HHS-OCR HIPAA Settlement Bulletin Highlights the Potential Impact of Unpatched and Unsupported Software

The Department of Health and Human Services, Office for Civil Rights (OCR) recently released a bulletin outlining the terms of a settlement with Anchorage Community Mental Health Services (ACMHS) over potential violations of the HIPAA Security Rule. According to the bulletin, ACMHS has agreed to “pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.” OCR initiated an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI)…

ACO Homebound Waiver for Home Health Proposed by CMS

The Medicare Shared Savings Program Accountable Care Organization Proposed Rule published in the Federal Register on December 8, 2014 proposes to allow certain Accountable Care Organizations (ACOs) to waive the “homebound” requirement that is currently a precursor for Medicare beneficiaries to receive the Medicare home health benefit. The purpose of the waiver is to allow certain ACOs to offer home health services to patients where they believe it will keep patients out of the hospital, resulting in reduced overall costs…

State Court Cases Address Liability for HIPAA Privacy Violations

Several recent state court decisions involving HIPAA privacy violations are raising serious questions regarding liability on behalf of healthcare providers as well as hefty monetary damage awards. While HIPAA itself does not provide a private cause of action for privacy violations, these recent decisions reveal that privacy breaches can form the basis for state law claims brought by patients or customers against healthcare providers. In a recent Connecticut case, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the plaintiff…

HIPAA and Ebola: OCR Issues Bulletin

In light of the recent Ebola outbreak and other recent events, the Office for Civil Rights (OCR) recently released a bulletin to remind providers of the ways in which the HIPAA Privacy Rule allows Protected Health Information (PHI) to be shared in emergency situations. The bulletin serves as a reminder of the following HIPAA permissible uses and disclosures and exceptions: The bulletin reminds providers that they can always disclose PHI for treatment purposes including consultations and referrals. Public Health…