On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it violated federal and state information security laws when it lost backup tapes. The backup tapes, allegedly containing sensitive personal information and protected health information of 12,127 Massachusetts residents, were … Continue Reading
Medical and healthcare-related security and privacy concerns have been front page news in 2013, especially with recent launches of federal and state medical healthcare exchanges and changes stemming from the “HIPAA Omnibus Final Rule” enacted early this year that went into effect as of September 23rd. In a timely and notable report, the Ponemon Institute … Continue Reading
Last week marked the effective date of the Department of Health and Human Services (HHS) Office of Civil Rights comprehensive modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (“the Rules”). The arrival of the effective date commences the 180-day period for covered entities to come into compliance with most of the Rule’s … Continue Reading
Yesterday, the U.S. Department of Health and Human Services (HHS) released the long awaited final omnibus rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The full text of the Final Rule can be found HERE. The InfoLawGroup is analyzing the 500+ page document and will be posting on the changes in … Continue Reading
Released today, the Ponemon Institute‘s Third Annual Benchmark Study on Patient Privacy & Data Security (available at, http://www2.idexpertscorp.com/ponemon2012/) starkly highlights the continued serious challenges faced by healthcare organizations in adequately safeguarding protected health information (“PHI”). As the study notes straight out of the gate “the threats to healthcare organizations have become increasingly more difficult to … Continue Reading
This month, federal agencies and FINRA have announced significant privacy enforcement actions that have resulted in millions of dollars in fines. The U.S. Department of Health and Human Services (HHS) imposed a $4.3M fine on a health plan for violations of the HIPAA Privacy Rule; the Federal Trade Commission (FTC) settled with several resellers of consumer reports allegations that the resellers failed to adequately safeguard consumer information; and FINRA imposed a $600K fine on two securities firms for failure to safeguard access to customer records. Here are the details:
… Continue Reading
It didn’t take long for an Attorney General to latch onto Title XII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement. Indeed, Heath Net of the North … Continue Reading
As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated Notice of Proposed Rulemaking ("NPRM") on Modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the "HITECH" Act). For those of us who subscribe to numerous technology and law listservs, this meant emailboxes flooded with opinions, criticism, speculation, and flat-out fear mongering. We thought people might like to know what the proposed modifications actually say, and what they mean. So, this post provides Part One of a FAQ on the 234 page NPRM. This post, Part One, addresses general issues (including significant changes involving subcontractors) and proposed modifications to the HIPAA Security and Enforcement Rules. Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.
… Continue Reading
The Department of Health and Human Services released proposed modifications to the privacy and security rules related to HIPAA. We are still reading through the 234 page document, but it appears that the new rules expand HIPAA responsibilities for business associates. In addition, HHS has set up a web portal that provides a summary of … Continue Reading
On February 17, 2009, Congress signed into law the Health Information Technology for Economic and Clinical Health or "HITECH" Act ("HITECH" or the "Act") as part of the American Recovery and Reinvestment Act. The HITECH Act requires entities covered by the Health Insurance Portability and Accountability Act ("HIPAA") to provide notification to affected individuals and to the Secretary of Health and Human Services ("HHS") following the discovery of a breach of unsecured protected health information. HITECH also requires business associates of HIPAA-covered entities to notify the covered entity in the event of the breach. The Act required HHS to issue interim final regulations with respect to the new breach notification requirements. On August 24, 2009, the HHS interim final regulations were published in the Federal Register.
… Continue Reading