The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: HHS Enforcement

  • From Vol. 4 No.37 (Nov. 7, 2018)

    How to Improve Risk Analysis in the Wake of Anthem’s Record Settlement

    In the wake of the largest U.S. health care data breach in history, Anthem, Inc., has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights, a record settlement for alleged HIPAA violations. In addition to the monetary payment, Anthem agreed to conduct a thorough and accurate risk analysis – a challenge for many organizations. In this article, we discuss the Anthem breach and provide expert insight about avoiding common risk analysis pitfalls, identifying steps organizations in all sectors should take to conduct an effective and compliant assessment, and how to use the assessment report to mitigate risk. See also “Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).

  • From Vol. 4 No.20 (Jul. 11, 2018)

    Is Encryption Obligatory? HHS Upholds Texas Hospital $4.3M HIPAA Fine

    In an appeal that marks the first time the Health and Human Services department has considered the amount of the penalty in addition to the merits of the ruling, HHS has affirmed an OCR order imposing a $4.3 million penalty on the University of Texas MD Anderson Cancer Center (MD Anderson) for HIPAA violations. MD Anderson told The Cybersecurity Law Report that it plans to appeal the ruling. We analyze the case, the penalty, which one expert called “exceptional,” and what companies can learn from it. See also “Lessons From the Continued Uptick in HIPAA Enforcements” (Feb. 8, 2017).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Lessons From the Continued Uptick in HIPAA Enforcements

    The U.S. Department of Health and Human Services’ Office for Civil Rights has had an active start to 2017. The agency announced resolution agreements with MAPFRE Life Insurance of Puerto Rico and Presence Health as well as a final determination against Children’s Medical Center of Dallas that includes a $3.2 million civil monetary penalty. The actions highlight the need for companies to issue timely breach notifications, complete promised actions, and take swift remedial action to address known vulnerabilities. This article explains the three actions, provides advice on working with HHS, and examines 2017 regulatory expectations. “One thing that’s evident from these and other settlements is that once OCR is doing an investigation, it is not going to look only at the issue in question. It will open the door to a wider assessment of your HIPAA policies and procedures and practices. Once you’re in the spotlight, expect the spotlight to shine more broadly,” Lisa Sotto, a partner at Hunton & Williams, told The Cybersecurity Law Report. See also “Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS” (Dec. 9, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS

    The Department of Health and Human Services’ Office for Civil Rights recently entered into two significant settlements, one with a healthcare insurance company and the other with a hospital, to resolve HIPAA charges. Triple-S Management Corporation and its relevant subsidiaries agreed to pay a $3.5 million fine and take a series of corrective steps following several breaches involving protected health information. Lahey Clinic Hospital, Inc. agreed to pay $850,000 and adhere to an action plan following the theft of a device that contained patient electronic protected health information. Although there are still “a relatively small number of [OCR settlements] each year . . . the penalties have been steadily rising and I expect they will continue to do so,” Robert Belfort, a partner at Manatt, told The Cybersecurity Law Report. See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    FTC Weighs In on the Security of Health Care Data on the Cloud

    Like many industries, the health care sector is relying more heavily on new technology to provide digital medical records that are often stored on cloud-based servers and transmitted electronically. With the technological advances come privacy and security concerns that the FTC is watching closely. Cora Han, a senior attorney in the Division of Privacy and Identity Protection at the FTC, recently spoke at a meeting of the Health Care Cloud Coalition, a not-for-profit representing cloud computing, telecommunication, digital health, and healthcare companies in the health care sector. Han addressed the FTC’s expectations and enforcement efforts for privacy and security related to cloud-based mobile technology companies in the health care industry. See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).