Medical Privacy : Privacy Law Blog

Home > Medical Privacy >

HIPAA Privacy and Security Audit Pilot Program Takes Flight

Posted on November 30, 2011 by Robyn Sterling

On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program pursuant to the American Recovery and Reinvestment Act of 2009, Section 13411 of the HITECH Act. The OCR pilot program calls for approximately 150 audits of covered entities, to commence in November 2011 and expected to conclude by December 2012. The audits are intended to address privacy and security compliance, and assist OCR in assessing and identifying best practices as well as risks and vulnerabilities for health care entities.

Tags: HIPAA, HITECH Act, Medical Privacy, health information, privacy

Cignet Proves That It Is Bad To Violate The HIPPA Privacy Rule, But Worse To Ignore HHS

Posted on February 28, 2011 by Proskauer Rose LLP

Cignet Health (Cignet), which operates four health centers in Maryland, is a little lighter in the wallet after the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) found that Cignet violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - $4.3 million lighter, to be exact.

This penalty marks the first civil money penalty imposed by HHS for violations by a “covered entity” of the HIPAA Privacy Rule. In the past, HHS has primarily worked with covered entities to settle the violations and obtain agreement to changes in practices. The civil monetary penalty imposed upon Cignet is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified HIPAA.

Tags: Enforcement, HHS, HIPAA, HITECH, HITECH Act, Health, Medical Privacy, U.S. Dept. of Health & Human Services, health care, health information, medical, penalties

New HIPAA Cop: First AG Settlement for HIPAA Violations

Posted on July 14, 2010 by Proskauer Rose LLP

Last week, the Connecticut Attorney General became the first state attorney general to enter into a settlement agreement for HIPAA violations, as a result of the new authority granted to attorneys general under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Tags: Connecticut, HIPAA, HITECH Act, Medical Privacy, attorneys general, enforcement action, medical, privacy

HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

Posted on September 23, 2009 by Kristen J. Mathews

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning their unsecured protected health information (“PHI”). With its rule, HHS also provided guidance on securing PHI through “encryption” and “destruction” measures. While compliance with these security measures is not required, conformance to the guidance offers a relative safe harbor for covered entities and vendors in the event of a security breach. See September 1, 2009 client alert from Proskauer's Health Care Department for additional information.

Tags: Data Breaches, HIPAA, Medical Privacy, Security Breach Notification Laws

The New Frontier: "Genetic Exceptionalism" and The Battle Over Newborns' DNA

Posted on July 27, 2009 by S. Montaye Sigmon

The popularity of crime dramas on primetime television schedules has made certain aspects of genetic testing commonplace and uncontroversial. However, as science continues to advance at an exponential rate, and as technology and innovation have invaded the realm of individual privacy rights, individuals’ genetic make-up are likely the next frontier.

At least 32 states have genetic privacy laws on the books. These states have taken steps to protect genetic information beyond the protections given to other types of health information. This is referred to as “genetic exceptionalism,” which calls for special protections for genetic information due to its predictive, personal and familial nature and other unique characteristics. Generally speaking, state genetic privacy laws restrict parties (such as insurers or employers) from taking a particular action without consent. These laws cover a broad range of issues, including:

Requiring personal access to genetic information;
Requiring consent for performing tests, obtaining or accessing genetic information, retaining genetic information, and/or disclosing genetic information;
Defining genetic information or DNA samples as personal property; and
Providing for specific penalties for genetic privacy violations.

Tags: DNA, Medical Privacy, blood spots, genetic, genetic privacy

Decrypting HHS Guidance on Breach Notification and Security under the HITECH Act: NIST, FIPS, and More

Posted on June 5, 2009 by Proskauer Rose LLP

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

As we previously reported, the HITECH Act’s notification requirements for breaches of unsecured PHI apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must “compromise[] the security or privacy of such information.” HITECH Act at §13400(1)(A). The newly issued HHS guidance lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the HHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements, although these breaches may still be subject to state law notification requirements.

Tags: FIPS, HHS, HITECH, HITECH Act, Medical Privacy, NIST, PHI, Security Breach Notification Laws, breach notification, destruction, encryption, guidance, security, security breach

Red Flag Rules Leave Health Care Industry Wondering

Posted on April 1, 2009 by Kristen J. Mathews

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know.

The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and the American Medical Association (“AMA”) have been in discussions regarding this point for the last several months.* Most recently, in a February 4th letter to the AMA, the FTC reiterated its earlier position stating that the Red Flag Rules apply to health care providers who regularly defer payment for medical services. In a February 23rd letter responding to the FTC, the AMA “strongly objected” to the FTC’s interpretation and alleged that the FTC failed to comply with the Administrative Procedures Act (“APA”) since it did not explain in advance its rules’ application to health care providers nor provide the public with notice and opportunity to comment. In summary, the AMA asked the FTC to either withdraw its interpretation or conduct a new rulemaking procedure that complies with the APA.

Tags: Identity Theft, Medical Privacy, american medical association, red flag rules

Will Congress Enact Data Security Breach Provisions This Year - ? Guess What, It Already Has

Posted on March 2, 2009 by Jeff Neuburger

By Jeffrey D. Neuburger and Sara Krauss

Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions applicable to health information were signed into law as part of the HITECH Act provisions of the massive economic stimulus legislation, H.R. 1 (111th Cong., 1st Sess. Feb. 17, 2009).

Beginning no later than September 16 of this year, "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) will be required to give notice of breaches in the security of protected health information, and "business associates" of HIPAA-covered entities will be required to report such breaches to the covered entities. §13402(a) & (b). Currently, California and Arkansas are the only states that require that notification be given in the case of a breach in the security of medical or health insurance information.

Tags: HITECH Act, Medical Privacy, Security Breach Notification Laws, data security breach, health information, stimulus legislation

HHS Enters Into First Monetary Settlement Under HIPAA

Posted on August 29, 2008 by Proskauer Rose LLP

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.

Tags: HIPAA, Medical Privacy, PHI, U.S. Dept. of Health & Human Services, health care

Prying Eyes Make Headlines

Posted on August 18, 2008 by Proskauer Rose LLP

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential.

The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.

Tags: California, Medical Privacy, Michigan, celebrities, confidential information, data security breach, health care, personally identifying information