For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations. On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000
Medical Privacy
HHS Announces New Patient Privacy and Security Protections
On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form; and (3) provides…
Keep An Eye On Those Shiny, New Mobile Devices!
As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers create a “culture of compliance and awareness” and to protect patients’ Protected Health Information (“PHI”). While the material is focused on health care professionals, the information is also applicable to group health plan professionals and their business associates who use mobile devices to store and transmit PHI in connection with administration of group health plans.
OCR Issues Guidance On HIPAA Privacy Rule’s De-Identification Standard
On November 26, 2012, the Department of Health and Human Services Office for Civil Rights (“OCR”) published a thirty-two page document titled “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” (“De-Identification Guidance”). OCR described the guidance document as a culmination of two years of work by “stakeholders with practical, technical and policy experience in de-identification.” OCR also acknowledged that the guidance implements many of the issues and topics that were raised during an OCR workshop held in Washington, DC on March 8-9, 2010.
HIPAA Privacy In The Aftermath Of Sandy: Be Prepared For The Next Emergency
As health care providers, patients, family members, friends, and disaster relief agencies such as the American Red Cross continue to grapple with the aftermath of Hurricane Sandy it is important to be mindful of privacy regulations and to prepare in advance for the next emergency. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA” or “Privacy Rule”) protects individually identifiable health information held by “covered entities.” The information protected is referred to as protected health information or PHI. The Privacy Rule permits covered entities to disclose PHI for a variety of purposes including to (a) treat patients; (b) identify, locate and notify family members, guardians, or anyone else responsible for an individual’s care; (c) obtain the services of disaster relief agencies; (d) conduct public health activities; and (e) prevent or lessen serious and imminent threats to health or safety.
Governing the Code of Life
What if the story of your life was written at birth- a “future diary” available for someone to read? The decoding of the human genome over a decade ago held the promise of defying our genetic destiny, but it also foreshadowed some significant ethical issues on the horizon. This month, California legislators addressed some of these concerns in the Genetic Information Privacy Act (SB 1267). The proposed bill would guard against covert DNA testing by requiring written permission from California citizens before collecting, analyzing, storing or sharing their genetic information. Any such data obtained with permission could only be used within the scope of the permission given by the DNA owner, after which the DNA samples would have to be destroyed.
New York Court Finds Clinic Not Liable for Employee’s Disclosure of PHI
A federal district court dismissed an action against an employer alleging vicarious liability for an employee’s dissemination of a patient’s protected health information (PHI) related to treatment for a sexually transmitted disease (STD). Specifically, the court found that the employer, a private New York medical clinic, was not vicariously liable for the actions of the employee because the employee was acting in a personal capacity which was beyond the scope of her employment.
…
State Attorney General Action Under HITECH
On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection agency, lost a laptop containing unencrypted PHI of approximately 23,500 Minnesota patients. This represents one of the first cases brought by a state attorney general under HIPAA.