
On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes,

On Monday, the HHS Office of Civil Rights (OCR) released its third resolution and settlement agreement in as many weeks.  The $750,000 settlement with the University of Washington Medicine (“UWM”) is yet another citing the alleged failure to conduct an enterprise-wide risk analysis as required by the HIPAA Security Rule.  As part of the settlement,

The day before Thanksgiving, the HHS Office of Civil Rights (OCR) announced its first settlement involving a reported data breach implicating the security of medical devices used in the hospital setting. OCR’s $850,000 settlement and resolution agreement with Lahey Hospital and Medical Center (LHMC) stem from the theft, from an unlocked treatment room on August 11, 2011, of a laptop workstation used to operate a portable CT scanner and produce its images.

Consistent with OCR’s past practice, OCR launched an in-depth investigation following LHMC’s required breach reports to OCR, and that investigation uncovered additional alleged HIPAA Security Rule violations. As part of its resolution agreement, LHMC agreed to update its security policies and procedures and to comply with extensive training and reporting requirements as conditions of a two-year corrective action plan.

The LHMC resolution is especially noteworthy for several reasons. First, it is the first OCR resolution specifically involving a medical device in a hospital setting, as opposed to ePHI that hospitals store in EMRs/EHRs. Second, the number of individuals affected (only 600 people) was relatively low compared to other incidents that drew comparably large settlements, which shows that OCR’s enforcement attention is not limited to large incidents.


Smaller health care practices and providers now have another reason to bookmark the website of the Office of the National Coordinator for Health Information Technology (ONC).  Yesterday, the ONC published Version 2.0 of its “Guide to Privacy and Security of Electronic Health Information” (the Guide).  Overall, the 62-page Guide provides health care providers with “plain English” explanations of their privacy and security-related obligations under the Health Insurance Portability and Accountability Act (HIPAA) and in relation to the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs).  Of note, this version of the Guide addresses:

Beginning August 1, 2015, New Jersey health insurers must encrypt personal information maintained on their computer systems and transmitted through public networks, or face civil penalties and fines under the state’s newly enacted Senate Bill No. 562 (“SB 562”). While SB 562’s requirements will have broad applicability to a wide range of “end user computer