Articles and Blogs

Following recent news about the Heartbleed exploit, CloudFlare, a San Francisco-based security services company, challenged hackers to use Heartbleed to get private encryption keys that would unlock secure data. It reported multiple winners to its challenge. By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes... READ MORE

On March 7, 2014, the U.S. Department of Health and Human Services (“HHS”) announced that it reached a settlement with a county in Washington state (the “County”) stemming from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Breach Notification Rules.  The settlement comes after the County reported a... READ MORE

Under the Breach Notification Rule, HIPAA covered entities are required to submit reports of certain breaches of unsecured protected health information (“PHI”) affecting fewer than 500 individuals to the Office for Civil Rights (“OCR”) on an annual basis.  No later than March 1, 2014, covered entities must submit their breaches electronically through OCR’s breach... READ MORE

On December 26, 2013, the Department of Health and Human Services (“HHS”) announced that it reached a settlement with a Massachusetts dermatology practice (“Physician Practice”) stemming from alleged violations under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The settlement follows an investigation by the HHS Office for Civil Rights (“OCR”) upon... READ MORE

HIPAA Violation Was a Pretext A hospital employee’s violation of patient privacy as protected by HIPAA is a serious matter.  An intentional violation can and should lead to discipline up to and including discharge.  But a case that was decided by the NLRB is an object lesson for health care employers on what is and... READ MORE

On August 14, 2013, the Department of Health and Human Services (“HHS”) announced that it reached a settlement with a not-for-profit New York health plan (“Health Plan”) stemming from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules. The settlement comes after an HHS Office for Civil Rights... READ MORE

On July 11, 2013, the Department of Health and Human Services (“HHS”) announced that it reached a settlement with a large national health insurance company (“Company”) stemming from alleged violations under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The HHS Office for Civil Rights (“OCR”) initiated its investigation after the Company... READ MORE

On June 13, 2013, the Department of Health and Human Services (“HHS”) announced that it reached a settlement with a California medical center (“Medical Center”) stemming from alleged violations under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The settlement follows an investigation by the HHS Office for Civil Rights (“OCR”) that... READ MORE

On Tuesday, May 21, 2013, the Department of Health and Human Services (“HHS”) announced that it had reached a settlement with a State University (“University”) arising out of alleged violations of the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The settlement comes after an HHS Office for Civil... READ MORE

On January 25, 2013, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”).  Because the Final Rule covers... READ MORE