Category: HHS



HHS Immediately Reduces Annual Limits Across HIPAA Violations

Share

The Department of Health and Human Services (HHS) issued a notice, effective immediately, that it is exercising its enforcement discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS currently applies the same annual CMP limit across four separate tiers of violations based on the level of culpability surrounding the HIPAA violation. HHS will reduce the annual CMP limit for each of the four penalty tiers, pending further rulemaking, to better reflect the text of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Continue reading

HHS Task Group Releases Cybersecurity Guidelines for the Health Care Industry

Share

Health care is one of the most complex and socially impactful areas of digitalization. Ensuring cybersecurity of health care operations, therefore, is of paramount importance – because potential vulnerabilities may lead not only to financial or technical exposures, but to lapses in life-or-death situations for patients.

To assist practitioners with education and guidelines, and in pursuance of Cybersecurity Act of 2015 (Public Law 114-113), Section 405(d), the Department of Health and Human Services created a “405(d) Task Group” in May 2017, involving, more than 150 health care and cybersecurity experts. The result of their collaborative work became a voluntary guideline entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which was released at the end of 2018.

Continue reading

Physician Provided PHI to Media When “No Comment” Would Have Sufficed

Share

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $125,000 no-fault settlement and two-year corrective action plan with Allergy Associates of Hartford, P.C. (Allergy Associates) stemming from an incident involving a physician who impermissibly released protected health information (PHI) to the media.

Continue reading

Three Separate OCR Settlements Resulting from Hospital Failures to Obtain Patient Authorization for Use of Protected Health Information Before Filming Television Docuseries

Share

The Department of Health and Human Services, Office for Civil Rights (OCR) announced three separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH), respectively, over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule totaling $999,000. According to the settlements, the potential violations were the result of the alleged disclosure of patient protected health information (PHI) to ABC News employees during the production and filming of the docuseries called  “Save My Life: Boston Trauma,” at each hospital.

Continue reading

Continued Special Privacy Treatment for Substance Use Disorder Information

Share

The Senate Health, Education, Labor and Pensions Committee recently passed the Opioid Crisis Response Act of 2018 (OCRA) – a bipartisan package of more than 40 proposals designed to help families and entire communities affected by the nation-wide opioid crisis.

Continue reading

Involuntary Dissolution Does Not Absolve Business Associate of HIPAA Obligations

Share

A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) in a no-fault settlement regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

Filefax, an entity involuntarily dissolved by the Illinois Secretary of State in August 2017, previously provided services to HIPAA covered entities, including storage, maintenance, and delivery of medical records.  On February 10, 2015, OCR received an anonymous complaint alleging that an individual had transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and 9, 2015.  OCR investigated the matter and confirmed that an individual had left medical records that contained the protected health information (PHI) of approximately 2,150 patients at the shredding and recycling facility.  OCR’s investigation indicated that Filefax had either left the PHI in an unlocked truck in its parking lot or granted permission to an unauthorized person to remove the PHI from Filefax, and left the PHI unsecured outside of the Filefax facility.

Continue reading

« Older posts

© 2019 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy