Tag Archives: HITECH Act

HHS Announces Settlement with Idaho State University

On May 21, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $400,000 settlement with Idaho State University (“ISU”) for a breach that affected 17,500 individuals.

The ISU settlement relates to servers that had their firewall protections disabled, which left the electronic protected health information (“ePHI”) of patients at ISU’s Pocatello Family Medicine Clinic unsecured for at least ten months. Following the submission of a breach report to the HHS Office for Civil Rights (“OCR”), an investigation determined that ISU allegedly had not complied with HIPAA Security Rule requirements, including by conducting an incomplete and inadequate risk analysis and by failing to “adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.”


Tags: Department of Health and Human Services, Enforcement, Health Privacy, HIPAA, HITECH Act, Protected Health Information, Security Rule

Business Associate Compliance with the New HIPAA Rules

On January 17, 2013, the U.S. Department of Health and Human Services issued a final omnibus rule modifying prior regulations enacted pursuant to the Health Insurance Portability and Accountability Act of 1996. Among the key changes that will come into effect this September is the addition of a provision that dramatically increases the number of organizations directly subject to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. In an article published in the March/April issue of Storage & Destruction Business Magazine, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, and Ryan P. Logan and Melinda L. McLellan, senior associates on the firm’s Privacy and Data Security team, discuss how the newly adopted HIPAA Rules will impact business associates and outline steps that records and information management companies should take to prepare for the upcoming changes.

Download a PDF copy of the article.

Tags: Department of Health and Human Services, Health Privacy, HIPAA, HITECH Act, Lisa Sotto, Melinda McLellan, Privacy Rule, Protected Health Information, Ryan Logan, Security Breach, Security Rule

New HIPAA Omnibus Rule: A Compliance Guide

The wait is over. On January 17, 2013, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) released its long-anticipated megarule (“Omnibus Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. These amendments implement and expand on the requirements of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the Genetic Information Nondiscrimination Act of 2008. The Omnibus Rule is effective March 26, 2013, and compliance is required with respect to most provisions no later than September 23, 2013. Coming into compliance will require significant effort and attention by covered entities and business associates alike. Below we highlight some of the more significant aspects of the Omnibus Rule and provide critical compliance tips.


Tags: Aaron Simpson, Department of Health and Human Services, Health Privacy, HIPAA, HITECH Act, Lisa Sotto, Privacy Rule, Protected Health Information, Ryan Logan, Security Breach, Security Rule

HHS Issues Final Omnibus Rule Modifying HIPAA Privacy, Security, Enforcement and Breach Notification Rules

On January 17, 2013, the Department of Health and Human Services (“HHS”) issued a Final Omnibus Rule modifying the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as well as the Breach Notification Rule promulgated pursuant to the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), enacted in 2009. The Final Rule comes two and a half years after the proposed rule was published in July 2010.


Tags: Department of Health and Human Services, Health Privacy, HIPAA, HITECH Act, Privacy Rule, Protected Health Information, Security Rule

HHS Settles First Enforcement Action Relating to a Breach Affecting Fewer than 500 Individuals

On January 2, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $50,000 settlement with Hospice of North Idaho (“HONI”) for a breach that affected 441 individuals. This action is notable because prior HHS enforcement actions relating to breaches have involved a greater number of affected individuals (for example, the first breach-related enforcement action, in March 2012, involved a breach affecting more than 1 million individuals). The Health Information Technology for Economic and Clinical Health (“HITECH”) Breach Notification Rule sets 500 as the threshold number of affected individuals that triggers certain notification requirements, such as the obligation to notify HHS within 60 days of discovery of the breach.


Tags: Department of Health and Human Services, Enforcement, Health Privacy, HIPAA, HITECH Act, Protected Health Information, Security Breach, Security Rule

HHS Publishes Guidance on How to De-Identify Protected Health Information

On November 26, 2012, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published guidance on the two methods for de-identifying protected health information (“PHI”) in accordance with the HIPAA Privacy Rule. The guidance, which was required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, has been developed over several years by OCR in collaboration with healthcare entities and other industry experts and builds upon the discussions from a workshop on de-identification that took place in March 2010.


Tags: Department of Health and Human Services, Health Privacy, HIPAA, HITECH Act, Privacy Rule, Protected Health Information, Safe Harbor, Social Security Number

HHS Announces $1.5 Million HIPAA Settlement with Massachusetts Facilities

On September 17, 2012, the Department of Health and Human Services (“HHS”) announced a $1.5 million settlement with the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (“MEEI”) for potential violations of the HIPAA Security Rule. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that organizations should pay special attention to safeguarding information “stored and transported on portable devices such as laptops, tablets, and mobile phones” and that “compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”


Tags: Department of Health and Human Services, Enforcement, Health Privacy, HIPAA, HITECH Act, Massachusetts, Penalty, Protected Health Information, Security Rule

Minnesota Attorney General Announces $2.5 Million Settlement with Accretive Health

On July 31, 2012, Minnesota Attorney General Lori Swanson announced a $2.5 million settlement with Accretive Health, Inc. (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, and various Minnesota debt collection and consumer protection laws. As we previously reported in January 2012, Accretive, which acted as a business associate to two Minnesota hospital systems, experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.


Tags: Consumer Protection, Department of Health and Human Services, Enforcement, Health Privacy, HIPAA, HITECH Act, Minnesota, Protected Health Information, Security Breach, State Attorneys General

HHS Settles First HIPAA Enforcement Action Against a State Agency

On June 26, 2012, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $1.7 million settlement with the Alaska Department of Health and Social Services (“DHSS”) for violations of the HIPAA Security Rule. This is the first HIPAA enforcement action taken by HHS against a state agency. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that OCR “expect[s] organizations to comply with their obligations under [the HIPAA Security and Privacy Rules] regardless of whether they are private or public entities.”


Tags: Alaska, Department of Health and Human Services, Enforcement, Health Privacy, HIPAA, HITECH Act, Protected Health Information, Security Rule

OCR Director Leon Rodriguez Says Tolerance for HIPAA Non-Compliance Is Low

On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.


Tags: Compliance, Department of Health and Human Services, Enforcement, Events, Health Privacy, HIPAA, HITECH Act, Minnesota, National Institute of Standards and Technology, Privacy Rule, Protected Health Information, Security Rule, State Attorneys General