Tag Archives: Privacy Rule

Minnesota AG Sues Debt Collection Agency for Health Privacy Violations

Posted on January 24, 2012 by Hunton & Williams LLP

On January 19, 2012, Minnesota Attorney General Lori Swanson announced a lawsuit against Accretive Health, Inc., (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit, which was filed in Federal District Court in Minnesota, alleges that Accretive failed to adequately safeguard patients’ protected health information (“PHI”). This failure contributed to a July 2011 information security breach when an Accretive employee left an unencrypted laptop containing information of approximately 23,500 patients in a rental car. The laptop was stolen and has not yet been recovered.

Tags: Consumer Protection, HIPAA, HITECH Act, Minnesota, Privacy Rule, Protected Health Information, Social Security Number, State Attorneys General

HHS Pressured to Drop Access Report Provision in Proposed Rule

Posted on August 5, 2011 by Hunton & Williams LLP

Several health care industry groups requested that the Department of Health and Human Services (“HHS”) either remove or significantly revise a proposed “access report” requirement in its recent notice of proposed rulemaking (the “Proposed Rule”) for the accounting of disclosures of protected health information (“PHI”). As we reported in May, HHS issued the Proposed Rule that revises existing HIPAA Privacy Rule provisions regarding accounting of disclosures and gives individuals a new right to obtain an “access report” that would list the specific persons who have accessed a patient’s PHI, and describe any actions taken by those persons with respect to the PHI (e.g., create, modify, access or delete).

Tags: Department of Health and Human Services, HIPAA, HITECH Act, Privacy Rule, Protected Health Information

IAPP Hosts Webinar on Upcoming OCR Audit Program

Posted on August 2, 2011 by Hunton & Williams LLP

On July 28, 2011, the International Association of Privacy Professionals (“IAPP”) hosted a webinar that addressed the upcoming audit program of the Department of Health and Human Services Office of Civil Rights (“OCR”). Susan McAndrew, the Deputy Director for Health Information Privacy at OCR, provided an overview of the audit program, noting that it stemmed from Section 13411 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. That section of the HITECH Act authorized the Secretary of the Health and Human Services to “provide for periodic audits to ensure that covered entities and business associates” comply with the requirements of the HIPAA Privacy and Security Rules.

Tags: Compliance, Department of Health and Human Services, HIPAA, HITECH Act, International Association of Privacy Professionals, Privacy Rule, Protected Health Information, Security Rule

Texas Enacts Expansive New Health Privacy Law

Posted on July 11, 2011 by Hunton & Williams LLP

Last month, Texas Governor Rick Perry signed a health privacy bill into law that imposes new obligations exceeding the requirements in the HIPAA Privacy Rule. The law, which will become effective on September 1, 2012, incorporates the expanded definition of the term “covered entity” in Texas’s existing health privacy law and could have a broad impact on many non-HIPAA covered entities.

Tags: HIPAA, Privacy Rule, Protected Health Information, Texas

HHS Announces $865,500 Settlement with UCLA Health System for HIPAA Violations

Posted on July 8, 2011 by Hunton & Williams LLP

On June 7, 2011, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $865,500 settlement with the University of California at Los Angeles Health System (“UCLA Health System”) for violations of the HIPAA Privacy and Security Rules. UCLA Health System employees were accused of violating the Privacy Rule by improperly accessing the protected health information (“PHI”) of patients, including several high-profile celebrities who filed complaints with HHS. A subsequent investigation by HHS’s Office of Civil Rights (“OCR”) revealed that in addition to neglecting to sanction the employees who had improperly accessed patient PHI, UCLA Health System had failed to train its employees on the HIPAA Privacy and Security Rules or implement security measures to “reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.”

Tags: Department of Health and Human Services, HIPAA, Penalty, Privacy Rule, Protected Health Information

HHS Issues Notice of Proposed Rulemaking for Accounting of Disclosures of Protected Health Information

Posted on May 31, 2011 by Hunton & Williams LLP

On May 27, 2011, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking regarding the HIPAA Privacy Rule provision that requires covered entities to provide an accounting of disclosures of protected health information (“PHI”) to individuals upon request. The proposed rule revises existing HIPAA Privacy Rule provisions regarding an accounting of disclosures and also gives individuals a new right to obtain an “access report” about which specific individuals have accessed electronic PHI in a designated record set. The proposed rule also requires covered entities to modify their privacy notices to include that individuals have the right to obtain an access report from the covered entities.

