privacy | The Health Law Firm Blog

Do You Need A HIPAA Risk Assessment?

By Danielle M. Murray, J.D.

As a health care provider or owner of a health facility, you know about the Health Insurance Portability and Accountability Act (HIPAA) of 1996. You know that you must safeguard and protect confidential patient medical information to avoid civil and criminal penalties against you and your practice. Did you know that you may need a HIPAA Risk Assessment?

If You Are A Health Care Provider You Face an Audit Risk.

The Office for Civil Rights (OCR) is stepping up enforcement around the country of “covered entities” and business associates. OCR auditors will send a letter informing you that within 30 days, they will be in your office reviewing your organization and interviewing your key staff members. If the auditor finds flaws with your office, you will be made aware of them, and then re-reviewed later, if you are not first fined or otherwise sanctioned. It is a very real and likely situation that many practices, facilities, and their business associates will be faced with in the coming months and years.

Frequently, an investigation into HIPAA violations is started due to disgruntled employees, patient complaints, theft or loss of records, security breaches, and improper disclosure.

A HIPAA Risk Assessment is Mandatory by Law.

A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. Specifically, the regulation says that covered entities must:

[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

To see this regulation in full, go to http://law.justia.com/cfr/title45/45-1.0.1.3.70.3.33.4.html.

Practices Big and Small Can Be Audited.

Large and small practices have been targeted by HIPAA Compliance Audits. UCLA was fined $865,000 because some of its employees improperly peeked into hospitalized celebrities’ medical records. The Alaska Department of Health and Social Services was fined $1,700,000 when a USB hard drive full of protected health information was stolen from an employee’s car. In another case, a specialty physician practice in Arizona was fined $100,000 because it used a public internet calendar to post clinical and surgical appointments.

All of these stories had something in common: they did not conduct a HIPAA risk assessment, they did not implement administrative safeguards, and they were fined a lot of money. Could your practice afford that sort of cost? Not to mention the potential criminal liability that comes with privacy violations.

HIPAA Risk Assessments Are A Pre-Emptive Measure to Limit Sanctions.

A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions. It will identify areas for improvement and allow them to be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA laws have likely changed since you last edited your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. In a perfect practice, this would be done every 6 months.

When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your Risk Assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? Call an experienced health law attorney to complete a risk assessment of your practice today.

For more on HIPAA, read our two-part blog. Click here for part one and here for part two.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What are your thoughts? Is HIPAA working? Not working? Has HIPAA increased the protection of your health information? What could be done to improve it? Please leave any thoughtful comments below.

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

By The Health Law Firm|2024-03-14T10:00:38-04:00June 1, 2018|Categories: HIPAA, In the Know, The Health Law Firm Blog|Tags: administrative, civil, compliance, criminal, defense attorney, defense lawyer, doctor, fines, Health Insurance Portability and Accountability Act, hipaa, HIPAA audit protocol, HIPAA compliance, HIPPA audits, license, licensed clinical social worker, licensed mental health counselor, mental health, physician, policy, practice, privacy, psychologist, psychology, risk assessment, sanctions, security|Comments Off

Health Care Professionals Take Note of the New HIPAA Rules

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law, and Lance O. Leider, J.D., The Health Law Firm

With the popularity of electronic health records (EHRs), social media and everything in between, the U.S. Department of Health and Human Services (HHS) has released stronger rules and protections governing patient privacy. On January 17, 2013, the HHS announced the omnibus rule to strengthen the privacy and security protection established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Click here to read the entire 563-page rule.

Now, I can’t say that I’ve read the entire document yet, but I can tell you about the major parts of the omnibus rule, and what it means to you.

It is Your Responsibility to Keep Patient Information Safe.

HHS is expanding the government’s jurisdiction over healthcare providers, health plans and other entities that process health insurance claims to include their contractors and subcontractors with whom providers share protected health information. As the industry embraces new care delivery models, including accountable care organizations (ACOs) and integrated delivery systems, data is exchanged between physicians, hospitals and additional providers to improve care and reduce costs. This all has to be done while keeping patient data safe. According to the HHS, some of the largest breaches involve business associates and not the covered entities themselves.

The government is committed to doing more HIPAA compliance audits and collecting more fines. The fines the government collects will help to fund the audit process. Because of this rule, we will see audits of business associates and their subcontractors, not just covered entities.

