At the very top of Fisher-Titus Medical Center’s website is a link to the Change Healthcare HIPAA notice informing visitors of the last day to register for credit monitoring related to the world’s largest breach, which...more
8/18/2025 / Cybersecurity, Cybersecurity Information Sharing Act (CISA), Data Breach, Department of Homeland Security (DHS), Federal Funding, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Security Rule, Hospitals, New Legislation, OCR, Popular, Regulatory Requirements, Risk Management, Rural Health Care Providers
A single incident that may have started as a personal vendetta or an extortion threat seven years ago has cost a Florida health care system $800,000, and comes on the heels of an unrelated breach suffered by a different...more
6/18/2025 / Breach Notification Rule, Compliance, Corrective Action Plans (CAPs), Covered Entities, Data Breach, Department of Health and Human Services (HHS), Enforcement Actions, Health Care Providers, Healthcare, Healthcare Reform, HIPAA Violations, Hospitals, OCR, PHI, Privacy Laws, Settlement, Settlement Agreements
Today, the HHS Office for Civil Rights (OCR) stands shoulder-to-shoulder with the likes of the Office of Inspector General and Office of General Counsel, one of just a dozen or so agencies reporting directly to the secretary....more
4/15/2025 / Budget Cuts, Charter Schools, Compliance, Cybersecurity, Data Privacy, Department of Health and Human Services (HHS), Enforcement, Enforcement Actions, Federal Funding, Health Care Providers, Hiring & Firing, Medical School, OCR, Patient Privacy Rights, Patients, Privacy Laws, Regulatory Requirements, Trump Administration
Nearly six years to the day that Warby Parker reported a breach affecting nearly 200,000 individuals, the HHS Office for Civil Rights (OCR) imposed a $1.5 million fine on the eyewear giant. Investigated by OCR under the Biden...more
3/12/2025 / Business Associates, Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, PHI, Privacy Laws, Trump Administration
Covered entities (CEs) and business associates (BAs) may receive a “discount” for having recognized security practices (RSPs) in place when the HHS Office for Civil Rights (OCR) calculates financial penalties for Security...more
11/14/2024 / American Hospital Association, Business Associates, Compliance, Covered Entities, Department of Health and Human Services (HHS), Enforcement Actions, Fines, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, OCR, Personal Information, Privacy Laws, Regulatory Agenda, Regulatory Requirements, Security Rule
Let’s review for a moment.
It’s not a HIPAA violation to be a victim of ransomware.
It’s not a HIPAA violation to pay a ransom.
It’s up to the covered entity (CE) to determine if a security or privacy incident is a...more
10/16/2024 / Compliance, Covered Entities, Cyber Attacks, Cyber Incident Reporting, Data Breach, Data Protection, Data Security, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Investigations, OCR, Patients, Popular, Privacy Laws, Ransomware, Regulatory Requirements, Settlement
Report on Research Compliance 21, no. 9 (September, 2024)
How many types of falsehoods might sully applications for research funds and the studies they support? Unfortunately, the most recent semiannual report to...more
9/5/2024 / Academic Misconduct, Compliance, False Claims Act (FCA), False Reporting, Fraud, Government Agencies, Health Care Providers, Healthcare, HHS Office of Research Integrity (ORI), Medical Records, National Science Foundation, OIG, Research and Development, Settlement
Unleashed on June 27, 2017, NotPetya caused an estimated $10 billion in damages globally, among the costliest ransomware attacks in history. In 2018, the Trump administration—in tandem with the British government—blamed...more
8/21/2024 / Corrective Action Plans (CAPs), Cyber Attacks, Cybersecurity, Data Protection, Electronic Protected Health Information (ePHI), Health Care Providers, Healthcare, HIPAA Security Rule, Malware, OCR, Patients, Privacy Laws, Settlement
United Healthcare Group (UHG) CEO Andrew Witty was in a board meeting on Feb. 21 when officials interrupted with the news that Change Healthcare—a clearinghouse UHG subsidiary Optum had purchased for $1.3 billion in October...more
5/13/2024 / Business Associates, Covered Entities, Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Department of Health and Human Services (HHS), Hackers, Health Care Providers, Healthcare, Legislative Agendas, OCR, Patients, Personal Information, Popular, Privacy Laws, Regulatory Oversight, Regulatory Requirements
Organizations typically deal with ransomware attacks out of the public eye, but the massive scale of United Healthcare Group’s (UHG) February breach made that an impossibility. UHG CEO Andrew Witty was recently on the hot...more
5/13/2024 / Breach Notification Rule, Cyber Attacks, Cyber Incident Reporting, Cybersecurity, Data Breach, Data Protection, Data Security, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Healthcare Facilities, Incident Response Plans, Medical Records, Patients, Popular, Privacy Laws, Ransomware
In September 2015, while working in an office on the grounds of Mercy Hospital in Miami, Ivette Maria Portela Martinez learned about an upcoming clinical trial for treatment of symptoms of Clostridium difficile infections and...more
3/27/2024 / Clinical Trials, Criminal Conspiracy, Criminal Convictions, Criminal Prosecution, Department of Justice (DOJ), False Statements, Food and Drug Administration (FDA), Health Care Providers, Healthcare, Investigations, Life Sciences, Medical Research, Pharmaceutical Industry, Popular, Research and Development, Scientific Research, Wire Fraud
Although the HHS Office for Civil Rights (OCR) described its recent $4.75 million agreement with a Bronx, New York, hospital as settling a “malicious insider cybersecurity investigation,” the agency considered a total of 11...more
3/12/2024 / Cyber Attacks, Cybersecurity, Data Breach, Employees, Enforcement Actions, Health Care Providers, Healthcare, HIPAA Security Rule, HIPAA Violations, Hospitals, Internal Investigations, Popular, Risk Assessment, Settlement
The HHS Office for Civil Rights (OCR) and other government agencies aren’t just worried that providers understand—and mitigate—the privacy and security risks of telehealth.
