Archives: Privacy and Security

Subscribe to Privacy and Security RSS Feed

ShopRite Settles with New Jersey AG for Data Breach

New Jersey Attorney General (AG) Gurbir S. Grewal announced on November 2, 2020, that his office has settled with ShopRite’s parent company, Wakefern Food Corp. (Wakefern) and two of its supermarket entities for $235,000 for a data breach that occurred in 2016.

According to the press release, the AG alleged that Wakefern violated HIPAA and the New Jersey Consumer Fraud Act (CFA) by “failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers” in its Kingston and Millville ShopRite stores.…

Warning to Hospitals of Imminent Threat Released by U.S. Government

On October 27, 2020, the FBI and the Department of Homeland Security (DHS) warned the health care industry about “an imminent cybercrime threat to U.S. hospitals and healthcare providers.”

According to the warning, which was shared during a conference call, the government has received “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The information was being shared with participants so that they can take timely precautions to protect their networks from the threat.…

Data Breach Regulatory Settlements Update

Regulatory bodies are upping the ante when it comes to settling with companies that have suffered data breaches. In addition to the below settlements, see also the settlement between the OCR and Dignity Health.

Community Health Systems, Inc. Settles for $5 M in Multi-State Settlement

On October 8, 2020, New Jersey Attorney General Gurbir Grewal (AG) announced that his office has entered into a multi-state settlement agreement with Community Health Systems, Inc. (CHS) stemming from an investigation of a 2014 data breach that exposed personal information of approximately 6.1 million …

HIPAA Business Associate Pays $2.3 Million Settlement After Hackers Target PHI of Over 6 Million Individuals

Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.…

OCR Settles Five Investigations Under Right of Access Initiative

The Office for Civil Rights (OCR) announced yesterday that it has settled five investigations in its HIPAA Rights to Access Initiative (Initiative), which it announced would be an enforcement priority for it starting in 2019. The Initiative is “to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.”

The addition of the five recent settlements brings the total to seven for OCR’s enforcement of the Initiative. The OCR’s press release states that the recent settlement involve five entities: Housing Works, …

CMS Extends Timeline for Finalizing Changes to Physician Self-Referral (Stark) Law Regulations to August 2021

On August 24, 2020, the Centers for Medicare & Medicaid Services (CMS) announced an “extension of the timeline” for publication of a final rule addressing changes to the Physician Self-Referral Law (or Stark Law) regulations.  In its announcement, CMS set a new deadline of August 31, 2021 for publication of a final rule.…

Health Care Providers Continue to Be Hit with Ransomware and Phishing

It doesn’t matter in which  state you are located, how many patients you treat, what kind of medicine you practice or how many employees you have, if you are a health care provider, you are being targeted and hackers are successful in victimizing you.

That’s my take on the recent Becker’s Health IT article that lists 66 healthcare providers around the country that have suffered a cyber-attack in the form of malware, ransomware or a phishing attack in the first six months of 2020. Although we know that health care …

HHS Issues Guidance for Providers on Soliciting COVID-19 Blood and Plasma Donations

On June 12, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued timely HIPAA guidance (Guidance) regarding solicitations of blood and plasma donations from recovered COVID-19 patients.

In the Guidance, OCR affirms that health care providers can use patient information to identify patients that have recovered from COVID-19 to provide information about how they may donate plasma or blood with COVID-19 antibodies to support treatment of other patients with COVID-19. OCR explains that this use of protected health information would be permissible …

OCR Issues Guidance About Media Access to Health Care Facilities

These days, news stations are frequently running stories concerning people being treated for COVID-19, the providers working tirelessly to care for them, and politicians visiting health care facilities for a first-hand look at the crisis. In response to the media interest, the Office for Civil Rights (OCR) issued guidance on May 5, 2020 to healthcare providers answering the question “Does the COVID-19 Public Health Emergency alter the HIPAA Privacy Rule’s restrictions on disclosures of protected health information to the media?” The guidance reminds them “that the HIPAA Privacy Rule does …

Connecticut Governor Expands Health Care Workforce, Access to Telehealth Services and Issues Other Important Health Care Updates in New Executive Orders

Connecticut Governor Ned Lamont recently issued four new executive orders to address the COVID-19 state of emergency (Executive Orders 7CC – 7FF) that contain provisions relevant to health care providers and facilities in the state.  Among other things, the Executive Orders (i) expand access to telehealth services, (ii) expand the available health care workforce, (iii) increase current reporting requirements for long-term care facilities, (iv) allow the Commissioner of the Department of Social Services (DSS) to scale back certain Medicaid program requirements, and (v) update requirements related to out-of-network emergency billing.  …

HHS Waives HIPAA Penalties for Operation of a Community-Based COVID-19 Testing Site

On April 9, 2020 the Department of Health & Human Services Office for Civil Rights (OCR) issued another Notification that it will exercise its enforcement discretion and not impose penalties for HIPAA violations in connection with good faith participation in the operation of COVID-19 testing sites during the COVID-19 emergency.…

CARES Act Provides Vital Financial Support for Health Care Providers on COVID-19 Front Lines

