HIPAA | Legal Health Information Exchange

Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

by Helen Oscislawski | May 11, 2020 | Data Breach Laws, Government Enforcement, HIPAA

Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act. On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago

Are Lawsuits for Violations of HIPAA’s Deidentification Standards About to Take Off – and What Can You Do About It?

Are Lawsuits for Violations of HIPAA’s Deidentification Standards About to Take Off – and What Can You Do About It?

by Helen Oscislawski | Apr 30, 2020 | HIPAA, Lawsuits

A recent opinion article published in STAT News explored whether potential litigation is looming surrounding the de-identified data exception in HIPAA. The authors of the article point out that “large volumes of data underpin the development of any AI effort,” which is why companies…

Do I Need a HIPAA Business Associate Agreement?

Do I Need a HIPAA Business Associate Agreement?

by Helen Oscislawski | Apr 5, 2020 | HIPAA, Tools & Resources, Webinars & Education

A HIPAA “Business Associate” is a person, other than a member of the workforce, who creates, receives, maintains or transmits PHI in the performance of services or functions for or on behalf of a Covered Entity. Treatment and Payment disclosures do NOT create a HIPAA BA relationship. Conduits are not HIPAA BAs, but the exception is very narrow. Covered Entities should review each HIPAA BA Agreement is needed, or not.

OCR Permits HIPAA BAs to Share COVID19-related PHI Directly for Public Health and Oversight

OCR Permits HIPAA BAs to Share COVID19-related PHI Directly for Public Health and Oversight

by Helen Oscislawski | Apr 3, 2020 | COVID-19, HIE & HIN, HIPAA

On April 2nd, HHS announced a new “Notification of Enforcement Discretion Under HIPAA to Allow Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19” (published in 85 Fed. Reg 193292 (April 7, 2020)). Government officials...

HIPAA Relaxed during COVID-19 Pandemic

HIPAA Relaxed during COVID-19 Pandemic

by Helen Oscislawski | Mar 22, 2020 | COVID-19, Government Enforcement, HIPAA

The events unfolding with respect to COVID-19 are unprecedented. There is a lot going on, and for those out there on the front lines of health care – like my husband who is an ER doc – I know that your first priority is helping patients and ensuring everyone around you is safe and healthy. ...

“Top 10” List for Security Law Compliance

“Top 10” List for Security Law Compliance

by Helen Oscislawski | May 28, 2015 | HIPAA

“Top 10” List for Security Law Compliance As we bid farewell to late night comedy host David Letterman, I thought it appropriate and timely to give a nod to one of Letterman’s most iconic segments, his “Top 10”, with my own Top 10 list for complying with applicable Security Law: #10. THE HIPAA...

When Do Conduits Cross the HIPAA BA Line?

When Do Conduits Cross the HIPAA BA Line?

by Helen Oscislawski | Jun 3, 2014 | Business Associates, HIPAA

What Is a “Conduit” and When Do They Cross The HIPAA BA Line? [1] As health information organizations (HIOs) start to facilitate secure networked health information exchange (HIE), the question of whether the HIO is or is not a HIPAA business associate (BA) almost always comes up. In the...

Document Disposal Company Responsible for old Patient Records found in Park

by Krystyna Monticello | Jul 22, 2013 | Data Breach Laws, HIPAA

Document Disposal Company Responsible for old Patient Records found in Park Over 277,000 patients were notified by Texas Health Harris Methodist Hospital in Fort Worth (“Texas Health Fort Worth”) earlier this month of a breach of their health information. Only patients seen between...

Lessons from the Idaho State University CAP

by Krystyna Monticello | Jun 13, 2013 | Data Breach Laws, Government Enforcement, HIPAA

Lessons from the Idaho State University CAP Back in 2011, Idaho State University (Idaho State) experienced a breach of PHI affecting approximately 17,500 individuals after firewalls on its servers were disabled at one of its outpatient clinics. It appropriately notified HHS in August of...

What Do I Need To Do to Comply with the HITECH Omnibus Rule? (the short version, please)

What Do I Need To Do to Comply with the HITECH Omnibus Rule? (the short version, please)

by Helen Oscislawski | Mar 4, 2013 | HIPAA, Legislation & Rulemaking

What Do I Need To Do to Comply with the HITECH Omnibus Rule? (the short version, please) The HITECH Omnibus Rule clocked-in at 563 pages, and we have read, digested and condensed the nuts and bolts for you here in our February 2013 edition of our Health Law Diagnosis newsletter. But if...

Deciphering the HITECH Omnibus Rule: Business Associates

by Krystyna Monticello | Jan 21, 2013 | HIPAA

Deciphering the HITECH Omnibus Rule: Business Associates Since the HITECH Notice of Proposed Rulemaking (NPRM) was released in July of 2010, covered entities and business associates have been waiting (im)patiently for the Final HITECH Omnibus Rule to be released. As of this past...

FINALLY! HHS Releases the Final HIPAA/HITECH Omnibus Rule.

by Helen Oscislawski | Jan 18, 2013 | HIPAA, Legislation & Rulemaking

FINALLY! HHS Releases the Final HIPAA/HITECH Omnibus Rule. Finally, the long awaited Final Rules are out. The Department of Health and Human Services (HHS) posted the HIPAA/HITECH “Omnibus Rule” on January 17, 2013 at 4:15 pm. You can download a copy here, or go straight to the source...

Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor

by Krystyna Monticello | Jan 8, 2013 | Government Enforcement, HIPAA

Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm. According to an article in the LA Times, Kaiser contracted...

HHS Rings in 2013 with News of Settlement for Small Breach

by Krystyna Monticello | Jan 3, 2013 | Government Enforcement, HIPAA, Meaningful Use & Quality Payment Program

HHS Rings in 2013 with News of Settlement for Small Breach We hope all of our readers had a happy and relaxing holiday season, and we wish you all the best for this New Year! It seems fitting for the first post of the year to revolve around HHS’s announcement of its first breach settlement...

« Older Entries

Next Entries »