Health Law Gurus


Health Law: News, Commentary & Insights

Category Archives: Privacy


BEWARE OF THE MAN-IN-THE-MIDDLE: Malicious Eavesdroppers on the Internet

Posted in Compliance Issues, Cybersecurity, Privacy, Security, Technology
Imagine this: Dr. Primary is treating Patty Patient for substance abuse and emails Patty Patient’s protected health information (PHI) to a treatment clinic. Before the email arrives at the clinic, it is intercepted by a third party, Evan Eavesdropper, who publishes the PHI on the internet. Evan Eavesdropper also decides to alter the PHI in… Continue Reading

Time is of the Essence When Reporting a Breach of PHI

Posted in Business Associates, Covered Entities, HIPAA, Privacy, Security
The failure to timely report a breach of unsecured protected health information (PHI) has cost Presence Health (one of the largest health systems in Illinois) almost half of a million dollars. Earlier this month, Presence Health agreed to pay $475,000 and enter into a corrective action plan (CAP) with the Office for Civil Rights (OCR)… Continue Reading

20 Years of HIPAA – Where We’ve Been and Where We’re Going

Posted in Guest Contributor, HIPAA, Privacy, Security
On August 21, 1996, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law by President Bill Clinton. The original purpose of the Act, which amended the Internal Revenue Code of 1986, was to improve the portability and continuity of health insurance coverage, combat waste, fraud, and abuse, promote the use… Continue Reading

Record-Breaking HIPAA Settlement Sends Strong Message to Covered Entities

Posted in Covered Entities, HIPAA, Privacy, Security
This month marked the largest HIPAA settlement to date for a single entity. Advocate Health Care Network (“Advocate”) agreed to pay $5.5 million and adopt a corrective action plan after an investigation by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) revealed that Advocate’s widespread noncompliance with the requirements of HIPAA affected… Continue Reading

HIPAA Compliance Is a Health Care Entity’s Secret Weapon in Preventing and Combating Ransomware Attacks

Posted in Business Associates, Covered Entities, Cybersecurity, HIPAA, Privacy, Security
One of the fastest growing areas of cybercrime is ransomware. Ransomware is a type of malicious software that encrypts data and makes it inaccessible to authorized users. The hackers who orchestrate ransomware attacks demand that authorized users pay a ransom in order to obtain the key to decrypt their data. Payment is generally required to… Continue Reading

Protected Health Information: Providers Must Proceed with Caution

Posted in HIPAA, Medical Records, Mental Health Procedures Act, Pennsylvania, Privacy, Security
Medical records are a powerful weapon in the courtroom. They may reveal the extent of an individual’s injury in a personal injury case or substantiate the severity of an individual’s mental illness when that mental illness is being used as a defense. However, while using medical records in litigation can be a dream come true… Continue Reading

Spring Showers Bring HIPAA Breaches

Posted in Business Associates, Covered Entities, HIPAA, Privacy, Security
OCR has announced several recent settlement agreements to resolve violations of the Health Insurance Portability and Accountability Act (“HIPAA”). These settlement amounts range from $25,000 to $3.9 million and illustrate a range of mistakes that health care providers make with respect to their HIPAA compliance. This post briefly summarizes OCR’s findings with respect to… Continue Reading

Ask the Health Law Gurus™: What Is a Civil Monetary Penalty and How Is It Different from an OCR Settlement?

Posted in Ask the Health Law Gurus™, Business Associates, Covered Entities, HIPAA, Privacy, Security
The Health Law Gurus™ are here to help you stay current on issues and breaking news in health law. To help you stay up-to-date, we are excited to announce our new segment, “Ask the Health Law Gurus™.” Each month, we will select a reader’s question and answer it here, on the Health Law Gurus™ blog.… Continue Reading

Historic Moment: Husband Reports Wife’s HIPAA Violation Triggering Six Figure Penalty Against Employer

Posted in Covered Entities, HIPAA, Privacy, Security
For the second time in history, the Office for Civil Rights (“OCR”) has imposed a civil monetary penalty (“CMP”) against a covered entity for violations of the Health Insurance and Portability Act (“HIPAA”). Lincare, Inc., a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, is required to pay a $239,800 CMP… Continue Reading

Are Wearable Devices a Privacy Nightmare?

Posted in Privacy, Security, Technology
Wearable devices, such as fitness trackers and smart watches, have taken the United States technology industry by storm. In the past three years, there has been a 500% increase in the number of fitness bands and activity trackers sold. The research firm Market and Market predicts that the industry will continue to grow at unprecedented… Continue Reading

High Cost of HIPAA Violations Demonstrated in $3.5 Million Settlement

Posted in Business Associates, Covered Entities, HIPAA, HITECH, Privacy, Security
Triple-S Management Corporation (“Triple-S”), on behalf of its wholly-owned subsidiaries, Triple-S Salud, Inc., Triple-C, Inc., and Triple-S Advantage, Inc., has agreed to pay $3.5 million as part of a Resolution Agreement with the Department of Health and Human Services Office of Civil Rights (“OCR”) (“Resolution Agreement”). The Resolution Agreement settled all potential liabilities related to… Continue Reading

Hospital’s Turkey Dinner Is $850,000 Fine for Failure to Secure Mobile Medical Devices

