Thora A. Johnson

Firm/Organization: Venable LLP

Blogs: All About Advertising Law, Health Law | STAT

Latest Articles

Global Privacy and Security by Design Considerations

By Thora A. Johnson, Jami Mills Vibbert & Shannon K. Yavorsky on October 11, 2019

The laws, rules, and regulations regarding privacy and data security are changing throughout the world. In the United States, California recently passed the California Consumer Privacy Act (CCPA), which is due to take effect in 2020. In May 2018, Europe enacted the General Data Protection Regulation (GDPR), which introduced sweeping changes to EU privacy law and contains specific requirements regarding data security and safeguarding information. Brazil and India have respectively passed and proposed privacy laws…

Health Law | STAT

New HIPAA Settlement Is the First under OCR’s Right of Access Initiative

By Thora A. Johnson, Jami Mills Vibbert, Celia E. Van Lenten & Alexander S. Altman on September 18, 2019

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced last week that it entered into a Resolution Agreement with a Florida medical center (“Medical Center”) following allegations that the Medical Center failed to respond to a patient’s request for medical records in a timely fashion and in violation of the patient’s right to access such records under HIPAA. While the $85,000 settlement amount is relatively small in comparison to the…

Health Law | STAT

Recent Settlement with OCR and New OCR Fact Sheet Serve as Reminders That Business Associates Have Direct Liability under HIPAA

By Thora A. Johnson, Jami Mills Vibbert & Judy Kim on June 10, 2019

The Department of Health and Human Services Office for Civil Rights (OCR) has shown once again that it is willing to enforce HIPAA against business associates, as seen in a recent settlement. The settlement highlights the importance of thorough risk analysis conducted by business associates and covered entities, as required by the HIPAA Security Rule, and serves as an indication that OCR remains ready to exercise its authority to enforce HIPAA’s requirements for business associates.…

Health Law | STAT

New Settlement with OCR Reminds Healthcare Companies of the Importance of a Timely and Thorough Investigation of Security Incidents

By Thora A. Johnson, Jami Mills Vibbert & Judy Kim on May 9, 2019

Despite the announcement made last week by the Department of Health and Human Services Office for Civil Rights (OCR) about certain reduced penalty caps under the Health Insurance Portability and Accountability Act (HIPAA), OCR has shown in this week’s settlement that it still plans to vigorously enforce HIPAA. New Maximum Annual Penalty Caps On April 30, 2019, OCR announced in a Notification of Enforcement Discretion new annual penalty caps for identical violations of a requirement…

Health Law | STAT

Small Physician Practice Settles with OCR: Yet Another Reminder of the Perils of Responding to Patient Complaints in a Public Forum

By Thora A. Johnson, Celia E. Van Lenten & Jaclyn A. Machometa on December 5, 2018

A private practice (Practice) comprising three physicians has agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $125,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). While the fine is small compared with OCR’s October announcement of the $16 million settlement with Anthem, it confirms OCR’s ongoing commitment to enforcing HIPAA compliance, regardless of an organization’s size or the number of impacted…

Health Law | STAT

A Busy Week at OCR: The Anthem Settlement, an Updated Security Risk Assessment Tool, and New Priorities for OCR

By Thora A. Johnson, Celia E. Van Lenten & Jaclyn A. Machometa on October 19, 2018

After a relatively quiet start to 2018, the Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has had an incredibly busy week, with the announcement of a blockbuster settlement, an updated security risk assessment tool, and new priorities for the agency. Anthem Settlement In a record-breaking settlement, Anthem, one of the nation’s largest health benefits companies, has agreed to pay OCR $16 million and take substantial corrective actions to…

Health Law | STAT

New Association Health Plan Rules and What the Recent Attorneys General Lawsuit Means for These New Rules

By Thora A. Johnson, Juliana Reno, Harry I. Atlas & Gregory C. Matisoff on August 21, 2018

Recently, the attorneys general of eleven states and the District of Columbia filed suit to challenge the Department of Labor’s (DOL) new association health plan (AHP) regulations (the “AG Litigation”). Although it is unclear at this time whether the AG Litigation will be successful in invalidating the regulations, it creates a potential impediment for a key aspect of the Trump administration’s effort to change the health insurance marketplace. The AHP Regulations An AHP is a…

Health Law | STAT

Final Regulations on Short-Term, Limited Duration Insurance: What the Regulations Mean for the Individual Insurance Marketplace

By Thora A. Johnson, Juliana Reno & Gregory C. Matisoff on August 14, 2018

Last week, the Departments of Treasury, Labor, and Health and Human Services (the “Departments”) issued final regulations to redefine the meaning of “short-term, limited duration insurance” (“short-term insurance”). The controversial regulations are likely to expand the use of this limited form of health insurance among consumers who do not receive coverage through their employers. Background The Affordable Care Act (“ACA”) imposes strict requirements on most individual health insurance coverage. Short-term insurance is exempt from most…

Health Law | STAT

Lessons Learned from ALJ Summary Judgment Against MD Anderson

By Thora A. Johnson, Celia E. Van Lenten & Jami Mills Vibbert on July 11, 2018

A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). While the vast majority of enforcement actions taken against covered entities and business associates to date have been voluntary settlements, this action came in the form of summary…

Health Law | STAT

Medical Group Settles with New Jersey Attorney General for Health Data Privacy Breach Caused by Its Vendor’s Misconfigured FTP Site: Reminder of the Need to Conduct Vendor Due Diligence

By Thora A. Johnson, Brian E. Extein & Jami Mills Vibbert on April 16, 2018

On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records. The settlement for violations of the federal Health Insurance Portability and Accountability Act and its associated regulations (“HIPAA”) and New Jersey state law requires the Medical Group to…

Thora A. Johnson

Global Privacy and Security by Design Considerations

New HIPAA Settlement Is the First under OCR’s Right of Access Initiative

Recent Settlement with OCR and New OCR Fact Sheet Serve as Reminders That Business Associates Have Direct Liability under HIPAA

New Settlement with OCR Reminds Healthcare Companies of the Importance of a Timely and Thorough Investigation of Security Incidents

Small Physician Practice Settles with OCR: Yet Another Reminder of the Perils of Responding to Patient Complaints in a Public Forum

A Busy Week at OCR: The Anthem Settlement, an Updated Security Risk Assessment Tool, and New Priorities for OCR

New Association Health Plan Rules and What the Recent Attorneys General Lawsuit Means for These New Rules

Final Regulations on Short-Term, Limited Duration Insurance: What the Regulations Mean for the Individual Insurance Marketplace

Lessons Learned from ALJ Summary Judgment Against MD Anderson

Medical Group Settles with New Jersey Attorney General for Health Data Privacy Breach Caused by Its Vendor’s Misconfigured FTP Site: Reminder of the Need to Conduct Vendor Due Diligence

Company

Support

New to the Network