Tag Archives: Protected Health Information

HHS Finalizes Omnibus HIPAA Rule for OMB Review; Settles with Phoenix Cardiac Surgery Following OCR Investigation

Posted on April 19, 2012 by Hunton & Williams LLP

In the past month, the Department of Health and Human Services (“HHS”) sent its final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules to the White House Office of Management and Budget (“OMB”) and announced a $100,000 settlement with Phoenix Cardiac Surgery, P.C. for violations of the HIPAA Rules.

Tags: Consumer Protection, Department of Health and Human Services, HIPAA, HITECH Act, Penalty, Privacy Rule, Protected Health Information, Security Rule

HHS Settles First Breach Notification Rule Case for $1.5 Million

Posted on March 14, 2012 by Hunton & Williams LLP

On March 13, 2012, the Department of Health and Human Services (“HHS”) announced that it had settled the first case related to the HITECH Act Breach Notification Rule. BlueCross Blue Shield of Tennessee (“BCBS Tennessee”) agreed to pay $1.5 million to settle potential HIPAA violations related to the October 2009 theft of 57 unencrypted hard drives containing protected health information (“PHI”) from a network data closet at a leased facility leased in Chattanooga, Tennessee.

Tags: Consumer Protection, Department of Health and Human Services, HIPAA, HITECH Act, Penalty, Privacy Rule, Protected Health Information, Social Security Number, Tennessee

Article 29 Working Party Issues Guidance on European Patients Smart Open Services

Posted on February 14, 2012 by Hunton & Williams LLP

On January 25, 2012, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on data protection issues relating to the European Patients Smart Open Services (“epSOS”) project. epSOS is a pilot project focused on developing an information and communications technology infrastructure that enables access to patient health information (i.e., Patient Summaries) among different EU Member States for the purpose of providing medical treatment. The project also aims to facilitate the cross-border use of electronic prescriptions (i.e., ePrescriptions). epSOS involves the collaboration of a significant number of health care provider organizations and companies that contribute their knowledge and expertise to the project.

Tags: Article 29 Working Party, Cross-Border Data Flow, Data Controller, Data Protection Authority, EU Member States, Protected Health Information

Minnesota AG Sues Debt Collection Agency for Health Privacy Violations

Posted on January 24, 2012 by Hunton & Williams LLP

On January 19, 2012, Minnesota Attorney General Lori Swanson announced a lawsuit against Accretive Health, Inc., (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit, which was filed in Federal District Court in Minnesota, alleges that Accretive failed to adequately safeguard patients’ protected health information (“PHI”). This failure contributed to a July 2011 information security breach when an Accretive employee left an unencrypted laptop containing information of approximately 23,500 patients in a rental car. The laptop was stolen and has not yet been recovered.

Tags: Consumer Protection, HIPAA, HITECH Act, Minnesota, Privacy Rule, Protected Health Information, Social Security Number, State Attorneys General

HHS Issues New Model Privacy Notice for PHR Vendors

Posted on September 15, 2011 by Hunton & Williams LLP

On September 12, 2011, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (“ONC”) unveiled a model privacy notice for personal health records (the “PHR Model Privacy Notice”). The PHR Model Privacy Notice was developed by ONC in collaboration with consumers and vendors of personal health records (“PHRs”). The PHR Model Privacy Notice is intended to enable consumers to “understand privacy and security policies and data sharing practice information, compare PHR company practices, and make informed decisions.”

Tags: Consumer Protection, Cookies, Department of Health and Human Services, Federal Trade Commission, Protected Health Information

HHS Pressured to Drop Access Report Provision in Proposed Rule

Posted on August 5, 2011 by Hunton & Williams LLP

Several health care industry groups requested that the Department of Health and Human Services (“HHS”) either remove or significantly revise a proposed “access report” requirement in its recent notice of proposed rulemaking (the “Proposed Rule”) for the accounting of disclosures of protected health information (“PHI”). As we reported in May, HHS issued the Proposed Rule that revises existing HIPAA Privacy Rule provisions regarding accounting of disclosures and gives individuals a new right to obtain an “access report” that would list the specific persons who have accessed a patient’s PHI, and describe any actions taken by those persons with respect to the PHI (e.g., create, modify, access or delete).

