OCR Announces that the Phase 2 HIPAA Audit Program Has Already Started

The HHS Office for Civil Rights (OCR) just announced that its Phase 2 HIPAA audit program has started and that covered entities and business associates are already being contacted. You can find this announcement here. OCR has begun sending emails to verify contact information for various covered entities and business associates and determine which entities […]

N.Y. Appellate Division Upholds Insurance Policy Exclusion for “Five Guys” Data Breach

Today, the New York State Supreme Court, Appellate Division, Third Department issued a decision enforcing an insurer’s exclusion of coverage for “damages arising out of the loss of . . . electronic data,” stemming from a 2011 credit card data breach at certain locations of the Five Guys Burgers & Fries restaurant chain. The decision should prompt businesses, especially […]

Disclosure Of Student Mental Health Records: Teachable Moment From Oregon

This month’s column in the Albany County Bar Association Newsletter reviews the situation that unfolded earlier this year at the University of Oregon. The university, which had been put on notice of a tort claim by a student in connection with an alleged sexual assault, controversially obtained the treatment records of the same student from an on-campus […]

A Boston hospital pays when its employees neglect HIPAA

After two investigations by the United States Department of Health and Human Services, Office for Civil Rights (“HHS”), St. Elizabeth’s Medical Center, a Boston-based hospital, has agreed to a Resolution Agreement with HHS. The Resolution Agreement appears to settle two apparently unrelated HIPAA issues at the same facility in 2012 and 2014.

New York Proposes Overhaul of Its Data Breach Statute and a New Data Security Standard in the Wake of Recent Cyber Attacks

The largest data security breaches ever reported have occurred in the last several years. The organizations whose data security systems were compromised in connection with these massive breaches include Anthem, eBay, Target, Home Depot, JP Morgan Chase, Adobe and now the federal government’s Office of Personnel Management. Not only is the scope of these breaches […]

Expanding Their Arsenal: Criminal Prosecution of HIPAA Breaches on the Rise

Over the past year, the Office for Civil Rights (“OCR”) has taken a more aggressive stance in enforcing the provisions of the Health Insurance Portability and Accountability Act (HIPAA). The largest settlement for a data breach to date was just announced earlier this year between OCR and New York Presbyterian Hospital and Columbia University. However, […]

Congress Questions ONC’s Authority to Pursue Health IT Safety Center

The House of Representatives has grown increasingly skeptical of the Office of the National Coordinator for Health Information (“ONC”) and its plans to expand its programming and reach. House members have questioned whether the ONC has the authority to make changes it has recently proposed. In a June 3, 2014, letter to the Office of […]

“I Might Be Injured, Someday…Maybe?” Courts Question Plaintiffs’ Standing in HIPAA Breach Suits Alleging Future Harm

Illinois courts have now dismissed two class action lawsuits against Advocate Health and Hospitals Corporation (“Advocate”), stemming from a July 2013 breach of personal health information (“PHI”) when four unencrypted laptop computers were stolen from Advocate’s administrative offices. The computers collectively contained the PHI, including names, addresses, dates of birth, Social Security Numbers, diagnoses, […]

FTC Seeks Changes to Protect Consumer Health Information

The Federal Trade Commission (“FTC”) is urging Congress to ensure the data brokerage industry becomes more transparent and accountable, which could change the way consumers’ personal, health-related information is gathered and shared. These recommendations may change the landscape of the HIPAA regulations to better ensure protection of sensitive health information. On May 27, 2014, the […]