Tag Archives: OCR

OCR Hits Advanced Care Hospitalists with $500,000 Fine for HIPAA Violations

The Office for Civil Rights has announced that it has fined Lakeland, Florida based Advanced Care Hospitalists (ACH) $500,000 for an impermissible disclosure of protected health information by one of its business associates. ACH provides contract internal medicine physicians to nursing homes and hospitals.

According to the press release, between November of 2011 and June of 2012, ACH engaged an individual who claimed to be a representative of Doctor’s First Choice Billings, Inc. (First Choice), which provides medical billing services. Although the individual used First Choice’s website and company affiliation, …

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February, 2015, after receiving an anonymous complaint concerning medical records that had been discovered and delivered to a facility for shredding …

CMS Issues Guidance on Texting Patient Information

On December 28, 2017, the Centers for Medicare and Medicaid Services (CMS) published a memo to state survey agency directors clarifying its position on the use of text messaging among health care providers. In its memo, CMS stated that it does not permit texting of patient orders by health care providers, as texting of patient orders does not comply with the applicable Medicare conditions of participation (COPs), specifically 42 C.F.R. § 489.24. Instead of texting patient orders, CMS states that its preference is for health care providers to either hand-write …

OCR Issues Reminder on Security Incidents

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care organizations were victims of ransomware attacks, the OCR commented that many of them did not report the incident or notify patients of the incident.…

Recent OCR Settlements

The Office for Civil Rights (OCR) recently announced settlements with healthcare-related entities, including:

  • The OCR entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000.  CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a CCDH business associate that stored inactive paper medical records for CCDH.  While CCDH had been disclosing PHI to the vendor since 2003, neither party could produce a business associate agreement

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications from vulnerabilities. According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which could allow an interception of the communication. These are called man-in-the-middle attacks.

The OCR advises that covered entities and business associates follow US-CERT guidelines and verify that their HTTPS inspection product validates certificate chains and …

LexBlog