Protected Health Information

Recently, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and record settlement of $16 million with Anthem, Inc. (“Anthem”) following Anthem’s 2015 data breach. That breach, affecting approximately 79 million individuals, was the largest breach of protected health information (“PHI”) in history. Continue Reading OCR Enters into Record Settlement with Anthem

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes. Continue Reading CCPA Amended: Enforcement Delayed, Few Substantive Changes Made

In its most recent cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) provided guidance regarding identifying vulnerabilities and mitigating the associated risks of software used to process electronic protected health information (“ePHI”). The guidance, along with additional resources identified by OCR, are outlined below: Continue Reading OCR Issues Guidance on Disclosures to Family, Friends and Others

On February 13, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it entered into a resolution agreement with the receiver appointed to liquidate the assets of Filefax, Inc. (“Filefax”) in order to settle potential violations of HIPAA. Filefax offered medical record storage, maintenance and delivery services for covered entities, and had gone out of business during the course of OCR’s investigation.  Continue Reading Unsecured PHI Leads to OCR Settlement with Closed Business

On February 1, 2018, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with dialysis clinic operator, Fresenius Medical Care (“Fresenius”). Fresenius will pay OCR $3.5 million to settle claims brought under Health Insurance Portability and Accountability Act rules, alleging that lax security practices led to five breaches of electronic protected health information. Continue Reading HHS Announces $3.5 Million Settlement with Fresenius Medical Care

On January 23, 2018, the New York Attorney General announced that Aetna Inc. (“Aetna”) agreed to pay $1.15 million and enhance its privacy practices following an investigation alleging it risked revealing the HIV status of 2,460 New York residents by mailing them information in transparent window envelopes. In July 2017, Aetna sent HIV patients information on how to fill their prescriptions using envelopes with large clear plastic windows, through which patient names, addresses, claims numbers and medication instructions were visible. Through this, the HIV status of some patients was visible to third parties. The letters were sent to notify members of a class action lawsuit that, pursuant to that suit’s resolution, they could purchase HIV medications at physical pharmacy locations, rather than via mail order delivery. Continue Reading Aetna Agrees to $1.15 Million Settlement with New York Attorney General

On October 3, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement clarifying when protected health information (“PHI”) can be shared with family, friends and others. This announcement, prompted by the recent mass shooting in Las Vegas, outlines the purposes for which PHI can be disclosed to these parties pursuant to HIPAA and the conditions that apply, which are summarized below: Continue Reading OCR Issues Guidance on Disclosures to Family, Friends and Others

On September 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement containing disaster preparedness and recovery guidance in advance of Hurricane Irma. The announcement follows a bulletin issued in late August during Hurricane Harvey that addressed how protected health information (“PHI”) can be shared during emergencies. Together, these communications underscore key privacy and security issues for entities covered by HIPAA to help them protect individuals’ health information before, during and after emergency situations. Continue Reading OCR Releases Guidance on HIPAA Compliance During Emergencies

On June 26, 2017, Airway Oxygen, a provider of oxygen therapy and home medical equipment, reported that it was the subject of a ransomware attack affecting 500,000 patients’ protected health information. The attack is the second largest health data breach recorded by the Office for Civil Rights (“OCR”) this year, and the largest ransomware incident recorded by OCR since it began tracking incidents in 2009. Continue Reading Ransomware Health Data Breach Affects 500,000 Patients