Perspectives on Health Privacy, Security & HIPAA

On March 21, 2018, South Dakota became the forty-ninth state to enact a data breach notification statute, which becomes effective July 1, 2018.

On December 28, 2017, the Centers for Medicare and Medicaid Services (CMS) issued Survey and Certification Memorandum Number 18-10-ALL to the State Survey Agencies clarifying its position regarding texting health care information by providers.

Earlier this month, the Health Care Industry Cybersecurity Task Force sent to Congress the Report On Improving Cybersecurity in the Health Care Industry.

Earlier today, numerous hospitals operated by Britain’s National Health Service suffered a ransomware event in which hospital computer systems were encrypted, phone lines became inoperable, patients were diverted, and a Bitcoin ransom was demanded.

On Monday, the US Department of Health & Human Services’ Office for Civil Rights announced that CardioNet has entered into a $2.5 million HIPAA settlement.

The Confidentiality of Medical Information Act, permits hospitals and other health care providers to disclose medical information without the patient’s consent for the purposes of reviewing the competence or qualifications of health care professionals or health care services.

For the first time in nearly three decades, the Substance Abuse and Mental Health Services Administration (SAMHSA) has updated the regulations on the confidentiality of substance abuse treatment records found in 42 C.F.R. Part 2.

This is HHS’ first enforcement action against a covered entity that reported a breach, but did not do so timely.

Just before Christmas, The Joint Commission (TJC) published an update clarifying its previous guidance regarding practitioners’ use of text messaging. TJC now says that practitioners may communicate with each other via secure text messaging systems.

Today, the US Department of Health & Human Services’ Office for Civil Rights (OCR) announced that Advocate Health Care Network (Illinois’ largest healthcare system) will pay a record $5.5 million settlement for violating HIPAA.

On June 24, 2016, the non-profit Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the U.S. Department of Health and Human Services (HHS).

Ransomware is old news – it has been around at least since 1989 – but it has only now started to attract widespread attention.

On Monday, July 11, 2016, the Office for Civil Rights (OCR) released a fact sheet with guidance for covered entities and business associates on HIPAA and ransomware.

The Office for Civil Rights (OCR) recently began its second round of audits of covered entities and business associates for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule (the “Phase 2” audits).

Covered entities and business associates subject to HIPAA Security Rule are closer to getting a benchmark for encryption standards with the release of the Standards and Guidelines Development Process in late March by the National Institute of Standards and Technology (NIST).

On March 21, 2016, the US Department of Health and Human Services Office for Civil Rights (OCR) announced it was beginning its next round of audits of covered entities and business associates for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

These proposed changes to the rules governing the confidentiality of substance abuse treatment records mark the first time the regulations have been subject to revision since 1987.

In a recent decision, a US Department of Health and Human Services (HHS) Administrative Law Judge (ALJ) agreed with the HHS Office of Civil Rights (OCR) that Lincare, Inc. d/b/a United Medical had violated HIPAA.

Cybersecurity may have rocketed to the top of management’s priority list in the wake of the recent cyberattack on Hollywood Presbyterian Medical Center (HPMC) that left the hospital unable to access some of its computer systems for ten days.

Potentially missed among end-of-year and holiday activities, the Office for Civil Rights (OCR) has announced three resolution agreements for violations of the HIPAA Privacy and Security Rules within the past month.

Health care providers and their contractors have been put on notice by the Office for Civil Rights (OCR) that the next round of HIPAA compliance audits will begin in early 2016.  The previous round of HIPAA audits was completed in 2014.

On September 2-3, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) hosted the 8th Annual Safeguarding Health Information: Building Assurance through HIPAA Security conference.

The US Department of Health and Human Services, Office for Civil Rights announced a new settlement for $750,000 with Cancer Care Group, P.C. to resolve potential violations of the HIPAA Privacy and Security Rules identified as the result of the theft of a laptop and backup media.

On June 10, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights, announced that it had entered into a resolution agreement with St. Elizabeth’s Medical Center, a Massachusetts hospital, to resolve potential HIPAA violations.