HIPAA/Privacy & Security

Irma over the Southeastern U.S. – Courtesy of NOAA

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters.  OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.

Continue Reading In the Wake of Harvey and Irma, OCR Reminds Providers of HIPAA Rules

Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.

The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people).

Continue Reading The HIPAA “Wall of Shame” is Now Easier to Navigate

OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks.  As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.

Continue Reading OCR Publishes Checklist and Infographic for Cyber Attack Response

Unbeknownst to many, Congress established the Health Care Industry Cybersecurity Task Force in 2015 to address the health care industry’s cybersecurity challenges. That Task Force, a combination of public and private participants, released a report last week describing U.S. healthcare cybersecurity as being in “critical condition.” This conclusion, while disheartening, shouldn’t be surprising to readers of this blog. We’ve blogged about a range of cybersecurity issues affecting health care, from the potential hacking of medical devices with deadly consequences, to ransomware attacks that threaten to shut down hospitals.

Continue Reading HHS Task Force Says Healthcare Cybersecurity is in “Critical Condition”

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.

Continue Reading Memorial Hermann’s Use of Patient Name in Press Release Leads to $2.4 Million HIPAA Settlement

By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry,” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it.

Continue Reading Ransomware Attack – Quick Facts

It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!

Continue Reading Two HIPAA Mistakes Lead to Fines from OCR

Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, Alabama and South Dakota are now the only states without data breach notification laws. Their full blog post on the updates is available here.

In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

In July 2015, we posted about the N.Y. Attorney General’s False Claims Act (FCA) settlements with Trinity HomeCare and its related entities, and how the case provided insight into the future of FCA enforcement.  We identified five key trends based on the settlements:

  1. The FCA cases were based on qui tams and pursued by the State Attorney General after federal government declination.
  2. The FCA cases were based on a narrow, single state or regional arrangement, as opposed to allegations of a national scheme or program.
  3. One of the FCA cases was based on conduct about which Trinity had previously been warned.
  4. The FCA cases were based on government billings for specialty drugs.
  5. All parties to the arrangement were named as defendants in the qui tams.

Trinity was already under investigation by the N.Y. Attorney General’s office for its billing of hemophilia drugs (the basis of the first 2015 settlement) when a second qui tam alleged that Trinity submitted false claims in connection with a specialty drug used to treat premature infants at risk for lung disease. That second qui tam led to the second settlement and now, almost 20 months later, has led to a new Complaint.

Continue Reading Five Trends in False Claims Act Enforcement: Take Two