Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure.

Earlier this month, EDNY Judge Joanna Seybert examined the elements of Aggravated Identity Theft in an interesting context: a motion to unseal grand jury minutes in a health care fraud prosecution, United States v. Cwibeker

Defendants were charged with billing Medicare for fictitious or non-compensable treatments of residents of assisted living facilities.  Defendants would

On November 10, 2014, the US Department of Health and Human Services released its investigation report regarding the death of actress and comedian Joan Rivers.  The report, called a “Statement of Deficiencies and Plan of Correction”, highlights numerous mistakes and violations made by Yorkville Endoscopy, the treating facility where Ms. Rivers died (Ms. Rivers

In March 2013, the Second Circuit certified to the New York Court of Appeals the issue of whether a medical corporation may be liable for the unauthorized disclosure of medical information, when the employee responsible for the breach was not a physician and was acting outside the scope of her employment (see post).

Is your office photocopy machine a HIPAA time-bomb?  Affinity Health Plan recently learned that the answer is yes, to the tune of a $1.2 million settlement with the US Department of Health and Human Services Office for Civil Rights (OCR).  Affinity is a not-for-profit managed care organization which includes one of the New York metropolitan

The Office for Civil Rights of the US Department of Health and Human Services, in conjunction with the Workgroup for Electronic Data Interchange (“WEDI”), has announced a series of four free webinars on compliance with the latest Omnibus HIPAA/HITECH final rule, which implements significant changes in the requirements imposed upon health care organizations, providers, and

In last week’s decision in Doe v. Guthrie Clinic, Ltd., the Second Circuit Court of Appeals certified to the New York Court of Appeals the issue of whether a medical corporation may be liable for the unauthorized disclosure of medical information, when the employee responsible for the breach was not a physician and was

On January 2, 2013, the US Department of Health and Human Services announced a $50,000 settlement with Hospice of North Idaho for a data breach involving the theft of a lost, unencrypted laptop computer containing the health information of 441 patients.

This settlement is the first for a reported breach affecting fewer than 500 individuals.  

The US Department of Health and Human Services Office for Civil Rights (“OCR”) recently released its HIPAA audit protocol.  Audits of HIPAA compliance were mandated by the 2009 Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amended many parts of HIPAA and included breach notification requirements.

The OCR conducted a number of