News
Register for INSPN’s August 3 Meeting — OCR Director Will Present
We are very excited to announce that Melanie Fontes Rainer, Director of the Office for Civil Rights (OCR) at the US Department of Health and Human Services, will be our lead presenter during the August...
Register for INSPN’s May 4 Quarterly Meeting
Dear InSPN Members and Supporters, Please join us on May 4, 2023, for another in-person meeting and bring a guest for free! We had a great turnout for our March meeting and look forward to another productive meeting and...
Register for InSPN’s Quarterly Meeting — March 2, 2023
Dear InSPN Member and Supporter, Please join us on March 2, 2023, from 8:00 AM - 2:00 PM, for another in-person meeting! We have two confirmed speakers so far: Nick Sturgeon, MS, Executive Director of Information...
Register for InSPN’s November 3rd Quarterly Meeting
Dear InSPN Members and Supporters, Please join us on November 3, 2022, for another in-person meeting! We are excited to offer 3 excellent presentations as well as our vendor fair. State of Indiana Cybersecurity...
Register for InSPN’s August 4 Quarterly Meeting
Dear InSPN Member and Supporter, Join us on August 4, 2022, for our in-person meeting. We look forward to networking and live discussions! We have 3 great presentations: Joseph L. Chaney, Special Agent, FBI...
Register for InSPN’s May 5th Quarterly Meeting
We are very excited to have Brian Nussbaum as our keynote speaker. Brian is an assistant professor in the College of Emergency Preparedness, Homeland Security and Cybersecurity at the University at Albany. He focuses on...
Registration is Open for InSPN Quarterly Meeting
Dear InSPN Member and Supporter, Please plan to join the InSPN board of directors and your peers at our November 4, 2021, hybrid meeting. We will be meeting in person again at our 500 North Meridian conference center, as...
OCR Settlements
April has been a busy month for the OCR. As of the writing of this email, there have been 2 HIPAA settlements for potential violations of the HIPAA Security Rules, and 1 settlement for the potential violation of the Privacy Rules. Potential non-compliance of the...
$5.5 million HIPAA settlement shines light on the importance of audit controls
Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and agreed to implement...
Latest HIPAA enforcement action; updated guidance and FAQ; Privacy Policy Snapshot Challenge
First HIPAA enforcement action for lack of timely breach notification settles for $475,000 Guidance on HIPAA, Same-sex Marriage, and Sharing Information with Patients’ Loved Ones Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status,...
New Fact Sheet on HIPAA and Public Health Permitted Uses and Disclosures
The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released a new Fact Sheet that explains how the HIPAA Rules permit disclosures of Protected Health Information (PHI) to support public health...
HIPAA Guidance Focuses on Disclosing PHI for Public Health
Additional Clarification regarding Phishing Email Alert Audits of Business Associates Are Underway
On November 28, 2016, the HHS Office for Civil Rights issued a listserv announcement warning covered entities and their business associates about a phishing email that disguises itself as an official communication from the Department. The email prompts recipients to...
UMass settles potential HIPAA violations following malware infection
The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of...
What Type of Authentication is Right for you?
Over the past years, the healthcare sector has been one of the biggest targets of cybercrime. Some of these cybercrimes resulted in breaches due to weak authentication, which has made healthcare entities take a second look at their safeguards and consider...
ACA Continues to Break Down Barriers to Health Care for All Americans
By Jocelyn Samuels, Director, HHS Office for Civil Rights. All across the country, the Affordable Care Act (ACA) is helping to make health care accessible to millions of people. In fact, six years after its passage, 20 million more Americans now have health care...
$2.14 million HIPAA settlement underscores importance of managing security risk
St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were...
Cloud Computing Guidance
With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing, while complying with the HIPAA Rules. In response, the HHS Office...
New FAQ on Availability of PHI Maintained by a Business Associate
OCR has released a new FAQ addressing whether a business associate of a HIPAA covered entity may block or terminate access by the covered entity to the protected health information maintained by the business associate for or on behalf of the covered entity, clarifying...
HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements
Care New England Health System (CNE), on behalf of each of the covered entities under its common ownership or control, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The...
Cyber Threat Information-Sharing
From HHS, Office of Civil Rights…. A recent news report indicated that criminal cyberattacks against health care entities have increased up to 125 percent compared to five years ago, and the average consolidated total cost of data breach was $3.8 million, which is a...
OCR Announces Initiative to More Widely Investigate Breaches Affecting Fewer than 500 Individuals
Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, OCR has prioritized investigation of...
Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million
Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving...
Is your Covered Entity or Business Associate Capable of Responding to a CyberSecurity Incident?
Computer security incident response is an important element of an information technology program. It can assist Covered Entities and Business Associates in promptly detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited,...
