Articles and Blogs

The United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $300,640 settlement and corrective action plan with a dermatology provider over the improper disposal of protected health information (“PHI”). Background In May of 2021, the dermatology provider reported a breach to OCR when empty specimen containers with PHI on... READ MORE

The United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced a settlement with a research university (“University”) which has agreed to pay $875,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules, as well as to take corrective action after an unauthorized third party gained... READ MORE

The United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced a settlement with a dental practice (“Practice”) which has agreed to pay $62,500 to settle potential violations of the HIPAA Privacy Rule, as well as to take corrective action after impermissibly disclosing patient PHI to a political campaign manager... READ MORE

A North Carolina dental practice (“Practice”) has been fined $50,000 following a Notice of Final Determination regarding a violation of the HIPAA Privacy Rule. In the Notice of Proposed Determination, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) stated that a patient visited the Practice in 2013 and... READ MORE

New cyber incident reporting requirements are forthcoming from the Cybersecurity and Infrastructure Security Agency. Part of the just-signed Consolidated Appropriations Act of 2022 (H.R. 2471) that we wrote about here, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) gives covered entities 72 hours to report to the Agency that a covered... READ MORE

The Information Blocking Rule (45 CFR part 171) is only a month into effect, and improved access to medical records, particularly concurrent delivery of lab results to the provider and patient and increased access to provider notes through patient portals, already has led to scrutiny of accurate encounter notes and complicated patient satisfaction issues... READ MORE

On January 19, 2021, OCR announced that it will exercise its discretion in enforcing the HIPAA Privacy, Security and Breach Notification Rules by not imposing penalties for noncompliance with those requirements against covered entities who are health care providers or their business associates in connection with the use of online or web-based scheduling applications... READ MORE

Following a Notice of Enforcement Discretion (“NED”) issued earlier this year (discussed in our previous article here), the Office for Civil Rights (“OCR”) has issued detailed guidance addressing the sharing of protected health information (“PHI”) through health information exchanges (“HIEs”) for public health activities of a public health authority (“PHA”). An HIE enables participants... READ MORE

On December 2, 2020, both the Health and Human Services Office of Inspector General (“OIG”) and Centers for Medicare & Medicaid Services (“CMS”) issued final rules amending the Anti‑Kickback Statute safe harbor and Physician Self-Referral Law (Stark) exception for EHR donations (“EHR Donation Rules”), as well as a new safe harbor and exception for... READ MORE

On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”) and the Department of Health and Human Services (“HHS”) coauthored an urgent cybersecurity advisory (the “CISA Alert”) describing the tactics, techniques and procedures (“TTPs”) used by cybercriminals against targets in the Healthcare and Public Health Sector (“HPH”)... READ MORE