2.5 Million Dollar HIPAA Settlement Highlights Three Important HIPAA Lessons

On April 24, 2017, the Office for Civil Rights (OCR) of the Department of Health and Human Services (the entity in charge of enforcing HIPAA) announced a $2.5 million settlement with CardioNet. CardioNet self-reported (as required by the Breach Notification Rule) an incident in which an employee’s laptop was stolen from a locked car. When OCR investigated the incident, it alleged that CardioNet had not completed a sufficient HIPAA “risk analysis” and had not finalized its policies and procedures. Three…

OCR Phishing Scam: Reminder to Use Caution

On November 28, 2016, the Office for Civil Rights of the Department of Health and Human Services issued an alert notifying providers of a “phishing” email. According to the alert, the email is being circulated on fake HHS Departmental letterhead under the signature of Jocelyn Samuels, the OCR Director. Recipients are prompted to click on a link regarding the HIPAA Audit program; however, the link takes individuals to a non-governmental website that markets a private firm’s cybersecurity services. The OCR…

OCR Announces $650,000 HIPAA Settlement Related to Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI

On June 30, 2016, the Department of Health and Human Services’ Office for Civil Rights announced a $650,000 settlement and corrective action plan with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). The press release indicates that CHCS was a business associate of six skilled nursing facilities for which it provided management and information technology services. CHCS experienced a breach when a CHCS-issued employee iPhone was stolen. The press release indicates that the iPhone, which was unencrypted and not…

New Guidance on HIPAA Access Issues: Flat Fees Aren’t the Only Option

HHS recently released a Frequently Asked Question (FAQ) clarifying prior guidance on the fees that covered entities may permissibly charge individuals for access to their electronic medical records. The guidance stated that “per page” fees (as may be permissible under state laws) would not be considered “reasonable” under HIPAA where electronic medical records are at issue and would therefore be impermissible for requests for electronic medical records. HHS noted that many states have not updated these “per page” fee…