Under the new rule, penalties have been increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.

The “Wall of Shame” is a Public Display of Breaches.

The changes also improve the Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements by making it clear when breaches must be reported to the Office for Civil Rights (OCR), according to the HHS.

Once reported to the OCR, the breaches are then placed on what is commonly known in the healthcare industry as the “Wall of Shame.” It’s a comprehensive list of privacy breaches each affecting more than 500 people. We’re currently working on a “Wall of Shame” blog, so more on that later.

Patient Demographics and Marketing.

One part of the final rule also sets new regulations for how patient information can be used for marketing and fundraising. It ensures that such information cannot be sold without a patient’s permission. According to an article in Fierce Healthcare, this provision is a huge win for patient advocates and privacy groups who blast hospitals for mining patient data to target affluent or privately insured patients. Hospitals using health and demographic data from patients’ records to target advertising could be in hot water.

Click here to read the entire Fierce Healthcare article.

If Your are Unsure, Get a HIPAA Risk Assessment.

Since the HIPAA laws have changed, you need to edit your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. A HIPAA risk assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions.

When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your risk assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? Call an experienced health law attorney to complete a risk assessment of your practice today. To learn more on HIPAA risk assessments, click here to read a blog we wrote.

Take a Closer Look at Your Privacy Practices.

Healthcare providers, now is the time to revise your Notice of Privacy. The final rule will be effective on March 26, 2013. Covered entities and their business associates will have until September 21, 2013, to comply.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sound Off.

What do you think about the new HIPAA rules? Do you think these updates were necessary? Do you think it will be difficult for health professionals to comply? Please leave any thoughtful comments below.

Sources:

HHS Press Office. “New Rule Protects Patient Privacy, Secures Health Information.” U.S. Department of Health and Human Services. (January 17, 2013). From: http://www.hhs.gov/news/press/2013pres/01/20130117b.html

Struck, Kathleen. “HIPAA Rules Fortify Patient Privacy.” MedPage Today. (January 21, 2013). From: http://www.medpagetoday.com/PracticeManagement/InformationTechnology/36940

Conn, Joseph. “New Rule: Hospital, Physician Partners Face Penalties for Privacy Leaks.” Modern Healthcare. (January 17, 2013). From: http://www.modernhealthcare.com/article/20130117/NEWS/301179957/new-rule-hospital-physician-partners-face-penalties-for-privacy&utm_source=home&utm_medium=web&utm_campaign=most-popular-box

Caramenico, Alicia. “New HIPAA Rule a Delicate Balance Between Privacy, Sharing.” Fierce Healthcare. (January 18, 2013). From: http://www.fiercehealthcare.com/story/new-hipaa-rule-delicate-balance-between-privacy-sharing/2013-01-18

Authors: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

Affinity Health Plan Settles with Government in Photocopier HIPAA Breach Incident Involving Patient Medical Information

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The U.S. Department of Health and Humans Services (HHS) Office of Civil Rights (OCR), and Affinity Health Plan, Inc. (Affinity), reached a settlement for more than $1.2 million for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations related to a photocopier previously leased by Affinity. The photocopier had an internal hard drive which stored copies of documents, including medical records, which had been photocopied by Afinity. The photocopier was returned to the leasing company and then later purchased from that same company by CBS Evening News. Apparently CBS Evening News then discovered the medical records on the photocopier hard drive.

According to the HHS, Affinity filed a breach report with the HHS OCR on April 15, 2010. This is required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To read the entire press release from the HHS, click here.

Affinity is a not-for-profit managed care plan serving the New York metropolitan area.

Alleged Violations Stemmed from Failing to Clear Photocopier Hard Drive.

Affinity was allegedly informed by a representative of CBS Evening News, that as part of an investigation, CBS purchased a photocopier previously leased by Affinity. CBS allegedly informed Affinity that the photocopier still contained medical information on its hard drive. The OCR estimated that up to 344,579 individuals may have been affected by the breach. The OCR’s investigation found that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without deleting the data stored on the hard drives.

Affinity Must Try to Retrieve All Hard Drives in Previously Used Photocopiers.

According to HealthIT Security, on top of the $1,215,780 payment, Affinity must also try to recover all its previously used photocopiers that are still in the custody of the leasing company. Affinity must also conduct a risk analysis of its electronic protected health information for security risks and vulnerabilities.