On March 27, Congress enacted the Coronavirus Aid, Relief, and Economic Security Act (CARES Act, or the Act), Public Law 116-136, a trillion-dollar stimulus bill intended to provide financial assistance to individuals and business affected by the COVID-19 pandemic.  The Act contains a broad range of measures intended to bolster the economy in the midst of the COVID-19 pandemic.  Unsurprisingly, a central focus of the Act is the provision of relief and support for hospitals and health care providers on the front lines of the COVID-19 pandemic.  This article …

OCR Issues Additional Guidance on HIPAA for Providers and First Responders on COVID-19 Front Lines

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in efforts to combat the COVID-19 pandemic. …

COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 …

Federal Government Significantly Expands Telehealth Reimbursement During COVID-19 Public Health Emergency

On March 17, the Trump Administration announced expanded reimbursement for clinicians providing telehealth services for Medicare beneficiaries during the COVID-19 Public Health Emergency. The Centers for Medicare and Medicaid Services (CMS) published an announcement, a fact sheet and Frequently Asked Questions.  To further facilitate telehealth services, the Office for Civil Rights (OCR) issued a notification describing certain technologies that would be permitted to be used for telehealth without being subject to penalties under the Health Insurance Portability and Accountability Act regulations (HIPAA). In addition, the Office of Inspector …

HHS Issues Section 1135 Waiver, and CMS Issues Blanket Waivers of Health Care Laws, in Response to Coronavirus (COVID-19) Emergency

Following the President’s proclamation on March 13 that the COVID-19 outbreak constitutes a national emergency, Secretary of the Department of Health and Human Services (HHS) Alex Azar issued a Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (full text available here) that waives or modifies certain health care laws and regulations in connection with the COVID-19 pandemic.  This “1135 Waiver” applies nationwide and took effect on March 15 at 6:00 p.m., but its applicability is retroactive to March 1, 2020.  The 1135 Waiver applies …

U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.…

OIG Audit Finds that Majority of Part D Providers Surveyed Used E1 Transactions for Potentially Inappropriate Purposes

The Centers for Medicare and Medicaid Services (CMS) requested an audit by the Office of Inspector General (OIG) of Medicare Part D eligibility verification transactions (E1) transactions. The OIG recently released its report which found that the majority of the providers evaluated used E1 transactions for some inappropriate purpose other than to bill for a prescription or to determine drug coverage billing order.

What are E1 transactions and why is this information disturbing?…

Jackson Health System Fined by OCR

The Office for Civil Rights (OCR) announced on October 23, 2019 that Jackson Health System (Jackson), a not-for-profit hospital system comprised of six hospitals, urgent care centers, nursing facilities, and primary care and specialty services based in Miami, Florida, has waived its right to a hearing and did not contest the findings set forth in the OCR’s Notice of Proposed Determination (NPD), and has agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson will pay the full fine of $2.15 million.

According …

HHS Proposes Changes to Permit Donation of Cybersecurity Technology

On October 17, 2019, the Department of Health and Human Services (HHS) published proposed rules to update the regulatory Anti-Kickback Statute (AKS) safe-harbors and exceptions to the Physician Self-Referral (PSR) Law, known commonly as the Stark Law (AKS proposed rule available here; PSR proposed rule available here). In an earlier blog post, we described each of the proposed rules. Among the proposed changes are a new safe harbor/exception that would generally permit entities to donate certain cybersecurity technology and related services to physicians, subject to compliance with …

Spurred by Opioid Crisis, Government Proposes Additional Changes to Substance Use Disorder Confidentiality Regulations to Facilitate Provision of Coordinated Care

On August 26, 2019, the Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published a notice of proposed rulemaking (NPRM) to “better align” its substance use disorder (SUD) confidentiality regulations at 42 C.F.R. Part 2 (Part 2) with the needs of providers and patients, and to “facilitate the provision of well-coordinated care” for individuals with SUD.…

Allscripts Announces $145 Million Preliminary Settlement with DOJ Related to an Investigation of Practice Fusion, a Recently Acquired EHR Company

In its second quarter Securities Exchange Commission (SEC) filing, Allscripts addressed its announced agreement in principle with the Department of Justice (DOJ) to resolve investigations into certain alleged practices of Practice Fusion, an electronic health records (EHR) vendor acquired by Allscripts in February 2018 for $100 million. Allscripts indicated the agreement is still subject to further negotiation and government approval, and would likely include additional non-monetary terms, including a deferred prosecution agreement, if a finalized settlement is reached.…

SHIELD Act Becomes Law, Expanding Breach Notification and Data Security Requirements

On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The SHIELD Act modifies the current Breach Notification Law to expand the types of data elements that are considered “private information” and to expand the data breach disclosure requirements for individuals and businesses. Moreover, the law creates a requirement that owners or licensors of private information meet a new “reasonable security requirement.”…

CMS Announces Pilot Program for Clinicians to View Claims Data of Medicare Beneficiaries

On July 30, 2019, the Centers for Medicare & Medicaid Services (CMS) announced “Data at the Point of Care” (DPC), a pilot program that will provide clinicians with access to claims data. The pilot program follows on the heels of the recently proposed Interoperability and Patient Access Proposed Rule, which would require regulated health plans to make patient data available through an application programming interface (API). These actions are also part of the MyHealthEData initiative spearheaded by the White House Office of American Innovation.…

LexBlog