Category Archives: HIPAA

OCR Will Increase Focus on Smaller Breaches

Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting fewer than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities … Continue Reading

TXT U L8R: Should Your Physician Be Texting Orders?

Many a health lawyer has been struggling with how to communicate the U-turn-laden road of whether hospitals should allow physicians to text orders. The bottom line is: NOT YET. One way to summarize The Joint Commission’s (TJC) position on texting orders is: Up until 2011: “What is texting?” 2011: “No texting!” May 2016: “You … Continue Reading

New Guidance Released by OCR on Ransomware

In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in … Continue Reading

Don’t Expose Your ePHI by Using Vulnerable Third-Party Applications

Covered entities (CEs) and business associates (BAs) beware—third-party application software security vulnerabilities are on the rise, according to the Health & Human Services (HHS) Office for Civil Rights in Action. In June 2016, the HHS Office for Civil Rights in Action published a newsletter reminding HIPAA CEs and BAs about the risks inherent in third-party application … Continue Reading

OCR Provides Educational Tools about Individuals’ Rights to their Health Information Under HIPAA

Covered entities and business associates should expect an increased number of individuals asking about their rights to access their health information given several consumer-friendly tools recently released by the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), and the HHS Office of the National Coordinator for Health IT (ONC). After … Continue Reading

Managing Business Associate Security Incidents: OCR Cyber-Awareness Update

The Department of Health and Human Services Office for Civil Rights (OCR) sent out an email on May 3, 2016 providing the OCR Cyber-Awareness April Monthly Update. This update addresses the fact that, according to OCR, covered entities often believe business associates will not notify them of a breach or cyber attack, and that it … Continue Reading

BREAKING: Data Breach Covered Under Traditional Policy, 4th Circuit Says

Insurance coverage for data breach incidents is a hot topic in the insurance world. Nowhere is it hotter than in the area of newly created specialty cyber policies designed specifically to cover such incidents—what do these policies cover, when should they be purchased and how much coverage should be obtained are questions we routinely encounter. … Continue Reading

Hospitals Experience an Alarming Rise in Ransomware Attacks This Year

Since we last updated our blog about ransomware attacks on hospitals in February, many additional health care entities have been publicly recognized as victims of similar attacks. Some of the ransomware programs involved in these incidents came through spam email or phishing campaigns, often disguised as invoices or other documents. Once the document was opened, … Continue Reading

OCR Launches Phase Two of HIPAA Audits

On Monday, March 21, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) formally announced the launch of the long-awaited and much anticipated Phase Two HIPAA compliance audits. Phase One of these audits was conducted as a pilot program in 2011 and 2012 on 115 covered entities. The Phase Two … Continue Reading

HHS Modifies HIPAA In An Attempt to Address Gun Violence

On January 6, 2016, the Department of Health and Human Services (HHS) issued a Final Rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to the “Federal … Continue Reading

ERISA Preemption and State Data Breach Notification Laws…Good News?

Many employers which offer a group health plan need to comply with federal rules requiring privacy protections for medical information, such as the HIPAA Privacy and Security Rules. But do employers also need to comply with state medical privacy and data breach laws? Or, does ERISA preempt those laws, such that employers can ignore them? … Continue Reading

HIPAA Settlement Reinforces the Need to Conduct a Risk Analysis

The Office for Civil Rights (OCR) has once again penalized a covered entity for failing to comply with the requirements of the HIPAA Security Rule. On December 14, 2015, the OCR announced that the University of Washington, on behalf of the university’s affiliated covered entity UW Medicine, agreed to a settlement in the amount of … Continue Reading

Did you miss our Employee Privacy Webinar? Watch the replay here!

Legal concerns about employee privacy issues have exploded over the past year. Privacy concerns in the workplace are no longer limited to who has access to an employee’s personnel file, but have expanded to include matters ranging from an employee’s social media activity, criminal conviction history, genetic history, medical information, and background checks. John Barlament … Continue Reading

Healthy reminder: HIPAA rules apply to most workplace wellness programs

Wellness programs are great ways for employers to provide guidance on ways employees can improve their health through fitness, diet and various other means. But oftentimes, employers forget that wellness programs may be an extension of a company’s health care plan. As such, the Health Insurance Portability and Accountability Act (HIPAA) rules apply equally to … Continue Reading