Click here to read the article from HealthIT Security.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

This settlement is an important reminder about equipment designed to retain electronic information. HIPAA covered entities are responsible for making sure all personal information is wiped from the hardware before it is recycled, thrown away or sent back to a leasing agent. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Be Sensitive to Technical Equipment Containing Internal Memory.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include, for example, photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think of this settlement? Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.

Sources:

Office of Civil Rights. “HHS Settles with Health Plan in Photocopier Breach Case.” U.S. Department of Health and Human Services. (August 14, 2013). From: http://www.hhs.gov/news/press/2013pres/08/20130814a.html

Ouellette, Patrick. “OCR, Affinity Health Plan Reach HIPAA Violation Agreement.” HealthIT Security. (August 14, 2013). From: http://healthitsecurity.com/2013/08/14/ocr-affinity-health-plan-reach-hipaa-violation-agreement

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.

Dermatology Practice Settles with Government After Stolen USB Drive Results in HIPAA Breach

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and Adult & Pediatric Dermatology (APDerm), reached a $150,000 settlement for privacy and security violations of the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations related to an unencrypted USB drive that was stolen. The thumb drive contained the protected health information (PHI) of around 2,200 patients, according to a press release posted December 26, 2013, on the HHS website.

According to the HHS, this is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To read the entire press release from the HHS, click here.

APDerm delivers dermatology services to patients in Massachusetts and New Hampshire.

Alleged Violations Stemmed from Stolen, Unencrypted USB Drive.

According to the HHS, the OCR initiated its investigation after being tipped off that an unencrypted thumb drive containing the PHI of about 2,200 patients was stolen from a vehicle of an APDerm staff member. According to Healthcare IT News the thumb drive was never recovered.

The investigation allegedly revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of it security management process. It’s also alleged that APDerm failed to fully comply with the HITECH Breach Notification Rule, which requires organizations to have written policies and procedures in place and to train staff members.

According to Healthcare IT News, the settlement also includes a corrective action plan (CAP). The CAP requires the dermatology company to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. Click here to read the entire article on Healthcare IT News.

Warning to HIPAA Covered Entities Regarding Risk Assessments.

This settlement is an important reminder about equipment designed to retain electronic information. HIPAA covered entities are responsible for making sure all personal information is protected. Entities are also required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have safeguards in place to protect this information.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply do not have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Be Sensitive to Technical Equipment Containing Internal Memory.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them, selling them or trading them in on newer models.

To read a previous blog on Affinity Health Plan settling with government in photocopier HIPAA breach incident, click here.

Practical Tips.

The following are some lessons learned from this case. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work cite. If you need to work on it remotely, use a secure, encrypted internet connection to access your work data base. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What do you think of this settlement? Does your office and/or practice have an annual security risk assessment? Do you think risk analyses are important? Please leave any thoughtful comments below.

Sources:

Millard, Mike. “Lost Thumb Drive Leads to $150K Fine.” Healthcare IT News. (December 30, 2013). From: http://www.healthcareitnews.com/news/lost-thumb-drive-leads-150k-fine

U.S. Department of Health and Human Services “Dermatology Practice Settles Potential HIPAA Violations.” HHS.gov. (December 26, 2013). From: http://www.hhs.gov/news/press/2013pres/12/20131226a.html

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:54-04:00June 1, 2018|Categories: HIPAA, Hitech Act, The Health Law Firm Blog|Tags: corrective action plan (CAP), data security, defense attorney, defense lawyer, Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Insurance Portability and Accountability Act (HIPAA), health law firm, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA lawyer, HIPAA risk assessment, medical history, medical records, Office of Civil Rights (OCR), Omnibus Rule, Omnibus rule compliance deadline, Patient privacy, patient records, privacy, protected health information (PHI), the health law firm, U.S. Department of Health and Human Services (HHS)|Comments Off

Data Breach at Colorado Hospital Highlights IT Security Risks

By Lance O. Leider, J.D., The Health Law Firm

A small rural hospital in Glenwood Springs, Colorado, has identified a virus on its computer network that had captured and stored screen shots of protected health information in a hidden file system. The hidden folder was created on Sept. 23, 2013, but was not discovered until Jan. 23, 2014. The breach identified at least 5,400 individual patients whose information was compromised.

