
Healthcare Privacy News and Events

HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Saint Joseph’s Medical Center is a non-profit academic medical center in New York that provides a full range of health care services. The settlement involved the impermissible disclosure of COVID-19 patients’ protected health information to a national media outlet.


OCR Releases Cybersecurity Video: How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks

In recognition of National Cybersecurity Awareness Month, OCR has produced a new video for organizations covered under the HIPAA Rules on how the HIPAA Security Rule can help regulated entities defend against cyber-attacks. The video is available in English and Spanish.

This presentation is intended to educate the health care industry on real world cyber-attack trends from OCR breach reports and investigations and explore how implementation of appropriate HIPAA Security Rule safeguards can help detect and mitigate common cyber-attacks. Topics include:

  • OCR breach and investigation trend analysis
  • Common attack vectors
  • OCR investigations of weaknesses that led to or contributed to breaches
  • How Security Rule compliance can help regulated entities defend against cyber-attacks

The video presentation may be found on OCR’s YouTube channel at: http://youtube.com/watch?v=VnbBxxyZLc8

HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’ Management Services, a Massachusetts medical management company that provides a variety of services, including medical billing and payor credentialing. The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.


How Sanction Policies Can Support HIPAA Compliance

An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.

 


United Healthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has announced a settlement with United Healthcare Insurance Company (“UHIC”), a health insurer that provides insurance coverage to millions of individuals across the U.S., concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 45th Right of Access case to be resolved via voluntary settlement. UHIC agreed to implement a corrective action plan and pay $80,000 to resolve this investigation.


HHS Office for Civil Rights Secures Agreement with Commonwealth of Pennsylvania to Advance the Rights of People in Recovery and Involved in Child Welfare Services

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has entered into a voluntary resolution agreement with the Commonwealth of Pennsylvania through its Department of Human Services (PA DHS), protecting the rights of persons with disabilities, including persons in recovery from substance use disorder, based on Section 504 of the Rehabilitation Act of 1973 (Section 504) and Title II of the Americans with Disabilities Act (ADA). Section 504 covers programs and activities that are conducted by HHS or receiving Federal financial assistance from HHS and protects qualified individuals with disabilities from discrimination on the basis of disability in the provision of benefits and services. Title II of the ADA applies to the services, programs, and activities of all state and local governments, including child welfare agencies and court systems.


HHS OCR and FTC Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) are cautioning hospitals and telehealth providers about the privacy and security risks of online tracking technologies integrated into their websites or mobile apps, which may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Tracking technologies are used to collect and analyze information about how users interact with websites or mobile apps. Generally, tracking technologies developed by third parties send information directly to the third parties who developed such technologies and may continue to track users and gather information about them even after they navigate away from the original website to other websites.


HHS Office for Civil Rights Resolves Complaints with CVS and Walgreens to Ensure Timely Access to Medications for Women and Support Persons with Disabilities

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced steps voluntarily taken by CVS and Walgreens to improve timely access to medications to support persons with disabilities, women experiencing miscarriages and early pregnancy loss, and those seeking access to contraceptives. OCR received complaints against pharmacies for denying and delaying lawful access to medications, such as methotrexate and misoprostol. Other women filed complaints based on delays in accessing emergency contraceptives. None of the medications were prescribed in violation of State laws banning or restricting abortion or were for the purpose of abortion. All of the medications reported in the complaints were prescribed to women who were experiencing pregnancy loss, have disabilities, or were seeking access to contraceptives.  In the aggregate, the complaints alleged that the pharmacies had delayed or denied filling prescriptions to treat conditions unrelated to abortion, due to the gender or age of the woman who was prescribed the medication. Since Dobbs v. Jackson Women’s Health Organization, women across the country have reported delays in accessing medication for purposes unrelated to abortion. OCR’s action today resolves the complaints against CVS and Walgreens.


HHS OCR Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of PHI on an Unsecured Server for $75,000

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules with iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers. The settlement involved a data breach in which a network server containing the protected health information of 267 individuals was left unsecured on the internet. The HIPAA Privacy, Security, and Breach Notification Rules set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.


HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with MedEvolve, Inc., a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered health care entities. The settlement concludes OCR’s investigation of a data breach in which a server containing the protected health information of 230,572 individuals was left unsecured and accessible on the internet.
