Office for Civil Rights

Subscribe to Office for Civil Rights via RSS

The Office for Civil Rights (OCR) announced yesterday that it has settled five investigations in its HIPAA Rights to Access Initiative (Initiative), which it announced would be an enforcement priority for it starting in 2019. The Initiative is “to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.”

The addition of the five recent settlements brings the total to seven for OCR’s enforcement of the Initiative. The OCR’s press release states that the recent settlement involve five entities: Housing Works, Inc., All Inclusive Medical Services, Inc., Beth Israel Lahey Health Behavioral Sciences and King MD.
Continue Reading OCR Settles Five Investigations Under Right of Access Initiative

On June 12, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued timely HIPAA guidance (Guidance) regarding solicitations of blood and plasma donations from recovered COVID-19 patients.

In the Guidance, OCR affirms that health care providers can use patient information to identify patients that have recovered from COVID-19 to provide information about how they may donate plasma or blood with COVID-19 antibodies to support treatment of other patients with COVID-19. OCR explains that this use of protected health information would be permissible as part of a provider’s health care operations to enable case management of COVID-19 patient populations. OCR also reminds providers that because the activity is a health care operation and not for treatment purposes, HIPAA’s minimum necessary standard applies to any use or disclosure of protected health information in connection with the solicitation of blood or plasma donations.
Continue Reading HHS Issues Guidance for Providers on Soliciting COVID-19 Blood and Plasma Donations

On April 9, 2020 the Department of Health & Human Services Office for Civil Rights (OCR) issued another Notification that it will exercise its enforcement discretion and not impose penalties for HIPAA violations in connection with good faith participation in the operation of COVID-19 testing sites during the COVID-19 emergency.
Continue Reading HHS Waives HIPAA Penalties for Operation of a Community-Based COVID-19 Testing Site

On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in efforts to combat the COVID-19 pandemic.
Continue Reading OCR Issues Additional Guidance on HIPAA for Providers and First Responders on COVID-19 Front Lines

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 pandemic.  HHS has emphasized, however, that the Notification does not allow the use of public-facing communications products, such as Facebook live or other livestreaming applications.
Continue Reading COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response

On December 14, 2018 the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s transition to value-based care models.

In the RFI, OCR requests input on whether and how the HIPAA regulations (i) can be modified to remove regulatory obstacles and burdens to efficient care coordination and case management, (ii) may inhibit the transformation to a value-based health care system, and (iii) may be modified to facilitate efficient care coordination and case management, and promote the transformation to value-based care. OCR also solicits comment on four specific proposals for modifying the HIPAA regulations to accomplish some of its stated goals:
Continue Reading OCR Issues Request for Information Regarding Modification of HIPAA To Promote Care Coordination and Transition to Value-Based Care

The Office for Civil Rights has announced that it has settled with Lakeland, Florida based Advanced Care Hospitalists (ACH) for $500,000 for allegations of an impermissible disclosure of protected health information by one of its business associates. ACH provides contract internal medicine physicians to nursing homes and hospitals.

According to the press release, between November 2011 and June 2012, ACH engaged an individual who claimed to be a representative of Doctor’s First Choice Billings, Inc., which provides medical billing services. Although the individual used First Choice’s website and company affiliation, the owner of First Choice denied that the individual was employed by First Choice, and stated that the services were provided without the knowledge or permission of First Choice.
Continue Reading Advanced Care Hospitalists Settles with OCR for $500,000  for Alleged HIPAA Violations

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February, 2015, after receiving an anonymous complaint concerning medical records that had been discovered and delivered to a facility for shredding and recycling. OCR’s investigation indicated that Filefax impermissibly disclosed PHI of 2,150 individuals over a two week span in early 2015 by leaving PHI in an unlocked truck in Filefax’s parking lot, or by leaving PHI within medical records sitting outside of Filefax’s business for a third party to collect.
Continue Reading Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care organizations were victims of ransomware attacks, the OCR commented that many of them did not report the incident or notify patients of the incident.
Continue Reading OCR Issues Reminder on Security Incidents