The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a settlement for $1,500,000 and entered into a substantial corrective action plan with Athens Orthopedic Clinic (AOC) as a result of AOC’s alleged systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC, located in Georgia, provides a wide range of orthopedic services to approximately 138,000 patients a year.

Problems began for AOC in June 2016, when the practice was notified by a journalist that AOC patient records may have been posted for sale on the internet. Shortly thereafter, AOC was contacted by a hacker demanding payment for the stolen patient records. It was later determined that the hacker had accessed AOC’s electronic medical records using a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) until July 16, 2016. AOC filed a breach report with OCR on July 29, 2016, revealing that the names, dates of birth, social security numbers, and other PHI of over 200,000 patients had been compromised by this breach.
Continue Reading Hacked Patient Records Land Athens Orthopedic Clinic in Hot Water with OCR

Since the outbreak of COVID-19, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued various notifications of enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, discussed previously. However, OCR issued guidance on May 5, 2020, reminding covered healthcare providers that the HIPAA Privacy Rule remains in force during the COVID-19 public health crisis except as expressly relaxed under OCR’s prior guidance. Specifically, OCR’s most recent guidance addresses the disclosure of patient protected health information (PHI) to the media that occurs when providers allow the media to film patients in facilities where PHI is accessible.

Continue Reading OCR Warns Providers and Media: Patient Privacy Remains Protected Despite Pandemic

Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.

Continue Reading HHS Limited Waiver and Guidance on HIPAA and the Privacy Rule During COVID-19 Pandemic

In the first published enforcement action of 2020, a gastroenterology practice in Ogden, Utah, has agreed to pay a $100,000 settlement to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

According to the Resolution Agreement entered into between Steven A Porter, M.D., P.C. (the “Practice”) and OCR, the Practice reported a breach to OCR in 2013 due to conduct by a business associate of the Practice. While investigating the breach, OCR determined that the Practice had not implemented appropriate policies and procedures to address security violations, failed to conduct a security risk analysis, and did not have reasonable and appropriate security measures in place. Further, the Practice had used an electronic health records vendor for several years without entering into an appropriate business associate agreement.

In addition to the $100,000 payment, the Practice is required to submit to a Corrective Action Plan for a two-year period. The Corrective Action Plan requires the Practice to take a series of broad measures in furtherance of HIPAA compliance, detailed below.
Continue Reading Small Businesses Are Not Safe from Big HIPAA Liability

There are many laws at the state and federal level that regulate the processing of genetic information.  There may soon be one more.

Earlier this month, the California Senate took up consideration of SB 980, the Genetic Information Privacy Act (“GIPA”), which “would prohibit a direct-to-consumer genetic testing services company from disclosing a person’s genetic information to a third party without obtaining the person’s prior written consent.”  As the bill itself acknowledges, the California Consumer Privacy Act of 2018 (the “CCPA”) already regulates the processing of biometric information, including DNA.  Other laws such as the federal Genetic Information Nondiscrimination Act of 2008 (“GINA”) and its California counterpart (“CalGINA”) prohibit genetic discrimination.  However, there are four key differences in how the GIPA would treat genetic information as compared to the CCPA. The GIPA would: (1) require written opt-in consent for any disclosure of genetic information to a third party; (2) limit the use of genetic information to the purpose specifically authorized by the individual to whom it pertains; (3) require destruction of the information as soon as that purpose is achieved; and (4) depending on the circumstances, impose criminal as well as civil liability for violations.
Continue Reading The California Genetic Information Privacy Act: How This Proposed Legislation Fits in the California Privacy Regulation Framework

A recent letter from researchers at the Mayo Clinic to the editor of The New England Journal of Medicine outlined a new challenge in de-identifying, or preserving the de-identified nature of, research and medical records.[1]  The Mayo Clinic researchers described their successful use of commercially available facial recognition software to match the digitally reconstructed images of research subjects’ faces from cranial magnetic resonance imaging (“MRI”) scans with photographs of the subjects.[2]  MRI scans, often considered non-identifiable once metadata (e.g., names and other scan identifiers) are removed, are frequently made publicly available in published studies and databases.  For example, administrators of a national study called the Alzheimer’s Disease Neuroimaging Initiative estimate other researchers have downloaded millions of MRI scans collected in connection with their study.[3]  The Mayo Clinic researchers assert that the digitally reconstructed facial images, paired with individuals’ photographs, could allow the linkage of other private information associated with the scans (e.g., cognitive scores, genetic data, biomarkers, other imaging results and participation in certain studies or trials) to these now-identifiable individuals.[4]

Continue Reading Technology Continues to Outflank Health Information Anonymization

In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.
Continue Reading Unencrypted Mobile Devices Cost Medical Center $3 Million In HIPAA Settlement

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has collected over $2.15 million in civil penalties from Miami-based Jackson Health System (JHS) for multiple violations of the Security and Breach Notification Rules under HIPAA. JHS is a nonprofit academic medical system that serves approximately 650,000 patients a year in six major hospitals and a network of affiliated healthcare facilities. This is the first publicized imposition of civil monetary penalties under HIPAA in recent years, in contrast to the many publicized settlements of alleged violations, indicating that JHS’ violations were severe.
Continue Reading Jackson Health System Slammed With $2.15 Million Penalty for Privacy Breaches

Social media posts have become so common and reflexive that people often fire off posts without appropriately considering the consequences.  This can be costly on multiple fronts.  In the health care context, beyond the risk of losing patients (and the revenue they bring), inappropriate posts can result in Health Insurance Portability and Accountability Act (HIPAA) violations.  Indeed, as the Director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has stated, “Social media is not the place for providers to discuss a patient’s care… [doctors] and dentists must think carefully about patient privacy before responding to online reviews.”  Of course, this warning is not limited to dentists; all health care providers should take heed.
Continue Reading From Yelp to YIKES! Dental Practice’s Social Media Posts Result in $10,000 HIPAA Settlement

In 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided a variety of guidance to address the importance of honoring the right of patients to have access to their medical information and not to be over-charged for exercising that right.

Earlier this week, the OCR announced an enforcement action and settlement under its Right of Access Initiative against Bayfront Health St. Petersburg (Bayfront) in Florida. This settlement, the first of its kind under OCR’s initiative to enforce patients’ rights to promptly receive copies of their medical records without being overcharged, has cost Bayfront $85,000. The 480-bed hospital is also required to undertake a corrective action plan that includes a one-year period of monitoring by OCR.
Continue Reading OCR Proves it is Serious About HIPAA’s Right of Access