Posts about HIPAA by Professor Daniel J. Solove for his blog at TeachPrivacy, a privacy awareness and security training company.
Quietly, at the end of April, HIPAA was significantly weakened. HHS published what sounds like an innocuous notification in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties. This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines. The existing penalty structure under HIPAA […]
These days, there seems to be a lot of energy around a federal comprehensive privacy law in the United States. When the US Congress started passing privacy laws in the 1970s, 80s, and 90s, it eschewed the route of passing a comprehensive privacy law, opting instead for the sectoral approach — passing a series of […]
Last year was a record-setting year for HIPAA enforcement. On HHS’s website, OCR has touted its 2018 enforcement: OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by […]
There have been quite a number of state HIPAA enforcement cases this year, and one expert points out a trend toward increasing state enforcement of HIPAA. An article in Data Breach Today discusses a number of state HIPAA enforcement cases. Here are some of the ones discussed: Massachusetts — $75,000 settlement with McLean Hospital for […]
Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information […]
Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA). According to […]
A study released last month in Jama Open Network entitled Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records demonstrates that compliance with HIPAA’s right to access medical records remains woeful. In the second half of 2017, researchers contacted 83 US hospitals and conducted a simulated patient experience to ask for medical records. […]
Have you ever asked your healthcare provider to send you medical records by email? Most likely, you’ve received the reply: “We can’t do that. We can only fax them to you or provide you with a paper copy.” This answer is wrong. HIPAA’s right for individuals to access their health information, 45 CFR § 164.524, provides: […]
Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015. A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. […]
This HIPAA cartoon involves the notice of privacy practices (NPP) under HIPAA. HIPAA has a set of detailed requirements for the NPP. See 45 CFR 164.520 for the text of HIPAA’s requirement for NPPs. The biggest challenge regarding privacy notices is that hardly anyone actually reads the notice, and notices are often a chore to read. There is […]