Tag Archives: Health Information Security

Anthem Settles Data Breach Litigation for Record-Setting $115M

Written by
Health insurance giant Anthem, Inc. agreed to the largest data breach settlement to-date last week, ending multi-district consumer litigation over a 2015 data breach for $115 million.  The data breach, which resulted from a hacker-orchestrated cyberattack following the theft of an employee password, exposed personally identifiable information (“PII”) and protected health information (“PHI”) of nearly 80 million people.  The stolen information included the names of current and former clients, dates of birth, addresses, social security numbers, and other medical information. The settlement [...] Read more

HHS/OCR Announces Launch of HIPAA Audit Program Phase 2

Written by
Today, the U.S. Department of Health & Human Services’s (HHS) Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA Compliance Audit Program. (OCR’s announcement can be accessed at Audit Phase 2 Announcement and further information about Phase 2 can be accessed at Audit Phase 2 Information.) In this phase, OCR will review the policies and procedures that covered entities and business associates have adopted and implemented to meet certain standards and implementation specifications of the HIPAA Privacy, Security, and/or Breach Notification Rules. Phase 2 will consist [...] Read more

HHS Issues HIPAA Security Rule Crosswalk with NIST Cybersecurity Framework

Written by
Last week, the HHS Office for Civil Rights (OCR) released a crosswalk between the requirements of the HIPAA Security Rule and the NIST Cybersecurity Framework. The crosswalk – which was developed in conjunction with the National Institute of Standards and Technology (NIST) and the HHS Office of the National Coordinator for Health IT – maps each administrative, physical and technical safeguard standard and implementation specification of the HIPAA Security Rule to the relevant subcategory in the Cybersecurity Framework. HHS notes that, because of the granularity of the NIST Cybersecurity [...] Read more

European Data Protection Supervisor Releases Opinion on Mobile Health

Written by
The European Data Protection Supervisor (“EDPS”), Giovanni Buttarelli, has published an opinion on Mobile Health (“mHealth”); a rapidly evolving sector that stems from the convergence of healthcare and information communication technology.  mHealth includes mobile applications designed to provide health-related services through smart devices by processing personal information about an individual’s health, well-being, and lifestyle. The opinion discusses the growing ubiquity of mHealth, which in large part is due to the proliferation of smartphones and wearable computing devices.  [...] Read more

Paula Stannard Authors Bloomberg BNA Article on Business Associates HIPAA Compliance

Written by
Paula Stannard, one of the practice leaders of the firm’s HIPAA Privacy & Security Team authored, “Business Associates’ HIPAA Compliance: Should Covered Entities Be Concerned?” in Bloomberg BNA’s Health IT Law & Industry Report. The article discusses why HIPAA covered entities (or business associates) should be concerned about the ability of their business associates (or subcontractor business associates) to comply with the applicable HIPAA requirements, outlines a series of questions to help covered entities determine for which (if any) business associates they may want to [...] Read more

Alston & Bird Health Care Advisory: HIPAA Audit Program Phase 2 Update

Written by
We have previously blogged about the U.S. Department of Health & Human Services HIPAA Audit Program, including the Audit Program pilot (November 30, 2011 and March 7, 2012), the release of the Office for Civil Rights (OCR) audit protocols (June 26, 2012), and the status of phase 2 of the Audit Program (February 26, 2014 and September 16, 2014).  Today, Alston & Bird issued a Health Care ADVISORY on the status of Phase 2 of the HIPAA Audit Program, in which we discuss recent guidance from OCR on the HIPAA Audit Program and its status and provide some basic compliance reminders that may [...] Read more

HIPAA Audit Program Phase 2: Delayed

Written by
A representative of the U.S. Department of Health and Human Services’s Office for Civil Rights (OCR) has recently revealed that OCR has delayed the start of phase 2 of its HIPAA Audit Program – and has revised its plans for phase 2. Previous Plans for Phase 2 Earlier this year, OCR had announced that phase 2 of the Audit Program would begin this year and would target specific high risk issues.  It had indicated that, beginning this past summer, it would conduct a pre-audit survey of 800 covered entities and 400 business associates, to determine suitability for the OCR HIPAA Audit Program.  [...] Read more

HHS OIG Releases Report Regarding ONC’s Oversight of Testing and Certification of Electronic Health Records

Written by
The HHS Office of Inspector General (OIG) recently issued a report regarding the Office of the National Coordinator for Health Information Technology’s (ONC) oversight of electronic health record (EHR) testing and certification, “The Office of the National Coordinator for Health Information Technology’s Oversight of the Testing and Certification of Electronic Health Records.” ONC was statutorily established by the Health Information Technology for Economic and Clinical Health (HITECH) Act and is the principal Federal entity responsible for coordinating the effort to implement a nationwide [...] Read more

Angela Burnette and Julia Dempewolf Publish Article On Student Privacy and Preventing Campus Violence

Written by
Angela Burnette, Counsel at Alston & Bird, and Julia Dempewolf, an associate at Alston & Bird, have compiled practical guidance for schools and universities to consider regarding student privacy and the prevention of school violence. Their recent article, published by LexisNexis in Health Care Law Monthly, is entitled “Clarity Instead of Confusion: Available Solutions Under the HIPAA Privacy Rule and FERPA To Prevent Student Violence.” Tragic school shootings, such as at Virginia Tech, Sandy Hook Elementary, and Arapahoe High in Colorado, have heightened public discussions regarding [...] Read more

Transmitting PHI by Email

Written by
Email has become an important mode of communication for business operations, with approximately 100 billion business emails sent in 2013 alone. Included in these messages are patients’ personal and health information, such as test results, diagnoses, and social security numbers. The Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulate the transmission of this sensitive information, known as protected health information (“PHI”), by Covered Entities, and in some circumstances, Business Associates. Covered Entities [...] Read more