PRIVACY + SECURITY BLOG

News, Developments, and Insights

HIPAA Enforcement: Employee Access and BAAs Matter

Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information […]

Largest COPPA Penalty Ever – NY AG Settles with Oath (Formerly AOL)

On December 4, 2018, New York Attorney General Barbara D. Underwood announced a $4.95 million settlement with Oath, Inc. (formerly known as AOL), for violating the Children’s Online Privacy Protection Act (COPPA). This is the largest penalty in a COPPA enforcement case in U.S. history.

Vendor Management Matters: HIPAA Enforcement for $500K for Lack of a Business Associate Agreement

Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA).  According to […]

Speaking at the FTC Hearing on Data Security on December 12

12/13/18 Update: Here is the video from the session described below. On Wednesday, December 12, 2018, I’ll be speaking at the Data Security hearing, part of the FTC Hearings on Competition and Consumer Protection in the 21st Century.  My panel begins at 1:00 PM: The U.S. Approach to Consumer Data Security Wednesday, December 12, 2018 from […]

Yes, HIPAA Requires Medical Records to Be Emailed to Patients if Requested

Have you ever asked your healthcare provider to send you medical records by email?  Most likely, you’ve received the reply: “We can’t do that.  We can only fax them to you or provide you with a paper copy.”  This answer is wrong. HIPAA’s right for individuals to access their health information, 45 CFR § 164.524, provides: […]

The Persistent Problems with Access to Records Under HIPAA

A study released last month in JAMA Network Open entitled Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records demonstrates that compliance with HIPAA’s right to access medical records remains woeful.  In the second half of 2017, researchers contacted 83 US hospitals and conducted a simulated patient experience to ask for medical records. […]

HIPAA Enforcement Case – Allergy Associates

Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015.  A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. […]

Key EDPB (European Data Protection Board) Documents for GDPR

The EDPB (European Data Protection Board) was established by the GDPR and replaced the Article 29 Working Party, which had been created by the 1995 EU Data Protection Directive.  Its purpose is to provide advice, opinions, and guidance about data protection and to ensure that the GDPR is applied consistently across the EU.  The EDPB is composed of the head of a supervisory authority from each EU member state, together with the European Data Protection Supervisor. Below are some of the most important guidelines to be issued […]

The Mail Machine Ate My Thumb Drive

In the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive in the mail.  The file contained Social Security information and other financial data. Seriously? The envelope arrived without the USB drive. The firm contacted the post office. […]