Posted in HIPAA, HITECH, Prescription Drugs and Medical Devices, Privacy, Security
Just before Thanksgiving, Lahey Hospital and Medical Center (“Lahey”), a non-profit teaching hospital located in Burlington, Massachusetts, agreed to pay $850,000 for a breach of unsecured electronic protected health information (“ePHI”). Lahey will also be required to implement a corrective action plan. The breach occurred in 2011 when an unencrypted laptop was stolen from an… Continue Reading

Medical Devices a Target for Online Hackers

Posted in Cybersecurity, Prescription Drugs and Medical Devices, Privacy, Security, Technology
In the past few years, medical devices have become a major target for online criminals. Not only are medical devices considered to be one of the easiest and most vulnerable points of entry into a health care enterprise, they are one of the most difficult areas to remediate even when an attack has been identified.… Continue Reading

OCR Audits to Begin in 2016

Posted in Business Associates, Covered Entities, HIPAA, HITECH, Privacy, Security
Beginning in 2016, the United States Department of Health and Human Services’ Office for Civil Rights (OCR) will conduct another round of audits to gauge compliance with privacy provisions in the Health Insurance Portability and Accountability Act (HIPAA). This announcement comes in the wake of criticism leveled against OCR for inconsistencies enforcing the HIPAA Rules.… Continue Reading

Controversial Cybersecurity Information Sharing Act Passes in Senate

Posted in Cybersecurity, Legislation, Privacy, Security
This week, the Senate passed a cybersecurity bill, called the Cybersecurity Information Sharing Act of 2015 (the “CISA”), by a vote of 74 to 21. With the Senate’s vote, the bill is one step closer to becoming law. The CISA authorizes the Director of National Intelligence, the Department of Homeland Security, the Department of Defense,… Continue Reading

Physician Group Practice Pays $750,000 for Breach of Unsecured Electronic Protected Health Information on Electronic Device

Posted in Covered Entities, HIPAA, Privacy, Security
Cancer Care Group, P.C. (“CCG”), a radiation oncology physician group practice in Indiana, agreed to pay $750,000 for a breach of unsecured electronic protected health information (“ePHI”). CCG will also implement a corrective action plan. The breach occurred in 2012 when a CCG employee’s unattended laptop bag was stolen from a car. The laptop bag contained… Continue Reading

Hospital Pays $218,400 to OCR for HIPAA Violations

Posted in Compliance Issues, Covered Entities, HIPAA, Privacy, Security
St. Elizabeth’s Medical Center (“SEMC”), a tertiary care hospital in Brighton, Massachusetts, has agreed to pay $218,400 to the Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SEMC will also implement a corrective action plan. The settlement stems from a 2012 complaint to… Continue Reading

Revised Guidance for Privacy and Security of Electronic Health Information Released by Government

Posted in Business Associates, Covered Entities, EHR, HIPAA, Privacy, Security
The Office of the National Coordinator for Health Information Technology (“ONC”) has released a revised Guide to Privacy and Security of Electronic Health Information (the “Guide”), which is intended to be a resource for small and medium-sized health care providers, health IT and other information technology professionals, and business associates regarding federal health information privacy… Continue Reading

Pharmacy Pays $125,000 for Failure to Properly Dispose of Paper Records

Posted in Compliance Issues, Covered Entities, HIPAA, Privacy, Security
Cornell Prescription Pharmacy (“CPP”), a Colorado single-location pharmacy, has agreed to pay $125,000 to the United States Department of Health and Human Services, Office for Civil Rights to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). CPP will also adopt a two-year corrective action plan. The settlement is the… Continue Reading

Premera Blue Cross Targeted by Hackers – 11 Million Individuals Compromised

Posted in Cybersecurity, HIPAA, Privacy, Security
Premera Blue Cross (“Premera”) announced this week that it has been the target of a sophisticated cybersecurity attack in which the information of approximately 11 million individuals has been compromised. This announcement comes on the heels of the cybersecurity attack against health insurer Anthem, Inc., which affected approximately 80 million individuals.… Continue Reading

Millions Affected by Hackers’ Attack on Health Insurer Anthem, Inc.

Posted in Compliance Issues, Health Insurance, Privacy, Technology
“Anthem was the target of a very sophisticated external cyber attack,” announced Joseph Swedish, Anthem’s President and CEO. Anthem, Inc., formerly known as WellPoint, Inc., is one of the largest health insurance companies in the United States. The exact number of affected individuals is still unknown, but initial estimates indicate that tens of millions of… Continue Reading

IS YOUR MOBILE HEALTH APP HIPAA COMPLIANT?

Posted in HIPAA, Privacy, Technology
Mobile health apps (also known as mHealth apps) are increasingly popular with consumers. As of 2014, there were more than 100,000 mobile health apps available on iOS and Android platforms, and total revenue from mobile health apps is expected to increase to $26 billion by the end of 2017, according to a research2guidance report. Mobile… Continue Reading

News from the Health Law Gurus™: Week of January 11, 2015

Posted in Affordable Care Act (ACA), Business Associates, Covered Entities, HIPAA, Legislation, Privacy, Uncategorized
News from the Health Law Gurus™ is a weekly summary of notable health law news from around the country with helpful links to related content. Check back every week for the latest health law news stories. Top Five Resolutions for Covered Entities and Business Associates in 2015 – The New Year is here. It is… Continue Reading