According to Healthcare IT News, among the stolen data was patient names, addresses, dates of birth, telephone numbers, Social Security numbers, credit card information, and admission and discharge dates.

Hospital officials have been unable to determine how the virus was loaded onto the hospital network, according to Healthcare IT News. Consequently, officials believe that there is “very high” probability that the data had been accessed by an outside entity.

To read the entire article from Healthcare IT News, click here.

Take Steps to Secure Your Network.

Breaches of this kind are not solely confined to hospitals and large providers. In fact, it may be that this hospital was targeted because it was a smaller provider in a rural area with easier access to its systems.

Viruses like the one in question could be loaded onto systems as a result of an outside attack (think hackers) or through inside means like a flash drive or deliberately opening an infected e-mail.

It is imperative that a Health Insurance Portability and Accountability Act (HIPAA) covered entity have an effective cyber security plan. Make sure that you have up-to-date anti-virus software and that your computers are secure from access by unauthorized personnel like cleaning crews or patients and their families. Also, meet with your IT professional to discuss security measures you can put in place such as restricting access and accessibility to certain files or the ability to download programs and applications to essential staff only.

Hacked data represents a growing share of HIPAA breaches. It is imperative that covered entities ensure their compliance with HIPAA to avoid any sanctions by the Office for Civil Rights (OCR). To date, the OCR has collected in excess of $18 million in fines and penalties for failures to secure patient information.

Get a Risk Assessment.

A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your Risk Assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? To learn more on HIPAA risk assessments, click here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

Do you think it is likely that this hospital was targeted because it was a smaller provider in a rural area? Do you think a HIPAA risk assessment could have helped this practice avoid a breach? Please leave any thoughtful comments below.

Sources:

Harvey, Nelson. “Hospital Database Hacked, Patient Info Vulnerable.” Aspen Daily News. (March 15, 2014). From: http://www.aspendailynews.com/section/home/161578

McCann, Erin. “Small-Town Hospital Gets Hacked.” Healthcare IT News. (March 17, 2014). From: http://www.healthcareitnews.com/news/small-town-hospital-gets-hacked

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:55-04:00June 1, 2018|Categories: HIPAA, Hitech Act, In the Know, The Health Law Firm Blog|Tags: data security, defense attorney, defense lawyer, Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Insurance Portability and Accountability Act (HIPAA), health law firm, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA lawyer, HIPAA risk assessment, medical history, medical records, Office of Civil Rights (OCR), Omnibus Rule, Omnibus rule compliance deadline, Patient privacy, patient records, privacy, protected health information (PHI), the health law firm, U.S. Department of Health and Human Services (HHS)|Comments Off

HIPAA Fines, Mobile Devices and Risk Assessments: Follow the Steps or Pay the Price

By Lance O. Leider, J.D., The Health Law Firm

Two separate entities have agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1,975,220 in fines collectively. The settlements resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules involving stolen, unencrypted laptops. These two actions shine a light on the significant risk unencrypted laptops and other mobile devices pose to the security of patient information.

To read the press release from the HHS OCR, published on April 22, 2014, click here.

Concentra Received Risk Assessments, But Did Not Act on Findings.

According to the OCR, an investigation of Concentra Health Services, a subsidiary of Humana, was conducted after a laptop was stolen from a Missouri physician therapy center. This investigation revealed that Concentra had previously received multiple risk analyses that stated the company lacked encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information. Concentra’s efforts to remedy the risk were incomplete and inconsistent, leaving patients’ health information vulnerable. Concentra agreed to pay $1,725,220 to settle potential security violations and adopt a corrective action plan.

QCA Investigation.

The QCA Health Plan, Inc., investigation began in February 2012, after an unencrypted laptop containing the medical records of 148 individuals was stolen from an employee’s car. The investigation revealed that QCA failed to comply with multiple requirements of the HIPAA privacy and security rules. According to Modern Healthcare, the company is required to pay $250,000, as well as provide HHS with an updated risk analysis and corresponding risk-management plan.

Click here to read the entire article from Modern Healthcare.

Encrypt Laptops and Other Equipment or Pay the Price.

Encryption is one of your best defenses against incidents. These two settlements highlight the need for all entities to encrypt their laptops and other devices. Failing to do so may put that entity at risk for paying a large fine to the OCR and possible fines for state law violations.

