Business Associates Beware! OCR Means Business

In June 2016, OCR entered into its first settlement agreement with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), for potential violations of the HIPAA Laws by failing to protect electronic protected health information (“EPHI”) of nursing home residents. The smartphone of a CHCS employee was stolen and contained EPHI. The smartphone was not password protected, and the EPHI was unencrypted. The EPHI of more than 400 residents included social security numbers, diagnostic and treatment information, medications, and the names of family members and legal guardians. OCR determined that CHCS had failed to perform a HIPAA Security Risk Assessment and implement a risk management plan regarding compliance with the HIPAA Laws, and that CHCS didn’t have policies and procedures as required under the HIPAA Security Rule. The settlement included a penalty of $650,000 and a corrective action plan for two years, which will be monitored by OCR . . . beware.

Analysis of Health Care Data Breach Litigation Trends

Companies that have a breach involving protected health information (“PHI”) worry not only about fines and penalties imposed by the Department of Health and Human Services (“HHS”), but about class action lawsuits. The risk that a class action lawsuit will lead to financial liability, however, is often misunderstood.

In many, if not most, class action lawsuits that involve the loss of PHI, plaintiffs have been unable to prove that they have standing to seek recovery. Specifically, unless a plaintiff has been the victim of identity theft or has suffered some other type of concrete injury, most courts have refused to let them proceed based solely on the allegation that they are subject to an increased risk of harm as a result of the breach . . .


Exploring the Causes of Healthcare Data Breaches

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g. healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”). The information reported to HHS gives organizations a high-level view of the types of breaches that occur in the healthcare industry.

The data collected by HHS concerning breaches affecting 500 or more individuals in 2014 shows that low-tech breaches remain the most common form of data loss in the health sector – surpassing more publicized hacking events . . .


Understanding The Responsibilities and Liabilities of Business Associates at a Glance (2015)

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of “Business Associates” and their responsibilities and liabilities. Pursuant to HITECH and HIPAA, Business Associates are required to . . .


Healthcare Data Breach Enforcements and Fines At A Glance (2015)

The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, while enforcement of the Security Rule began on April 20, 2005 . . .

Healthcare Breach Litigation At A Glance (2015)

Companies that have a breach involving protected health information (“PHI”) worry not only about fines and penalties imposed by the Department of Health and Human Services (“HHS”), but about class action lawsuits. The risk that a class action lawsuit will lead to financial liability, however, is often misunderstood . . .


State Level Enforcement and Fines for Health Data Breaches At A Glance (2015)

It does not appear that enforcing HIPAA’s data breach notification requirements is a priority for most state attorneys general (“AGs”), given the low number of actions brought under the statute. Connecticut, Vermont, Minnesota, and Indiana have each brought one action. Massachusetts is the only state that has brought more than one action . . .

The Causes of Healthcare Breaches At A Glance (2015)

The data collected by HHS concerning breaches shows that low-tech breaches remain the most common form of data loss in the health sector – surpassing the more publicized hacking events. Almost 40% of breaches still relate to the theft of hardware . . .
