Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in

Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.

In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).

OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.


Continue Reading

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently transmitted HIPAA pre-audit screening surveys to covered entities that may be selected for a second phase of HIPAA compliance audits (Phase 2 Audits). OCR is required to conduct compliance audits of covered entities and business associates under the 2009 Health Information

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI).  The resolution agreements and corrective