After a relatively quiet start to 2018, the Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has had an incredibly busy week, with the announcement of a blockbuster settlement, an updated security risk assessment tool, and new priorities for the agency. Anthem Settlement In a record-breaking settlement, Anthem, one of the nation’s largest health benefits companies, has agreed to pay OCR $16 million and take substantial corrective actions to…

Recently, the attorneys general of eleven states and the District of Columbia filed suit to challenge the Department of Labor’s (DOL) new association health plan (AHP) regulations (the “AG Litigation”). Although it is unclear at this time whether the AG Litigation will be successful in invalidating the regulations, it creates a potential impediment for a key aspect of the Trump administration’s effort to change the health insurance marketplace. The AHP Regulations An AHP is a…

Last week, the Departments of Treasury, Labor, and Health and Human Services (the “Departments”) issued final regulations to redefine the meaning of “short-term, limited duration insurance” (“short-term insurance”). The controversial regulations are likely to expand the use of this limited form of health insurance among consumers who do not receive coverage through their employers. Background The Affordable Care Act (“ACA”) imposes strict requirements on most individual health insurance coverage. Short-term insurance is exempt from most…

A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  While the vast majority of enforcement actions taken against covered entities and business associates to date have been voluntary settlements, this action came in the form of summary…

On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records.  The settlement for violations of the federal Health Insurance Portability and Accountability Act and its associated regulations (“HIPAA”) and New Jersey state law requires the Medical Group to…

Under the HIPAA Breach Notification Rule, Covered Entities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) breaches of unsecured protected health information  affecting fewer than 500 individuals (“small breaches”) no later than 60 days after the end of the calendar year in which the breaches were discovered. This year’s small breach reporting deadline is Thursday, March 1, 2018. Covered Entities must submit their reports of small breaches discovered…

Late last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $3.5 million settlement with a large provider of kidney dialysis services (the “Provider”) for multiple violations of the Health Insurance Portability and Accountability Act and its associated regulations (HIPAA).  In early 2013, the Provider filed five separate breach reports for incidents that occurred in 2012 and involved several of its facilities.  These breaches involved, among other things,…