On August 18, 2025, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (BST). The announcement continues OCR’s escalating enforcement of the HIPAA...more
8/19/2025
/ Business Associates ,
Data Breach ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Enforcement Actions ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Breach Notification Rule ,
HIPAA Privacy Rule ,
HIPAA Security Rule ,
OCR ,
PHI ,
Ransomware ,
Risk Assessment ,
Risk Management
On Friday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the fifth enforcement action under its Risk Analysis Initiative. In this case, OCR reached a settlement with Health...more
3/24/2025
/ Business Associates ,
Compliance ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Department of Health and Human Services (HHS) ,
Employee Retirement Income Security Act (ERISA) ,
Enforcement Actions ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
Risk Management
In February, a coalition of healthcare organizations sent a letter to President Donald J. Trump and the U.S. Department of Health and Human Services (HHS) (the Letter), urging the immediate rescission of a proposed update to...more
As the healthcare sector continues to be a top target for cyber criminals, the Office for Civil Rights (OCR) issued proposed updates to the HIPAA Security Rule (scheduled to be published in the Federal Register January 6). It...more
1/2/2025
/ Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Data Security ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Health Plan Sponsors ,
HITECH Act ,
Incident Response Plans ,
Malware ,
OCR ,
PHI ,
Policies and Procedures ,
Risk Assessment ,
Risk Management
A healthcare provider delivering pain management services in Florida and other states faces a $1.19 million civil monetary penalty from the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR)....more
12/5/2024
/ Civil Monetary Penalty ,
Data Breach ,
Department of Health and Human Services (HHS) ,
Electronic Medical Records ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Independent Contractors ,
OCR ,
Risk Management ,
Security Rule
One of our recent posts discussed the uptick in AI risks reported in SEC filings, as analyzed by Arize AI. There, we highlighted the importance of strong governance for mitigating some of these risks, but we didn’t address...more
9/12/2024
/ Artificial Intelligence ,
Automated Decision Systems (ADS) ,
Cybersecurity ,
Data Privacy ,
Department of Health and Human Services (HHS) ,
Fortune 500 ,
Governance Standards ,
Intellectual Property Protection ,
Machine Learning ,
Phishing Scams ,
Popular ,
Risk Assessment ,
Risk Management ,
Securities and Exchange Commission (SEC)
On April 22, 2024, the federal Department of Health and Human Services’ Office for Civil Rights (OCR) announced a final rule enhancing privacy protections relating to reproductive health care. Specifically, the final rule...more
On February 28, 2024, President Biden issued an Executive Order (EO) seeking to protect the sensitive personal data of Americans from potential exploitation by particular countries. The EO acknowledges that access to...more
3/6/2024
/ Artificial Intelligence ,
Cyber Crimes ,
Cybersecurity ,
Data Transfers ,
Department of Health and Human Services (HHS) ,
Department of Veterans Affairs ,
Executive Orders ,
Exploitation ,
National Security ,
Secretary of Defense ,
Sensitive Personal Information
Phishing has long been a favorite tactic for threat actors (hackers) to commence a cyberattack. The rapid expansion of more adaptable and available artificial intelligence (AI) technologies, such as natural language...more
1/5/2024
/ Artificial Intelligence ,
Cyber Attacks ,
Cyber Crimes ,
Cybersecurity ,
Department of Health and Human Services (HHS) ,
Email ,
Employee Training ,
FBI ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Multi-Factor Authentication ,
OCR ,
Phishing Scams ,
Popular ,
Risk Management
As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular topics from 2023....more
12/21/2023
/ Artificial Intelligence ,
California Privacy Rights Act (CPRA) ,
Cybersecurity ,
Data Protection ,
Department of Health and Human Services (HHS) ,
Executive Orders ,
Federal Trade Commission (FTC) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
International Data Transfers ,
Securities and Exchange Commission (SEC) ,
Sensitive Personal Information ,
SHIELD Act ,
UK ,
Workplace Privacy
Many HIPAA covered entities and business associates struggle with developing and implementing a sanctions policy. What should it say, is zero-tolerance required, do we have to impose discipline in every case, etc. These are...more
10/25/2023
/ Cybersecurity ,
Data Breach ,
Department of Health and Human Services (HHS) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
OCR ,
Popular ,
Privacy Rule ,
