Expanding Their Arsenal: Criminal Prosecution of HIPAA Breaches on the Rise

Over the past year, the Office of Civil Rights (“OCR”) has taken a more aggressive stance in enforcing the provisions of the Health Insurance Portability and Accountability Act (HIPAA).  The largest settlement for a data breach to date was just announced earlier this year between OCR and New York Presbyterian Hospital and Columbia University. However, […]

Congress Questions ONC’s Authority to Pursue Health IT Safety Center

The House of Representatives has grown increasingly skeptical of the Office of the National Coordinator for Health Information (“ONC”) and its plans to expand its programming and reach.  House members have questioned whether the ONC has the authority to make changes it has recently proposed. In a June 3, 2014, letter to the Office of […]

“I Might Be Injured, Someday…Maybe?” Courts Question Plaintiffs’ Standing in HIPAA Breach Suits Alleging Future Harm

Illinois courts have now dismissed two class action law suits against Advocate Health and Hospitals Corporation (“Advocate”), stemming from a July 2013 breach of personal health information (“PHI”) when four unencrypted laptop computers were stolen from Advocate’s administrative offices.  The computers collectively contained the PHI, including names, addresses, dates of birth, Social Security Numbers, diagnoses, […]

FTC Seeks Changes to Protect Consumer Health Information

The Federal Trade Commission (“FTC”) is urging Congress to ensure the data brokerage industry becomes more transparent and accountable, which could change the way consumers’ personal, health-related information is gathered and shared.  These recommendations may change the landscape of the HIPAA regulations to better ensure protection of sensitive health information. On May 27, 2014, the […]

HIPAA Violation Settlement for Failure to Establish Breach Notification Policies and Procedures

A Massachusetts dermatology practice, APDerm, has agree to make a $150,000 payment and enter into a corrective action plan with the U.S. Department of Health and Human Services’ Office for Civil Rights in order to settle potential violations of HIPAA Privacy, Security, and Breach Notification Rules.  According to HHS, this is the first settlement entered […]

WellPoint Pays $1.7 Million to Resolve Alleged HIPAA Violations

The managed care company WellPoint Inc. has reached a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to settle allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. WellPoint agreed to pay $1.7 million in connection with this settlement. […]

HIPAA Final Rule Posted

This afternoon, the Department of Health and Human Services posted a long-awaited, 563-page omnibus final rule under HIPAA, which will be published in the Federal Register on January 25, 2013, and which makes a variety of modifications to HIPAA’s Privacy, Security, Breach Notification, and Enforcement Rules.  According to the executive summary of the rule, these modifications are […]

HIPAA Enforcement for Breach Involving Less than 500 Patients

The U.S. Department of Health and Human Services (HHS) initiated a compliance investigation after the Hospice of North Idaho (HONI) reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen. Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), if […]

The danger of unencrypted protected health information: 55,000 patients’ PHI exposed.

An Indianapolis oncology group has disclosed that data concerning about 55,000 patients was stored on a stolen laptop computer.  A backup copy of the Cancer Care Group’s server was stored on the computer, which was stolen from a locked car.  Among the data stored on the device were patient names, addresses, Social Security Numbers, medical […]

When HIPAA Investigations Broaden To Scrutinize Unrelated Business Practices: The Settlement between the State of Minnesota and Accretive Health

Prosecutions involving breaches of protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”) are becoming more frequent; we have noted recent civil settlements involving providers in Massachusetts and Alaska, as well as a criminal prosecution in California.  The latest prosecution, and resulting settlement, illustrates a new twist: the focus of a data […]