Category Archives: HIPAA

Drafting an Effective HIPAA Breach Report

HIPAA breaches happen. So long as humans are involved in handling protected health information (PHI), there will be mistakes that result in a breach (and, of course, this does not include hacking incidents or bad actor breaches). For compliance purposes, the response to a breach is key. Providers that respond swiftly, implement corrective measures and timely notify affected patients and file a thorough breach report with the Department of Health and Human Services (DHHS) are far more likely to avoid scrutiny.

First Seven-Figure HIPAA Settlement of 2020

Less than one week after its last announced settlement, the Office for Civil Rights announced its first seven-figure HIPAA settlement of 2020. A non-profit healthcare system in Rhode Island, Lifespan, agreed to pay $1,040,000 for alleged systemic HIPAA violations. A 2017 breach involving an unencrypted stolen laptop triggered the investigation. OCR found HIPAA Security Rule violations and the lack of a business associate agreement with its parent corporation, which reported the 2017 breach.

Second HIPAA Enforcement Action of 2020 Announced

Today, the Office for Civil Rights (OCR) announced a $25,000 settlement with a small federally qualified health center (FQHC) for systemic HIPAA Security Rule violations. Over 9 years ago, the FQHC reported a disclosure of patient information to an unknown email account affecting 1,263 patients. This breach report prompted an investigation revealing a near complete failure to comply with the HIPAA Security Rule.

Telehealth, Privacy and The Three Little Pigs

We learned early in life from the Three Little Pigs that a house made of straw or sticks, while much easier to build, lacks the safety and security of a brick house. This fable’s lesson applies to many scenarios including the recent rapid deployment of telehealth services. While a pandemic, not laziness, caused the hurried telehealth services implementation for many, that’s irrelevant to the big bad wolf (and there is always a big bad wolf). He will come and he will huff, and he will puff, and he will compromise the privacy of patient information in a system without adequate protections.

Rip off the Band-Aid: Time to Scrap the FTC’s Health Breach Notification Rule

The Federal Trade Commission’s Health Breach Notification Rule (HBNR) is a perfect example of a narrowly tailored regulation that only contributes to the cumbersome patchwork of privacy rules in this country without providing any real benefit. In this blog post, I explore the problems with the HBNR and why we should focus instead on creating meaningful, comprehensive privacy legislation.

OCR Issues Guidance Regarding Media Access to Patient Care Areas

It’s now a familiar scene. News coverage regularly includes video footage capturing exhausted healthcare workers, lifeless bodies in hospital beds and COVID-19 treatment areas. OCR reminds healthcare providers that allowing media access to patient care areas without patient authorization violates HIPAA, regardless of the COVID-19 public health emergency. In the past, hospitals have paid millions of dollars in settlements for permitting access without proper authorization and increased enforcement on this issue may be on the horizon.

OCR Announces HIPAA Enforcement Discretion for Make-Shift COVID-19 Testing Sites

In line with its other Notices of Enforcement Discretion, OCR announced today that it will not enforce HIPAA rules against healthcare providers and their business associates for HIPAA violations that occur during the good faith operation of a community-based COVID-19 specimen collection and testing site, such as a mobile, drive-through or walk-up site.

CARES Act Makes Long-Awaited Changes to 42 CFR Part 2’s Information Sharing Rules

The CARES Act made important changes to 42 CFR Part 2 rules by aligning use and disclosure rules more closely with HIPAA. This is an important development and will require some operational tweaks by Part 2 Providers such as obtaining initial consent and ensuring the use of a Notice of Privacy Practices.