Tags: Department of Health and Human Services, HIPAA, HITECH Act, Privacy Rule, Protected Health Information

IAPP Hosts Webinar on Upcoming OCR Audit Program

Posted on August 2, 2011 by Hunton & Williams LLP

On July 28, 2011, the International Association of Privacy Professionals (“IAPP”) hosted a webinar that addressed the upcoming audit program of the Department of Health and Human Services Office of Civil Rights (“OCR”). Susan McAndrew, the Deputy Director for Health Information Privacy at OCR, provided an overview of the audit program, noting that it stemmed from Section 13411 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. That section of the HITECH Act authorized the Secretary of the Health and Human Services to “provide for periodic audits to ensure that covered entities and business associates” comply with the requirements of the HIPAA Privacy and Security Rules.

Tags: Compliance, Department of Health and Human Services, HIPAA, HITECH Act, International Association of Privacy Professionals, Privacy Rule, Protected Health Information, Security Rule

EEOC Letter Suggests Employers May Need to Increase Privacy Safeguards for Employee Medical Information

Posted on July 25, 2011 by Hunton & Williams LLP

As reported in the Hunton Employment & Labor Perspectives Blog:

The EEOC recently released an informal discussion letter suggesting that employers may be obligated to do more than just maintain a separate file for employee medical records, especially when those records are in an electronic format. Both the Americans with Disabilities Act of 1990 (“ADA”), as amended, and the Genetic Information Non-Discrimination Act of 2008 (“GINA”) require employers to maintain a confidential medical record, which is separate from the employee’s other personnel file(s), for information about the employee’s medical conditions, medical history or “genetic information.” The statutes do not, however, specify how such records are to be maintained or what level of security must be in place to protect the confidentiality of medical or genetic information.

Tags: Genetics, Litigation, Protected Health Information

Texas Enacts Expansive New Health Privacy Law

Posted on July 11, 2011 by Hunton & Williams LLP

Last month, Texas Governor Rick Perry signed a health privacy bill into law that imposes new obligations exceeding the requirements in the HIPAA Privacy Rule. The law, which will become effective on September 1, 2012, incorporates the expanded definition of the term “covered entity” in Texas’s existing health privacy law and could have a broad impact on many non-HIPAA covered entities.

Tags: HIPAA, Privacy Rule, Protected Health Information, State Attorneys General, Texas

HHS Announces $865,500 Settlement with UCLA Health System for HIPAA Violations

Posted on July 8, 2011 by Hunton & Williams LLP

On June 7, 2011, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $865,500 settlement with the University of California at Los Angeles Health System (“UCLA Health System”) for violations of the HIPAA Privacy and Security Rules. UCLA Health System employees were accused of violating the Privacy Rule by improperly accessing the protected health information (“PHI”) of patients, including several high-profile celebrities who filed complaints with HHS. A subsequent investigation by HHS’s Office of Civil Rights (“OCR”) revealed that in addition to neglecting to sanction the employees who had improperly accessed patient PHI, UCLA Health System had failed to train its employees on the HIPAA Privacy and Security Rules or implement security measures to “reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.”

Tags: Department of Health and Human Services, HIPAA, Penalty, Privacy Rule, Protected Health Information

Privacy and Information Security Law Blog - Global privacy and information security law updates and analysis

Tag Archives: Protected Health Information

HHS Finalizes Omnibus HIPAA Rule for OMB Review; Settles with Phoenix Cardiac Surgery Following OCR Investigation

Article 29 Working Party Issues Guidance on European Patients Smart Open Services

HHS Issues New Model Privacy Notice for PHR Vendors

HHS Pressured to Drop Access Report Provision in Proposed Rule

IAPP Hosts Webinar on Upcoming OCR Audit Program

EEOC Letter Suggests Employers May Need to Increase Privacy Safeguards for Employee Medical Information

Texas Enacts Expansive New Health Privacy Law

HHS Announces $865,500 Settlement with UCLA Health System for HIPAA Violations

Published By Hunton & Williams

Search

Subscribe

Topics

Recent Updates

Blogroll

Privacy News