HIPAA-covered entities are responsible for making sure all personal information is protected.

The following are some practical tips to use when handling protected health information. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work site. If you need to work on it remotely, use a secure, encrypted internet connection to access your work database. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

Are the laptops and other mobile devices at your practice encrypted? Does your practice regularly perform HIPAA risk assessments? Please leave any thoughtful comments below.

Sources:

Conn, Joseph. “Unencrypted-Laptop Thefts at Center of Recent HIPAA Settlements.” Modern Healthcare. (April 23, 2014). From: http://www.modernhealthcare.com/article/20140423/NEWS/304239945/unencrypted-laptop-thefts-at-center-of-recent-hipaa-settlements

U.S. Department of Health and Human Services Press Office. “Stolen Laptops Lead to Important HIPAA Settlements.” U.S. Department of Health and Human Services. (April 22, 2014). From: http://www.hhs.gov/news/press/2014pres/04/20140422b.html

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:56-04:00June 1, 2018|Categories: HIPAA, Hitech Act, The Health Law Firm Blog|Tags: corrective action plan (CAP), data security, defense attorney, defense lawyer, encrypted laptop, Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Insurance Portability and Accountability Act (HIPAA), health law firm, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA lawyer, HIPAA risk assessment, HIPAA violation, medical history, medical records, Office of Civil Rights (OCR), Omnibus Rule, Omnibus rule compliance deadline, Patient privacy, patient records, privacy, protected health information (PHI), the health law firm, U.S. Department of Health and Human Services (HHS)|Comments Off

Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records promised was intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

3. Have a risk assessment performed on your practice. To learn more about risk assessments, click here for a previous blog.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility, should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There needs to be processes and check points in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. Health care practices must be vigilant that when they integrate other medical practices and facilities into their organization that they extend these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Van Terheyden, Nick and Faix, Rob. “Digital Health Records: Pain and Gain.” Orlando Sentinel. (December 12, 2014). From: The Orlando Sentinel News Section on page A20.

“Beth Israel Agrees To Pay $100K To Settle 2012 Data Breach Case.” iHealthBeat. (November 25, 2014). From: http://www.ihealthbeat.org/articles/2014/11/25/beth-israel-agrees-to-pay-100k-to-settle-2012-data-breach-case?view=print

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:58-04:00June 1, 2018|Categories: Electronic Health Record, HIPAA, The Health Law Firm Blog|Tags: civil penalties for HIPAA violation, compliance plans, criminal penalties for HIPAA violation, data security, defense attorney, defense lawyer, digital health records, EHR, electronic health records, electronic medical records, EMR, hacking medical records, Health Insurance Portability and Accountability Act, health law firm, hipaa, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA defense attorney, HIPAA lawyer, HIPAA violation, HIPAA violation help, identity theft, medical data, medical records, Patient privacy, patients record, penalties for HIPAA violation, privacy, protected health information (PHI), The Health Law|Comments Off

Breach of HIPAA Privacy Regulations May be a Basis for Negligence Actions

By Shelby Root and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by the Florida Bar in Health Law

Given the advances in information technology, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress as a comprehensive legislative and regulatory scheme to ensure basic protections of patients’ right of privacy regarding their health information. HIPAA, standing alone, does not provide a private right of action. It also preempts contrary state laws. A recent case in the Supreme Court of Connecticut, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014), addressed these issues. The decision answered the question of whether HIPAA preempts state law claims for negligence and negligent infliction of emotional distress against a healthcare provider who released medical records in the course of complying with a subpoena.

The Facts of Byrne v. Avery Center for Obstetrics and Gynecology, P.C.

During May 2004, Byrne started a personal relationship with Andro Mendoza, which lasted four months. At some point during May 2004 and July 12, 2005, the Avery Center provided Byrne with gynecological and obstetrical care and treatment. During the visit she was given the center’s privacy policy regarding protected health information. The policy, and the law, state that a patient’s health information will not be disclosed without their authorization. After Byrne’s relationship with Mendoza ended she instructed the center not to release her medial records to him.

On May 31, 2005, Mendoza filed paternity actions against Byrne. The Avery Center was served with a subpoena requesting its presence, along with Byrne’s medical records, at Probate Court. The center did not alert Byrne of the subpoena, file a motion to quash or appear in court. Instead, it mailed a copy of Byrne’s medical file to the court.

