U.S. Department of Health and Human Services

A Single Stolen, Unencrypted Laptop Can Cost Entities Millions of Dollars

Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security , , , , , ,

laptop encryptionEarlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two, multimillion dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Both settlements stem from the entity’s reports to OCR of the thefts of unencrypted laptops containing electronic protected health information (ePHI) even though one of the laptops was password protected.

First, on March 16, 2016, OCR announced that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle potential violations of the HIPAA Privacy and Security Rules after a laptop containing the ePHI of 9,497 individuals was stolen from the vehicle of one of its contractors in July 2011.

OCR’s subsequent investigation determined that North Memorial failed to enter into a business associate agreement with this contractor, as required under the HIPAA Privacy and Security Rules.  The investigation also discovered that North Memorial failed to conduct an organization-wide risk analysis to address all of the risks and vulnerabilities to its ePHI.  OCR concluded Continue reading

New HIPAA Exception Allows Covered Entities to Report Behavioral Health Considerations Applicable to Possessing a Firearm

Margaret Young Levi Privacy & Security , , , , , , , , ,

gun rangeAs of February 5, 2016, a change in the law allows certain health care providers to report the identity of an individual who is prohibited from possessing a firearm for mental health reasons to the National Instant Criminal Background Check System (“NICS”).  The Department of Health & Human Services (“HHS”) amended the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to allow such reporting by health care providers who are a “covered entity” under HIPAA and who are: state agencies; designated by the state with lawful authority to make the adjudications or commitment decisions that make individuals subject to a “mental health prohibitor”; or serve as repositories of information for NICS reporting purposes.  The Final Rule that makes this amendment to HIPAA was published in the Federal Register on January 6, 2016: click here.

Before this amendment, health care providers who are “covered entities” under HIPAA could report information to the NICS only if:

(1) the health care provider had designated itself as a “hybrid entity” where the Privacy Rule would apply only to the entity’s functions that are subject to Continue reading

Federal Government Report Summarizes Health Care Privacy Compliance Efforts

Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law , , , , , , ,

government buildingThe U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading