HHS Puts Industry on Notice: OCR is Serious About HIPAA Enforcement

Posted by Jason Greis on March 2, 2011 under Articles

On Feb. 22, 2011, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had issued a civil money penalty (CMP) of $4.3 million against Cignet Health of Prince George’s County, MD., the first imposition of a CMP by OCR for a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Two days later, HHS announced that General Hospital Corporation and Massachusetts General Physicians Organization, Inc., collectively referred to as Mass General, agreed to pay $1 million to settle potential violations of the HIPAA Privacy Rule.

FTC Defers Red Flags Rule Enforcement to June 1, 2010

Posted by Jason Greis on November 9, 2009 under Articles

On Oct. 30, 2009, the U.S. Federal Trade Commission (FTC) deferred enforcement of the Red Flags Rule once again, from Nov. 1, 2009 to June 1, 2010, “at the request of Members of Congress.” However, the FTC also acknowledged that earlier that day, the U.S. District Court for the District of Columbia had enjoined the FTC from applying the Red Flags Rule to attorneys. Importantly, the FTC’s deferral does not affect the separate timeline of that legal proceeding and any possible appeals. Nor does this deferral affect other federal agencies’ ongoing enforcement for financial institutions and creditors subject to their oversight.

HHS Issues Regulations Regarding Notification of Breaches of Unsecured Protected Health Information

Posted by Jason Greis on August 26, 2009 under Articles

On Aug. 24, 2009, the U.S. Department of Health and Human Services (HHS) published interim final regulations (the Rule) governing notification of breaches of unsecured protected health information (PHI) by HIPAA-covered entities and business associates. The Rule is one of several sets of regulations mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on Feb. 17, 2009, as a part of the American Recovery and Reinvestment Act of 2009 (ARRA). The Rule will be effective on Sept. 23, 2009.

Stimulus Legislation Expands Privacy Regulation for Health Care Businesses

Posted by Jason Greis on March 2, 2009 under Articles

Health care providers and any businesses that provide information technology services for them will be subject to much greater regulation of their information security practices as a result of a major component of the recent economic stimulus legislation. Known as the Health Information Technology for Economic and Clinical Health Act (or the “HITECH Act”), this portion of the federal economic stimulus package is the most expansive modification to the federal privacy and security rules for health-related businesses since the 1996 enactment of HIPAA.

Federal Stimulus Bill Significantly Expands the Scope of HIPAA’s Privacy and Security Requirements

Posted by Jason Greis on February 24, 2009 under Articles

On February 17, 2009, President Barack Obama signed the American Recovery and Reinvestment Act of 2009 (the “ARRA”), commonly referred to as the federal stimulus bill. The ARRA contains several provisions — intended to promote the use of health information technology — that would significantly expand the scope of the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). These changes, summarized below, include: