Federal Law Resources

Administrative Law Judge Dismisses FTC Complaint Against LabMD

Margaret Young Levi Federal Law Resources , , ,

electronic health recordOn November 13, 2015, the Chief Administrative Law Judge (ALJ) for the Federal Trade Commission (FTC) issued an Initial Decision dismissing the FTC’s Complaint against LabMD, Inc. for lack of evidence. The FTC originally issued this Complaint against LabMD in 2013, alleging that the clinical testing laboratory failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks and that this conduct “caused or is likely to cause” substantial consumer injury.

Continue reading

Recent OIG Studies Recommend Tighter Enforcement of the Privacy and Security Rules

Margaret Young Levi Federal Law Resources , , , , , ,

The U.S. Department for Health & Human Services’ Office of Inspector General (OIG) has conducted two recent studies calling for tighter enforcement of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA).

OCR Should Strengthen Its Oversight of Covered Entities’
Compliance With the HIPAA Privacy Standards

In the first study, the OIG recommends that the Office of Civil Rights (OCR), the government agency responsible for enforcing covered entities’ compliance with the HIPAA Privacy Standards, should strengthen its oversight of these privacy standards. The OIG reviewed a statistical sample of privacy cases investigated by the OCR from September 2009 through March 2011, surveyed and interviewed OCR staff, reviewed the OCR’s investigation policies, and surveyed providers’ compliance with five selected privacy standards.

Based upon this review, the OIG concluded that OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule. It criticized the OCR’s oversight as “primarily reactive” and suggested they be more Continue reading

THE HIPAA SECURITY RISK ANALYSIS

Margaret Young Levi Electronic Health Records, Eligible Professional Incentives, Federal Law Resources, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use, Physician EMR Stimulus , ,

businessman looking over his glasses with clipboard on hand - frUnder the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals and eligible professionals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement. Conducting or reviewing a security risk analysis is a core objective in the meaningful use requirements of the Medicare and Medicaid electronic health record (“EHR”) incentive programs. These security risk analyses have been Continue reading

Federal Government Report Summarizes Health Care Privacy Compliance Efforts

Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law , , , , , , ,

government buildingThe U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading

Federal Government Report on Data Breaches in Health Care

Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law , , , ,

government buildingThe U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report), and
• “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both reports (as well as previous annual reports) may be accessed here.  This post discusses the Breach Report, and a separate article will be posted later addressing the Compliance Report.

The Breach Report offers valuable insight into OCR’s priorities with respect to healthcare data breaches and gives an excellent summary of many recent settlements. OCR (the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules) has prepared this Breach Report describing the numbers and types of healthcare data breaches occurring for calendar years 2011 and 2012.  The Breach Report is compiled from breach reports that HIPAA requires be provided to OCR by covered healthcare providers, health plans, healthcare clearinghouses and their business associates.  The raw data upon which these reports is based is available here. OCR also provides some cumulative data on breaches reported since the breach notification law went into effect on September 23, 2009. OCR then slices and dices this data in a variety of different and useful ways, sorting it by: cause, location of affected protected health information (PHI), types of entities involved, number of individuals affected, remediation steps taken, etc. Continue reading