Tag Archives: Protected Health Information

HHS Issues Notice of Proposed Rulemaking for Accounting of Disclosures of Protected Health Information

Posted on May 31, 2011 by Hunton & Williams LLP

On May 27, 2011, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking regarding the HIPAA Privacy Rule provision that requires covered entities to provide an accounting of disclosures of protected health information (“PHI”) to individuals upon request.  The proposed rule revises existing HIPAA Privacy Rule provisions regarding an accounting of disclosures and also gives individuals a new right to obtain an “access report” about which specific individuals have accessed electronic PHI in a designated record set.  The proposed rule also requires covered entities to modify their privacy notices to include that individuals have the right to obtain an access report from the covered entities.

Continue reading…

Tags: , , , ,

CVS Sued for Alleged Privacy Violations

Posted on March 11, 2011 by Hunton & Williams LLP

On March 7, 2011, Arthur Steinberg and the Philadelphia Federation of Teachers Health and Welfare Fund sued CVS Caremark Corporation (“CVS”), alleging that its unauthorized disclosure of protected health information (“PHI”) constituted an unfair trade practice. The complaint claims that CVS, one of the nation’s largest pharmacies, sent letters to physicians that listed their patients’ names, dates of birth and prescribed medications. The letters encouraged the physicians to prescribe drugs made by pharmaceutical manufacturers, who paid CVS to send them. This purported disclosure of PHI would violate the HIPAA Privacy Rule’s prohibitions against disclosing PHI for marketing purposes without an individual’s authorization.

This is the second major lawsuit filed against CVS in the past few year. Last December, a group of Texas pharmacies filed suit against CVS for violations of Racketeer Influenced and Corrupt Organizations Act (“RICO”) and misappropriation of trade secrets. The Texas complaint alleged that CVS disclosed PHI to pharmaceutical manufacturers for the manufacturers’ marketing purposes. In 2009, CVS paid $2.25 million to the Department of Health and Human Services (“HHS”) to settle charges that it violated the HIPAA Security Rule by dumping prescription records in dumpsters.

Tags: , , , ,

HHS Announces $1,000,000 Resolution Agreement with Mass General for HIPAA Violations

Posted on February 28, 2011 by Hunton & Williams LLP

On February 24, 2011, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced a $1,000,000 Resolution Agreement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) that stemmed from the loss of protected health information (“PHI”) of 192 patients.  A Mass General employee had left hard-copy records containing PHI on the subway in March 2009.  The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS.  After receiving a complaint from an affected patient, OCR conducted an investigation that demonstrated that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

Continue reading…

Tags: , , , ,

Health Care Organizations Comment on Proposed Modifications to HIPAA Privacy, Security and Enforcement Rules

Posted on October 4, 2010 by Hunton & Williams LLP

The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010.  Some highlights from the comments are outlined below.

Enforcement Rule

The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional.  According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective.  The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”

Continue reading…

Tags: , , , , ,

HHS Issues Modifications to the HIPAA Privacy, Security and Enforcement Rules

Posted on July 8, 2010 by Hunton & Williams LLP

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

Continue reading…

Tags: , , , , ,

Nevada and New Hampshire Data Security and Privacy Laws Take Effect

Posted on January 6, 2010 by Hunton & Williams LLP

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire.  The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

Continue reading…

Tags: , , , , , ,

Interim Final Rule Implements Increased Penalties for HIPAA Violations

Posted on October 30, 2009 by Hunton & Williams LLP

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts.  The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009.  The rule applies to violations of the Health Insurance Portability and Accountability Act of 2003 (“HIPAA”) that occur on or after February 18, 2009.

Continue reading…

Tags: , , ,

Becoming HITECH: Actions Covered Entities and Business Associates Should Take Now to Comply with the Requirements of the HITECH Act

Posted on September 23, 2009 by Hunton & Williams LLP

The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which was signed into law in February 2009 as part of the economic stimulus package, substantially impacts requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The HITECH Act creates several new and potentially burdensome obligations that affect the relationship between covered entities and business associates. Because these changes are quite substantial and necessitate revisions to existing business associate agreements (“BAAs”), covered entities and business associates should begin compliance efforts as soon as possible. Read more on actions to take to comply with the requirements of the HITECH Act.

Tags: , ,

FTC and HHS Issue Final Breach Notification Rules

Posted on August 28, 2009 by Hunton & Williams LLP

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

Continue reading…

Tags: , , , ,

New Hampshire Law Gives Consumers Greater Control Over Non-Medical Uses of Protected Health Information

Posted on August 25, 2009 by Hunton & Williams LLP

New Hampshire recently enacted legislation restricting the use and disclosure of protected health information (“PHI”). As of January 1, 2010, health care providers and their business associates will be obligated to notify affected individuals of disclosures of PHI that are allowed under federal law, but are prohibited under the New Hampshire statute.

The New Hampshire law requires health care providers and their business associates to (i) obtain authorization for the use or disclosure of PHI for “marketing” and (ii) offer individuals an opt-out opportunity for the use or disclosure of PHI for fundraising purposes. In addition, it prohibits the disclosure of PHI for marketing (even with an authorization) or fundraising by voice mail, unattended facsimile, or through other methods of communication that are not secure.

Continue reading…

Tags: , ,