Tag Archives: HIPAA

HHS Issues Notice of Proposed Rulemaking for Accounting of Disclosures of Protected Health Information

Posted on May 31, 2011 by Hunton & Williams LLP

On May 27, 2011, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking regarding the HIPAA Privacy Rule provision that requires covered entities to provide an accounting of disclosures of protected health information (“PHI”) to individuals upon request.  The proposed rule revises existing HIPAA Privacy Rule provisions regarding an accounting of disclosures and also gives individuals a new right to obtain an “access report” about which specific individuals have accessed electronic PHI in a designated record set.  The proposed rule also requires covered entities to modify their privacy notices to include that individuals have the right to obtain an access report from the covered entities.

Continue reading…

Tags: , , , ,

CVS Sued for Alleged Privacy Violations

Posted on March 11, 2011 by Hunton & Williams LLP

On March 7, 2011, Arthur Steinberg and the Philadelphia Federation of Teachers Health and Welfare Fund sued CVS Caremark Corporation (“CVS”), alleging that its unauthorized disclosure of protected health information (“PHI”) constituted an unfair trade practice. The complaint claims that CVS, one of the nation’s largest pharmacies, sent letters to physicians that listed their patients’ names, dates of birth and prescribed medications. The letters encouraged the physicians to prescribe drugs made by pharmaceutical manufacturers, who paid CVS to send them. This purported disclosure of PHI would violate the HIPAA Privacy Rule’s prohibitions against disclosing PHI for marketing purposes without an individual’s authorization.

This is the second major lawsuit filed against CVS in the past few year. Last December, a group of Texas pharmacies filed suit against CVS for violations of Racketeer Influenced and Corrupt Organizations Act (“RICO”) and misappropriation of trade secrets. The Texas complaint alleged that CVS disclosed PHI to pharmaceutical manufacturers for the manufacturers’ marketing purposes. In 2009, CVS paid $2.25 million to the Department of Health and Human Services (“HHS”) to settle charges that it violated the HIPAA Security Rule by dumping prescription records in dumpsters.

Tags: , , , ,

HHS Announces $1,000,000 Resolution Agreement with Mass General for HIPAA Violations

Posted on February 28, 2011 by Hunton & Williams LLP

On February 24, 2011, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced a $1,000,000 Resolution Agreement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) that stemmed from the loss of protected health information (“PHI”) of 192 patients.  A Mass General employee had left hard-copy records containing PHI on the subway in March 2009.  The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS.  After receiving a complaint from an affected patient, OCR conducted an investigation that demonstrated that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

Continue reading…

Tags: , , , ,

HHS Fines Cignet Health $4.3 Million for Violation of HIPAA Privacy Rule

Posted on February 22, 2011 by Hunton & Williams LLP

On February 22, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed its first civil money penalty for an entity’s violation of HIPAA’s Privacy Rule.  In its Notice of Final Determination, OCR concluded that Cignet Health withheld patient records despite requests for their disclosure.  Of the $4.3 million penalty, $1.3 million was levied for denying patients access to their own medical records, while an additional $3 million was imposed due to Cignet’s failure to cooperate with OCR’s investigation as required by the Privacy Rule.  Increased penalty amounts were authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act).

Continue reading…

Tags: , , , ,

President’s Council of Advisors on Science and Technology Release Health IT Report

Posted on January 19, 2011 by Hunton & Williams LLP

While much of the attention of the privacy policy community in Washington, D.C. has been focused on the two reports issued in December 2010 by the Federal Trade Commission and the Department of Commerce, a third government report has received far less press attention, but may have a greater impact on U.S. business and consumers.  The work of the President’s Council of Advisors on Science and Technology (“PCAST”) and its Health Information Technology Working Group, the report, “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward,” was released by the White House on December 8, 2010.

Continue reading…

Tags: , ,

Health Care Organizations Comment on Proposed Modifications to HIPAA Privacy, Security and Enforcement Rules

Posted on October 4, 2010 by Hunton & Williams LLP

The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010.  Some highlights from the comments are outlined below.

Enforcement Rule

The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional.  According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective.  The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”

Continue reading…

Tags: , , , , ,

Rite Aid Pharmacy Pays $1 Million; Settles FTC and HHS Charges Regarding Data Practices

Posted on July 28, 2010 by Hunton & Williams LLP

Rite Aid has agreed to pay $1 million and implement remedial measures to resolve Department of Health and Human Services (“HHS”) and Federal Trade Commission allegations that it failed to protect customers’ sensitive health information.  The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications.  The FTC took issue with this practice in light of the pharmacy’s alleged claims that “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously . . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.”  At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act.

Continue reading…

Tags: , , ,

HHS Issues Modifications to the HIPAA Privacy, Security and Enforcement Rules

Posted on July 8, 2010 by Hunton & Williams LLP

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

Continue reading…

Tags: , , , , ,

HHS To Examine Breach Notification and Risk Mitigation Plans

Posted on May 24, 2010 by Hunton & Williams LLP

The Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”) has announced that it will more closely examine covered entities’ breach notification and risk mitigation plans.  OCR noted that small and medium sized covered entities have been particularly vulnerable to data breaches.  The National Institute of Standards and Technology (“NIST”) will publish a guide for covered entities that “outlines the steps to mitigate risks for data breaches, training for how to respond to breaches, and overall preparation in the event of a breach, such as alternate storage facilities for data.”

As previously discussed on this blog, OCR has announced an uptick in HIPAA Security Rule enforcement and issued draft guidance regarding the “risk analysis” implementation specification in the Security Rule.

Tags: , , , , ,

HHS Official Reports Uptick in HIPAA Security Rule Enforcement

Posted on May 14, 2010 by Hunton & Williams LLP

David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”).  Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule.  In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”

Continue reading…

Tags: , , , , ,