Office for Civil Rights/OCR

Last Friday, OCR issued a new fact sheet that outlines the ten circumstances where a Business Associate would have direct liability under HIPAA.

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to

On December 12, 2018, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a Request for Information (“RFI”) “to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information.” Through this RFI, OCR seeks public comment regarding whether and how the HIPAA Privacy and Security Rules could be revised to promote value-based care and care coordination without jeopardizing individuals’ rights to privacy. OCR will accept comments through February 12, 2019.

Specifically, OCR has requested comments regarding the following four topics:

The Upper San Juan Health Service District d/b/a Pagosa Springs Medical Center (“PSMC”), a critical access hospital in Colorado, has agreed to a $111,400 settlement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to resolve a complaint alleging that a former PSMC employee continued to have remote access to

A few months ago we posted an update on the California Consumer Privacy Act, a mini-GDPR that contains serious privacy ramifications for the U.S. privacy landscape. Likely in response to the upcoming 2020 go-live for the California law, various groups have noticed an uptick in lobbying directed at the passage of a federal privacy law

Last week, four different settlement agreements were announced with four different Massachusetts hospitals to settle claims that they had violated HIPAA and state consumer protection and data security laws, by either not obtaining proper patient authorizations before allowing a television documentary to be filmed in the hospital or failing to investigate reports of inappropriate access

As the lazy days of summer wind down slowly at first, and then all at once, now is a good time for a reminder that your own employees returning to work full steam may pose the biggest threat to your cybersecurity. According to the U.S. Department of Health and Human Services Office for Civil Rights,

In its August Cyber Security Newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued “Considerations for Securing Electronic Media and Devices.” In this guidance document, OCR reminds HIPAA covered entities and business associates that they are required, under the HIPAA Security Rule, to implement policies and procedures that: (1)

On August 30, 2018, in honor of the 22nd anniversary of the introduction of HIPAA, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) released a blog post entitled “HIPAA & Health Information Portability: A Foundation for Interoperability.” This

In its July Cybersecurity Newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued “Guidance on Disposing of Electronic Devices and Media,” which reminds HIPAA covered entities and business associates that they are required under the HIPAA Security Rule to dispose of electronic devices and media in a secure manner.