PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

The M.D. Anderson Case and the Future of HIPAA Enforcement

HIPAA Enforcement MD Anderson Case 02

The U.S. Court of Appeals for the 5th Circuit just issued a blistering attack on HIPAA enforcement by the U.S. Department of Health and Human Services (HHS). In University of Texas M.D. Anderson Cancer v. Department of Health and Human Services (No. 19-60226, Jan. 14, 2021), the 5th Circuit struck down a fine and enforcement […]

A Major Move to Weaken HIPAA

HIPAA Penalties Reduced

Quietly, at the end of April, HIPAA was significantly weakened.  HHS published what sounds like an innocuous notification in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.  This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines. The existing penalty structure under HIPAA […]

The Persistent Problems with Access to Records Under HIPAA

HIPAA Access to Medical Records

A study released last month in Jama Open Network entitled Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records demonstrates that compliance with HIPAA’s right to access medical records remains woeful.  In the second half of 2017, researchers contacted 83 US hospitals and conducted a simulated patient experience to ask for medical records. […]

Yes, HIPAA Requires Medical Records to Be Emailed to Patients if Requested

Email Medical Records

Have you ever asked your healthcare provider to send you medical records by email?  Most likely, you’ve received the reply: “We can’t do that.  We can only fax them to you or provide you with a paper copy.”  This answer is wrong. HIPAA’s right for individuals to access their health information, 45 CFR § 164.524, provides: […]

HIPAA Whiteboard and HIPAA Interactive Whiteboard

HIPAA Whiteboard

Recently, I created two new HIPAA training resources. HIPAA Whiteboard I created a 1-page visual summary of HIPAA, which I call the HIPAA Whiteboard.  The idea was to summarize HIPAA in a concise and visually-engaging way.  You can download a PDF handout version here.  We’ve been licensing it to many organizations for training and awareness purposes. […]

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

HIPAA Enforcement

At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties.  In 2016, the total in penalties was roughly the same amount but from 15 organizations. Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from […]

Is a Ransomware Attack a HIPAA Data Breach?

Ransomware - Security Awareness Training

As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS). A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice.  Although most of […]

Is HIPAA Enforcement Too Lax?

By Daniel J. Solove ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading. A Sustained and Vigorous Critique of OCR HIPAA Enforcement A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through […]

Blogging Highlights 2015: Health Privacy+Security Issues

HIPAA Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about health privacy and security: Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents