Involuntary Dissolution Does Not Absolve Business Associate of HIPAA Obligations

A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) in a no-fault settlement regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

Filefax, an entity involuntarily dissolved by the Illinois Secretary of State in August 2017, previously provided services to HIPAA covered entities, including storage, maintenance, and delivery of medical records.  On February 10, 2015, OCR received an anonymous complaint alleging that an individual had transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and 9, 2015.  OCR investigated the matter and confirmed that an individual had left medical records that contained the protected health information (PHI) of approximately 2,150 patients at the shredding and recycling facility.  OCR’s investigation indicated that Filefax had either left the PHI in an unlocked truck in its parking lot or granted permission to an unauthorized person to remove the PHI from Filefax, and left the PHI unsecured outside of the Filefax facility.

OCR Kick Starts 2018 with Severe $3.5 Million HIPAA Settlement and Corrective Action Plan

Fresenius Medical Center North America (FMCNA) agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a two-year comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

The no-fault resolution agreement states that FMCNA reported five separate incidents that occurred between February 23, 2012 and July 18, 2012 at five distinct FMCNA facilities (FMCNA Covered Entities).  FMCNA provides centralized corporate support to the FMCNA Covered Entities, including storing patients’ medical records, creating and disseminating HIPAA policies and procedures, and investigating the circumstances surrounding each breach reported to it by the FMCNA Covered Entities.

Connecticut Supreme Court Establishes Private Right to Sue Over Medical Record Breaches

The Connecticut Supreme Court has joined several other states by holding that health care providers owe patients a common law duty to maintain the confidentiality of their medical records. In a unanimous reversal of the lower court’s ruling, the court determined that the unauthorized disclosure of confidential information obtained in the course of a physician-patient relationship gives rise to a cause of action in tort against the health care provider, unless the disclosure is otherwise allowed by law.

Emily Byrne sued the Avery Center for Obstetrics and Gynecology, P.C. (“Avery”) for negligence and negligent infliction of emotional distress in connection with Avery’s release of her medical records in response to a subpoena issued by her ex-boyfriend, Andro Mendoza, in the course of a paternity action.  The subpoena instructed Avery to send the custodian of its records to appear, together with Byrne’s medical records, at the New Haven Regional Children’s Probate Court.  Avery did not alert Byrne about the subpoena, file a motion to quash it, or appear in court – it mailed Byrne’s medical records.  Byrne alleges that she suffered harassment and extortion threats from Mendoza because Avery gave him access to her medical records without her knowledge or consent.

Oncology Services Provider Reaches $2.3 Million Settlement with HHS for Data Breach

21st Century Oncology, Inc. (21CO), a Florida-based oncology services provider, has agreed to pay $2.3 million in a no-fault resolution to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential civil money penalties stemming from a 2015 cyberattack on its network SQL database.  The Federal Bureau of Investigation (FBI) was first to detect that an unauthorized third party illegally obtained patient information from 21CO in October 2015.  Upon further investigation by 21CO and OCR, it was determined that 21CO:

  • Impermissibly disclosed the protected health information (PHI), including names, Social Security numbers, diagnoses, and treatments, of 2,213,597 of its patients.
  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI).
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Disclosed protected health information to third-party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement.

Recent OCR Action Provides HIPAA Guidance Related to Opioid Crisis and Privacy Rule in Research

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently released several new tools and guidance to ensure that patients and their family members can gain access to information needed to prevent and address opioid abuse and overdose, as well as mental health crises. The materials are focused on the Health Insurance Portability and Accountability Act (HIPAA) and also serve to fulfill certain clarification requirements on HIPAA and research under the 21st Century Cures Act (the “Cures Act”).  The Cures Act was passed by Congress in 2016 and requires, in part, that “health care providers, professionals, patients and their families, and others involved in mental [health] or substance use disorder treatment have adequate, accessible, and easily comprehensible resources relating to appropriate uses and disclosures of protected health information (PHI) under . . . [HIPAA].”

Investigation Continues After Massive Data Breach at Henry Ford Health System

An unknown hacker gained access to 18,470 patients’ personal health information via employee emails at Detroit-based Henry Ford Health System (HFHS).

According to the press release, HFHS first learned of the incident on October 3, 2017, after becoming aware that the email credentials of a group of employees were compromised.  Even though the emails were name- and password-protected by encryption, they remained vulnerable to such illegal access.  The email accounts contained patient health information, including:

  • Patient name
  • Date of birth
  • Medical record number
  • Provider’s name
  • Date of service
  • Department’s name
  • Location
  • Medical condition
  • Health insurer

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.