Privacy and Information Security Law Blog

Tag Archives: HIPAA

HHS Settles with Shasta Regional Medical Center

Posted on June 18, 2013 by Hunton & Williams LLP

On June 13, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $275,000 settlement with Shasta Regional Medical Center (“Shasta”) that pertained to impermissible disclosures of protected health information (“PHI”) by Shasta officials to the media, as well as to Shasta’s entire workforce.

Tags: Department of Health and Human Services, Enforcement, Health Privacy, HIPAA, Privacy Rule, Protected Health Information, Workplace Privacy

HHS Announces Settlement with Idaho State University

Posted on May 23, 2013 by Hunton & Williams LLP

On May 21, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $400,000 settlement with Idaho State University (“ISU”) for a breach that affected 17,500 individuals.

The ISU settlement relates to servers that had their firewall protections disabled, which left the electronic protected health information (“ePHI”) of patients at ISU’s Pocatello Family Medicine Clinic unsecured for at least ten months. Following the submission of a breach report to the HHS Office for Civil Rights (“OCR”), an investigation determined that ISU allegedly had not complied with HIPAA Security Rule requirements, including by conducting an incomplete and inadequate risk analysis and by failing to “adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.”

Tags: Department of Health and Human Services, Enforcement, Health Privacy, HIPAA, HITECH Act, Protected Health Information, Security Rule

Court of Appeals Rules that HIPAA Preempts Florida Law

Posted on April 12, 2013 by Hunton & Williams LLP

On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit held that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law regarding the disclosure of patient records by nursing homes. The law required nursing homes in Florida to provide the medical records of a deceased nursing home resident to the “spouse, guardian, surrogate, proxy, or attorney in fact,” including “medical and psychiatric records and any records concerning the care and treatment of the resident performed by the facility, except progress notes and consultation report sections of a psychiatric nature.”

Tags: Florida, Health Privacy, HIPAA, Privacy Rule, Protected Health Information, U.S. State Law

Business Associate Compliance with the New HIPAA Rules

Posted on April 3, 2013 by Hunton & Williams LLP

On January 17, 2013, the U.S. Department of Health and Human Services issued a final omnibus rule modifying prior regulations enacted pursuant to the Health Insurance Portability and Accountability Act of 1996. Among the key changes that will come into effect this September is the addition of a provision that dramatically increases the number of organizations directly subject to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. In an article published in the March/April issue of Storage & Destruction Business Magazine, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, and Ryan P. Logan and Melinda L. McLellan, senior associates on the firm’s Privacy and Data Security team, discuss how the newly-adopted HIPAA Rules will impact business associates and outline steps that records and information management companies should take to prepare for the upcoming changes.

Download a PDF copy of the article.

Tags: Department of Health and Human Services, Health Privacy, HIPAA, HITECH Act, Lisa Sotto, Melinda McLellan, Privacy Rule, Protected Health Information, Ryan Logan, Security Breach, Security Rule

New HIPAA Omnibus Rule: A Compliance Guide

Posted on January 25, 2013 by Hunton & Williams LLP

The wait is over. On January 17, 2013, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) released its long-anticipated megarule (“Omnibus Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. These amendments implement and expand on the requirements of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the Genetic Information Nondiscrimination Act of 2008. The Omnibus Rule is effective March 26, 2013, and compliance is required with respect to most provisions no later than September 23, 2013. Coming into compliance will require significant effort and attention by covered entities and business associates alike. Below we highlight some of the more significant aspects of the Omnibus Rule and provide critical compliance tips.

Tags: Aaron Simpson, Department of Health and Human Services, Health Privacy, HIPAA, HITECH Act, Lisa Sotto, Privacy Rule, Protected Health Information, Ryan Logan, Security Breach, Security Rule

Sotto Discusses Top Privacy Trends for 2013

Posted on January 23, 2013 by Hunton & Williams LLP

In an interview with Tom Field of BankInfoSecurity, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, discussed the top privacy trends and threats for 2013. Lisa predicts that security vulnerabilities will remain the biggest threat to privacy, particularly with the move toward mobile computing. She also talked about key issues to watch in 2013, such as online behavioral advertising, big data and evolving privacy legislation and regulation, especially in the EU and other countries around the globe.

Listen to Lisa’s interview.

