HITECH Act Compliance : Technology Law Source

Home > HITECH Act Compliance >

HHS imposes 7 Figure Fine for Breach of HIPAA; Soon to be the Norm?

Posted on February 23, 2011 by Jeremy Logsdon

In case you missed the OCR announcement late yesterday afternoon, the Department of Health and Human Services announced that it was imposing a civil money penalty of $4.3 million dollars against Cignet Health for various violations of HIPAA. These penalties were based upon the violation categories and increased penalty amounts authorized by the HITECH Act; discussed further here. The violations stemmed in part from Cignet's failure to provide 41 patients access to their own medical records as required under 45 C.F.R. § 164.524. In addition to the huge amount of the fine, according the HHS, this action marks the first civil money penalty issued by HHS for HIPAA Privacy Rule violations. This action could indicate a renewed push by HHS to enforce violations of HIPAA and utilize its heightened penalty schedule and enhanced enforcement powers provided under the HITECH Act. Could this be the new norm for HIPAA enforcement? Only time will tell.

Tags: HIPAA Compliance, HITECH Act Compliance

HHS Requests Information on TPO Accounting of Disclosures

Posted on May 17, 2010 by Jeremy Logsdon

The Office of Civil Rights for the Department of Health and Human Services (HHS) recently requested comments related to its upcoming rulemaking under the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009. HITECH expands the current HIPAA Privacy Rule requirement that a covered entity provide individuals with a right to receive an accounting of certain disclosures of the individual's protected health information to certain parties. Currently, under HIPAA, a covered entity is not obligated to provide an accounting of disclosures if such disclosures were in furtherance of treatment, payment, or health care operations (TPO). HITECH eliminated these exemptions by requiring covered entities to account for TPO disclosures if such disclosures are made through an electronic health record.

Tags: HIPAA Compliance, HITECH Act Compliance

Government Agencies Enforce HITECH Act Regulations

Posted on March 3, 2010 by Jeremy Logsdon

As of February 22, 2010, the Department of Health and Human Services ("HHS") began enforcement of data breach notification requirements explained in the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").

Enacted as a part of the American Recovery and Reinvestment Act of 2009, the HITECH Act, modifies the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") substantially by, among other things, requiring covered entities to provide notification to individuals whose protected health information has been compromised, used, or disclosed without authorization, or otherwise fails to comply with HIPAA.

(For more information, see our law alert (PDF) published 08/21/09 and provides a general overview of the HITECH Act and its changes to HIPAA.)

In its "Breach Notification for Unsecured Protected Health; Information Interim Final Rule" issued August 24, 2009, HHS stated that it will begin imposing sanctions on February 22, 2010 against covered entities failing to comply with the HITECH Act requirements, although, HHS also states that it expects covered entities already to be in compliance with HITECH and HHS’s regulations. HHS enforcement implicates all health care providers, health plans, business associates, and others that use, access, or disclose protected health information.

Additionally, HITECH includes enhanced enforcement provisions such as:

an increased scale of fines for noncompliance up to $1,500,000;
the authorization to state Attorneys General to bring actions on behalf of state residents to enforce violations of HIPAA; and
expanded applicability of various portions of HIPAA directly to business associates.

All affected entities should adopt and implement breach notification policies and procedures to ensure their appropriate response to data breach events and also to mitigate any potential harm that may result from such a breach. Porter Wright has broad experience advising clients in the areas of privacy and HIPAA compliance and is capable of counseling affected entities through the HIPAA breach notification process.

Tags: HITECH Act Compliance, Health and Human Services

Technology Law Source
Porter Wright Morris & Arthur LLP

Cincinnati 250 East Fifth Street
Suite 2200
Cincinnati, OH 45202-5118
Phone: 513-381-4700
Toll Free: 800-582-5813
Fax: 513-421-0991

Cleveland 925 Euclid Avenue
Suite 1700
Cleveland, OH 44115-1483
Phone: 216-443-9000
Toll Free: 800-824-1980
Fax: 216-443-9011

Columbus Huntington Center
41 South High Street
Columbus, OH 43215-6194
Phone: 614-227-2000
Toll Free: 800-533-2794
Fax: 614-227-2100

Dayton One Dayton Centre
Suite 1600
One South Main Street
Dayton, OH 45402-2028
Phone: 937-449-6810
Toll Free: 800-533-4434
Fax: 937-449-6820

Naples 9132 Strada Place
Third Floor
Naples, FL 34108-2683
Phone: 239-593-2900
Toll Free: 800-876-7962
Fax: 239-593-2990

Washington, D.C. 1919 Pennsylvania Avenue
NW, Suite 500
Washington, DC 20006-3434
Phone: 202-778-3000
Toll Free: 800-456-7962
Fax: 202-778-3063

Porter Wright Morris & Arthur LLP offers this blog for general informational purposes only. The content of this blog is not intended as legal advice for any purpose, and you should not consider it as such advice or as a legal opinion on any matters. The information provided herein is subject to change without notice, and you may not rely upon any such information with regard to a particular matter or set of facts. Further, the use of the blog does not create, and is not intended to create, any attorney-client relationship between you and Porter Wright Morris & Arthur LLP or any individual lawyer in the firm. No such relationship will be considered to have been formed until we have had an opportunity to resolve any conflict of interest issues and have advised you, in writing, of the nature and scope of the legal services to be provided. Unless we establish an attorney-client relationship with you with regard to the particular matter, we will not treat any information that you may send to us, or submit as a comment to a blog article or entry, as confidential or privileged, and any unsolicited communications may be disclosed to other persons without regard to confidentiality considerations. Use of the blog is at your own risk, and the site is provided without warranty of any kind. We make no warranties of any kind regarding the accuracy or completeness of any information on this blog, and we make no representations regarding whether such information is reliable, up-to-date, or applicable to any particular situation. Porter Wright Morris & Arthur LLP expressly disclaims all liability for actions taken or not taken based on any or all of the contents of this blog, or for any damages resulting from your viewing and use of this blog.

LexBlog Lawyer Blogs and Law Firm Blog Design

Technology Law Source : Technology Lawyers & Attorneys for Patents, Trademarks & Copyright Issues in Ohio, Washington DC, Florida

Published By
Porter Wright

Mapping the evolving legal landscape

HHS imposes 7 Figure Fine for Breach of HIPAA; Soon to be the Norm?

HHS Requests Information on TPO Accounting of Disclosures

Government Agencies Enforce HITECH Act Regulations

Technology Law Source : Technology Lawyers & Attorneys for Patents, Trademarks & Copyright Issues in Ohio, Washington DC, Florida

Published By Porter Wright

Mapping the evolving legal landscape

HHS imposes 7 Figure Fine for Breach of HIPAA; Soon to be the Norm?

HHS Requests Information on TPO Accounting of Disclosures

Government Agencies Enforce HITECH Act Regulations

Published By
Porter Wright