Articles and Blogs

On October 31, 2014, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released the Work Plan for Fiscal Year 2015 (“Work Plan”). The Work Plan confirms OIG will continue to concentrate a great deal of their enforcement efforts on the security and vulnerabilities of protected health information (“PHI”) contained... READ MORE

Governor Scott Walker recently signed into law the HIPAA Harmonization – Mental Health Care Coordination Act (2013 WI Act 238, the “Act”).  The Act is intended to alleviate barriers to coordination of care for patients receiving mental health treatment by aligning aspects of Wisconsin’s mental health privacy laws with the Federal Health Insurance Portability... READ MORE

OCR Chief Regional Counsel for Region V, Jerome Meites, has warned that enforcement activity over the past year will “pale in comparison” to the next 12 months. While Mr. Meites was not specific as to this pronouncement being limited to Region V, it may be important to note that Region V covers Illinois, Indiana,... READ MORE

On May 8, 2014, the Department of Health and Human Services (“HHS”) announced that it had reached settlements with two health care organizations arising from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.  The settlements result from the organizations’ failure to secure thousands of patients’ electronic protected... READ MORE

On April 22, 2014, the Department of Health and Human Services (“HHS”) announced that it reached settlements with two covered entities arising from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.  Both settlements involve the theft of unencrypted laptops and follow investigations in which the Office for... READ MORE

Following recent news about the Heartbleed exploit, CloudFlare, a San Francisco-based security services company, challenged hackers to use Heartbleed to get private encryption keys that would unlock secure data. It reported multiple winners to its challenge. By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes... READ MORE

On March 7, 2014, the U.S. Department of Health and Human Services (“HHS”) announced that it reached a settlement with a county in Washington state (the “County”) stemming from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Breach Notification Rules.  The settlement comes after the County reported a... READ MORE

Under the Breach Notification Rule, HIPAA covered entities are required to submit reports of certain breaches of unsecured protected health information (“PHI”) affecting fewer than 500 individuals to the Office for Civil Rights (“OCR”) on an annual basis.  No later than March 1, 2014, covered entities must submit their breaches electronically through OCR’s breach... READ MORE

On December 26, 2013, the Department of Health and Human Services (“HHS”) announced that it reached a settlement with a Massachusetts dermatology practice (“Physician Practice”) stemming from alleged violations under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The settlement follows an investigation by the HHS Office for Civil Rights (“OCR”) upon... READ MORE

HIPAA Violation Was a Pretext A hospital employee’s violation of patient privacy as protected by HIPAA is a serious matter.  An intentional violation can and should lead to discipline up to and including discharge.  But a case that was decided by the NLRB is an object lesson for health care employers on what is and... READ MORE