Proskauer Rose LLP

Sara Krauss practices with the Health Care Department at Proskauer Rose LLP. She has represented not-for-profit hospitals, physician groups, diagnostic and imaging centers, e-health providers, practice management companies, pharmaceutical companies, long-term care providers, home health agencies and adult homes on business, regulatory, reimbursement and fraud and abuse matters. Sara has devoted significant time to "Stark" and anti-kickback analyses, Medicare billing matters, concerns regarding confidentiality and privacy of health information, application of HIPAA privacy and security regulations, IRB and other human subjects research issues, hospital and home care compliance plan development and implementation, state licensure requirements, and transactions among health care providers and between physicians and business corporations.

A sample of Sara's experience in health care transactions includes the structuring and documenting of sales of medical practices, physician employment and partnership agreements, clinical trial, testing, material and technology transfer agreements, relationships among New York licensed and certified home care agencies and between the agencies and hospitals, payors and staffing agencies, and arrangements between management service organizations and health care providers. Sara also devotes considerable time to applying state and federal laws and regulations to the day-to-day operational issues of health care providers, with particular attention to compliance issues.

Sara is a magna cum laude graduate of Boston University School of Law, where she was a member of the Law Review, and has an undergraduate degree in economics from Brandeis University. Sara has lectured on regulatory issues for in-house CLE programs as well as seminars of the Health Law Section of the New York State Bar Association, and the New York State Association of Health Care Providers, Inc.


Articles By This Author

Cignet Proves That It Is Bad To Violate The HIPAA Privacy Rule, But Worse To Ignore HHS

Cignet Health (Cignet), which operates four health centers in Maryland, is a little lighter in the wallet after the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) found that Cignet violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - $4.3 million lighter, to be exact.

This penalty marks the first civil money penalty imposed by HHS for violations by a “covered entity” of the HIPAA Privacy Rule. In the past, HHS has primarily worked with covered entities to settle the violations and obtain agreement to changes in practices. The civil monetary penalty imposed upon Cignet is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified HIPAA.

New HIPAA Cop: First AG Settlement for HIPAA Violations

Last week, the Connecticut Attorney General became the first state attorney general to enter into a settlement agreement for HIPAA violations, as a result of the new authority granted to attorneys general under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Decrypting HHS Guidance on Breach Notification and Security under the HITECH Act: NIST, FIPS, and More

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

As we previously reported, the HITECH Act’s notification requirements for breaches of unsecured PHI apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must “compromise[] the security or privacy of such information.” HITECH Act at §13400(1)(A). The newly issued HHS guidance lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the HHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements, although these breaches may still be subject to state law notification requirements.

HHS Enters Into First Monetary Settlement Under HIPAA

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.
