HIPAA

On February 6, the U.S. Department of Health and Human Services (HHS) announced a $4.75 million settlement with Montefiore Medical Center (MMC) for a breach of unsecured electronic protected health information (ePHI). The settlement stems from an internal investigation that found that an employee of the New York hospital system sold patient information to an

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently released two resource documents to help healthcare providers explain the privacy and security risks of telehealth to their patients.

The first document, entitled “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies

The Federal Trade Commission (FTC) recently issued guidance entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.” The guidance points out that while businesses that collect, use, or share consumer health information are (or should be) accustomed to complying with HIPAA and its Privacy

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Manasa Health Center in Kendall Park, New Jersey entered into a Resolution Agreement and Corrective Action Plan to resolve a HIPAA Privacy Rule violation. The psychiatric practice, owned by Dr. Nidagalle Gowda, inexplicably disclosed four patients’ protected health information

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on May 8 that David Mente, a Pittsburgh psychotherapist, has paid $15,000 to settle a violation of the HIPAA Privacy Rule. OCR has been pursuing its so-called Right of Access Initiative since 2019, as previously discussed here.

Incredibly, some healthcare

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on April 11 that the Notifications of Enforcement Discretion issued under HIPAA and the HITECH Act during the federal COVID-19 public health emergency (PHE) will expire when the PHE ends on May 11.

The four Notifications of Enforcement Discretion that will

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on February 2 that Banner Health, a not-for-profit hospital system based in Arizona, has paid $1.25 million in order to settle alleged HIPAA violations in connection with a cyber attack.

The incident occurred in 2016 when a hacker gained access to

I don’t know how to say it any more clearly.  Somehow, medical and dental practices continue to get roped into responding to negative patient reviews on Yelp, Google, or elsewhere online, and posting any identifying information about a patient is a HIPAA violation. It’s protected health information (PHI), even if the patient posted something first.

On December 1, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a Bulletin entitled ”Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates“ that addresses the responsibilities of HIPAA covered entities and business associates (“regulated entities”) when using online tracking technologies. Regulated entities need