Tags: Behavioral Advertising, COPPA, EU Data Protection Directive, European Union, HIPAA, Information Security, Legislation, Lisa Sotto, Mobile Device, Multimedia Resources, Security Breach

HHS Issues Final Omnibus Rule Modifying HIPAA Privacy, Security, Enforcement and Breach Notification Rules

Posted on January 17, 2013 by Hunton & Williams LLP

On January 17, 2013, the Department of Health and Human Services (“HHS”) issued a Final Omnibus Rule modifying the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as well as the Breach Notification Rule promulgated pursuant to the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009. The Final Rule comes two and a half years after the proposed rule was published in July 2010.

Tags: Department of Health and Human Services, Health Privacy, HIPAA, HITECH Act, Privacy Rule, Protected Health Information, Security Rule

Medical Practices Agree to $140,000 Settlement with Massachusetts Attorney General

Posted on January 10, 2013 by Hunton & Williams LLP

On January 7, 2013, Massachusetts Attorney General Martha Coakley announced that several Massachusetts medical practices have agreed to a consent judgment and $140,000 payment to settle charges they improperly disposed of medical information. The defendants, which include several pathology practices and a firm that provided medical billing services to those practices, were accused of dumping hard copy medical records at the Georgetown Transfer Station, a waste management facility open to the public. The records allegedly contained the names, Social Security numbers and medical diagnoses of approximately 67,000 individuals. The illegal dumping allegations were publicized in a Boston Globe article after a photographer for the newspaper discovered medical records at the facility while he was disposing of his own trash.

Tags: Consent Order, Consumer Protection, Enforcement, Health Privacy, HIPAA, Massachusetts, Penalty, Privacy Rule, Protected Health Information, Social Security Number, State Attorneys General, U.S. State Law

HHS Settles First Enforcement Action Relating to a Breach Affecting Fewer than 500 Individuals

Posted on January 4, 2013 by Hunton & Williams LLP

On January 2, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $50,000 settlement with Hospice of North Idaho (“HONI”) for a breach that affected 441 individuals. This action is notable because prior HHS enforcement actions relating to breaches have involved a greater number of affected individuals (for example, the first breach-related enforcement action in March 2012 affected more than 1 million). The Health Information Technology for Economic and Clinical Health (“HITECH”) Breach Notification Rule sets 500 as a threshold number of affected individuals triggering certain notification requirements such as the obligation to notify HHS within 60 days of discovery of the breach.

Tags: Department of Health and Human Services, Enforcement, Health Privacy, HIPAA, HITECH Act, Protected Health Information, Security Breach, Security Rule

Sotto Discusses Preparation for Upcoming HIPAA Omnibus Rule

Posted on January 3, 2013 by Hunton & Williams LLP

In an interview with Marianne Kolbasuk McGee of HealthcareInfoSecurity, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, discusses the measures health care organizations should take to prepare for the issuance of the upcoming HIPAA Omnibus Rule. In March 2012, the Department of Health and Human Services (“HHS”) sent its final Omnibus Rule modifying the HIPAA Privacy, Security and Enforcement Rules to the White House Office of Management and Budget. In the interview, Sotto outlines her predictions of the content of the Omnibus Rule, including “modifications to the HIPAA privacy, security and enforcement rules” and “a final version of the HIPAA breach notification rule.”

Tags: Department of Health and Human Services, Enforcement, Events, Health Privacy, HIPAA, Lisa Sotto, Multimedia Resources, Privacy Rule, Protected Health Information, Security Rule

Privacy and Information Security Law Blog - Global privacy and information security law updates and analysis

Tag Archives: HIPAA

HHS Settles with Shasta Regional Medical Center

HHS Announces Settlement with Idaho State University

Court of Appeals Rules that HIPAA Preempts Florida Law

Business Associate Compliance with the New HIPAA Rules

New HIPAA Omnibus Rule: A Compliance Guide

Sotto Discusses Top Privacy Trends for 2013

HHS Issues Final Omnibus Rule Modifying HIPAA Privacy, Security, Enforcement and Breach Notification Rules

HHS Settles First Enforcement Action Relating to a Breach Affecting Fewer than 500 Individuals

Sotto Discusses Preparation for Upcoming HIPAA Omnibus Rule

Published By Hunton & Williams

Search

Subscribe

Topics

Recent Updates

Blogroll

Stay Connected

Privacy News