In fact, in 2022, the Government Accountability...more
2/9/2024 / Centers for Medicare & Medicaid Services (CMS), Compliance, Cyber Threats, Data Protection, Data Security, Department of Health and Human Services (HHS), GAO, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, OCR, PHI, Privacy Laws, Risk Assessment, Risk Management, Risk Mitigation, Telehealth
If the penultimate enforcement settlement of 2023 issued by the HHS Office for Civil Rights (OCR) sounds familiar, that’s with good reason. And the last one of the year should ring some bells, too....more
1/17/2024 / Amended Rules, Corrective Action Plans (CAPs), Cybersecurity, Department of Health and Human Services (HHS), Employee Training, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, HIPAA Security Rule, HIPAA Violations, OCR, PHI, Policies and Procedures, Proposed Regulation, Regulatory Reform, Right-To-Access, Security Risk Assessments, Settlement
Report on Patient Privacy 23, no. 12 (December, 2023)
Spring 2020 was a terrifying period in the annals of COVID-19, and New York was at the epicenter. COVID-19 cases, and deaths, already the highest in the nation, were...more
12/8/2023 / Coronavirus/COVID-19, Corrective Action Plans (CAPs), Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Care Providers, HIPAA Privacy Rule, HIPAA Violations, Hospitals, Media, OCR, Patients, Personal Information, Photographs, Prior Authorization, Privacy Laws, Public Health Emergency, Settlement, Video
Report on Patient Privacy 23, no. 11 (November, 2023)
Tim DiBona clearly remembers Christmas Eve 2018 when the staff of his small firm—Doctors’ Management Service (DMS)—arrived at their West Bridgewater, Mass., office to...more
11/10/2023 / Compliance, Corrective Action Plans (CAPs), Cyber Attacks, Cyber Incident Reporting, Cybersecurity, Data Breach, Data Management, Data Protection, Data Recovery, Electronic Protected Health Information (ePHI), Fines, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, Popular, Ransomware, Risk Management
Report on Patient Privacy 23, no. 10 (October, 2023)
By 2016, it should have been clear to HIPAA covered entities that a security risk analysis—and corresponding risk management plan—were compliance basics. Yet, a new...more
10/6/2023 / Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Disclosure Requirements, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, Privacy Laws, Risk Assessment, Risk Management
Start with a records request. Add a seven months’ wait. Stir in the chaos of the pandemic, with most employees working from home. Blend in a perhaps-neglected post office box. Bake for two-and-a-half years....more
Report on Patient Privacy Volume 23, no 8 (August 2023)
The allegation was shocking and, if true, would devastate the orthopedic surgeon’s reputation.
An online commenter accused him of operating on the wrong arm or...more
8/17/2023 / Cybersecurity, Health Care Providers, Healthcare, Internet, OCR, Online Commentary, Online Reputation, Online Reviews, Privacy Concerns, Reputation Management, Reputational Injury, Retaliation, Slander
Report on Research Compliance Volume 20, no 8 (August 2023)
With the publication of a rule finalizing financial penalties for grant fraud and related violations of U.S. law, the HHS Office of Inspector General (OIG) has a...more
8/1/2023 / Department of Health and Human Services (HHS), Enforcement, Final Rules, Financial Fraud, Fines, Fraud, Fraud and Abuse, Grants, Health Care Providers, Healthcare, Information Blocking Rules, Medical Research, OIG, Penalties, Research and Development
Report on Patient Privacy Volume 23, no 7 (July 2023)
In two public talks this spring, Melanie Fontes Rainer, director of the HHS Office for Civil Rights (OCR), said completing the 2021 proposed regulation extensively...more
7/17/2023 / Data Privacy, Data Protection, Department of Health and Human Services (HHS), Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Healthcare Reform, HIPAA Privacy Rule, HIPAA Violations, Information Blocking Rules, Information Technology, Investigations, OCR, Penalties, Proposed Regulation, Regulatory Requirements
HIPAA covered entities (CEs) longing for the opportunity to dispense with what some would call the more nettlesome aspects of notices of privacy practices (NPPs) will just have to be patient. For how long, no one is saying....more
5/12/2023 / Covered Entities, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Reform, HIPAA Privacy Rule, OCR, Patient Privacy Rights, PHI, Proposed Amendments, Proposed Rules, Reproductive Healthcare Issues
In some respects, assuring compliance with HIPAA has always been a challenge because many health care providers, particularly physicians, pride themselves on maintaining patient confidentiality—even when they aren’t. Nurses,...more
3/10/2023 / Data Privacy, Data Protection, Data Security, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Workers, Personally Identifiable Information, Policies and Procedures, Remote Working, Risk Management
Report on Patient Privacy Volume 23, no 2 (February 2023)
When Micky Tripathi’s mom was recently transferred to a rehab facility to recover from a broken hip, the hospital, “right in front of me…printed off her record,...more
2/16/2023 / Compliance, Data Privacy, Data Security, Data Storage, Department of Health and Human Services (HHS), Digital Health, Electronic Medical Records, Enforcement, Final Rules, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Facilities, Hospitals, ONC, PHI, Regulatory Agenda
Report on Patient Privacy 22, no. 10 (October, 2022)
How about free?
Patients daily face the machinations of getting records from their providers, and health care practices, hospitals and even dentists struggle with...more
10/10/2022 / Corrective Action Plans (CAPs), Covered Entities, Dentists, Department of Health and Human Services (HHS), Enforcement Actions, Excessive Fees, Health Care Providers, HIPAA Violations, Medical Records, OCR, PHI, Settlement Agreements