Data Privacy & Security

The Department of Health and Human Services Office for Civil Rights (OCR) has shown once again that it is willing to enforce HIPAA against business associates, as seen in a recent settlement. The settlement highlights the importance of thorough risk analysis conducted by business associates and covered entities, as required by the HIPAA Security Rule, and serves as an indication that OCR remains ready to exercise its authority to enforce HIPAA’s requirements for business associates. Following the settlement, OCR released a fact sheet that provides guidance for HIPAA compliance and direct liability for business associates.

Recent Settlement

On May 23, 2019, OCR announced a settlement with a business associate relating to a 2015 data breach. The business associate provides software to healthcare providers that allows patients to access and manage their electronic health records through a patient portal. The company has agreed to pay OCR $100,000 to settle potential violations of HIPAA.

In July 2015, the company filed a breach report with OCR following discovery that hackers had used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million individuals. The hackers gained access to a server containing names, addresses, usernames, passwords, and health insurance information. An investigation by OCR revealed that the company did not conduct a comprehensive risk analysis prior to the breach. In addition to a $100,000 settlement with OCR, the company will also undergo a two-year corrective action plan that includes a complete, enterprise-wide risk analysis. As part of the corrective action plan, the company has agreed to:


A private practice (Practice) comprising three physicians has agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $125,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). While the fine is small compared with OCR’s October announcement of the $16 million settlement with Anthem, it confirms OCR’s ongoing commitment to enforcing HIPAA compliance, regardless of an organization’s size or the number of impacted individuals. Additionally noteworthy is that this enforcement action originated with a civil rights complaint filed by the Connecticut Office of Protection and Advocacy for Persons with Disabilities with the U.S. Attorney’s Office for the District of Connecticut, which initiated a joint investigation into the matter with OCR.

In February 2015, a patient of the Practice contacted a local television station to inform a reporter of a dispute with one of the Practice’s physicians related to the patient’s service animal. When the reporter contacted the physician for comment, the physician responded to the inquiry and, in the process, released the patient’s PHI to the public, even though the Practice’s privacy officer counseled the physician not to respond to the reporter or to respond with “no comment.” OCR determined that the physician’s conversation with the media demonstrated reckless disregard for the patient’s privacy rights, and further found that the Practice failed to take corrective actions or sanction the physician following the impermissible disclosure.


After a relatively quiet start to 2018, the Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has had an incredibly busy week, with the announcement of a blockbuster settlement, an updated security risk assessment tool, and new priorities for the agency.

Anthem Settlement

In a record-breaking settlement, Anthem, one of the nation’s largest health benefits companies, has agreed to pay OCR $16 million and take substantial corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after self-reporting a series of cyberattacks that resulted in the largest health information data breach in U.S. history. Notably, the breach included electronic protected health information (ePHI) that Anthem maintained as a business associate acting on behalf of its affiliated health plans, making this week’s enforcement action by OCR one of the few involving a business associate.

In March of 2015, Anthem filed a breach report with OCR informing the agency of its discovery that cyberattackers had gained access to its information and technology (IT) systems through an undetected continuous and targeted cyberattack for the alleged purpose of extracting data. After filing the report, Anthem later discovered that the cyberattackers had infiltrated its IT systems through a phishing scam sent to one of its subsidiaries that was initiated by at least one employee responding to a malicious e-mail.


A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While the vast majority of enforcement actions taken

On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records. The settlement for violations of the federal Health

Under the HIPAA Breach Notification Rule, Covered Entities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) breaches of unsecured protected health information affecting fewer than 500 individuals (“small breaches”) no later than 60 days after the end of the calendar year in which the breaches were discovered. This

Late last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $3.5 million settlement with a large provider of kidney dialysis services (the “Provider”) for multiple violations of the Health Insurance Portability and Accountability Act and its associated regulations (HIPAA). In early 2013, the Provider filed five separate

After roughly seven months since the last announced settlement, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has announced a settlement of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The first OCR settlement of 2018 concerns a HIPAA security breach of electronic data. At the same time, a recently announced settlement of a private class action against Aetna highlights the importance of HIPAA privacy and the continuing relevance of paper records.

The settlement concerns 21st Century Oncology, Inc. (21CO), a large oncology practice with treatment centers in 17 states and overseas. In 2015, 21CO was notified by the Federal Bureau of Investigation that its patient records had been compromised and were being sold illegally. In total, the records of 2,213,597 patients were affected. The information breached included names, social security numbers, diagnoses, treatments, and insurance information.


Last week, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released new guidance related to the sharing of mental health, behavioral health, and substance abuse disorder treatment information. The guidance focuses on how such information may be shared with the patient’s family and other caregivers under the Health Insurance

No two health care companies are alike, but many face similar challenges when managing their data risk. Many of these challenges arise due to the competing desires with which every modern organization now struggles—one between innovation and growth on the one hand and compliance and legal risk on the other.

Specifically, the following five issues are top of mind:

  1. The tension between data growth and analytics and data minimization;
  2. Handling connected devices and mobile apps;
  3. Creating effective cross-functional privacy and security teams;
  4. The data implications of acquisitions; and
  5. Effective and tiered vendor management.

We discuss these issues and offer practical guidance on each.
