NuLLFiX

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced today that Elgon Information Systems (Elgon), a Massachusetts-based company providing electronic medical record and billing support services to covered entities, has agreed to an $80,000 settlement for violations of the HIPAA Security Rule. OCR enforces HIPAA's Privacy, Security, and Breach Notification Rules, which outline the responsibilities of covered entities—such as health plans, healthcare clearinghouses, and healthcare providers—and their business associates in safeguarding protected health information (PHI). The HIPAA Security Rule establishes national standards to protect electronic PHI (ePHI) through administrative, physical, and technical safeguards. This settlement [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This follows a complaint to OCR that HIPAA-protected health information was accessible to search engines like Google on the internet. "Health care entities must ensure that patient health information is not left accessible online to anyone with an internet connection," said OCR Director Melanie Fontes Rainer. "Effective cybersecurity requires being proactive and vigilant in identifying risks and [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a civil monetary penalty of $548,265 against Children’s Hospital Colorado for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. These violations were reported in breach reports received in 2017 and 2020, relating to email phishing and cyberattacks. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that covered entities (such as health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the [...]

Today, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC, operating as Clearway Pain Solutions Institute in Florida. This penalty comes in response to violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule following a breach report indicating that a former contractor had improperly accessed their electronic records system. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that health plans, healthcare clearinghouses, most healthcare providers, and their business associates must [...]

The settlement highlights the importance of safeguarding the privacy of PHI, including reproductive health information. Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Holy Redeemer Family Medicine (Holy Redeemer), a Pennsylvania hospital, regarding an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The violation involved the impermissible disclosure of a female patient’s protected health information, including details related to reproductive health care. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set the standards that covered entities (such as health plans, [...]

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against Rio Hondo Community Mental Health Center (“Rio Hondo”) in California. The penalty resolves an investigation into Rio Hondo's failure to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) for a reasonable, cost-based fee. OCR enforces the HIPAA [...]