Tag Archives: HITECH

HHS OCR Cites Faulty Risk Analysis, Lack of Policies in Addition to Breach by Physician Practice

In what may be a sign of things to come, a recent HHS OCR resolution agreement with a dermatology practice cites not only the loss of some 2,200 records on a thumb drive, but the lack of an “accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” and “[t]he Covered Entity did not … have written policies and procedures and train members of its workforce”; specifically:

(1) The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of… More

HHS OCR Issues HIPAA Guidance on Refill Reminders, Decedent Information, Disclosure of Proof of Student Immunications and Delays CLIA Lab Enforcement

Late last night, HHS OCR issued its anticipated guidance on “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.”  A new “Fact Sheet” and corresponding “Frequently Asked Questions” attempt to explain how the refill reminder exception to the marketing rule works, and seek to address both the scope of communications that fall within the exception, as well as the types of third party payments that are considered “reasonable” under the statute and regulations for making such communications.  In addition, the Secretary has decided not to enforce the… More

HIPAA Unconstitutional? Maybe Not, But New Marketing Regulations Are Coming

You may have seen the recent lawsuit alleging that HIPAA’s marketing regulations are unconstitutional.  In that case, the plaintiff is a company that “provides a refill reminder service and other adherence messaging services,” Adheris, Inc.

Adheris sued the Department of Health and Human Services because HIPAA’s regulations threaten to put it out of business.  In particular, HIPAA now requires patient authorizations for its kind of patient reminders.  As described by Adheris:

39.  In the final regulations, HHS excepted from the definition of “marketing” those communications made “[t]o provide refill reminders or otherwise communicate about a… More

$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule

The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the HITECH Act’s Breach Notification Rule.

The investigation started with a notice submitted by BCBST to HHS reporting… More

HHS Fines Cignet Health $4.3 Million for HIPAA Violations

Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of $4.3 million for the violations, representing what OCR said was "the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule."  The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the… More

HHS Proposes Major Changes to HIPAA Privacy, Security and Enforcement Rules

On July 8, 2010, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“NPRM” or “proposed rule”)1 modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Enforcement Rules2 pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5.

HHS Issues a Notice of Proposed Rulemaking to Modify the HIPAA Privacy, Security, and Enforcement Rules

Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes in HIPAA since 2003, when the HIPAA Security Rules were adopted.  The propose changes include:

provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;   establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;   prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information… More