On February 6, the U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”), announced that it had settled a cybersecurity investigation with Montefiore Medical Center (“Montefiore”), a non-profit hospital system based in New York City, for $4.75 million.  As brief background, OCR is responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”).  Among other things, HIPAA requires that regulated entities take steps to protect the privacy and security of patients’ protected health information (“PHI”).Continue Reading HHS Settles Malicious Insider Cybersecurity Investigation for $4.75 Million

A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone.  This recent enforcement action should put business associates

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy.  In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.
Continue Reading OCR Steps Up HIPAA Enforcement Following Breaches of Protected Health Information

The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released a one-page message from OCR Director Leon Rodriguez encouraging patients to exercise the right to access their medical records. Generally, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) grants patients the right to request and receive a copy

The Senate Judiciary Subcommittee on Privacy, Technology, and Law recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World.” In that hearing, Subcommittee Chairman Al Franken (D-MN) told officials from the Department of Health and Human Services (HHS) and the Department of Justice (DOJ) that “the overall record of [HIPAA] enforcement is simply not satisfactory,” and asked why so few HIPAA complaints are actually prosecuted.  Franken and other panelists also emphasized the need for a final rule to implement the HITECH Act’s amendments to the HIPAA Privacy and Security Rules. 

Franken’s opening statement outlined the benefits of electronic health records, but emphasized that “we need to do more to protect this data and that is what this hearing is all about.”

The first panel included U.S. Attorney Loretta Lynch, who also serves on the Health Care Fraud Working Group of the Attorney General’s Advisory Committee, and Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR).  Both officials underscored their agencies’ commitment to enforcing medical privacy laws through HIPAA’s Privacy and Security Rules and the new HITECH Act.  Lynch testified about recent DOJ efforts to enforce HIPAA’s criminal provisions, while Rodriguez cited OCR cases against Massachusetts General Hospital and CVS/Rite Aid that led to substantial fines.Continue Reading Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule