Header graphic for print
Privacy Law Blog

Tag Archives: HIPAA

A $1.2 Million Photocopier Mistake: Health Plan Settles with HHS in HIPAA Breach Case

Posted in Data Breaches, HIPAA, Identity Theft, Medical Privacy

We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of… Continue Reading

HHS Empowers Consumers to Know (and Enforce) their Rights Under HIPAA

Posted in Electronic Communications, HIPAA, Medical Privacy

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.  These four factsheets are described in detail below and are available in… Continue Reading

HIPAA/HITECH Final Rule: Significant Changes to Existing Regulations

Posted in Data Breaches, HIPAA

Recently announced changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule represent one of the most significant developments in health care privacy law in the past 10 years. Known as the final omnibus rule, the changes were announced by the U.S. Department of Health and Human Services on January 17,… Continue Reading

HHS Announces New Patient Privacy and Security Protections

Posted in HIPAA, Medical Privacy, Mobile Privacy, Privacy Litigation, Security Breach Notification Laws, Uncategorized

On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form;  and (3) provides individuals with the right to… Continue Reading

Keep An Eye On Those Shiny, New Mobile Devices!

Posted in Data Breaches, HIPAA, Medical Privacy, Mobile Privacy, Workplace Privacy

As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers  create a “culture of compliance and awareness” and to protect patients’ Protected Health… Continue Reading

OCR Issues Guidance On HIPAA Privacy Rule’s De-Identification Standard

Posted in HIPAA, Medical Privacy

On November 26, 2012, the Department of Health and Human Services Office for Civil Rights (“OCR”) published a thirty-two page document titled “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” (“De-Identification Guidance”).  OCR described the guidance document as a culmination of two… Continue Reading

HIPAA Privacy In The Aftermath Of Sandy: Be Prepared For The Next Emergency

Posted in HIPAA, Medical Privacy, Miscellaneous, Mobile Privacy, Workplace Privacy

As health care providers, patients, family members, friends, and disaster relief agencies such as the American Red Cross continue to grapple with the aftermath of Hurricane Sandy it is important to be mindful of privacy regulations and to prepare in advance for the next emergency. The Health Insurance Portability and Accountability Act  of 1996 (“HIPAA”… Continue Reading

New York Court Finds Clinic Not Liable for Employee’s Disclosure of PHI

Posted in Medical Privacy

A federal district court dismissed an action against an employer alleging vicarious liability for an employee’s dissemination of a patient’s protected health information (PHI) related to treatment for a sexually transmitted disease (STD). Specifically, the court found that the employer, a private New York medical clinic, was not vicariously liable for the actions of the employee because the employee was acting in a personal capacity which was beyond the scope of her employment.

State Attorney General Action Under HITECH

Posted in HIPAA, Medical Privacy

On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection… Continue Reading

HIPAA Privacy and Security Audit Pilot Program Takes Flight

Posted in Medical Privacy

On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program. The OCR pilot program calls for approximately 150 audits of covered entities, which audits are intended to address privacy and security compliance, and assist OCR in assessing and identifying best practices as well as risks and vulnerabilities for health care entities. Although the pilot program is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.

Sanctions for Lazy Disposal Require Drug Store Chain to Re-”Rite” its Data Security Policies and Procedures

Posted in Data Privacy Laws

Rite Aid has agreed to pay $1 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”) by pitching pill bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. According to HHS’ resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs and procedures and penalties for employees that fail to comply with them. Rite Aid also entered into a separate, but related settlement with the FTC to resolve allegations that the company failed to live up to promises made in its privacy policy.

New HIPAA Cop: First AG Settlement for HIPAA Violations

Posted in Medical Privacy

Last week, the Connecticut Attorney General became the first state attorney general to enter into a settlement agreement for HIPAA violations, as a result of the new authority granted to attorneys general under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

Posted in Data Breaches, Medical Privacy, Security Breach Notification Laws

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning… Continue Reading

HHS Enters Into First Monetary Settlement Under HIPAA

Posted in Medical Privacy

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence… Continue Reading