January 24, 2013
On January 17, 2013, the Department of Health and Human Services (HHS) posted Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules [PDF] (the Final Rule) under the authority of the HITECH Act and the Genetic Information Nondiscrimination Act (GINA), as well as under the general authority of HHS. The Final Rule, scheduled (...)
January 17, 2013
The new HIPAA/HITECH rule in an unpublished version was released today and can be found at www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules. Ober’s analysis to come shortly.
January 2, 2013
Today, HHS announced that it entered into the first breach settlement for fewer than 500 patients. HHS settled for $50,000 with Hospice of North Idaho for violations of the HIPAA Security Rule including a failure to maintain security policies and procedures and maintain secure mobile devices. In June 2010, an unencrypted Hospice of North Idaho laptop was stolen (...)
July 26, 2012
Covered Entities and Business Associates may be breathing a little easier lately, after the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made public the detailed audit protocols used by KPMG during the first round of random audits. The protocols contain some surprises, but, at a minimum, their publication ends what (...)
July 26, 2012
A recent action by the Connecticut Medical Examining Board (a unit of that state’s Department of Public Health) should serve to remind covered entities and business associates that it is not only the federal government that can act to enforce HIPAA’s privacy requirements. In a consent order dated the 21st of March [PDF] but officially (...)
July 24, 2012
In its first enforcement action against a state agency, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled last month with Alaska’s Department of Health and Social Services (DHSS) for HIPAA security violations it reported as required by HITECH. DHSS entered into a settlement agreement and agreed to pay $1,700,000 (...)
June 5, 2012
On March 24, 2012, the Department of Health and Human Services (HHS) sent the much-anticipated rule implementing the HITECH Act changes to HIPAA (HITECH Rule) to the Office of Management and Budget (OMB). This starts the clock running on the 90-day period allowed for OMB review. It is expected that, given the scope of the (...)
April 24, 2012
On the heels of its $1.5 million settlement with a large payor, Blue Cross Blue Shield of Tennessee, the Department of Health and Human Services Office for Civil Rights (OCR) announced on April 17, 2012, that it settled with a small physician practice for HIPAA safeguard violations. Phoenix Cardiac Surgery, P.C., a practice owned by (...)
March 29, 2012
Increased enforcement is a key message from the Department of Health and Human Services Office for Civil Rights (OCR). Since the start of 2012, OCR has publicized settlements with three entities: two of which concerned civil rights violations under section 504 of the Rehabilitation Act and the most recent of which concerned violations of the (...)
January 18, 2012
Last summer, the United States Department of Health and Human Services (HHS) sought comments on potential revisions to the Common Rule [PDF] after over two decades of virtually no change. In the advanced notice of proposed rule making [PDF] related to the Common Rule, HHS sought to address concerns about institutional review boards’ (IRBs) (...)