HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency
This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency.
HHS Updates Maximum Annual Penalty Limits for Some HIPAA Violations
On April 30, 2019, the Department of Health and Human Services (HHS) published in the Federal Register a notification of enforcement discretion indicating that it will lower the annual Civil Money Penalty (CMP) limits for three of the four penalty tiers in the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act categorizes violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in four tiers based on the violators’ level of culpability for the violation: the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision (Tier 1); the violation was due to reasonable cause, and not willful neglect (Tier 2); the violation was due to willful neglect that is timely corrected (Tier 3); and the violation was due to willful neglect that is not timely corrected (Tier 4).
The maximum penalty per violation for all four tiers was previously $1.5 million. HHS’s new policy states that the annual penalty limit for Tier 1 violations has now been decreased from $1.5 million to $25,000. The new annual penalty limits for Tier 2 and 3 violations are now $100,000 and $250,000, respectively. The penalty limit for Tier 4 violations will remain at $1.5 million.
HHS Clarifies HIPAA Liability for EHR System Developers that Transfer Data to Health Apps
On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an…
All-Time Record Year for HIPAA Enforcement
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that 2018 was an all-time record year for Health Insurance Portability and Accountability Act (“HIPAA”) enforcement activity. Enforcement actions in 2018 resulted in the assessment of $28.7 million in civil money penalties. Enforcement activity focused primarily…
HHS Announces More HIPAA Enforcement Actions
The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance.
- In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure to make timely required breach notifications as required by the HIPAA Breach Notification Rule. This is the first settlement HHS has reached based on the untimely reporting or notification of a breach. HHS found that the network failed to notify HHS, the affected individuals, and the media within the required 60-day timeframe. Instead, the network made these notifications over 100 days after discovery of the breach. HHS found that the delay was a result of “miscommunications between . . . workforce members.” Under the regulation, each day on which the network failed to make the required notifications could be penalized as a separate violation of HIPAA.
- In January, HHS announced a $2.2 million settlement with a health insurance company after the company filed a breach report indicating that a portable USB device, which contained the PHI of over 2,000 individuals, had been stolen. An HHS investigation found that the company had not conducted a risk analysis, as required by the HIPAA Security Rule, and had not implemented appropriate risk management to safeguard electronic PHI. Furthermore, the company lacked adequate encryption on its laptops and removable storage media.
Twenty-First Century Cures Act Includes HIPAA Provisions
A new post over on Covington’s eHealth blog discusses HIPAA-related provisions in the Twenty-First Century Cures Act, signed by President Obama on December 13. These provisions direct HHS to consider HIPAA’s effects on mental health treatment and the availability of health data for research purposes. Read the full post here.
Significant HIPAA Fine Follows Business Associate’s Stolen iPhone
A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone. This recent enforcement…
OCR Steps Up HIPAA Enforcement Following Breaches of Protected Health Information
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy. In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.
Phase 2 HIPAA Audits Underway
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has begun to audit covered entities and business associates for compliance with HIPAA. A new post on the Covington eHealth blog discusses recent developments in OCR’s efforts to move these audits forward.
HHS Issues Final Rule on HIPAA and Firearm Background Check Reporting
On January 6, as part of President Obama’s executive action to combat gun violence, HHS promulgated a final regulation modifying the HIPAA Privacy Rule to allow certain HIPAA covered entities to disclose limited information to the National Instant Criminal Background Check System (NICS). We previously discussed the proposed rule here.
Background: The NICS, maintained by the Federal Bureau of Investigation (FBI), is the national database used to conduct background checks on persons who may be disqualified from receiving firearms based on federal or state law. Federal law identifies several categories of potential disqualifiers, known as “prohibitors,” including a federal mental health prohibitor. By statute, the federal mental health prohibitor applies to individuals who have been committed to a mental institution or adjudicated as a mental defective. The Department of Justice has promulgated regulations that define these categories to include the following individuals:
- individuals committed to a mental institution for reasons such as mental illness or drug use;
- individuals found incompetent to stand trial or not guilty by reason of insanity; or
- individuals who have been otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease.
However, there is currently no federal law that requires state agencies to report data to the NICS, including the identity of individuals who are subject to the mental health prohibitor. HHS believes that HIPAA poses a potential barrier to such reporting. Under current law, HIPAA only permits covered entities (e.g., state mental health agencies) to disclose such information to the NICS in limited circumstances: when the entity is a “hybrid” entity under HIPAA (and the Privacy Rule does not apply to these functions) or when state law otherwise requires disclosure, and thus disclosure is permitted under HIPAA’s “required by law” category.