Keeping you afloat amidst the rising sea of regulations

New OCR HIPAA Audit Protocol Can Assist Providers with Preparing for Phase 2 Audits

As previously discussed on this blog (see here and here), the Office for Civil Rights (OCR) recently began its second round of audits of covered entities and business associates for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule (the “Phase 2” audits). Notably absent from the launch of Phase 2 was the release of the updated audit protocol th

Heading for the Breaches: California Recommends Data Security Measures

The California Office of the Attorney General (OAG) recently released a report detailing a comprehensive analysis of the data breaches reported to the OAG between 2012 and 2015. Fifty million records of Californians were reportedly breached during those four years. The report acknowledges that security is a challenging endeavor for organizations, but points out that many of the breaches reported could have been prevented by taking reasonable security measures. The report provides the following key recommendations for businesses:

Secure Yourself: NIST Releases Final Version of the Cryptographic Standards and Guidelines Development Process

Covered entities and business associates subject to the HIPAA Security Rule are closer to getting a benchmark for encryption standards with the release of the Standards and Guidelines Development Process in late March by the National Institute of Standards and Technology (NIST).

Stricter European Privacy Rules: Think Twice Before Marketing Health Care Goods and Services Across the Atlantic

On April 14, 2016, the European Union formally adopted a new scheme – known as the EU General Data Protection Regulation (GDPR) – to protect the personal data of European residents. The GDPR will enter into force in May 2018, replacing the EU Data Protection Directive 95/46/EC. The GDPR is significantly more onerous than the Directive, seeking to enhance data privacy protections for Europeans. US health care organizations processing Europeans’ personal data should start preparing now for compliance.

How Providers Can Prepare For Round 2 Of HIPAA Audits

This article was originally published on Law360.

Are You Safe? Providers Struggle to Contend with Surge in Ransomware Attacks

In the wake of the recent ransomware attack on Hollywood Presbyterian Medical Center (discussed here), news reports have emerged that at least three more medical centers and a large health care system have been the victims of these attacks. Ransomware is a type of computer attack in which malicious software encrypts a victim's files, preventing users from accessing them until a ransom is paid.

Providers Prepare: OCR Launches Second Round of HIPAA Audits

On March 21, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced it was beginning its next round of audits of covered entities and business associates for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule (the “Phase 2” audits). OCR’s audit program is designed to help OCR assess the HIPAA compliance efforts of the full range of entities covered by the HIPAA regulations.

SAMHSA Proposes First Revisions to Substance Abuse Medical Record Privacy Rules in Almost Three Decades

On Tuesday, February 9, 2016, the Substance Abuse and Mental Health Services Administration (SAMHSA) published proposed revisions to the rules governing the confidentiality of substance abuse treatment records found in 42 C.F.R. Part 2. The rules apply to any federally assisted drug or alcohol abuse program (as defined by the regulations) (each a Part 2 Program). These proposed changes mark the first time the regulations have been subject to revision since 1987.

Administrative Law Judge Upholds Imposition of Civil Penalties on Health Care Provider for HIPAA Violations

In a recent decision, a US Department of Health and Human Services (HHS) Administrative Law Judge (ALJ) agreed with the HHS Office for Civil Rights (OCR) that Lincare, Inc. d/b/a United Medical had violated HIPAA. The ALJ also sustained OCR’s imposition of a civil money penalty (CMP) of $239,800 on Lincare.

Ransomware Attack on California Hospital Puts Providers on Alert for New Threats to Health Information

Management at hospitals and other health care providers has long been aware of the need to implement computer security policies to comply with HIPAA’s requirements for protecting sensitive patient information. Cybersecurity may nonetheless have rocketed to the top of management’s priority list in the wake of the recent cyberattack on Hollywood Presbyterian Medical Center (HPMC), which left the hospital unable to access some of its computer systems for ten days.