The Supreme Court of Connecticut’s Holding.

The Supreme Court of Connecticut reasoned that the fact a state law that allows an individual to file a civil action to protect their privacy exist does not mean that the law conflicts with the HIPAA penalty provisions. Therefore, the court concluded that HIPAA does not preempt causes of action when they are based on a state common or statutory law due to a healthcare provider’s breach of confidentiality.

The court found that a number of federal and state courts have ruled that a breach of the HIPAA Privacy Rule may be the basis for a breach of a duty of care in state court negligence actions. A patient’s private right of action does not conflict with or complicate healthcare provider’s compliance with HIPAA. In fact, negligence claims in state courts are furthering HIPAA’s goal of deterring wrongful disclosure of patient’s healthcare information. To view a past blog on a HIPAA violation case in California, click here.

Editors’ Comments on Byrne.

This is the latest of several recent cases where state courts have allowed cases to proceed against health care providers who breached the medical confidentiality of their patients, based in part on the HIPAA Privacy Regulations. In this case, the court correctly held that, although HIPAA does not afford a private right of action by itself, it does establish the duty that is owed by a healthcare provider to its patients to protect their medical information. With this duty being established, the plaintiff can then proceed under a straight negligence tort cause of action.

It is also noteworthy that the HIPAA Privacy Regulations are just one source of “evidence” or standards that can be used to establish th duty owed by medical professionals and theories.

This case also helps to put to rest the spurious defense that HIPAA might “preempt” such a cause of action that is brought under state law. We have seen this theory used by defendants just about any time a federal statute or federal regulation might come into play in a tort law suit. The court correctly determined that this defense theory was not valid.

If anything, HIPAA has better defined and strengthened a duty that has been owed to patients by physicians, nurses, health professionals and health facilities since the time of Hippocrates.

Comments?

What are your thoughts on the Supreme Court of Connecticut’s ruling? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and instiuttions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Source:

Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014). From:

http://scholar.google.com/scholar_case?case=6869878125055474806&q=Byrne+v.+Avery+Center+for+Obstetrics+and+Gynecology,+P.C.,+102+A.3d+32+(Conn.+2014)&hl=en&as_sdt=40006

About the Authors: Shelby Root is a summer associate at The Health Law Firm. She is a student at Barry University College of Law in Orlando. George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: Health Insurance Portability and Accountability Act, HIPAA, HIPAA Privacy Rules, HIPAA compliance, protected health information, patient privacy, patient rights, HIPAA violation, penalties for HIPAA violation, civil penalties for HIPAA violation, privacy, defense attorney, defense lawyer, HIPAA defense attorney, HIPAA violation help, HIPAA attorney, HIPAA lawyer, compliance plans, health law, The Health Law Firm

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law firm. All rights reserved.

Do You Need a HIPAA Risk Assessment?

By Danielle M. Murray, J.D.

As a health care provider or owner of a health facility, you know about the Health Insurance Portability and Accountability Act (HIPAA) of 1996. You know that you must safeguard and protect confidential patient medical information to avoid civil and criminal penalties against you and your practice. Did you know that you may need a HIPAA Risk Assessment?

OCR Auditors Are Stepping Up Enforcement.

The Office for Civil Rights (OCR) is stepping up enforcement around the country of “covered entities” and business associates. OCR auditors will send a letter informing you that within 30 days, they will be in your office reviewing your organization and interviewing your key staff members. If the auditor finds flaws with your office, you will be made aware of them, and then re-reviewed later, if you are not first fined or otherwise sanctioned. It is a very real and likely situation that many practices, facilities, and their business associates will be faced with in the coming months and years.

Frequently, an investigation into HIPAA violations is started due to disgruntled employees, patient complaints, theft or loss of records, security breaches, and improper disclosure.

The Law Requires a HIPAA Risk Assessment.

A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. Specifically, the regulation says that covered entities must:

[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

To see this regulation in full, go to http://law.justia.com/cfr/title45/45-1.0.1.3.70.3.33.4.html.

Can You Afford the Fine?

