HIPAA Security Rule

The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance.

  • In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure to make timely required breach notifications as required by the HIPAA Breach Notification Rule. This is the first settlement HHS has reached based on the untimely reporting or notification of a breach. HHS found that the network failed to notify HHS, the affected individuals, and the media within the required 60-day timeframe. Instead, the network made these notifications over 100 days after discovery of the breach. HHS found that the delay was a result of “miscommunications between . . . workforce members.” Under the regulation, each day on which the network failed to make the required notifications could be penalized as a separate violation of HIPAA.
  • In January, HHS announced a $2.2 million settlement with a health insurance company after the company filed a breach report indicating that a portable USB device, which contained the PHI of over 2,000 individuals, had been stolen. An HHS investigation found that the company had not conducted a risk analysis, as required by the HIPAA Security Rule, and had not implemented appropriate risk management to safeguard electronic PHI. Furthermore, the company lacked adequate encryption on its laptops and removable storage media.

Continue Reading HHS Announces More HIPAA Enforcement Actions

A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone.  This recent enforcement action should put business associates

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy.  In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.
Continue Reading OCR Steps Up HIPAA Enforcement Following Breaches of Protected Health Information

Recently, HHS Office of Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule. 

According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri.  The center was part of a larger health system, Concentra Health Services.  Through conducting required HIPAA risk analyses, Concentra had previously recognized that the lack of encryption on its devices posed a security risk.  However, HHS found that Concentra’s efforts to address this risk were “incomplete and inconsistent over time.”  Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan.  This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that the covered entity has documented but not taken reasonable efforts to correct.Continue Reading Two HIPAA Settlements Follow Stolen Laptops

Recently, the Office of Inspector General (OIG) at HHS released a report on the HIPAA enforcement efforts of HHS’s Office for Civil Rights (OCR).  Specifically, the OIG looked at whether OCR’s efforts to enforce HIPAA’s Security Rule were adequate.  The OIG’s findings may lead to increased enforcement efforts by OCR. 

Background on the Security Rule

On July 11, the Department of Health and Human Services (HHS) announced that WellPoint, a managed care company, paid HHS $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules. 

Like other recent enforcement actions, HHS initiated its investigation into WellPoint after the company provided notification of a breach of unsecured protected health information (PHI).  WellPoint’s breach report, submitted in June 2010, indicated that security weaknesses in an online application database had left the electronic PHI of approximately 612,402 individuals accessible to unauthorized individuals online. 

HHS’s investigation indicated that:

  • From October 2009 to March 2010, WellPoint did not adequately implement policies and procedures for authorizing access to electronic PHI in the online application consistent with the HIPAA Security Rule;
  • WellPoint did not perform a sufficient technical evaluation following a software upgrade related to authentication safeguards for the online application;
  • For the same five-month period, WellPoint did not implement technology to verify that persons or entities seeking access to the application were who they claimed to be; and
  • For that same period, WellPoint impermissibly disclosed the electronic PHI (including names, dates of birth, Social Security numbers, and health information) of approximately 612,402 individuals whose information was maintained in the application.

Continue Reading HHS Announces $1.7 Million HIPAA Settlement With WellPoint

On June 11, the Department of Health and Human Services released an unofficial version of all of the HIPAA regulatory standards in one document.  The combined regulation text includes the following HIPAA standards:

  • Transactions and Code Set Standards
  • Identifier Standards
  • Privacy Rule
  • Security Rule
  • Enforcement Rule
  • Breach Notification Rule

The document reflects the changes in

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule includes a number of changes that will significantly affect business associates.  Business associates are now directly subject to various aspects of the HIPAA Privacy, Security, and Breach Notification Rules.  Furthermore, liability now extends much further down the chain, as the new rule also applies these requirements to subcontractors of business associates.

We discuss these and other changes affecting business associates, and their subcontractors, below.Continue Reading HITECH Update # 7: New HIPAA Requirements for Business Associates and Their Subcontractors

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule addresses several changes to business associate agreements as a result of the new obligations imposed upon business associates by HITECH.

Continue Reading HITECH Update # 6: New Requirements for Business Associate Agreements

By Anna Kraus

The U.S. Department of Health and Human Services has issued its long-awaited final omnibus rule modifying the privacy, security, enforcement, and breach notification regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The rule is based on statutory changes under the Health Information Technology for Economic and Clinical Health