Tag Archives: HIPAA

Cybersecurity News and Notes – July 25, 2016

In Case You Missed It: U.S. Major party platforms address cybersecurity. The two major parties have released their 2016 election platforms, both of which include cybersecurity planks. The Republican platform treats cybersecurity as an element of national security and international relations. The platform called for harsh responses to cyber-attacks against American businesses, institutions, and government, applauded the Cybersecurity Information Sharing Act of 2015, and pledged to “explore the possibility of a free market for Cyber-Insurance.” The Democratic platform is largely a continuation of President Obama’s cybersecurity policies. It promises to “build on the Obama… More

HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and Are Likely a Data Breach

On July 11, 2016, the HHS Office of Civil Rights (OCR) released guidance on HIPAA covered entities’ responsibilities in a ransomware attack, a type of cyber-attack that has targeted the health care sector extensively in recent months. This guidance comes in the wake of a June 20, 2016 “Dear Colleague” letter from HHS Secretary Sylvia Burwell highlighting ransomware issues. The most notable of OCR’s statements is that ransomware attacks often constitute breaches subject to the HIPAA Breach Notification Rule.

Ransomware as Security Incident

OCR’s guidance states that the presence of ransomware on a covered entity’s or business… More

Cybersecurity News & Notes – July 19, 2016

In Case You Missed It: Court certifies class in suit against Apple. On July 15, 2016, U.S. District Judge Jon S. Tigar certified a class of users of the mobile app Path, who allege that Apple facilitated the app’s access to their contacts without their knowledge. In the same decision, Judge Tigar denied certification to a proposed class of consumers who downloaded the app but never had their contacts uploaded. Apple and Path are just two defendants named in a consolidated suit relating to questions concerning whether Apple’s mobile operating system, iOS, unlawfully uploads and disseminates users’ personal information (e.g.,… More

Bad News for HIPAA Business Associates: HHS OCR Announces $650,000 Settlement for BA Breach

Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), a HIPAA business associate, has agreed to pay the Department of Health and Human Services Office of Civil Rights (“OCR”) $650,000 in connection with a data breach involving the nursing homes to which it provides management and IT services.

The underlying breach occurred in February 2014 (which suggests a significant backlog at OCR in resolving open matters).  The breach itself was relatively insignificant compared to those we often see today involving millions of records:  this was the theft of an unsecured iPhone with health information of 412 nursing home patients.

The… More

OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. 

The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year.  That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics… More

Watch: HIPAA Crimes Webinar – How the New Crime Wave Affects You

Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.

To download a copy of the presentation, click here.


Top Tips for OCR HIPAA Audit Preparation

Written by Elizabeth Snell | This article was originally published on HealthITSecurity.com 

The recently announced OCR HIPAA audits are not a cause for panic, according to experts, especially if organizations have proper documentation.

With the most recent round of OCR HIPAA audits announced just last month, many healthcare organizations are working to ensure that they are prepared should they be called for investigation.

OCR HIPAA audits will take thorough preparation

While the announcement should not come as a total surprise, several healthcare legal experts explain that covered entities that maintain thorough documentation of… More

HHS OCR Launches Phase 2 of HIPAA Audit Program–So What?

You have seen all the hysterical headlines — “The HIPAA audits are coming, the HIPAA audits are coming….” But when you really think about it, what is the big deal?  If you are a HIPAA covered entity, you surely know by now what you are supposed to be doing.  And you probably have been doing it– so just check around to make sure before you get the dreaded letter from HHS OCR.  And if you are a HIPAA business associate, you are probably a bit behind the covered entities, but again, it’s not a secret what you need… More

Massachusetts Health Information Management Association Winter Meeting: Compliance Beyond HIPAA

On January 22, 2016, I had the pleasure to present to the Massachusetts Health Information Management Association’s Winter Meeting, to discuss “Compliance Beyond HIPAA.”  The presentation slides from the program are available here, and reflect discussion of:

recent HHS OCR guidance on “Individuals’ Right under HIPAA to Access their Health Information 45 CFR §164.524”;
a new HHS OCR FAQ on EHR incentives and their interaction with HIPAA;
amendment of the HIPAA Privacy Rule to address release of mental health information for firearm background checks;
charges for copying of records (especially involving attorneys);
a new HHS OIG… More

HIPAA Privacy Regulations Amended to Allow Disclosures of Mental Health Information for Firearm Background Checks

On January 4, 2016, the Department of Health and Human Services (HHS) modified the HIPAA Privacy Rule to expressly permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm.  According to HHS, “This modification better enables the reporting of the identities of prohibited individuals to the background check system and is… More