Large and small practices have been targeted by HIPAA Compliance Audits. UCLA was fined $865,000 because some of its employees improperly peeked into hospitalized celebrities’ medical records. The Alaska Department of Health and Social Services was fined $1,700,000 when a USB hard drive full of protected health information was stolen from an employee’s car. In another case, a specialty physician practice in Arizona was fined $100,000 because it used a public internet calendar to post clinical and surgical appointments.

All of these stories had something in common: they did not conduct a HIPAA risk assessment, they did not implement administrative safeguards, and they were fined a lot of money. Could your practice afford that sort of cost? Not to mention the potential criminal liability that comes with privacy violations.

HIPAA Risk Assessments Can Significantly Reduce Your Exposure to Regulatory and Litigation Sanction.

A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions. It will identify areas for improvement and allow them to be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA laws have likely changed since you last edited your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. In a perfect practice, this would be done every 6 months.

When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your Risk Assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? Call an experienced health law attorney to complete a risk assessment of your practice today.

For more on HIPAA, read our two-part blog. Click here for part one and here for part two.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What are your thoughts? Is HIPAA working? Not working? Has HIPAA increased the protection of your health information? What could be done to improve it? Please leave any thoughtful comments below.

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

By The Health Law Firm|2024-03-14T10:01:12-04:00May 15, 2018|Categories: Defense, HIPAA|Tags: administrative, civil, compliance, criminal, defense attorney, defense lawyer, doctor, fines, Health Insurance Portability and Accountability Act, HIPAA audit protocol, HIPAA compliance, HIPPA audits, license, licensed clinical social worker, licensed mental health counselor, mental health, physician, policy, practice, privacy, psychologist, psychology, risk assessment, sanctions, security|3 Comments

Jury Awards Walgreens Customer $1.44 Million Over HIPAA Violation

By Lance O. Leider, J.D., The Health Law Firm and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

An Indiana jury awarded a Walgreens customer $1.44 million on July 26, 2013, over a Health Insurance Portability and Accountability Act (HIPAA) violation, according to the Indianapolis Star. The Walgreens pharmacist was found to have violated the customer’s privacy by looking up and sharing the customer’s prescription history with others. The lawsuit alleged that there was a relationship between the pharmacist, her husband and the husband’s ex-girlfriend (who was the customer). The customer/ex-girlfriend was the plaintiff in the lawsuit.

Click here to read the entire article from the Indianapolis Star.

Details of the Lawsuit.

According to the American Bar Association, the lawsuit alleged the pharmacist was married to the customer’s ex-boyfriend at the time the pharmacist viewed her prescription records. The pharmacist admitted to showing the confidential information to her husband, who shares a child with the customer/plaintiff. In doing this, the pharmacist breeched her statutory and common law duties of confidentiality and privacy.

Click here to read the entire article from the American Bar Association.

Walgreens Found Negligent.

The jury found Walgreens negligent in training and supervising the pharmacist. The pharmacist admitted she was aware of the pharmacy’s privacy policy and knew she was violating it. Walgreens claims the pharmacist has been appropriately disciplined.

Deadline to Comply with Omnibus Rule Close-Are You Ready?

The Department of Health and Humans Services (HHS) released stronger rules and protections governing patient privacy on January 17, 2013. This omnibus rule strengthens the privacy and security protection established under HIPAA. Physicians, hospitals, clinics, health care providers and their business associates need to take into account the corrections as they work to update business associate agreements, policies, practices and training to comply with the rule changes by the September 23, 2013, deadline. To learn more on the omnibus rule changes, click here to read a previous blog.

Be Proactive-Get a HIPAA Risk Assessment.

A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions. It will identify areas for improvement and allow them to be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What are your thoughts on this HIPAA violation? Do you think Walgreens failed to train and supervise the pharmacist? Please leave any thoughtful comments below.

Sources:

Neil, Martha. “Walgreens Must Pay Customer $1.44M After Pharmacy Shared Her Prescription Records.” American Bar Association. (July 29, 2013). From: http://www.abajournal.com/news/article/jury_says_walgreens_must_pay_1.44m_because_pharmacist_gave_her_husband/

Evans, Tim. “Walgreens Must Pay Woman $1.44 Million Over HIPAA Violation.” Indianapolis Star. (July 26, 2013). From: http://www.indystar.com/article/20130726/NEWS/307260079/

About the Authors: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999. Copyright © 1996-2012 The Health Law Firm. All rights reserved.