protected health information

On September 17, the Department of Health and Human Services (HHS) announced a settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI) for alleged violations of the HIPAA Security Rule.  Under the Resolution Agreement, MEEI agreed to pay $1.5 million to HHS and take corrective action to improve its policies and procedures to ensure compliance with HIPAA.

Continue Reading HHS Announces $1.5 Million HIPAA Settlement with Massachusetts Provider

Earlier this month, the federal district court in Minnesota dismissed a lawsuit brought earlier this year by the Minnesota Attorney General (AG) against Accretive Health, Inc., a business associate of hospitals, after the parties reached a settlement.  In the lawsuit, which we previously discussed here, the Minnesota AG alleged that the company violated various provisions of HIPAA as well as Minnesota privacy and consumer protection law.

Accretive Health had contracted with two Minnesota hospitals, primarily to perform services related to debt collection and “care coordination” services.  Through these services, Accretive required access to protected health information of the hospitals’ patients, and thus was acting as a business associate under HIPAA.  The Minnesota AG’s case was notable because it was the first time that an enforcement action had been brought against a HIPAA business associate since the enactment of the HITECH Act in 2009, which imposed direct obligations on business associates to comply with certain HIPAA requirements, including breach notification and provisions of the HIPAA Security Rule.

The Minnesota AG’s HIPAA-related allegations arose out of a data breach, when the laptop of an Accretive Health employee was stolen out of his rental car.  The laptop contained protected health information of approximately 24,000 patients, including individually identifiable information and whether the patient had any one of 22 health conditions.  While the laptop was password protected, the data was not encrypted.  The complaint alleged that Accretive Health violated eight separate provisions of HIPAA.

Continue Reading Court Dismisses Minnesota AG’s HIPAA Enforcement Action Against Business Associate Following Settlement

By Anna Kraus

The Department of Health and Human Services (HHS) has posted on its website the protocol for the HIPAA audits required under the HITECH Act.  Section 13411 of the HITECH Act requires HHS to provide for periodic audits to ensure that covered entities and business associates are in compliance with the HIPAA standards

By Anna Kraus

The Department of Health and Human Services (HHS) announced yesterday that the Alaska Department of Health and Social Services, Alaska’s State Medicaid agency (Alaska Medicaid), has agreed to pay $1.7 million to HHS to settle potential violations of the HIPAA Security Rule.  This is HHS’s first HIPAA enforcement action against a State agency, and HHS stated in the press release that it “expect[s] organizations to comply with their obligations under [the HIPAA rules] regardless of whether they are private or public entities.”

HHS’s Office for Civil Rights (OCR) began investigating Alaska Medicaid after receiving a breach report from the agency in October 2009.  The report indicated that a portable electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a computer technician employed by the State.  HHS subsequently determined through its investigation that Alaska Medicaid had not complied with HIPAA Security Rule requirements to:

  • complete a risk analysis;
  • implement sufficient risk management measures;
  • complete security training for its workforce members;
  • implement device and media controls; and
  • address device and media encryption.

Continue Reading Alaska Medicaid Agrees to Pay $1.7 Million to Settle HIPAA Security Case

By Anna Kraus

The long-awaited final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act has been delayed once again.  Although the rule was expected by July, the Office of Management and Budget (OMB) has updated its website to note that the review period for the rule has been extended.

OMB had received the rule from the Department of Health and Human Services (HHS) on March 24, 2012, and was expected to complete its review within 90 days, as required by Executive Order 12866.  According to the OMB website, however, the 90-day review period “may be extended indefinitely by the head of the rulemaking agency; alternatively, the OMB Director may extend the review period on a one-time basis for no more than 30 days.”  It is not known whether HHS or OMB extended the review period for the HIPAA/HITECH Rule.

Continue Reading OMB Extends Review of HIPAA/HITECH Rule

By Anna Kraus

The Department of Health and Human Services (HHS) announced on Tuesday that Phoenix Cardiac Surgery, P.C. (Phoenix) agreed to pay $100,000 and implement a corrective action plan to come into full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  HHS had been investigating the Arizona physician practice for potential violations of the HIPAA Privacy and Security Rules.

The investigation began when HHS received a report that Phoenix was posting clinical and surgical appointments for patients on an Internet-based calendar that was accessible by the public.  Upon further investigation, HHS determined that the physician practice had, among other things, failed to:

  • implement appropriate and reasonable administrative and technical safeguards to protect the privacy of protected health information (PHI)
  • identify a security officer and conduct the risk assessment required by the HIPAA Security Rule
  • enter into business associate agreements with its Internet-based calendar provider and Internet-based public e-mail provider
  • document that it trained any employees on HIPAA policies and procedures

Continue Reading HHS Settles HIPAA Case With Heart Surgery Center

The U.S. Department of Health and Human Services (HHS) is currently accepting comments on a proposed rule that would amend regulations under the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

Under the HIPAA Privacy Rule, individuals have the right of access to their protected

By Anna Kraus

In a previous post, we highlighted two reports recently issued by Department of Health and Human Services (HHS) Office of Inspector General (OIG), which criticize HHS’s oversight of health information privacy and security.  In today’s post, we provide greater detail regarding one of those reports (Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight).  We will delve into the second report in a forthcoming post.

The OIG’s Nationwide Rollup Review found that oversight by the Centers for Medicare & Medicaid Services (CMS) had been insufficient to ensure that hospitals and other covered entities have effectively implemented the HIPAA Security Rule.  Specifically, the OIG noted that although CMS had performed a limited number of covered entity compliance reviews, these reviews tended to be reactive rather than proactive.  According to the OIG, CMS relied primarily on education efforts and voluntary compliance to enforce the Security Rule rather than developing a structured compliance review process.

CMS was initially delegated authority to enforce compliance with the Security Rule in 2003 and published a final Security Rule that year.  Enforcement authority was subsequently transferred to the HHS Office for Civil Rights (OCR) in 2009.  OCR reports that it has a process in place to conduct proactive compliance reviews even in the absence of specific complaints.  However, the OIG appeared to question this assertion, stating that OCR had not produced evidence of reviews targeted at entities which had not been specifically flagged for scrutiny.  The OIG concluded by recommending that OCR continue the compliance review process begun by CMS and ensure that it provides for reviews in the absence of complaints.

Continue Reading OIG Finds CMS Oversight of the HIPAA Security Rule Insufficient to Ensure Covered Entity Compliance

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced Tuesday that it has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Maryland (Cignet) violated the HIPAA Privacy Rule.  HHS imposed a $4.3 million civil money penalty on Cignet for the violations—the first civil money penalty ever issued by HHS for violations of the Privacy Rule.

The civil money penalty imposed on Cignet is based on the new violation categories and increased penalty amounts established under the HITECH Act, which we reported on previously.  In a Notice of Proposed Determination issued on October 20, 2010, OCR found that:

  • Between September 2009 and October 2009, Cignet failed to provide 41 individuals with timely access to copies of protected health information (PHI) about them in the designated record sets maintained by Cignet, in violation of 45 C.F.R. § 164.524.
  • From March 2009 through April 2010, Cignet failed to cooperate with OCR’s investigation of 27 complaints regarding Cignet’s noncompliance described above, in violation of 45 C.F.R. § 160.310(b).

Continue Reading HHS Imposes $4.3 Million Civil Money Penalty for HIPAA Privacy Violations