OCR Announces Five More HIPAA Right of Access Resolutions

Yesterday, the Department of Health and Human Services’ Office for Civil Rights announced the resolution of five more HIPAA Right of Access claims. That brings the total number of Right of Access resolutions this year to 12 (including a civil monetary penalty), edging out last year’s total of 11. As for settlement and penalty amounts, the Right of Access total for 2021 has surpassed 2020 by more than $300,000.

Telehealth, Privacy, and the Three Little Pigs: A Year and a Half Later

In my July 23, 2020 blog post, I used the familiar characters in the beloved fable The Three Little Pigs to illustrate the importance of building a secure and compliant telehealth delivery system. I explained that, despite the Office for Civil Rights’ (OCR) announcement of enforcement discretion during the public health emergency (PHE), healthcare providers should establish HIPAA-compliant telehealth delivery systems before enforcement discretion ended. Because the PHE may soon be over, that message bears repeating.

My Incident Response Planning Epiphany

(2 min read) 3:35 AM.  Alarm blaring.  Disoriented, I pop out of bed, reach for my glasses and ask, “what is that?”  “It’s the security alarm” my spouse replies.  For a moment, I was relieved because I feared it was the fire alarm.  For a split second, fire seemed like a better option than an intruder.  After briefly playing out the intruder scenario in my head, the fear returned.

Health Care Providers: Take Note of Changes to Breach Reporting Obligations in CT as of Oct. 1

On October 1, 2021, major changes to Connecticut’s electronic data breach statute take effect.  Those changes will affect health care providers’ reporting obligations for HIPAA breaches involving electronic information (e.g., a misdirected email or fax).  This is because the definition of personal information in the state data breach statute will include “medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” as well as health insurance policy or identification numbers.  As a result, more HIPAA breaches will also trigger state data breach law reporting.

Connecticut Adopts an Act Incentivizing the Adoption of Cybersecurity Standards

Today, Connecticut’s Governor signed An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, Public Act 21-119 (the Act). The Act prohibits the assessment of punitive damages against an entity sued for negligent data protection practices related to a data breach involving personal information or information that can be used to identify an individual if the entity adopts and implements recognized cybersecurity standards.

Connecticut Makes Significant Changes to its Data Breach Statute

Written in collaboration with Nathaly Tamayo, JD.

Late in the legislative session, both the Connecticut House and Senate passed House Bill 5310 (now Public Act 21-59), An Act Concerning Data Privacy Breaches, which substantially amends Connecticut’s data breach notification statute (CGS §36a-701b). Although the bill implemented a number of revisions, the most notable changes significantly expand the definition of personal information and shorten the notification timeframe.

A Less Demanding HIPAA Standard: the 5th Circuit Holds OCR to the Letter of the Law

By Dayle A. Duran, Esq., CIPP/US and Dena M. Castricone, CIPP/US and CIPM
In January 2021, the 5th Circuit Court of Appeals issued an unanticipated decision that will send ripples across the healthcare industry for years. Beyond giving healthcare privacy and security professionals cause for relief, the M.D. Anderson v. HHS decision restores faith in the checks and balances on regulatory agency enforcement power.

And the HIPAA Right of Access Enforcement Saga Continues…

OCR continues with vigorous enforcement of HIPAA’s Right of Access rules in 2021. In the first three months of the year, OCR announced five Right of Access settlements. The story is nearly identical in each – a patient requests records and a provider fails to timely provide access. Compliance with the Right of Access rules is relatively simple and one of the best ways to avoid unwanted attention from OCR.