On June 26, 2012, the U.S. Department of Health and Human Services (HHS) entered into a settlement with the Alaska Department of Health and Social Services (DHSS) for $1.7 million as well as a corrective action plan (CAP) for alleged security violations of the Health Insurance Portability and Accountability Act (HIPAA). This represents the first HHS… Continue Reading

First Data Breach Settlement Under HITECH–$1.5 million

Posted in HIPAA

HHS reached a settlement on March 12, 2012 with Blue Cross Blue Shield of Tennessee (“BCBST”) for $1.5 million stemming from a 2009 data breach. This settlement represents the first under the HITECH Act. 

HHS Settlement for Lack of HIPAA Safeguards

Posted in HIPAA

One April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement with Phoenix Cardiac Surgery (“PSC”) for alleged violations of the HIPAA Privacy and Security Rules. 

State Attorney General Action Under HITECH

Posted in HIPAA, Medical Privacy

On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection… Continue Reading

No Report; No Pay

Posted in Data Breaches, HIPAA

On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company’s privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report.