All posts in OCR

HIPAA’s Long Arm — and Why It’s a Good Thing

Daniel Solove
Founder of TeachPrivacy

HIPAA Training

Recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement and monetary penalty against a business associate (BA).

Continue Reading

Blogging Highlights 2015: Health Privacy+Security Issues

Daniel Solove
Founder of TeachPrivacy

HIPAA Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about health privacy and security:

Why HIPAA Matters: Medical ID Theft and the
Human Cost of Health Privacy and Security Incidents

care

Continue Reading

New Resource Page: HIPAA Training Requirements FAQ

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Requirements Whiteboard 02

by Daniel J. Solove

I recently created a new resource page for the TeachPrivacy website: HIPAA Training Requirements: FAQ.

Continue Reading

Health Data Security in Crisis, Phase 2 Audits, and Other HIPAA Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

Co-authored with Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. We have split the health/HIPAA material from our updates on other topics. To see our updates for other topics, click here.

For a PDF version of this post, and for archived issues of previous posts, click here.

Continue Reading

The Health Data Breach and ID Theft Epidemic

Daniel Solove
Founder of TeachPrivacy

Title image

By Daniel J. Solove

When you go to the hospital, you might worry about catching a staph infection or pneumonia, but you should also worry about contracting a nasty case of medical identity theft. Most people suffer significant harm from medical ID theft, and few are completely cured. This ailment is spreading dramatically as data spurts out of healthcare organizations these days as if from a ruptured aorta.

In January of this year, an article citing U.S. Department of Health and Human Services (HHS) statistics noted that in the past 5 years, there have been roughly 120,000 reported data breaches involving HIPAA protected health information. These breaches have involved more than 31 million individuals.

Continue Reading

Drones, Data Breaches, Cramming, and Other Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

drones and data breaches

by Daniel J. Solove

This post is co-authored with Professor Paul M. Schwartz.

This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here.

We became quite busy after the last update, so we’re a bit backlogged. We are catching up on developments late last year and we have a lot of material. We will release the next issue soon, as there is too much material to fit into this issue.

For a PDF version of this post, click here.

Continue Reading

The Most Alarming Fact of the HIPAA Audits

Daniel Solove
Founder of TeachPrivacy

hipaa audits 1

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #5 of a series called Enforcing Privacy and Security Laws.

Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach.

What the audits thus far have revealed is quite alarming. I’ll discuss more on that later.

Continue Reading

The Brave New World of HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

hipaa enforcement

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #4 of a series called Enforcing Privacy and Security Laws.

hhs logoThe Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive health information from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs.

Continue Reading

6 Lessons from the Costliest HIPAA Settlement to Date

Daniel Solove
Founder of TeachPrivacy

Costliest HIPAA Settlement blog 1

by Daniel J. Solove

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the costliest HIPAA settlement to date — a $4.8 million settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU). The case involved the disclosure of protected health information on the Internet. Here are some lessons from this latest case:

Continue Reading

Waking Up the C-Suite to Privacy and Security Risks

Daniel Solove
Founder of TeachPrivacy

waking up the c suite

by Daniel J. Solove

I was recently interviewed in the Journal of AHIMA on how the C-suite is waking up to the new realities of privacy and data security risks. Before the HITECH Act in 2009, HIPAA enforcement was based on a cooperative model where HHS was not punitive in its approach. Now, big fines are being issued. There is auditing. The climate has changed.

Privacy and security risks are quite costly. This is true not just under HIPAA, but also as a general matter. At many organizations, the C-Suite doesn’t fully appreciate the magnitude of the risk. Back about 10 years ago, for many organizations, privacy and security risks were barely on the radar. Now they are recognized for many organizations, but the significance of the risk is often not fully understood or appreciated.

Continue Reading