Healthcare Privacy News and Events

HHS Office for Civil Rights Imposes a Civil Monetary Penalty of $115,200 Against American Medical Response for Failure to Provide Timely Access to Patient Records

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a civil monetary penalty of $115,200 collected against American Medical Response (AMR), a provider of emergency medical services across the United States. The civil monetary penalty was the result of an investigation based on a complaint that AMR had failed to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) for a reasonable, cost-based fee.

Visit the article webpage to learn more

Update to HHS OCR’s Change Healthcare Cybersecurity Incident FAQ Webpage

On July 19, 2024, Change Healthcare filed a breach report with the HHS Office for Civil Rights (OCR) concerning a ransomware attack that resulted in a breach of protected health information. Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected.” This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal. Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach. HIPAA breach reports filed on the HHS Breach Portal may be amended, as the breach report form allows a filer to file an initial breach report or an addendum to a previous report.

Visit the article webpage to learn more

HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Saint Joseph’s Medical Center is a non-profit academic medical center in New York that provides a full range of health care services. The settlement involved the impermissible disclosure of COVID-19 patients’ protected health information to a national media outlet.

Visit the article webpage to learn more

OCR Releases Cybersecurity Video: How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks

In recognition of National Cybersecurity Awareness Month, OCR has produced a new video for organizations covered under the HIPAA Rules on how the HIPAA Security Rule can help regulated entities defend against cyber-attacks. The video is available in English and Spanish.

This presentation is intended to educate the health care industry on real world cyber-attack trends from OCR breach reports and investigations and explore how implementation of appropriate HIPAA Security Rule safeguards can help detect and mitigate common cyber-attacks. Topics include:

  • OCR breach and investigation trend analysis
  • Common attack vectors
  • OCR investigations of weaknesses that led to or contributed to breaches
  • How Security Rule compliance can help regulated entities defend against cyber-attacks

The video presentation may be found on OCR’s YouTube channel at: http://youtube.com/watch?v=VnbBxxyZLc8

HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’ Management Services, a Massachusetts medical management company that provides a variety of services, including medical billing and payor credentialing. The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

Visit the article webpage to learn more

How Sanction Policies Can Support HIPAA Compliance

An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.

Visit the article webpage to learn more

United Healthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has announced a settlement with United Healthcare Insurance Company (“UHIC”), a health insurer that provides insurance coverage to millions of individuals across the U.S., concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 45th Right of Access case to be resolved via voluntary settlement. UHIC agreed to implement a corrective action plan and pay $80,000 to resolve this investigation.

Visit the article webpage to learn more

HHS Office for Civil Rights Secures Agreement with Commonwealth of Pennsylvania to Advance the Rights of People in Recovery and Involved in Child Welfare Services

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has entered into a voluntary resolution agreement with the Commonwealth of Pennsylvania through its Department of Human Services (PA DHS), protecting the rights of persons with disabilities, including persons in recovery from substance use disorder, based on Section 504 of the Rehabilitation Act of 1973 (Section 504) and Title II of the Americans with Disabilities Act (ADA). Section 504 covers programs and activities that are conducted by HHS or receiving Federal financial assistance from HHS and protects qualified individuals with disabilities from discrimination on the basis of disability in the provision of benefits and services. Title II of the ADA applies to the services, programs, and activities of all state and local governments, including child welfare agencies and court systems.

Visit the article webpage to learn more

Eleven enforcement actions uphold patients’ rights under HIPAA

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to thirty-eight since the initiative began. OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

Visit the article webpage to learn more.