Updates to the HHS Office for Civil Rights Webpages: HIPAA Audit Guidance & FAQ on HIPAA and Unique Device Identifiers
OCR has posted the following information to their website: 1) Guidance for 2016 HIPAA Desk Audits. Two weeks ago, covered entities received notification of their selection as the subjects of Office for Civil Rights (OCR) desk audits of compliance with the HIPAA...
Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center
The University of Mississippi (UM) Medical Center (UMMC) has agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). During the...
HHS OCR Offers New Materials for Covered Entities
Earlier this year, HHS OCR finalized the rule under Section 1557 to advance health equity and reduce health disparities by strengthening protections for some of the populations that have been most vulnerable to discrimination in the health care context. Section 1557...
Widespread HIPAA Vulnerabilities result in $2.7 million settlement with Oregon Health & Science University
Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services...
OCR’s Phase Two HIPAA Audits Have Begun
Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has officially kicked into high gear. Selected covered entities have now received notification letters regarding their inclusion in the desk audit portion of the audit program. ...
Your Money or Your PHI: New Guidance on Ransomware
One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware. The FBI has reported an...
Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the theft of a CHCS mobile device compromised the protected...
Guidance and Resources for Long Term Care Facilities
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued new guidance to assist long term care facilities in complying with their civil rights responsibilities and obligations under regulations by the HHS Centers for Medicare...
New Consumer Tools Explain HIPAA Right to Access Health Information
Earlier this year, the HHS Office for Civil Rights (OCR) released comprehensive guidance on the right of individuals under the Health Insurance Portability and Accountability Act (HIPAA) to access and receive copies of their health information. Providing individuals...
What’s in Your Third-Party Application Software?
Recently, it has been reported that third-party application software security vulnerabilities are on the rise. Third-party application software is designed to work within operating systems and to assist users in executing tasks on computers and other devices. For...
Clarification of Permissible Fees for HIPAA Right of Access – Flat Rate Option of Up to $6.50 is Not a Cap on All Fees for Copies of PHI
Earlier this year, OCR released a fact sheet and two sets of Frequently Asked Questions (FAQs) to clarify aspects of individuals’...
OCR Cyber-Awareness Monthly Update
Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital
Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film...
King’s Daughters’ Health (Madison, Indiana) suffers ransomware attack
$750,000 settlement highlights the need for HIPAA business associate agreements
Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health...
OCR Launches Phase 2 of HIPAA Audit Program
As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. Audits are an important...
Stolen Premier Healthcare laptop returned; no evidence of data breach
OCR Cyber-Awareness Monthly Update
Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement
$1.55 million settlement underscores the importance of executing HIPAA business associate agreements
OCR releases new HIPAA guidance to reiterate patients’ right to access health information and clarify appropriate fees for copies
HIPAA Audits: A Progress Report – Devin McGraw interview
Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework
Physical therapy provider settles violations that it impermissibly disclosed patient information
OCR Adds New Health App Use Scenarios to Developer Portal
Today, OCR posted new guidance on our mHealth Developer Portal [http://HIPAAQsportal.hhs.gov] to provide scenarios where the Health Insurance Portability and Accountability Act (HIPAA) regulations might apply to mobile health applications. We hope these new scenarios...
OCR Launches A New Cyber-Awareness Initiative
As we begin the New Year, OCR is launching a new Cyber-Awareness initiative to help our regulated community become more knowledgeable about the various security threats and vulnerabilities that currently exist in the healthcare sector; what security measures can be...
Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800
New Guidance from OCR: Understanding Individuals’ Right under HIPAA to Access their Health Information
By: Jocelyn Samuels, Director, Office for Civil Rights. Find the Guidance at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html ...
Understanding Individuals’ Right under HIPAA to Access their Health Information
The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans. This right is critical to enabling individuals to take ownership of their health...
OCR Launches Newly Redesigned Website!
Over the past several months, the HHS Office for Civil Rights has undertaken a full redesign of our website. We are thrilled to share with you the new www.hhs.gov/ocr, a more responsive, user-friendly platform. “Our website is a critical component of our outreach,...
$750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis
Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement
Lahey Hospital And Medical Center Settles Lawsuit With HHS Over HIPAA Non-Compliance
OCR invites Developers to ask questions about HIPAA Privacy and Security
BULLETIN – October 5, 2015 OCR has launched a new platform http://HIPAAQsportal.hhs.gov for mobile health developers and others interested in the intersection of health information technology and HIPAA privacy protection. We are experiencing an explosion of technology...
OIG report indicating OCR should do more to enforce HIPAA
OIG Says Phase Two of HIPAA Audits Coming Soon
Comcast Settles California Privacy Breach for $33M
No More ClipBoard Security Breach
July 23, 2015 Notice
HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications
BULLETIN – July 10, 2015. St. Elizabeth’s Medical Center (SEMC) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)...