Filefax, Inc. (“Filefax”), an Illinois company that intimately handled sensitive Personal Health Information (“PHI”), paid $100,000 to the Department of Health and Human Services (“HHS”) to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The payment stemmed from, when still in business, Filefax allegedly improperly disclosing the PHI of approximately 2,150

Effective March 1, 2017, the New York State Department of Financial Services promulgated regulations to help protect against cybercriminals and their efforts to exploit sensitive electronic data. These cybersecurity regulations apply to all individuals and entities that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance

Picture1Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes

The Department of Health and Human Services, Office for Civil Rights (“OCR”), enforces the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This includes the requirement that Covered Entities (health care providers and health plans) have Business Associate Agreements with their “Business Associates.”

“Business Associates” are persons or entities who “create, receive, maintain or

imagesPA8ET6EQIn our previous post [found here], we explained that, under the Privacy Rule, HIPAA covered entities (health care providers and health plans) must provide individuals and their “personal representatives” with access to the individual’s protected health information. An individual’s personal representative is determined under State law. In this post, we will define

Picture1Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure.

          In March 2013, the Second Circuit certified to the New York Court of Appeals the issue of whether a medical corporation may be liable for the unauthorized disclosure of medical information, when the employee responsible for the breach was not a physician and was acting outside the scope of her employment (see post). 

Is your office photocopy machine a HIPAA time-bomb?  Affinity Health Plan recently learned that the answer is yes, to the tune of a $1.2 million settlement with the US Department of Health and Human Services Office for Civil Rights (OCR).  Affinity is a not-for-profit managed care organization which includes one of the New York metropolitan

On May 29, 2013, the US Departments of Health and Human Services, Labor, and Treasury issued final regulations regarding wellness programs under the Patient Protection and Affordable Care Act (the “ACA”).  Wellness programs are programs offered by employers, or directly by insurance companies to their enrollees, to improve health and promote fitness. The ACA, in

The Office for Civil Rights of the US Department of Health and Human Services, in conjunction with the Workgroup for Electronic Data Interchange (“WEDI”), has announced a series of four free webinars on compliance with the latest Omnibus HIPAA/HITECH final rule, which implements significant changes in the requirements imposed upon health care organizations, providers, and