On March 2, 2023, the Federal Trade Commission (FTC) announced that it had reached a $7.8 million settlement with mental health and online counseling platform, BetterHelp, Inc. (“BetterHelp”). The FTC alleged that BetterHelp shared consumers’ sensitive health data combined with other personal information (PI) with third party advertising platforms without first obtaining affirmative consent and … Continue Reading
On December 1, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a Bulletin to highlight the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” or what OCR describes as “script or code on a website or mobile app used to gather information … Continue Reading
The Department of Health and Human Services (“HHS”) has issued a formal request for information from the public about how regulated entities are implementing industry recognized security practices. The request for information represents a chance for the private sector to contribute to HHS regulation. Interested parties have until June 6, 2022 to submit comments. HHS … Continue Reading
By Elizabeth (Betsy) Rosen Siegel. Posted in HIPAA.
Congress established the Health Care Industry Cybersecurity Task Force (the “Task Force”) in the Cybersecurity Act of 2015 (the “Act”) to address the challenges the health care industry faces when securing and protecting itself against cybersecurity incidents. While all health care delivery organizations have a responsibility to secure their systems and patient data, many organizations … Continue Reading
On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft … Continue Reading
Authors: Roger Cohen, Paul Hamburger, Kristen Mathews, Ellen Moskowitz, Richard Zall
Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies. … Continue Reading
We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of … Continue Reading
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules. These four factsheets are described in detail below. I. OCR Consumer Factsheet: … Continue Reading
Recently announced changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule represent one of the most significant developments in health care privacy law in the past 10 years. Known as the final omnibus rule, the changes were announced by the U.S. Department of Health and Human Services on January 17, … Continue Reading
On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form; and (3) provides individuals with the right to … Continue Reading
As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers create a “culture of compliance and awareness” and to protect patients’ Protected Health … Continue Reading
On November 26, 2012, the Department of Health and Human Services Office for Civil Rights (“OCR”) published a thirty-two page document titled “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” (“De-Identification Guidance”). OCR described the guidance document as a culmination of two … Continue Reading
As health care providers, patients, family members, friends, and disaster relief agencies such as the American Red Cross continue to grapple with the aftermath of Hurricane Sandy, it is important to be mindful of privacy regulations and to prepare in advance for the next emergency. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA” … Continue Reading
A federal district court dismissed an action against an employer alleging vicarious liability for an employee's dissemination of a patient's protected health information (PHI) related to treatment for a sexually transmitted disease (STD). Specifically, the court found that the employer, a private New York medical clinic, was not vicariously liable for the actions of the employee because the employee was acting in a personal capacity which was beyond the scope of her employment.
On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection … Continue Reading
On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program. The OCR pilot program calls for approximately 150 audits of covered entities, which audits are intended to address privacy and security compliance, and assist OCR in assessing and identifying best practices as well as risks and vulnerabilities for health care entities. Although the pilot program is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.
Cignet Health was fined $4.3 million by the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights for violating the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996.
Rite Aid has agreed to pay $1 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act ("HIPAA") by pitching pill bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. According to HHS' resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs and procedures and penalties for employees that fail to comply with them. Rite Aid also entered into a separate, but related settlement with the FTC to resolve allegations that the company failed to live up to promises made in its privacy policy.
Last week, the Connecticut Attorney General became the first state attorney general to enter into a settlement agreement for HIPAA violations, as a result of the new authority granted to attorneys general under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively, published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning … Continue Reading
On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence … Continue Reading