If an entity that offers a personal health record identifies a breach of information in that record, it is required to provide notice to each impacted individual and to the FTC within 60 calendar days of discovery.
Yesterday, the FTC issued a policy statement announcing a new interpretation of the FTC’s 10-year-old “Personal Health Record Breach Notification Rule.” As the FTC acknowledges, this rule has never been enforced by the FTC. The FTC’s announcement indicates its intention to begin enforcing this rule, which allows the FTC to assess penalties of $43,792 per day of violation.
Continue reading “Zombie PHR Breach Rule Rises From the Dead”
Bayfront Health – St. Petersburg (Bayfront) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a $85,000 no-fault settlement agreement and one year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This settlement is the first case in HHS-OCR’s Right of Access Initiative (Initiative). The Initiative was open for public comment between December 2018 and February 2019 and received over 1,000 comments.
Continue reading “Failure to Respect Patient’s Right to Access Health Care Information Leads to HIPAA Settlement”
Touchstone Medical Imaging (Touchstone) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a no-fault settlement and two-year corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
Continue reading “$3 Million Settlement for Exposure of and Latent Response to Exposure of 300,000 Patients’ Protected Health Information”
UMass Memorial Medical Center, Inc., and UMass Memorial Medical Group, Inc. (collectively, UMass) has agreed to pay $230,000 to settle claims alleging that that they violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), and various other state patient privacy laws.
Continue reading “Employee’s Illegal Access to Patient Records Results in Data Breach of 15,000 Patients: Hospital System to Pay for Violations”
An error made by a transcription service provider during a software upgrade on Orlando Orthopaedic Center (OOC)’s server in December 2017 has resulted in the exposure of more than 19,000 patients’ protected health information (PHI). PHI stored on OOC’s server from December 2017 until February 2018 – when the breach was finally discovered – was freely exposed over the internet without any authentication. Upon full investigation, patients’ names, social security numbers, dates of birth, insurance information, employer details, and treatment types were deemed accessible.
Continue reading “Business Associate Exposes Protected Health Information of 19,000 Patients”
The Federal Communications Commission (FCC) announced its intention to launch a $100 million pilot program to provide greater access to health care for rural and low-income Americans, as well as veterans, through the use of telehealth last month. The FCC is now moving forward with a Notice of Inquiry (NOI), which will kick off a comment period on the proposed program.
Continue reading “FCC Moves Ahead with Connected Care Pilot Program Notice of Inquiry”