Category Archives: Compliance

DMC Law’s HIPAA Helpline Virtual Discussion Group

Every couple of months, DMC Law invites healthcare professionals who regularly grapple with privacy issues to gather (remotely) and discuss those issues.  The HIPAA Helpline is not a webinar.  It’s an interactive session.  DMC Law’s lawyers, Dena Castricone and Tracy Guarnieri, review legal requirements while participants share stories, questions and best practices.  The goal of […]

Federal Court Strikes Down Part of Surprise Billing Rule

A federal district court in Texas issued an opinion on February 23, 2022 (Decision) in which it concluded that the involved governmental agencies made some significant missteps in promulgating regulations under the No Surprises Act (NSA).  The NSA took effect on January 1, 2022 and establishes federal protections against surprise medical bills.  The law and […]

A Year in Review: HIPAA Enforcement Action Resolutions in 2021

Here it is!  My annual summary of HIPAA enforcement action resolutions.  I know you all have been eagerly awaiting its arrival.  No plot twists or surprises this year – the enforcement themes are much the same as those in 2020.  As I explain below, Right of Access was again the star. 

CT AG Announces Online Breach Reporting Form

Today, the Connecticut Attorney General’s office announced that it created an online form for data breach reporting.  According to the CT AG’s office, “[t]he need for a standardized, online submission form was also motivated by recent amendments to Connecticut’s data breach notification statute.”  Those amendments, which took effect on October 1, 2021, include a broadened definition of personal information and a reduced timeframe for notification and reporting from 90 days to 60 days. 

The Good Faith Estimate Requirement Under the No Surprises Act

Effective January 1, 2022, healthcare providers and facilities will be subject to the No Surprises Act (NSA), which establishes federal protections against surprise medical bills. While there are several parts of the NSA that impact some but not all healthcare providers or facilities (e.g., balance billing prohibitions), the requirement to provide good faith estimates (GFEs) […]

OCR Announces Five More HIPAA Right of Access Resolutions

Yesterday, the Department of Health and Human Services’ Office for Civil Rights announced the resolution of five more HIPAA Right of Access claims. That brings the total number of Right of Access resolutions this year to 12 (including a civil monetary penalty), edging out last year’s total of 11. As for settlement and penalty amounts, the Right of Access total for 2021 has surpassed 2020 by more than $300,000.

Telehealth, Privacy, and the Three Little Pigs: A Year and a Half Later

In my July 23, 2020 blog post, I used the familiar characters in the beloved fable The Three Little Pigs to illustrate the importance of building a secure and compliant telehealth delivery system. I explained that, despite the Office for Civil Rights’ (OCR) announcement of enforcement discretion during the public health emergency (PHE), healthcare providers should establish HIPAA-compliant telehealth delivery systems before enforcement discretion ended. Because the PHE may soon be over, that message bears repeating.

Connecticut Makes Significant Changes to its Data Breach Statute

Written in collaboration with Nathaly Tamayo, JD.

Late in the legislative session, both the Connecticut House and Senate passed House Bill 5310 (now Public Act 21-59), An Act Concerning Data Privacy Breaches, which substantially amends Connecticut’s data breach notification statute (CGS §36a-701b). Although the bill implemented a number of revisions, the most notable changes significantly expand the definition of personal information and shorten the notification timeframe.

HIPAA’s Treatment Exception Permits Sharing with Certain Non-Healthcare Providers

Written in collaboration with Erin MacLean, JD, CHC, CHPC. Over the past several weeks, many have been focused on the proposed changes to the HIPAA Privacy Rule announced in mid-December. While the proposed changes warrant attention and comment, the commentary to those proposed changes from the Department of Health and Human Services’ Office for Civil Rights (OCR) must not be overlooked. In its commentary, OCR provides valuable insights on its interpretation of a provider’s ability to disclose information to third parties under HIPAA’s current treatment exception, including a provider’s ability to share protected health information (PHI) with non-healthcare providers without an authorization.

Watch Part 2 of the 3-Part HIPAA Security and Cybersecurity Webinar Series on the HIPAA Risk Analysis

Part II: A deeper dive into the Risk Analysis. One of the most common non-compliance findings by the Office for Civil Rights (the governmental entity that enforces HIPAA) is failure to perform or performing an inadequate risk analysis. In this session, we will dive deeper into the risk analysis requirement and look at the structure […]
