On Monday, the Government Accountability Office (“GAO”) released a report (the “Report”) criticizing the U.S. Department of Health and Human Services’ (“HHS”) security and privacy guidance and oversight in protecting electronic protected health information (“ePHI”) from cybersecurity attacks. The Report noted that HHS does not adequately address cybersecurity elements outlined by other agencies in published guidance and fails to address how the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (the “Cybersecurity Framework”) can be implemented in the operations of covered entities and business associates. The GAO claims that the lack of adequate guidance by HHS leaves health information vulnerable to cybersecurity attacks.
Tag Archives: HIPAA
On August 8th, 2016, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date with Advocate Health Care System (Advocate). Advocate agreed to pay $5.55 million to settle a variety of HIPAA violations. Advocate is the largest health system in Illinois and operates more than 400 sites of care with 12 acute care hospitals. This settlement comes in the wake of a series of recent HIPAA violation settlements and other enforcement activities by OCR, including phase 2 of the HIPAA audit program.
Chairwoman Edith Ramirez of the Federal Trade Commission (FTC) announced the release of new guidance directed towards developers of mobile health apps (the “Guidance”) while speaking today at the International Association of Privacy Professionals (IAPP) conference in Washington, DC. The Guidance is a tool created in collaboration with the FTC, the U.S. Department of Health and Human Services (HHS), and the Food and Drug Administration (FDA) to assist app developers in determining what laws and regulations apply to their products.
The U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) recently released a “crosswalk” developed with the National Institute of Standards and Technology (NIST) mapping the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Framework). The crosswalk was developed to assist healthcare organizations in improving cybersecurity preparedness by using the Framework as a common language. The crosswalk also includes mappings to other commonly used security frameworks.
A U.S. Department of Health and Human Services (HHS) administrative law judge (ALJ) recently sustained an earlier HHS Office of Civil Rights (OCR) decision to impose a civil money penalty (CMP) of $239,800 against Lincare Inc. (Lincare) in connection with HIPAA violations discovered after a breach of patient records. This is only the second time in history that OCR has sought a CMP for Health Insurance Portability and Accountability Act (HIPAA) violations.
Last week, the University of Washington Medicine (UWM), an affiliated covered entity that includes multiple entities such as the University of Washington Medical Center, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $750,000 and implementing a substantial corrective action plan.
Recently, Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital located in Massachusetts, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $850,000 and adopting a robust corrective action plan.