The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.
Continue Reading Excellus Health Plan Pays $5.1M to OCR in Settlement Following Data Breach
PHI
Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).
Continue Reading Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital
HIPAA Business Associate Pays $2.3 Million Settlement After Hackers Target PHI of Over 6 Million Individuals
Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.…
Continue Reading HIPAA Business Associate Pays $2.3 Million Settlement After Hackers Target PHI of Over 6 Million Individuals
OCR Issues Guidance About Media Access to Health Care Facilities
…
Continue Reading OCR Issues Guidance About Media Access to Health Care Facilities
U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus
The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.
Continue Reading U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus
OIG Audit Finds that Majority of Part D Providers Surveyed Used E1 Transactions for Potentially Inappropriate Purposes
The Centers for Medicare and Medicaid Services (CMS) requested an audit by the Office of Inspector General (OIG) of Medicare Part D eligibility verification transactions (E1) transactions. The OIG recently released its report which found that the majority of the providers evaluated used E1 transactions for some inappropriate purpose other than to bill for a prescription or to determine drug coverage billing order.
What are E1 transactions and why is this information disturbing?
Continue Reading OIG Audit Finds that Majority of Part D Providers Surveyed Used E1 Transactions for Potentially Inappropriate Purposes
OCR Comments on Recent Ciox Case Vacating Certain Omnibus Rule Regulations and Guidance Relating to Fees for Providing Patient Records
The U.S. Department of Health and Human Services’s (HHS) Office for Civil Rights (OCR) issued an Important Notice Regarding Individuals’ Right of Access to Health Records through its email list serve on January 29, 2020. In the Notice, OCR addressed the recent memorandum Opinion issued in Ciox Health v. Azar, et al, No. 18-cv-00040 (D.D.C. January 23, 2020).
In that case, Ciox Health, LLC, a specialized medical records provider, had challenged certain provisions of the 2013 Omnibus Rule, including provisions pertaining to what can be charged for delivering records containing protected health information (PHI). One cited issue was whether the limitations on fees for these services applied only to requests for PHI that are made by the patient, for use by the patient (the Patient Rate), or whether the limitations also applied to PHI to be delivered to third parties.
Continue Reading OCR Comments on Recent Ciox Case Vacating Certain Omnibus Rule Regulations and Guidance Relating to Fees for Providing Patient Records
Jackson Health System Fined by OCR
The Office for Civil Rights (OCR) announced on October 23, 2019 that Jackson Health System (Jackson), a not-for-profit hospital system comprised of six hospitals, urgent care centers, nursing facilities, and primary care and specialty services based in Miami, Florida, has waived its right to a hearing and did not contest the findings set forth in the OCR’s Notice of Proposed Determination (NPD), and has agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson will pay the full fine of $2.15 million.
According to the OCR, Jackson notified the OCR in 2013 that paper records of 256 patients’ personal health information (PHI) located in three boxes were lost in 2012. It thereafter reported in 2016 that the loss was actually 1,436 patient records.…
For First Time Ever, Government Brings HIPAA Enforcement Action Alleging Violations of Right to Access Medical Records
On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response…
OCR Issues Five New HIPAA FAQs on Health Information Apps
On April 18, 2019, the Department of Health & Human Services Office for Civil Rights (OCR) issued five new FAQs addressing the applicability of HIPAA to the use of software applications (apps) by individuals to receive health information from their providers.
The new FAQs are available here under the Header “Access Right, Apps and APIs.”…