Articles and Blogs

On December 8, 2014, the Department of Health and Human Services (“HHS”) announced that it had reached a settlement with a nonprofit, community mental health care provider (“Provider”) arising out of alleged violations of the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The settlement comes after an HHS... READ MORE

The Indiana Court of Appeals recently issued an opinion in the case of Walgreen Co. vs Hinchy that could permanently alter the landscape for employer liability for HIPAA violations committed by employees.  Health care providers should be aware of this case and take actions to limit their exposure to this type of liability. Background... READ MORE

On October 31, 2014, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released the Work Plan for Fiscal Year 2015 (“Work Plan”). The Work Plan confirms OIG will continue to concentrate a great deal of their enforcement efforts on the security and vulnerabilities of protected health information (“PHI”) contained... READ MORE

Governor Scott Walker recently signed into law the HIPAA Harmonization – Mental Health Care Coordination Act (2013 WI Act 238, the “Act”).  The Act is intended to alleviate barriers to coordination of care for patients receiving mental health treatment by aligning aspects of Wisconsin’s mental health privacy laws with the Federal Health Insurance Portability... READ MORE

OCR Chief Regional Counsel for Region V, Jerome Meites, has warned that enforcement activity over the past year will “pale in comparison” to the next 12 months. While Mr. Meites was not specific as to this pronouncement being limited to Region V, it may be important to note that Region V covers Illinois, Indiana,... READ MORE

On May 8, 2014, the Department of Health and Human Services (“HHS”) announced that it had reached settlements with two health care organizations arising from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.  The settlements result from the organizations’ failure to secure thousands of patients’ electronic protected... READ MORE

On April 22, 2014, the Department of Health and Human Services (“HHS”) announced that it reached settlements with two covered entities arising from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.  Both settlements involve the theft of unencrypted laptops and follow investigations in which the Office for... READ MORE

Following recent news about the Heartbleed exploit, CloudFlare, a San Francisco-based security services company, challenged hackers to use Heartbleed to get private encryption keys that would unlock secure data. It reported multiple winners to its challenge. By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes... READ MORE

On March 7, 2014, the U.S. Department of Health and Human Services (“HHS”) announced that it reached a settlement with a county in Washington state (the “County”) stemming from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Breach Notification Rules.  The settlement comes after the County reported a... READ MORE

Under the Breach Notification Rule, HIPAA covered entities are required to submit reports of certain breaches of unsecured protected health information (“PHI”) affecting fewer than 500 individuals to the Office for Civil Rights (“OCR”) on an annual basis.  No later than March 1, 2014, covered entities must submit their breaches electronically through OCR’s breach... READ MORE