Tag Archives: OCR

OCR Issues Additional Guidance on HIPAA for Providers and First Responders on COVID-19 Front Lines

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in efforts to combat the COVID-19 pandemic. …

COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 …

U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.…

OCR Announces Second $85,000 Settlement for Alleged Violations of the Individual Right of Access under HIPAA

On December 12, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its second “HIPAA Right of Access Initiative” settlement of alleged HIPAA violations.

The HIPAA Right of Access Initiative is a recent effort by OCR to monitor compliance with HIPAA requirements addressing patient rights to prompt access to medical records, in a readily producible format, without being subject to excessive fees. OCR announced its first settlement under the Right of Access Initiative in September 2019 (see our analysis of that settlement here), …

Jackson Health System Fined by OCR

The Office for Civil Rights (OCR) announced on October 23, 2019 that Jackson Health System (Jackson), a not-for-profit hospital system comprised of six hospitals, urgent care centers, nursing facilities, and primary care and specialty services based in Miami, Florida, has waived its right to a hearing and did not contest the findings set forth in the OCR’s Notice of Proposed Determination (NPD), and has agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson will pay the full fine of $2.15 million.

According …

For First Time Ever, Government Brings HIPAA Enforcement Action Alleging Violations of Right to Access Medical Records

On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response to allegations that it failed to provide a mother with timely access to medical records concerning her unborn child. Under the terms of a resolution agreement, Bayfront agreed to pay $85,000, and enter into a …

OCR Issues Fact Sheet Listing Circumstances in which Business Associates May Face Direct Liability for HIPAA Violations

In a development that may – understandably – have been overlooked by many heading into Memorial Day weekend, on May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Fact Sheet on Direct Liability of Business Associates under the Health Insurance Portability and Accountability Act (HIPAA).

The Fact Sheet provides an important reminder to covered entities, business associates, and their counselors regarding the circumstances in which OCR may – and may not – take enforcement actions directly against business associates for …

OCR Issues Five New HIPAA FAQs on Health Information Apps

On April 18, 2019, the Department of Health & Human Services Office for Civil Rights (OCR) issued five new FAQs addressing the applicability of HIPAA to the use of software applications (apps) by individuals to receive health information from their providers.

The new FAQs are available here under the Header “Access Right, Apps and APIs.”

In the FAQs, OCR:

  • Emphasizes that an individual’s right to access her/his protected health information (“PHI” or “ePHI”) under HIPAA generally obligates a covered entity to send PHI to a designated app, even if the

OCR Issues Request for Information Regarding Modification of HIPAA To Promote Care Coordination and Transition to Value-Based Care

On December 14, 2018 the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s transition to value-based care models.

In the RFI, OCR requests input on whether and how the HIPAA regulations (i) can be modified to remove regulatory obstacles and burdens to efficient care coordination and …

Advanced Care Hospitalists Settles with OCR for $500,000 for Alleged HIPAA Violations

The Office for Civil Rights has announced that it has settled with Lakeland, Florida based Advanced Care Hospitalists (ACH) for $500,000 for allegations of an impermissible disclosure of protected health information by one of its business associates. ACH provides contract internal medicine physicians to nursing homes and hospitals.

According to the press release, between November 2011 and June 2012, ACH engaged an individual who claimed to be a representative of Doctor’s First Choice Billings, Inc., which provides medical billing services. Although the individual used First Choice’s website and company affiliation, …

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February, 2015, after receiving an anonymous complaint concerning medical records that had been discovered and delivered to a facility for shredding …

CMS Issues Guidance on Texting Patient Information

On December 28, 2017, the Centers for Medicare and Medicaid Services (CMS) published a memo to state survey agency directors clarifying its position on the use of text messaging among health care providers. In its memo, CMS stated that it does not permit texting of patient orders by health care providers, as texting of patient orders does not comply with the applicable Medicare conditions of participation (COPs), specifically 42 C.F.R. § 489.24. Instead of texting patient orders, CMS states that its preference is for health care providers to either hand-write …

OCR Issues Reminder on Security Incidents

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care organizations were victims of ransomware attacks, the OCR commented that many of them did not report the incident or notify patients of the incident.…

Recent OCR Settlements

The Office for Civil Rights (OCR) recently announced settlements with healthcare-related entities, including:

  • The OCR entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000.  CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a CCDH business associate that stored inactive paper medical records for CCDH.  While CCDH had been disclosing PHI to the vendor since 2003, neither party could produce a business associate agreement

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Hypertext Transfer Protocol Secure (HTTPS) to protect communications from vulnerabilities. According to OCR, vulnerabilities can be introduced by products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, but the inspection could allow the communication to be intercepted, in what is called a man-in-the-middle attack.

The OCR advises that covered entities and business associates follow US-CERT guidelines and verify that their HTTPS inspection product validates certificate chains and …