Sanctions ,
Security Rule ,
Training ,
Web Tracking ,
Zero Tolerance Policies
The Department of Health and Human Services and the Federal Trade Commission have sent a joint letter to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of...more
7/21/2023
/ Data Privacy ,
Department of Health and Human Services (HHS) ,
Facebook ,
Federal Trade Commission (FTC) ,
Google ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Hospitals ,
OCR ,
PHI ,
Technology ,
Telehealth ,
Web Tracking
Unhappy consumers, including patients, are free to express dissatisfaction with services they receive from providers on popular social media or online review platforms, such as Yelp and Google. At least in the healthcare...more
6/6/2023
/ Corrective Action Plans (CAPs) ,
Department of Health and Human Services (HHS) ,
Google ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Mental Health ,
New Jersey ,
OCR ,
Online Reviews ,
PHI ,
Yelp
We have written several times about U.S. Department of Health and Human Services Office for Civil Rights’ “HIPAA Right of Access Initiative.” In its most recent enforcement action under the Initiative, the 44th such...more
Last month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates...more
In response to the United States Supreme Court decision in Dobbs vs. Jackson Women’s Health Organization, President Joe Biden signed an Executive Order on Friday, July 8, 2022, designed to protect access to reproductive...more
7/11/2022
/ Abortion ,
Department of Health and Human Services (HHS) ,
Dobbs v. Jackson Women’s Health Organization ,
Executive Orders ,
Federal Trade Commission (FTC) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Joe Biden ,
OCR ,
Patient Privacy Rights ,
Reproductive Healthcare Issues ,
Roe v Wade ,
SCOTUS
As employers consider implementing a vaccine mandate to encourage employees to get vaccinated against COVID-19, we have recently discussed the merits of imposing a “vaccine surcharge” on monthly health insurance premiums for...more
The Federal Trade Commission (“FTC”) recently issued an important policy statement to health apps and other connected devices that collect or use consumers’ health information. The FTC’s policy statement effectively...more
Since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule became effective in 2003, it generally required covered entities to provide patients timely access to their medical records. Of...more
7/23/2021
/ 21st Century Cures Act ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Privacy Rule ,
Information Blocking Rules ,
OCR ,
OIG ,
PHI ,
Right-To-Access
For years (and we do mean years), the EEOC has waffled about whether incentives were permissible in connection with a medical inquiry under a voluntary wellness program. Friday, the EEOC issued its most recent pronouncement...more
6/2/2021
/ Adverse Employment Action ,
Affordable Care Act ,
Americans with Disabilities Act (ADA) ,
Anti-Retaliation Provisions ,
Coronavirus/COVID-19 ,
Department of Health and Human Services (HHS) ,
Employer Group Health Plans ,
Equal Employment Opportunity Commission (EEOC) ,
GINA ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Incentives ,
IRS ,
Medical Examinations ,
New Guidance ,
Vaccinations ,
Voluntary Participation ,
Wellness Programs
Individuals and organizations that want to play a role in administering countermeasures to combat a disease or combat a public health emergency, such as COVID-19, worry about the potential legal exposure. The choice to...more
3/10/2021
/ Biden Administration ,
Centers for Disease Control and Prevention (CDC) ,
Coronavirus/COVID-19 ,
Department of Health and Human Services (HHS) ,
Health Care Providers ,
Immunity ,
Liability ,
Nurses ,
Physicians ,
Public Readiness and Emergency Preparedness Act (PREP Act) ,
Vaccinations
In the final days of 2020, the Office for Civil Rights (OCR) at the U.S. Health and Human Service (HHS) released a HIPAA Audits Industry Report (“the Report”), that could be quite helpful to covered entities and business...more
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have issued a joint cybersecurity advisory stating they have...more
10/30/2020
/ Best Practices ,
Coronavirus/COVID-19 ,
Cyber Attacks ,
Cyber Crimes ,
Cybersecurity ,
Cybersecurity Information Sharing Act (CISA) ,
Department of Health and Human Services (HHS) ,
FBI ,
Multi-Factor Authentication ,
Passwords ,
Ransomware ,
Remote Desktop Protocols ,
TTP
When providers, health plans, business associates, and even patients and plan participants think of the HIPAA privacy and security rules (‘HIPAA Rules”), they seem to be more focused on the privacy and security aspects of the...more
Roger Severino, Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), provides advice for HIPAA covered health care providers:
"When informed of potential HIPAA...more