
Susan Ingargiola is an associate in the Corporate Practice Group in the firm's New York office and a member of the healthcare team.

Recently, the National Institute of Standards and Technology (NIST) requested comments on its Resource Guide for implementing the HIPAA Security Rule (SP 800-66). The Guide, last revised in 2008, summarizes the HIPAA Security Rule standards and explains the structure and organization of the Security Rule.
Continue Reading NIST Plans to Update HIPAA Security Guidance – Asks for Comments

Will HHS’ approach to imposing penalties in the aftermath of a data breach become a little clearer in 2021? This is a distinct possibility in the wake of a Fifth Circuit decision vacating penalties against MD Anderson Cancer Center. The hospital suffered three data breaches, leading HHS to impose over $4 million in civil penalties. The Fifth Circuit recently vacated that fine as arbitrary, capricious, and contrary to law.
Continue Reading What Does the Fifth Circuit’s Vacating of HHS HIPAA Fines Mean for Companies This Year?

The HHS Office for Civil Rights released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates. The report covers the periodic audits of covered entities and business associates that the Department of Health and Human Services is required to conduct under HITECH for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. There are many practical take-aways for businesses in OCR’s report.
Continue Reading Learning from the Mistakes of Others: OCR Releases Audit Report

HHS recently announced that it will not impose penalties if business associates (BAs) disclose protected health information relating to COVID-19 during the public health emergency period. This waiver, announced in a Notification of Enforcement Discretion, applies if the disclosure is for public health and health oversight activities. The Office for Civil Rights at HHS explained that it applies even where the BA’s business associate agreement with the covered entity does not specifically permit such a disclosure, provided two conditions hold. First, the use or disclosure is made in “good faith” for public health activities or health oversight activities. Second, the BA informs the covered entity within ten days after the use or disclosure occurs. Examples provided by HHS include BA notifications to public health authorities such as the CDC, state and local health departments, and CMS.
Continue Reading HHS Relaxes Restrictions on Certain PHI Disclosures During COVID-19 Public Health Emergency

The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies the regulations governing the assessment of Civil Money Penalties (CMPs) under HIPAA. Prior to issuance of the Notice, HHS applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it could be held responsible were capped at $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed.
Continue Reading HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability

On May 6, 2019, the U.S. Department of Health and Human Services announced that Touchstone Medical Imaging will pay $3 million to settle potential HIPAA violations associated with a breach that exposed more than 300,000 patients’ Protected Health Information (PHI). The breach occurred in May 2014, when one of Touchstone’s servers allowed uncontrolled access to patients’ PHI. As a result, Touchstone patients’ PHI was visible on the Internet. During its investigation, HHS determined that Touchstone did not thoroughly investigate the breach until several months after law enforcement informed it of the breach. HHS also found that the company had not conducted an accurate analysis of the potential risks to the confidentiality of its PHI and did not have business associate agreements in place with its vendors.
Continue Reading HHS Announces First HIPAA Breach Settlement of 2019; 300,000 Patients Affected