Tags: Department of Health and Human Services, HIPAA, HITECH Act, Privacy Rule, Protected Health Information

CVS Sued for Alleged Privacy Violations

Posted on March 11, 2011 by Hunton & Williams LLP

On March 7, 2011, Arthur Steinberg and the Philadelphia Federation of Teachers Health and Welfare Fund sued CVS Caremark Corporation (“CVS”), alleging that its unauthorized disclosure of protected health information (“PHI”) constituted an unfair trade practice. The complaint claims that CVS, one of the nation’s largest pharmacies, sent letters to physicians that listed their patients’ names, dates of birth and prescribed medications. The letters encouraged the physicians to prescribe drugs made by pharmaceutical manufacturers, who paid CVS to send them. This purported disclosure of PHI would violate the HIPAA Privacy Rule’s prohibitions against disclosing PHI for marketing purposes without an individual’s authorization.

This is the second major lawsuit filed against CVS in the past few year. Last December, a group of Texas pharmacies filed suit against CVS for violations of Racketeer Influenced and Corrupt Organizations Act (“RICO”) and misappropriation of trade secrets. The Texas complaint alleged that CVS disclosed PHI to pharmaceutical manufacturers for the manufacturers’ marketing purposes. In 2009, CVS paid $2.25 million to the Department of Health and Human Services (“HHS”) to settle charges that it violated the HIPAA Security Rule by dumping prescription records in dumpsters.

Tags: Consumer Protection, Department of Health and Human Services, HIPAA, Privacy Rule, Protected Health Information

HHS Announces $1,000,000 Resolution Agreement with Mass General for HIPAA Violations

Posted on February 28, 2011 by Hunton & Williams LLP

On February 24, 2011, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced a $1,000,000 Resolution Agreement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) that stemmed from the loss of protected health information (“PHI”) of 192 patients. A Mass General employee had left hard-copy records containing PHI on the subway in March 2009. The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS. After receiving a complaint from an affected patient, OCR conducted an investigation that demonstrated that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

Tags: Department of Health and Human Services, HIPAA, Penalty, Privacy Rule, Protected Health Information

HHS Fines Cignet Health $4.3 Million for Violation of HIPAA Privacy Rule

Posted on February 22, 2011 by Hunton & Williams LLP

On February 22, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed its first civil money penalty for an entity’s violation of HIPAA’s Privacy Rule. In its Notice of Final Determination, OCR concluded that Cignet Health withheld patient records despite requests for their disclosure. Of the $4.3 million penalty, $1.3 million was levied for denying patients access to their own medical records, while an additional $3 million was imposed due to Cignet’s failure to cooperate with OCR’s investigation as required by the Privacy Rule. Increased penalty amounts were authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act).

Tags: Department of Health and Human Services, HIPAA, HITECH Act, Penalty, Privacy Rule

Health Care Organizations Comment on Proposed Modifications to HIPAA Privacy, Security and Enforcement Rules

Posted on October 4, 2010 by Hunton & Williams LLP

The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010. Some highlights from the comments are outlined below.

Enforcement Rule

The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional. According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective. The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”

Tags: Enforcement Rule, HIPAA, HITECH Act, Privacy Rule, Protected Health Information, Security Rule

Privacy and Information Security Law Blog - Global privacy and information security law updates and analysis

Tag Archives: Privacy Rule

HHS Pressured to Drop Access Report Provision in Proposed Rule

IAPP Hosts Webinar on Upcoming OCR Audit Program

Texas Enacts Expansive New Health Privacy Law

HHS Announces $865,500 Settlement with UCLA Health System for HIPAA Violations

HHS Issues Notice of Proposed Rulemaking for Accounting of Disclosures of Protected Health Information

CVS Sued for Alleged Privacy Violations

HHS Announces $1,000,000 Resolution Agreement with Mass General for HIPAA Violations

HHS Fines Cignet Health $4.3 Million for Violation of HIPAA Privacy Rule

Health Care Organizations Comment on Proposed Modifications to HIPAA Privacy, Security and Enforcement Rules

Published By Hunton & Williams

Search

Subscribe

Topics

Recent Updates

Blogroll

Privacy News