Highlighting current events, news, and key legal and regulatory authorities and guidance related to health care data privacy and security. 

Blog Listing

11.29.2017 OCR’s Phase 2 Desk Audit Results Indicate Covered Entities Have Room to Improve
On September 6, 2017, at the Office for Civil Rights (OCR)/National Institute of Standards and Technology (NIST) 10th Annual Conference, Safeguarding Health Information: Building Assurance through HIPAA Security, Linda Sanches, a Senior Advisor with OCR, presented on the status of the HIPAA Phase 2 Audit Program.

09.18.2017 Recent Guidance from OCR Focuses on Hurricanes Harvey and Irma
With the recent focus on the devastating hurricanes Harvey and Irma, the Department of Health and Human Services (HHS) has been heavily involved in supporting the recovery efforts.

08.17.2017 Another Key to HIPAA Compliance – Have Policies and Procedures and Implement Them, Too
On this blog, we have discussed the criticality of risk analyses – the assessment, required by the Security Rule, of the “risks and vulnerabilities” that an organization faces with respect to all of its electronic protected health information (ePHI).

06.26.2017 Health Care Industry Still a Prime Target for Ransomware Attacks – Don’t Let Them Make You WannaCry
The global ransomware attack known as “WannaCry” was among the biggest news stories in May, bringing the term “ransomware” into widespread public awareness.

06.16.2017 HIPAA Settlements in April and May Highlight Key Compliance Concerns for OCR
After a break in March with no new settlement agreements, OCR returned in April and May with quite a few.

05.10.2017 Don’t Let a “Man in the Middle” Monkey with Your Health Data
There are numerous causes of breaches of protected health information (PHI), ranging from human oversights to “high-tech” errors.

04.25.2017 It’s Just Plain Risky Not to Do a Risk Analysis: Recent OCR Settlement One of Several Resulting from Failure to Analyze and Address Risks to ePHI
On April 12, 2017, the Office for Civil Rights (“OCR”) announced a settlement and corrective action plan with a Colorado federally qualified health center, Metro Community Provider Network (“MCPN”), after a 2012 breach of electronic protected health information affected roughly 3,200 individuals.

03.30.2017 2017 HIPAA Enforcement: New Settlements and Penalties Already Total Over $11,000,000
In our last post, we highlighted the 2016 settlements between the Office for Civil Rights (OCR) and various covered entities (and business associates), in one of OCR’s most active years.

02.10.2017 An Active Year for OCR: A 2016 Retrospective of HIPAA Settlements
Already this year, the Office for Civil Rights (OCR) has announced two settlements related to HIPAA violations, totaling over $2.5 million, and the imposition of a civil money penalty of $3.2 million. Before we get too far into 2017, however, OCR’s 2016 settlements provide valuable insight into where covered entities and business associates have had trouble complying with HIPAA, and what the potential consequences for substantial noncompliance might be.

10.24.2016 Policing PHI Privacy and Security: Prepare for Increased Scrutiny of Smaller Breaches
According to the Ponemon Institute, almost all health care providers and other “covered entities” will experience a data breach. If protected health information is compromised by the breach, the entity is required to report the breach under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). HIPAA’s breach notification structure requires reporting to the individual whose record was affected, the Department of Health and Human Services (“HHS”) and/or the media. HHS recognizes a difference between “larger” breaches, those affecting 500 or more individuals, and “smaller” breaches, those affecting fewer than 500.