Technology Law Source Mapping the evolving legal landscape

Category Archives: HITECH Act Compliance


LabMD joins Wyndham in challenging FTC’s data privacy authority

Posted in HIPAA Compliance, HITECH Act Compliance, Information Technology, Privacy

Section 5 of the Federal Trade Commission Act — the Act that established the FTC in the first place — makes it unlawful to engage in “unfair methods of competition … and unfair or deceptive acts or practices…” Though the words seem simple enough, its application in today’s world is anything but simple, particularly when you talk about data privacy. Two companies — Wyndham Worldwide Corp. and LabMD Inc. — are publicly, and independently, challenging the FTC’s authority over their data security policies (and subsequent lapses). This post is a quick update about LabMD’s challenge.

In August 2013, the FTC filed an administrative complaint against LabMD, alleging that it lacked appropriate data security and unreasonably exposed the health and personal data of its consumers. LabMD conducts clinical laboratory tests on patients and reports its findings to patients’ health care providers. In performing the needed tests, LabMD typically obtains personal information, including names, addresses, dates of birth, SSNs, bank account or credit card information, laboratory tests, test codes and results, diagnoses, clinical histories, and health insurance company names and policy numbers. LabMD possesses such data for approximately 1 million consumers.

The FTC charged that LabMD “failed to provide reasonable and appropriate security for personal information on its computer networks.” Among other things, the complaint states that LabMD failed to:…



HHS imposes 7 Figure Fine for Breach of HIPAA; Soon to be the Norm?

Posted in HIPAA Compliance, HITECH Act Compliance

In case you missed the OCR announcement late yesterday afternoon, the Department of Health and Human Services announced that it was imposing a civil money penalty of $4.3 million against Cignet Health for various violations of HIPAA. These penalties were based upon the violation categories and increased penalty amounts authorized by the HITECH Act, discussed further here. The violations stemmed in part from Cignet’s failure to provide 41 patients access to their own medical records as required under 45 C.F.R. § 164.524. In addition to the huge amount of the fine, according to HHS, this action marks the first civil money penalty issued by HHS for HIPAA Privacy Rule violations. This action could indicate a renewed push by HHS to enforce violations of HIPAA and to utilize the heightened penalty schedule and enhanced enforcement powers provided under the HITECH Act. Could this be the new norm for HIPAA enforcement? Only time will tell.…



HHS Requests Information on TPO Accounting of Disclosures

Posted in HIPAA Compliance, HITECH Act Compliance

The Office for Civil Rights of the Department of Health and Human Services (HHS) recently requested comments related to its upcoming rulemaking under the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009. HITECH expands the current HIPAA Privacy Rule requirement that a covered entity provide individuals with a right to receive an accounting of certain disclosures of the individual’s protected health information to certain parties. Currently, under HIPAA, a covered entity is not obligated to provide an accounting of disclosures if such disclosures were made in furtherance of treatment, payment, or health care operations (TPO). HITECH eliminated these exemptions by requiring covered entities to account for TPO disclosures if such disclosures are made through an electronic health record.…



Government Agencies Enforce HITECH Act Regulations

Posted in HITECH Act Compliance

As of February 22, 2010, the Department of Health and Human Services ("HHS") began enforcement of data breach notification requirements explained in the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").

Enacted as a part of the American Recovery and Reinvestment Act of 2009, the HITECH Act substantially modifies the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") by, among other things, requiring covered entities to provide notification to individuals whose protected health information has been compromised, used, or disclosed without authorization, or otherwise handled in a manner that fails to comply with HIPAA.

(For more information, see our law alert (PDF) published 08/21/09, which provides a general overview of the HITECH Act and its changes to HIPAA.)

In its "Breach Notification for Unsecured Protected Health Information Interim Final Rule" issued August 24, 2009, HHS stated that it will begin imposing sanctions on February 22, 2010 against covered entities failing to comply with the HITECH Act requirements, although HHS also states that it expects covered entities already to be in compliance with HITECH and HHS’s regulations. HHS enforcement implicates all health care providers, health plans, business associates, and others that use, access, or disclose protected health information.

Additionally, HITECH includes enhanced enforcement provisions such as:

  1. an increased scale of fines for noncompliance up to $1,500,000;
  2. the authorization to state Attorneys General to bring actions on behalf of state residents to enforce violations of HIPAA; and
  3. expanded applicability of various portions of HIPAA directly to business associates.

All affected entities should …

