After OCR created a Morton’s Fork for hospitals and health systems by publishing its HIPAA Guidance on the Use of Online Tracking Technologies, the American Hospital Association initially stayed out of the fray. Not anymore. In its letter dated May 22, 2023, AHA makes its case to HHS as to why OCR’s Online Tracking Guidance should be suspended or amended.
FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule
The FTC has released its second enforcement action under the Health Breach Notification Rule in just over 3 months. This time, the FTC found that a fertility app called Premom shared sensitive fertility information with third parties for unauthorized purposes. While Premom told its users that it would not share their health information with third parties without users’ consent, it used third-party automated tracking tools known as software development kits (SDKs) that shared highly sensitive health information (e.g., data about an individual user’s sexual and reproductive health, pregnancy status, etc.) for advertising and marketing purposes.
Mobile Health Apps and Vendors of Health Records Beware! – the FTC has just started Enforcing the Breach Notification Rule.
The chickens have come home to roost for GoodRx. The FTC has assessed a $1.5 Million penalty against the telehealth and prescription drug discount provider for failing to report unauthorized disclosures as required by the Health Breach Notification Rule.
Fifth Circuit Vacates $4.3M MD Anderson Penalty
The Court of Appeals for the Fifth Circuit vacated the $4.3M penalty imposed on M.D. Anderson as arbitrary, capricious and contrary to law.
Big Changes to Big Breaches of Data and Notification Requirements Coming Soon!
Yesterday, the period for public comment on the FTC’s Health Breach Notification Rule closed. The FTC’s Health Breach Notification Rule requires vendors of PHRs and PHR-related entities to notify the FTC if they experience a breach of security involving unsecured health information. Another area of change to Breach Notification is arising out of the CARES Act, which was enacted into law on March 27, 2020 and is making significant changes to 42 C.F.R. Part 2. Among other changes that the CARES Act is introducing, it creates an entirely new obligation on Part 2 providers to notify SAMHSA of uses and disclosures of Part 2 data in any manner not authorized under Part 2! To date, 42 CFR Part 2 did NOT include an independent obligation to report or notify any agency (i.e., SAMHSA or HHS) of any use or disclosure of Part 2 information that was in violation of 42 CFR Part 2.
Mind your Breach Insurance and Vendor Contracts
A preliminary class action data breach settlement involving UnityPoint Health should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. Adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size and operations. Additionally, health care organizations should pay close attention to their vendor contracts, particularly limitation of liability clauses, hold harmless provisions and indemnification provisions in health IT and other contracts.
Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA
Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act. On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago
Copiers result in $1.2 million settlement and CAP for Affinity Health
Yet another covered entity has been hit with over $1 million to settle potential violations of HIPAA, this time for improper disposal of photocopiers. Last week, OCR announced a settlement had been reached with...
Document Disposal Company Responsible for old Patient Records found in Park
Over 277,000 patients were notified by Texas Health Harris Methodist Hospital in Fort Worth (“Texas Health Fort Worth”) earlier this month of a breach of their health information. Only patients seen between...
WellPoint hit with $1.7 million for Security Weaknesses in Online Application
The increasingly heavy-handed OCR announced news yesterday of yet another resolution agreement for HIPAA violations; this time hitting WellPoint Inc., a managed care company, with $1.7 million for an...
Lessons from the Idaho State University CAP
Back in 2011, Idaho State University (Idaho State) experienced a breach of PHI affecting approximately 17,500 individuals after firewalls on its servers were disabled at one of its outpatient clinics. It appropriately notified HHS in August of...
The $1.7 Million Flashdrive…Alaska Medicaid Settles HIPAA Violations
Even state agencies are not invisible to the all-seeing eye of OCR. The use, and subsequent theft of, an unencrypted flashdrive cost the Alaska Medicaid agency $1.7 million, according to the Office for Civil Rights (OCR)...
Mass. AG Levies 750k Judgment on Hospital for Data Breach
Massachusetts Attorney General Martha Coakley announced on May 24, 2012 having reached a settlement agreement with South Shore Hospital for failure to protect personal and confidential health information of over 800,000...
Yet Another Medicaid Breach; Emory Loses Back-up Discs
This April appears to have been designated “National Breach” month. In what is the second massive breach of Medicaid data this month, over 200,000 South Carolina Medicaid beneficiaries have been notified of a breach of their health...
Utah Medicaid Claims Data Hacked Affecting Over 24,000
The Utah Department of Health (UDOH) has experienced a data breach of its Medicaid claims data affecting over 24,000 individuals. The breach was reported to UDOH by the Utah Technology Services Department on Monday, April 2nd, and while...