April has been a busy month for the OCR. As of the writing of this email, there has been 2 HIPAA settlements for potential violations of the HIPAA Security Rules, and 1 settlement for the potential violation of the Privacy Rules. Potential non-compliance of the...

Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and agreed to implement...

First HIPAA enforcement action for lack of timely breach notification settles for $475,000 Guidance on HIPAA, Same-sex Marriage, and Sharing Information with Patients’ Loved Ones Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status,...

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released a new Fact Sheet that explains how the HIPAA Rules permit disclosures of Protected Health Information (PHI) to support public health...

Click here to read more

On November 28, 2016, the HHS Office for Civil Rights issued a listserv announcement warning covered entities and their business associates about a phishing email that disguises itself as an official communication from the Department. The email prompts recipients to...

The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of...

Over the past years, the healthcare sector has been one of the biggest targets of cybercrime. Some of these cybercrimes resulted in breaches due to weak authentication, which has made healthcare entities take a second look at their safeguards and consider...

By. Jocelyn Samuels Director, HHS Office for Civil Rights All across the country, the Affordable Care Act (ACA) is helping to make health care accessible to millions of people.  In fact, six years after its passage, 20 million more Americans now have health care...

St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were...

With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing, while complying with the HIPAA Rules.  In response, the HHS Office...

OCR has released a new FAQ addressing whether a business associate of a HIPAA covered entity may block or terminate access by the covered entity to the protected health information maintained by the business associate for or on behalf of the covered entity, clarifying...

Care New England Health System (CNE), on behalf of each of the covered entities under its common ownership or control, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.  The...

From HHS, Office of Civil Rights…. A recent news report indicated that criminal cyberattacks against health care entities have increased up to 125 percent compared to five years ago, and the average consolidated total cost of data breach was $3.8 million, which is a...

Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, OCR has prioritized investigation of...

Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving...

Computer security incident response is an important element of an information technology program.  It can assist Covered Entities and Business Associates in promptly detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited,...

OCR has posted the following information to their website: 1) Guidance for 2016 HIPAA Desk Audits Two weeks ago, covered entities received notification of their selection as the subjects of an Office for Civil Rights (OCR) desk audits of compliance with the HIPAA...

The University of Mississippi (UM) Medical Center (UMMC) has agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). During the...

Earlier this year, HHS OCR finalized the rule under Section 1557 to advance health equity and reduce health disparities by strengthening protections for some of the populations that have been most vulnerable to discrimination in the health care context.  Section 1557...

Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services...

Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has officially kicked into high gear.   Selected covered entities have now received notification letters regarding their inclusion in the desk audit portion of the audit program. ...

One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware.  The FBI has reported an...

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the theft of a CHCS mobile device compromised the protected...

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued new guidance to assist long term care facilities in complying with their civil rights responsibilities and obligations under regulations by the HHS Centers for Medicare...

Earlier this year, the HHS Office for Civil Rights (OCR) released comprehensive guidance on the right of individuals under the Health Insurance Portability and Accountability Act (HIPAA) to access and receive copies of their health information.  Providing individuals...

Recently, it has been reported that third-party application software security vulnerabilities are on the rise.  Third-party application software is designed to work within operating systems and to assist users in executing tasks on computers and other devices.  For...

Clarification of Permissible Fees for HIPAA Right of Access – Flat Rate Option of Up to $6.50 is Not a Cap on All Fees for Copies of PHI Earlier this year, OCR released a fact sheet and two sets of Frequently Asked Questions (FAQs) to clarify aspects of individuals’...

Read the Article

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film...

Read more

Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health...

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important...

Read the Article

Read the Article

Read the Article

Read the Article

Read the Article

Read the Article

Review the Article

Read the Article

Today, OCR posted new guidance on our mHealth Developer Portal [http://HIPAAQsportal.hhs.gov] to provide scenarios where the Health Insurance Portability and Accountability Act (HIPAA) regulations might apply to mobile health applications.  We hope these new scenarios...

As we begin the New Year, OCR is launching a new Cyber-Awareness initiative to help our regulated community become more knowledgeable about the various security threats and vulnerabilities that currently exist in the healthcare sector; what security measures can be...

Learn more

New Guidance from OCR:  Understanding Individuals’ Right under HIPAA to Access their Health Information By: Jocelyn Samuels, Director, Office for Civil Rights Find the Guidance at:  http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html  ...

The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans.  This right is critical to enabling individuals to take ownership of their health...

Over the past several months, the HHS Office for Civil Rights has undertaken a full redesign of our website. We are thrilled to share with you the new www.hhs.gov/ocr, a more responsive, user-friendly platform. “Our website is a critical component of our outreach,...

Learn More

Learn more

Learn more

BULLETIN – October 5, 2015 OCR has launched a new platform http://HIPAAQsportal.hhs.gov for mobile health developers and others interested in the intersection of health information technology and HIPAA privacy protection. We are experiencing an explosion of technology...

Learn More

Learn More

Learn More

No More ClipBoard Security Breach - July 23, 2015 Notice Learn More

HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications BULLETIN – July 10, 2015 St. Elizabeth’s Medical Center (SEMC) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)...