Skip to content

On March 14, 2021, Connecticut Governor Lamont issued Executive Order 10C (EO 10C), which extends provisions of Public Act 20-2 (PA 20-2), a law passed by the Connecticut legislature in July 2020 that “provided additional flexibility for the delivery of telehealth services and insurance coverage of these services” but was scheduled to expire March 15, 2021. As a result of EO 10C, the provisions of PA 20-2 that were scheduled to expire on March 15 will remain in effect through April 20, 2021, in part to give the state legislature more time to “address the ongoing need for” expanded access to telehealth services.
Continue Reading Connecticut Extends Expansion of Access to Telehealth Services

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.
Continue Reading Excellus Health Plan Pays $5.1M to OCR in Settlement Following Data Breach

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).
Continue Reading Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital

The Office of Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency.  The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities.
Continue Reading OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps

On December 10, 2020, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which is one of several rules that protect the privacy and security of individuals’ medical records and other protected health information (PHI). According to HHS, the proposed changes are intended to support individuals’ engagement in their health care, remove barriers to coordinated care and case management, and reduce regulatory burdens on the health care industry, while continuing to protect the privacy and security of individuals’ PHI.
Continue Reading HHS Proposes Modifications to the HIPAA Privacy Rule to Enhance Care Coordination and Management and Remove Barriers to Accessing Information

The Office for Civil Rights (OCR) recently settled a tenth case under its right-to-access initiative with California-based Riverside Psychiatric Medical Group (RPMG), for $25,000.

Although a relatively small settlement in the amount paid, it shows that the OCR is taking patients’ requests for access to their medical records seriously, and that no complaint is too small to investigate and enforce.
Continue Reading OCR’s Tenth Right to Access Settlement Is Small but Meaningful

The Office for Civil Rights (OCR) issued a press release on November 12, 2020, announcing that it had settled its eleventh enforcement action in its HIPAA Right-of-Access Initiative. The settlement with Dr. Rajendra Bhayani, an otolaryngologist (ENT) practicing in Regal Park, New York, included a payment of $15,000, a corrective action plan and two years of monitoring by the OCR.
Continue Reading OCR Settles Another Right-of-Access Initiative Case

New Jersey Attorney General (AG) Gurbir S. Grewal announced on November 2, 2020, that his office has settled with ShopRite’s parent company, Wakefern Food Corp. (Wakefern) and two of its supermarket entities for $235,000 for a data breach that occurred in 2016.

According to the press release, the AG alleged that Wakefern violated HIPAA and the New Jersey Consumer Fraud Act (CFA) by “failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers” in its Kingston and Millville ShopRite stores.
Continue Reading ShopRite Settles with New Jersey AG for Data Breach

Continuing with its previous enforcement actions centered on covered entities’ failure to provide patients with access to their health records, the Office for Civil Rights (OCR) announced on October 9, 2020 that it entered into a settlement with Dignity Health, doing business as St. Joseph’s Hospital and Medical Center in Phoenix (St. Joseph’s) for $160,000 for failing to respond to multiple requests of a mother for her son’s records.
Continue Reading Dignity Health Settles with OCR for $160,000 for Failing to Provide Access to Records