HIPAA Blog
[ Monday, January 26, 2026 ]
OCR Chief Paula Stannard:
My friend and reporter Theresa Defino recently interviewed Paula Stannard, the (new-ish) current Director of HHS' Office for Civil Rights, the HIPAA enforcement agency. This is Paula's third stint at OCR. The interview is available here.
Why do you want to hear what Paula Stannard has to say?
OCR directors are political appointees who change with administrations. As such, CEs and BAs typically like to get to know the OCR director’s goals, priorities and perhaps special interests to align their compliance programs, better safeguard patients’ privacy and avoid enforcement actions.
Check it out.
Jeff [10:24 AM]
[ Saturday, January 24, 2026 ]
Check out OCR's January 2026 Cybersecurity Newsletter. A link is here.
The tips focus on system hardening, but most of the recommendations are just common sense.
- Patch software
- Remove unneeded software and services
- Enable and configure security settings
Jeff [3:58 PM]
"Part 2" Providers: Don't Forget to Update Your NoPPs by February 16. Are you a "Part 2" provider? If you don't know, you probably aren't. "Part 2" refers to 42 CFR Part 2, which is the provision of the Code of Federal Regulations adding specifics to the general confidentiality provisions of 42 USC 290dd-2, requiring heightened confidentiality for the medical records of people seeking substance abuse treatment. Initially enacted as part of the 1970 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act, the law was meant to address the concern that people with drug abuse problems would not seek help out of fear that their treatment information would be used against them by law enforcement. The statute's provisions are very general; hence the regulations seek to flesh them out. The Part 2 rules existed before HIPAA, and are a sort of "super-HIPAA" level of protection for those particularly-sensitive medical records.
The regulations did not change over the years, while the way medical records are kept, transferred, and used changed dramatically, so HHS recently made changes. The regulations only apply to federally funded or supported substance use disorder providers. Most of them know who they are.
And if you are one, be aware that you need to add some specific references to those Part 2 rules into your NoPP. If it doesn't already say so, your NoPP should specifically say that you are subject to Part 2. Additionally, in the NoPP descriptions of (i) permitted disclosures for treatment, payment, and healthcare operations, and (ii) disclosures for which authorization is not required, you should add language indicating that the PHI you disclose may not be used in legal proceedings against the patient except with consent or a court order. Finally, Part 2 organizations that intend to use PHI for fundraising must give patients the clear opportunity to opt out of such fundraising.
Also, if the Part 2 provider is involved in an Organized Health Care Arrangement, the OHCA's NoPP must contain the provisions required to be included in the Part 2 provider's NoPP.
Jeff [3:53 PM]
[ Tuesday, January 06, 2026 ]
A Couple of Articles on Healthcare Data Breaches for 2025:
Jeff [9:15 AM]
[ Monday, December 01, 2025 ]
The Evolving Threat of Ransomware in Healthcare: Attackers are getting faster, and ransomware software is getting trickier and cheaper, but healthcare organizations are getting better at stopping attacks before encryption occurs. However, attackers are shifting their focus toward an extortion-only model: they don't encrypt your data, but they do access and copy PHI and threaten to release it unless the demand is paid.
Healthcare organizations still need to step up their game and keep defenses high. Encryption in motion and at rest is still the best cure, as are training and perimeter testing.
Jeff [8:49 AM]
[ Tuesday, November 25, 2025 ]
It's not just healthcare providers who suffer data breaches: I've been keeping a stack of law firm data breaches, meaning to write a post on them. But I've decided there's really not much to say, other than to note that a data breach can happen to anyone, and anyone who suffers a breach runs a decent likelihood of getting sued by any individuals who might plausibly have been damaged by the breach in one way or another.
This is far from an exhaustive list, but it's a start:
The big boys: Kirkland & Ellis, Orrick Herrington & Sutcliffe, Jones Day, Grubman Shire Meiselas & Sacks, and Bryan Cave Leighton Paisner
Adamson Ahdoot (CA)
Wacks Law Group (NJ)
Hill Farrer (CA)
Daniels Group (CO)
Cohen Cleary (MA)
Kelley Drye (NY)
Eckert Seamans (PA)
Riley Pope & Laney (SC)
Jeff [5:08 PM]
Healthcare wins again: Once again, the healthcare industry was the most affected industry when it came to data breaches in 2024. Many reasons: the amount of personal information; the sensitivity, utility, and value of the information; the many different financial crimes that the information can help (identity theft, insurance fraud, ransom); the large and varied number of data-holders, threat vectors, and levels of IT sophistication; the varied levels of security and protection; etc.
Hat tip: Wade Emmert.
(Should've posted this earlier, sorry!)
Jeff [8:48 AM]
[ Wednesday, September 10, 2025 ]
HHS' OCR, Asst. Secretary for Health Policy Release Latest Version of Security Risk Analysis Tool: If you've followed HIPAA much, you are aware that Security Rule compliance has always lagged Privacy Rule compliance. At least part of this is because Privacy Rule requirements are much more of a one-size-fits-all regime, whereas Security Rule compliance requires a lot of individual customization. It's easier to just do what you are told ("give everybody a NoPP") versus having to decide what to do ("consider the risks associated with failure to properly warn patients about potential data uses and provide appropriate advice and guidance to them").
To assist HIPAA covered entities and business associates, OCR, NIST, and ONCHIT combined to produce a very useful (but somewhat cumbersome) "security risk analysis tool" that covered entities can use to conduct a risk analysis, determine what their HIPAA and other data security risks are, and craft safeguards that are appropriate for their operations. You can't know what you need to fix or protect unless you've done a risk analysis, and this is a good starting point if you don't have any other idea where to start.
Failure to conduct an appropriate security risk analysis is one of the most common, if not THE most common, cited area of failure when OCR issues a fine for a HIPAA violation. Additionally, last year OCR announced a specific new effort, similar to its enforcement focus on patients' right to access, to target covered entities and business associates that failed to conduct a proper risk analysis.
OCR has now issued an updated tool, version 3.6, which is available here.
Jeff [8:49 AM]
[ Thursday, August 28, 2025 ]
OCR Named Enforcement Agency for Part 2: When HIPAA was first passed, the Privacy Rule was to be enforced by the Office for Civil Rights within HHS, and the rest of HIPAA was to be enforced by CMS. I'm not sure why that bifurcation happened, but a few years later HHS decided that OCR should be the enforcement agency for all of HIPAA.
Yesterday, HHS announced that OCR is now the enforcement agency for the federal privacy rules relating to substance abuse treatment facilities. Known in the industry as "Part 2" (because the rules are in Part 2 of Title 42 of the Code of Federal Regulations), it's basically a set of "super-HIPAA" medical record privacy laws applicable to certain providers in the substance abuse field. Those rules were generally enforced by the Department of Justice or HHS overall. However, now, OCR will enforce Part 2. Which actually kinda makes sense. I doubt there will be a lot of change in how things work, but it's good to have all the healthcare privacy enforcement under consistent management.
Jeff [10:44 AM]
[ Friday, August 01, 2025 ]
Costs of a Data Breach: According to an IBM study, for the year ended February 2025, an average healthcare data breach costs almost $7.5 million. Healthcare leads all industries in having the most expensive breaches, and the longest time before breaches are discovered.
Jeff [7:53 AM]
[ Monday, July 14, 2025 ]
400 Large Breaches so far in 2025: HHS has announced that during the first six months of 2025, there were 400 "large" breaches (500 or more individuals affected) added to the HHS "Wall of Shame."
Jeff [9:20 AM]
[ Tuesday, July 08, 2025 ]
Let's catch up on some recent HIPAA enforcement actions:
Deer Oaks, a HIPAA covered healthcare provider that provides behavioral health services primarily to residents in nursing homes and other facilities, misconfigured its IT systems to allow discharge summaries of 35 patients to be accessible online. A few months later, Deer Oaks suffered a ransomware attack that affected the PHI of 171,871 patients. The hacker demanded a ransom payment, but it's not clear if Deer Oaks paid or not. Deer Oaks did report the incidents to OCR, and as part of its investigation, OCR determined that Deer Oaks didn't do an effective risk assessment (shocking, no?). Ultimately, in July 2025 OCR fined Deer Oaks $225,000 and implemented a 2-year monitored corrective action plan.
BayCare Health System in Florida reached a settlement with OCR in May 2025 regarding complaints about impermissible access to its electronic PHI. It seems a former staffer at a physician practice was able to get access to the BayCare medical record system, and sent a BayCare patient copies of her medical records (along with a video showing the hacker scrolling through her computerized records). OCR found that BayCare's policies and procedures weren't sufficient, and specifically that BayCare did not audit system activity sufficiently. In addition to 2 years of monitoring, BayCare was fined $800,000. At least OCR didn't point out a failure to conduct a risk assessment (although the monitoring plan specified the performance of a new risk assessment).
Also in May 2025, OCR settled a ransomware incident with Comstar, a Massachusetts ambulance billing and collection company. Business Associates must do risk assessments too, and Comstar didn't. When a hacker got into the system and encrypted the PHI of over 500,000 people, OCR determined that the lack of a risk assessment contributed to the incident. Two years of monitoring and $75,000 were the result. Risk analysis, policies and procedures, audit controls, system activity review, encryption and training all would help.
In July 2025, OCR settled another ransomware case, this time involving a Syracuse (NY) ambulatory eye surgery center. PYSA ransomware was used to encrypt the PHI of about 25,000 patients, and OCR determined that the ASC had never conducted a risk assessment. In addition to a $250,000 fine, the ASC will certainly be doing a risk assessment -- and other HIPAA activities during its 2-year monitoring plan.
Jeff [7:38 PM]
[ Friday, June 20, 2025 ]
Finally!! Biden Administration's HIPAA Abortion Stupidity Negated: As I previously wrote about at length, the asinine Biden Administration HIPAA abortion regulation has been overturned by a Federal judge in Texas. The judge said the regulations were clearly intended to provide special protections for "politically favored procedures," which is a power HIPAA does not grant to HHS.
- I decided to reference it as "the Biden Administration's" doing, rather than Biden's, because he was obviously not mentally capable of actually making decisions like this. This is really Xavier Becerra's brainless baby; being a metaphorical and not a real baby, I'm so happy it has been aborted, even late-term.
- The regulation was stupid, overly burdensome, and entirely unnecessary. It added exactly ZERO new protections above what already existed in HIPAA, but merely obligated HIPAA-covered entities to engage in wasteful recordkeeping.
- The regulation was awfully drafted, and in an effort to paper over its obvious purposes of simply punishing states that don't agree with the pro-abortion stance, it instead placed barriers against protecting victims of sexual abuse, by hindering reporting to law enforcement.
- Additionally, it required HIPAA-covered entities to change their notices or privacy practices to make it appear that the covered entity was taking a pro-abortion stance.
Jeff [7:25 AM]
[ Monday, May 26, 2025 ]
Happy Memorial Day!
Sorry I've not posted in forever, and when I do it's few and far between, but it has been a very busy spring and when I've had time, I didn't think about the blog. But here's a compilation of stuff that's happened since the beginning of the year (and a few things from the end of last year):
- Access cases: Oregon Health & Science University got tagged with one of the biggest fines for failing to provide a patient with access to his/her PHI, paying $200,000. It was OCR's 53rd enforcement case for an access violation. Apparently, the matter involved a business associate of OHSU. However, the bigger take-away is that this was the second time OCR had to get involved in an access issue between OHSU and the same patient; the first time, OCR issued "guidance," which is basically when OCR decides that the covered entity screwed up but can get away with a warning if they fix the issue. When the patient filed a second complaint, OCR decided that a harsher punishment was necessary.
- Risk Analysis Initiative: In addition to a special focus on the right of access, OCR has started specifically directing investigations and issuing fines where covered entities fail to conduct a security risk assessment (SRA), as required by the Security Rule. As any HIPAAcrat knows, lack of a good SRA is a factor in almost every major HIPAA breach (along with a lack of good policies and procedures). However, instead of simply listing it as an element of the offense resulting in the fine, OCR is now specifically calling them out. And recently called out was wellness plan provider Health Fitness, which suffered 4 breaches in a 3-month period due to exposures of PHI on its website. Health Fitness had to enter into a corrective action plan and was fined $227,816, likely in part because they discovered the software problem 4 months before the breaches started.
- Risk Analysis Initiative: Another risk analysis issue befell Northeast Radiology in NY and CT (I guess they do CTs in CT). This was the 5th enforcement action specifically targeting SRA failure. NERAD left their PACS server exposed, at least partly due to the failure to do a good SRA, and the PHI of almost 300,000 patients was breached. NERAD entered into a corrective action plan and paid a fine of $350,000.
- Ransomware: OCR fined Guam Memorial Hospital $25,000 due to a ransomware attack. 5000 patients were affected, and the investigation uncovered multiple failures by GMHA, including the usual litany: lack of a comprehensive risk assessment, poor risk management, lack of policies, lack of training, and a failure to audit access logs. OCR also fined Comprehensive Neurology of NYC $25,000 for its ransomware event. It marks the 12th ransomware settlement and 8th settlement in the risk analysis initiative.
Jeff [11:55 AM]
[ Wednesday, May 21, 2025 ]
Kettering Health (Ohio) Ransomware Event: Kettering Health, which operates 9 hospitals and a handful of other sites in and around Dayton, Ohio, has reported a ransomware event that happened May 20, preventing elective procedures. The hospitals' emergency rooms continued to be open.
It's unclear at this point whether data was lost to the hackers, but the hackers apparently claim they have and will release data unless their ransom demands are met.
Jeff [7:07 AM]
[ Friday, March 21, 2025 ]
Email As a Data Breach Vector: Almost 200 healthcare organizations suffered a cyberbreach involving their email systems over the last year. Phishing is probably the biggest type of incident, mainly those that allow hackers to gain credentials and thus establish email rules that allow for data theft and potentially insertion of ransomware.
Tightening systems helps, but even the best systems can be hacked if the users/gatekeepers simply let the hackers in or give them the keys.
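The post above describes the post-phishing pattern of a stolen credential being used to plant email rules that siphon mail out. The following is an added example (not from the original post) of how a defender might review mailbox audit events for exactly those rules; the event format, folder names, keyword list and the organization domain `example-health.org` are assumptions, and the audit lines are constructed.

```python
"""Hunt for inbox rules of the kind typically created after a credential
phish: forwarding to an outside domain, or deleting/burying mail that
would tip off the mailbox owner (security alerts, invoice and payment
threads). The audit event shape, folder names and keyword lists are
assumptions for this example, not any vendor's real audit schema; the
events below are constructed.
"""
import json
from typing import List

ORG_DOMAINS = {"example-health.org"}  # assumption: our own mail domains
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                "conversation history", "deleted items"}
SENSITIVE_WORDS = {"password", "invoice", "wire", "payment", "security",
                   "suspicious", "hacked", "mfa"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample: one JSON event per line. 203.0.113.x / 198.51.100.x are
# documentation address ranges.
SAMPLE_AUDIT_LOG = """
{"ts": "2025-03-10T02:14:07Z", "user": "nurse.a@example-health.org", "operation": "New-InboxRule", "client_ip": "203.0.113.45", "rule": {"name": ".", "forward_to": ["drop@mail-collector.example.net"], "delete_message": true, "move_to_folder": null, "subject_contains": []}}
{"ts": "2025-03-10T02:16:30Z", "user": "billing.b@example-health.org", "operation": "Set-InboxRule", "client_ip": "203.0.113.45", "rule": {"name": "cleanup", "forward_to": [], "delete_message": false, "move_to_folder": "RSS Subscriptions", "subject_contains": ["invoice", "payment"]}}
{"ts": "2025-03-10T09:05:12Z", "user": "admin.c@example-health.org", "operation": "New-InboxRule", "client_ip": "198.51.100.7", "rule": {"name": "Newsletters", "forward_to": ["shared.inbox@example-health.org"], "delete_message": false, "move_to_folder": "Newsletters", "subject_contains": ["digest"]}}
{"ts": "2025-03-10T09:06:00Z", "user": "admin.c@example-health.org", "operation": "MailItemsAccessed", "client_ip": "198.51.100.7"}
"""


def parse_audit_log(text: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def external_forward_targets(rule: dict) -> List[str]:
    """Forwarding addresses whose domain is not one of ours."""
    return [addr for addr in rule.get("forward_to", [])
            if addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def hides_sensitive_mail(rule: dict) -> bool:
    """True when the rule deletes or buries mail and either has no subject
    filter at all (it catches everything) or filters on security/finance words."""
    buries = bool(rule.get("delete_message")) or \
        (rule.get("move_to_folder") or "").lower() in HIDE_FOLDERS
    words = [w.lower() for w in rule.get("subject_contains", [])]
    sensitive = any(s in w for w in words for s in SENSITIVE_WORDS)
    return buries and (sensitive or not words)


def review_inbox_rules(events: List[dict]) -> List[dict]:
    """Return one finding per rule-creation event that shows a suspicious trait."""
    findings = []
    for ev in events:
        if ev.get("operation") not in RULE_OPERATIONS:
            continue  # only rule creation/modification events matter here
        rule = ev["rule"]
        reasons = []
        for addr in external_forward_targets(rule):
            reasons.append(f"forwards to external address {addr}")
        if hides_sensitive_mail(rule):
            reasons.append("deletes or buries mail that would alert the owner")
        if not rule.get("name", "").strip(" ._-,"):
            reasons.append("blank or punctuation-only rule name")
        if reasons:
            findings.append({"user": ev["user"], "rule": rule.get("name"),
                             "client_ip": ev.get("client_ip"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_inbox_rules(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding["user"], finding["client_ip"], "; ".join(finding["reasons"]))
```

The same two rule events coming from one outside IP within minutes of each other is the kind of correlation a regular review would surface before the forwarded mail is used.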
Jeff [8:39 AM]
[ Friday, March 14, 2025 ]
Information-blocking news: EMR company must allow client's BAs to access PHI: I must admit I haven't been following this at all, but it's an interesting bit of news from the intersection of HIPAA privacy and 21st Century Cures Act interoperability. As you know, HIPAA tries to put the brakes on data sharing, while the Cures Act tries to increase data sharing. In this case, Real Time Medical, a health analytics company with a lot of nursing home clients, is suing Point Click Care, an EMR provider (that also provides other health data transmission services), to get access to those nursing homes' PHI. PCC is prohibiting RTM from accessing the data, even though the nursing homes are RTM's clients.
So far, the court has sided with RTM, calling PCC's actions data-blocking that's prohibited by the Cures Act.
I haven't dug into the case much, but from 30,000 feet, that sounds right -- if RTM is a business associate of the owner of the PHI, then the EMR company should NOT block that access.
Jeff [9:39 AM]
PE-owned healthcare entities need to improve cybersecurity: I hate to say it, but at this point cybersecurity protections are more important than regular HIPAA blocking-and-tackling. And apparently, private equity backed healthcare companies are worse than others, which is in many ways surprising. Solid cybersecurity shouldn't be a heavy lift for nimble, tech-related companies, and most PE portfolios these days seem to be heavy into new tech. That should be a recipe for leading-edge cybersecurity, but apparently not.
Jeff [9:30 AM]
[ Friday, February 21, 2025 ]
Warby Parker Pays $1.5 Million to Settle HIPAA Violation: The breach came about from a pretty common variety of illegal access: "credential stuffing," where someone gets access to one website, steals credentials (sometimes a massive number of user credentials, but usually the credentials of some system administrator folks), and uses those credentials to gain access to other websites. If it's user passwords that are stolen, there's not a great way to prevent the secondary action (most people will reuse passwords; get used to it), but if it's administrator credentials, that reflects poorly on the IT folks: sysadmins should be (i) smarter than the average user, and (ii) willing to do the extra work of maintaining multiple passwords.
- The failures are the typical failures that show up in most if not all breaches that result in OCR fines:
- Lack of sufficient risk analysis. Folks, any business with personal information on more than 1,000 customers and more than $1 million in revenue should have conducted a breach risk analysis. Every IT person should be able to handle at least the most rudimentary risk analysis. There's even a pretty easy-to-use tool on the OCR website.
- Lack of sufficient security measures. It's always going to be an uphill battle if you haven't done a risk analysis, because it's basically impossible to show that your security measures are sufficient. But still, some effort is required here.
- Failure to regularly review system activity. This is a new focus of OCR investigations, but it's a smart one, and you'd be wise to keep it in mind. Regularly reviewing (i) who is accessing your system, what they're looking at, and when, and (ii) the amount of data flowing in, within, and (particularly) out of your system, along with the times it is moving and where it's going, can often indicate that you have a problem well before the bad guys act.
- Is Warby Parker even a HIPAA covered entity? I did not know they actually did eye exams, but thought it was just a retailer of cool frames. Even if they are like LensCrafters or Pearle Vision, that would make the frames/lenses retailer a business associate of the associated optical practices.
- There is another "usual" problem that OCR notes when issuing fines that isn't mentioned here: lack of sufficient policies and procedures. I guess maybe Warby Parker has good policies, but just didn't execute.
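The "regularly review system activity" point above (who is accessing what and when, and how much data is leaving) is concrete enough to script. Here is an added example, not from the original post, of a periodic review over an EHR access log; the log columns, the business-hours window, and the thresholds are assumptions, and the log lines are constructed.

```python
"""Periodic system activity review over an EHR access log: who looked at
what, when, and how much left the system. Flags any user-day whose distinct
patient count is far above the peer median, that happens mostly off-hours,
or that exports an unusual volume.

Log format, thresholds and business hours are assumptions for this example,
not any vendor's real audit format. The sample log is constructed.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

BUSINESS_HOURS = range(6, 20)           # assumption: 06:00-19:59 UTC is normal
BULK_FLOOR = 10                         # never flag fewer distinct patients than this
BULK_MULTIPLIER = 3.0                   # flag when > 3x the peer median
EXPORT_LIMIT_BYTES = 10 * 1024 * 1024   # assumption: 10 MiB per day is the ceiling
MIN_EVENTS_FOR_OFF_HOURS = 5            # need a few events before judging timing

# Constructed sample: three clinical/billing users during the day, and one
# contractor account pulling a dozen charts and a 50 MiB export near midnight.
SAMPLE_ACCESS_LOG = """timestamp,user,action,patient_id,bytes
2025-02-03T09:02:11Z,dr.lee,VIEW,P1001,2048
2025-02-03T09:20:45Z,dr.lee,VIEW,P1002,1536
2025-02-03T10:05:00Z,dr.lee,VIEW,P1003,4096
2025-02-03T11:30:12Z,dr.lee,VIEW,P1004,2048
2025-02-03T13:01:09Z,nurse.kim,VIEW,P1001,1024
2025-02-03T13:15:33Z,nurse.kim,VIEW,P1005,1024
2025-02-03T14:02:48Z,nurse.kim,VIEW,P1006,3072
2025-02-03T15:10:00Z,billing.ortiz,VIEW,P1002,512
2025-02-03T15:12:30Z,billing.ortiz,VIEW,P1003,512
2025-02-03T15:20:05Z,billing.ortiz,VIEW,P1007,512
2025-02-03T16:00:00Z,billing.ortiz,EXPORT,P1007,300000
2025-02-03T23:05:00Z,contractor.x,VIEW,P1001,2048
2025-02-03T23:06:00Z,contractor.x,VIEW,P1002,2048
2025-02-03T23:07:00Z,contractor.x,VIEW,P1003,2048
2025-02-03T23:08:00Z,contractor.x,VIEW,P1004,2048
2025-02-03T23:09:00Z,contractor.x,VIEW,P1005,2048
2025-02-03T23:10:00Z,contractor.x,VIEW,P1006,2048
2025-02-03T23:11:00Z,contractor.x,VIEW,P1007,2048
2025-02-03T23:12:00Z,contractor.x,VIEW,P1008,2048
2025-02-03T23:13:00Z,contractor.x,VIEW,P1009,2048
2025-02-03T23:14:00Z,contractor.x,VIEW,P1010,2048
2025-02-03T23:15:00Z,contractor.x,VIEW,P1011,2048
2025-02-03T23:16:00Z,contractor.x,VIEW,P1012,2048
2025-02-03T23:58:00Z,contractor.x,EXPORT,-,52428800
"""


def parse_access_log(text: str) -> List[dict]:
    """Parse the CSV log into dicts with a real datetime and integer byte count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def summarize_user_days(events: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Roll the log up to one record per (user, calendar day)."""
    days: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"patients": set(), "events": 0, "off_hours": 0, "export_bytes": 0})
    for e in events:
        d = days[(e["user"], e["timestamp"].date().isoformat())]
        d["events"] += 1
        if e["patient_id"] != "-":          # bulk exports carry no single patient id
            d["patients"].add(e["patient_id"])
        if e["timestamp"].hour not in BUSINESS_HOURS:
            d["off_hours"] += 1
        if e["action"] == "EXPORT":
            d["export_bytes"] += e["bytes"]
    return dict(days)


def review_activity(events: List[dict]) -> List[dict]:
    """Return findings for user-days that breach any of the three checks."""
    days = summarize_user_days(events)
    counts = [len(d["patients"]) for d in days.values()]
    bulk_threshold = max(BULK_FLOOR, BULK_MULTIPLIER * statistics.median(counts))
    findings = []
    for (user, day), d in sorted(days.items()):
        reasons = []
        if len(d["patients"]) > bulk_threshold:
            reasons.append(f"{len(d['patients'])} distinct patients (threshold {bulk_threshold:.1f})")
        if d["events"] >= MIN_EVENTS_FOR_OFF_HOURS and d["off_hours"] / d["events"] > 0.5:
            reasons.append(f"{d['off_hours']}/{d['events']} events outside business hours")
        if d["export_bytes"] > EXPORT_LIMIT_BYTES:
            reasons.append(f"exported {d['export_bytes']} bytes (limit {EXPORT_LIMIT_BYTES})")
        if reasons:
            findings.append({"user": user, "day": day, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_activity(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f["user"], f["day"], "; ".join(f["reasons"]))
```

The peer-median comparison is what keeps a busy clinician from tripping the bulk check; a fixed number alone would either miss the contractor or drown the review in noise.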
Jeff [8:51 AM]
[ Tuesday, January 28, 2025 ]
Change Healthcare's Breach Victim Count Reaches 190,000,000. US population is about 340 million, which means the breach affected about 56% of the US population. So, if you're an American, it's more likely than not that your PHI was exposed in the Change breach.
A few months ago, a ransomware negotiator mentioned something to a client of mine that was a bit of a revelation. We were discussing the question of whether a breach victim can ever prove damages from a breach without some very specific evidence, such as the breach being a personal attack (an estranged spouse obtains the information and uses it in some obvious way to leverage a big divorce settlement payment) or the hacker deliberately using stolen data to blackmail a victim. If a covered entity suffers a breach and one of the victims of the breach suffers identity theft, can the victim prove that it was the breach in question that exposed his/her data, or might the data have been exposed in a different breach? The more breaches there are, the more difficult it will be for victims to prove causation.
The Change Healthcare breach might re-write the rules here: if I fail to protect your data and you get harmed, can you prove that my exposure of your data caused the harm, if your data was already exposed on the dark web?
Jeff [8:18 AM]
[ Tuesday, January 21, 2025 ]
Texas Health and Human Services Commission Suffers HIPAA Breach: If you haven't figured it out yet, anyone with health data is potentially susceptible to a data breach, and that includes governmental entities. The Texas Health and Human Services Commission, which oversees health and welfare programs in the state (including state Medicaid), reported recently that in November 2024, bad employees at the agency improperly accessed information of about 61,000 individuals. The employees have been fired and law enforcement authorities are investigating.
It is not clear if HHSC has reported the incident to OCR; it may be that the breach is not a HIPAA breach at all, but rather a breach of SNAP (i.e., food stamp) card information. That may make sense, if the bad employees were looking to skim funds off of the accounts of food stamp recipients (which, of course, changes "bad" to something much worse -- stealing from the poorest folks should get you a special circle of hell or something).
Jeff [10:05 AM]
[ Thursday, January 09, 2025 ]
PHI Deletion Nets $337,750 Fine: This is a bit of an odd one: a Florida HIPAA business associate, USR Holdings, discovered that an unauthorized third party had access to its database for 3-4 months and deleted PHI of 2,903 people. The normal problems were there: failure to conduct a risk assessment, no risk management plan, no system activity review, and no backups. The result was a $337,750 fine and a 2-year monitoring plan.
Here's the resolution agreement.
Jeff [1:08 PM]
9th Ransomware Case: Virtual Private Network Solutions: HHS has entered into a settlement agreement with a HIPAA business associate who was hit with a ransomware attack in 2021 that resulted in the encryption of PHI. VPN Solutions provides data hosting and cloud services to HIPAA covered entities, and in October of 2021 was hit by a ransomware attack that resulted in encryption of data, including PHI of some covered entity clients. There does not appear to have been any exfiltration of data, and thus it is unclear whether this incident is really a "breach" under HIPAA (it may be a violation because it was a failure of "accessibility," but not a "breach"). However, VPN Solutions reported it. OCR's investigation discovered (surprise!) VPN Solutions had not done a sufficient risk assessment. VPN Solutions agreed to pay a $90,000 fine, implement a corrective action plan, and agree to one year of OCR monitoring.
Resolution agreement can be found here.
Jeff [12:57 PM]
OCR's January 2025 "Dear Colleague" letter (slightly off-topic): As you know, the Office for Civil Rights is the HIPAA enforcement agency; but HIPAA is not all that OCR does, it also is responsible for enforcing anti-discrimination provisions of health-related laws and HHS rules, such as the notorious Section 1557 of the Affordable Care Act. And being a hyper-politicized department of still-current hyper-political executive administration (it seems to be in an internal competition with the Department of Education and the FTC to see who can be the most progressive/left-wing), it currently interprets those rules in a hyper-partisan fashion.
NOTE, importantly, this characterization does not apply to the HIPAA enforcement side of OCR, perhaps because HIPAA doesn't have the same capacity for partisan regulatory crusading as the general "civil rights" mandate of the rest of the office (although the partisanship does seep in where abortion is in play). So, I note that this comment is really OFF TOPIC for a HIPAA blog, but it's something that the healthcare industry needs to know about anyway.
On January 7, OCR issued a "Dear Colleague" letter outlining OCR's regulatory interpretation of how to apply Section 1557 and Section 504 of the Rehabilitation Act of 1973. This is not a regulation; regulations require the ability of the public to comment and complain. But when the regulators tell you this is what they think the law requires, you don't have to believe them or do what they say, but you damn well better be prepared to spend a lot of money defending yourself from the regulatory process they can put you through. "The process is the punishment."
The letter starts out by pointing out how doctors hate people with disabilities, because "large proportions of practicing physicians hold biased or stigmatized perceptions of people with disabilities, perceiving them to have a lower quality of life because of their disabilities." So you know where it's coming from.
It then goes on to address a handful of areas where potential discriminatory practices might come into play:
- Medical Treatment Decisions: Treatment can't be limited or denied "based on biases or stereotypes about the patient’s disability, judgments that the qualified individual will be a burden on others due to their disability, or on the belief that the life of a person with a disability has lesser value than the life of a person without a disability." But how can you tell if the judgment is based on a bias or stereotype versus an actual statistical probability (people with a certain disability are more or less likely to have a particular condition or respond in a particular way to a particular treatment, but are also socially prejudged for that condition or response)? There's obvious overlap there.
- Value Assessment Methodologies: OCR states that the Rehabilitation Act "prohibits recipients from using any value measure, assessment, or tool that discounts the value of life extension on the basis of disability. . . ." And Section 1557 states that "covered entities may not discriminate on the basis of disability in their health programs or activities through the use of patient care decision support tools." Fair enough, but what if the disability is highly likely to result in a shortened life span for the individual?
- Accessibility of Kiosks: providers who have self-service kiosks must make sure that they are accessible to people with disabilities (access when sitting or standing, audio/visual access aids, etc.) and must have alternate methods (with the same access, convenience, and confidentiality as the kiosks). Other than making the kiosk less accessible to a non-disabled person, it seems that any alternate method will never be as accessible or convenient, and the methods that would make it more accessible or convenient would likely result in less confidentiality.
- Web Content and Mobile App Accessibility: providers with 15 or more employees must make sure their web content and mobile applications are compliant with Web Content and Accessibility Guidelines (WCAG) 2.1 AA by May 11, 2026; providers with fewer than fifteen employees have until May 10, 2027.
- Medical Diagnostic Equipment: Sets standards for how much of your diagnostic equipment is "accessible" to the disabled (for example, a provider who weighs patients may need to purchase a wheelchair-accessible scale).
- Other Provisions: Providers need access to sign language interpreters or braille content. Care settings must be as "integrated" as possible (I assume this is a reference to racial integration, but the letter is unclear).
Jeff [12:49 PM]
[ Wednesday, January 08, 2025 ]
HHS Issues 8th Fine Related to Ransomware: Elgon Information Systems has agreed to an $80,000 settlement with OCR in relation to a ransomware event it suffered in March of 2023. It's the 8th overall ransomware settlement, and the 2nd under OCR's new "risk analysis initiative," which, like the focus on patient access, shows that OCR is selecting specific HIPAA problem areas on which to focus its investigation. While open firewall ports were the specific cause of the incident, that's just the sort of thing a good risk analysis would correct.
Lack of a good risk analysis, along with lack of sufficient policies and procedures, is the most common finding in OCR settlement agreements.
The resolution agreement is here.
Jeff [8:57 AM]
[ Monday, December 30, 2024 ]
Recent OCR Enforcement Actions: I've been pretty lazy on the blogging front lately, and let a bunch of items stack up, particularly noting the various enforcement actions of OCR. Now that it's end of year and I'm clearing out some old emails, let me post to a few.
First, OCR continues to make hay with relatively small fines against covered entities that fail to quickly and fully provide access to patients who ask for their PHI. Why do they fail or delay? Sometimes confusion, sometimes bad bureaucracy, but often it's because they want to punish a patient for failing to pay or finding another provider. Those are bad reasons, and if you do so, you should be punished. And why are the fines small? It's usually not a systemic problem (the way a breach shows that a covered entity has overall poor HIPAA hygiene), and it often also involves smaller covered entities who don't have the financial wherewithal to pay 6-figure settlements.
Other settlements involve the big issues: breaches, ransomware, overall HIPAA failures.
Anyway, here are some recent ones.
- October 21, 2024: OCR fines Gums Dental Care, a solo practice, $70,000 for failing to give a patient access to PHI.
- October 31, 2024: OCR settles with Plastic Surgery Associates of South Dakota, levying a $500,000 fine for a ransomware attack and breach that affected over 10,000 patients. A brute force attack was successful, and the hackers encrypted 9 workstations and 2 servers, which the medical practice could not restore from backup. The "usual suspect" problems were there: lack of a good risk analysis, insufficient security measures, lack of system activity auditing, and insufficient policies and procedures.
- November 1, 2024: OCR fines Oklahoma's Bryan County Ambulance Authority $90,000 for its failures in connection with a ransomware cybersecurity hack that encrypted the files of over 14,000 patients. Lack of a good risk analysis and risk management plan was the primary cause.
- November 19, 2024: OCR fines Rio Hondo (CA) Community Mental Health Center $100,000 for a 7-month delay in providing a patient with access to his/her records.
- December 2, 2024: OCR fines Holy Redeemer Hospital $35,581 for improperly providing a patient's employer with too much of the patient's reproductive health information. It appears that the patient had a test done and wanted the hospital to report the results of the test to the patient's employer, but the hospital mistakenly provided a lot more information, perhaps the patient's entire file regarding the matter in question. OCR's hyper-politicization regarding abortion and "reproductive health" information, combined with the small (and odd) amount of the fine, might be a clue to what's really going on here.
- December 4, 2024: BOOM! OCR fines Gulf Coast Pain Consultants $1,190,000 for failing to prevent a former contractor from accessing about 35,000 patient records. The former contractor was using the records to file false Medicare claims. In addition to failing to cut off the former contractor's access, GCPC's errors included insufficient risk analysis and lack of system activity review.
- December 6, 2024: Children's Hospital of Colorado pays about $550,000 to settle HIPAA claims relating to several email phishing breaches affecting about 11,000 patients' data. Lack of MFA and employees sharing their passwords contributed to the success of the attacks. CHC's sins included lack of employee training and (of course) lack of a sufficient risk analysis.
- December 10, 2024: OCR and Inmediata Health Group (a health care clearinghouse) enter into a $250,000 settlement over Inmediata's failure to secure PHI of about 1.5 million people, which was available online. The situation also apparently resulted in Inmediata settling with 33 states regarding the matter. Lack of a risk analysis and lack of system activity review were determined to be a part of the cause.
Jeff [3:31 PM]
Biden Administration Proposes New Cybersecurity Requirements for Healthcare Organizations: Encryption and network compliance checks are included in the proposed revisions to the HIPAA Security Rule. The rule is presented as a fix to the current epidemic of healthcare data breaches. Expected cost to the industry: $15 billion over the first 5 years.
If this rule, which was published December 27 and is in its required 60-day comment period, survives the next Administration, I'll give you a better digest of what it contains.
Jeff [8:45 AM]
[ Monday, December 23, 2024 ]
Ascension breach affects 5.6 million: Ascension Health's May 2024 ransomware incident may have compromised PHI of 5.6 million people, according to the company's report to the Maine AG.
Jeff [8:22 AM]
[ Tuesday, December 17, 2024 ]
OCR and Abortion: If you're wondering if OCR is going to try to jump into enforcement actions of the soon-to-be-implemented (and likely soon-to-be-rescinded) reproductive health data rule, you should be aware that OCR has already fined a health system $35K for improperly disclosing a patient's reproductive health PHI. The patient authorized the release of a single test result to her employer, but the hospital mistakenly disclosed her whole record.
Jeff [7:10 AM]
[ Wednesday, December 11, 2024 ]
The Blinding, Amazing Stupidity of Xavier Becerra's HHS.
OK, there are plenty examples of this, but the one I'm wrestling with right now is so frustratingly idiotic, and an example of all the problems that happen when a governmental department is run as a virtue-signaling platitude operation rather than a serious governmental agency serving its constituents, the public. It is all the more frustrating that it comes while so many people are questioning the competence or credentials of Trump's cabinet selections, while ignoring the utter incompetence of Xavier Becerra.
I speak, of course, of the Biden Administration's so-called "HIPAA Privacy Rule to Support Reproductive Health Care Privacy," which was published in final form on June 25, 2024. Let's be honest, this rule change is solely about one thing: the impotent, petulant cry of the pro-abortion lobby at the Supreme Court's decision in the Dobbs Case, which threw out the social experiment that was Roe v. Wade and returned the question of whether abortion should be legal or not to the legislatures of the various states or, if it chooses, Congress.
I don't care which way you come down on the abortion debate. There are intellectually (and societally) consistent rationales on both sides. But it is not a matter that 9 lawyers, no matter how smart, should decide for the other 330 million of us. It is a matter best dealt with by the democratic process. And I will fight you on that.
Back to the matter at hand. A little background:
Texas passed a law, the Texas Heartbeat Act, in 2021 (i.e., pre-Dobbs), which outlawed abortions once a fetal heartbeat is detectible. The statute has a peculiar provision: state officials are prohibited from enforcing it, but private citizens may do so. This prevented abortion-rights groups like Planned Parenthood from suing Texas state officials to have the law deemed unconstitutional under Roe (and Casey's "undue burden" test). (The Texas statute that was the subject of the Roe decision, which is effectively a total ban on abortions, was never repealed by the legislature, despite being declared unconstitutional by the Roe court; thus, it was still on the books to be "resuscitated" after Dobbs overturned Roe.)
The Heartbeat Act also prohibits anyone from "assisting" any post-heartbeat abortion; theoretically, this could mean that a private citizen could sue a company that offers to assist Texas women who want to travel to another state to receive a post-heartbeat abortion, claiming that they are providing the assistance in Texas, where it is illegal. The Texas Attorney General in fact sent threatening letters to some large employers in the state in an effort to prevent them from offering abortion travel assistance as an employee benefit.
Rather than stay out of the fray, the Biden Administration jumped in with both left feet. This regulation would have single-handedly destroyed any basis for Chevron deference: if governmental agencies are capable of drafting something as stupid, incoherent, and unwieldy as the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, they should not only not get deference, those challenging the regulations should get the benefit of the doubt.
Basically, the new rule (i) prohibits uses and disclosures that could possibly be used to conduct any type of investigation into someone seeking, obtaining, or facilitating reproductive care (extremely broadly defined); (ii) requires covered entities to get an attestation prior to making any use or disclosure for health oversight, legal proceedings, law enforcement, or to coroners/medical examiners if the use or disclosure might touch on reproductive care (again, broadly defined), and (iii) requires specific reference in every Notice of Privacy Practices to specifically reference the prohibition in (i) and the attestation in (ii).
How bad is this? Let me count the ways:
- The rule addresses "reproductive health," rather than abortion. All of the provisions apply where someone (patient, provider, third party) is "seeking, obtaining, providing, or facilitating reproductive care." The definition of "reproductive care" is extremely broad: "health care . . . that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes." It applies to men, women, and children of all ages (erectile dysfunction fits; a hysterectomy on a post-menopausal woman fits, even though the woman can no longer reproduce, because it relates to the reproductive system; cholesterol screening fits, because you could die from atherosclerosis, and your death would "affect" your reproductive system, since it would die with you; and pediatric services could potentially "relate" to the reproductive system under a similar analysis). If the regulation drafters were honest, they could have made the rule applicable where PHI relating to abortion is sought. But they didn't.
- The attestation requirement applies to uses, as well as disclosures. Uses are when the PHI doesn't leave the covered entity; who provides the attestation in that case? If a physician wants to review a patient's chart (use PHI) to be prepared to defend himself in a deposition, and the PHI relates to reproductive care (which as defined could mean anything), he would have to issue an attestation to himself first.
- The section heading of the attestation requirement says attestations are not required for disclosures to covered entities and business associates, but text isn't limited that way. It's unclear whether it would be safe to assume that you don't need an attestation from a covered entity or business associate; thus, to be safe, a physician would have to get an attestation from his attorney (in addition to a BAA) before disclosing PHI to him if it relates to reproductive care. The disclosure is permitted, but the attestation is required.
- The rule adds language to the "Personal Representative" provisions (45 CFR 164.502(g)(5)) that are apparently intended to allow a provider to refuse to treat a parent or other personal representative as such if the provider thinks the parent wants to report his daughter for getting an abortion. However, as drafted, the language doesn't work in the least. First, the language is basically indecipherable, as written. 37 years of practicing health law and 25 years of doing HIPAA, and I can't for certain say what this section actually means. Secondly, 502(g)(5) as previously drafted gives providers the right to refuse to treat the parent as the personal representative if the provider thinks the patient has been abused and treating the parent as the personal representative would endanger the individual. Sounds good, right? Well, the new Rule detracts from the ability of the provider to make that determination. In fact, if the reason the provider thinks the parent is an abuser is because of what the provider has seen from providing reproductive care, the provider CANNOT refuse to treat the parent as the personal representative.
- Section 164.512(c) allows uses and disclosures without authorization to report abuse, neglect, or domestic violence. In other words, a provider can report child abuse even though the parent/guardian (as personal representative) refuses to authorize the reporting. However, the new rule changes the section by eliminating the ability of the provider to make the report without authorization if the reason for the report comes from the provision of reproductive care. For example, if a father brought his 4-year-old daughter to the clinic and she tested positive for Chlamydia, and that's all the evidence there is, the clinic cannot report it as sexual abuse without the authorization of the parent.
Given the awful drafting of this Rule and the confusion regarding its meaning and effect, I can safely say that well over 95% of all healthcare providers will arguably be in violation of this Rule as soon as it becomes effective.
It does not require mentioning that the decision-makers at HHS will be gone 40 days from now. The likelihood that this bill will survive in the new administration is extremely low. And the Texas Attorney General filed suit in September, seeking to have enforcement of the rule enjoined, although the court has not acted yet.
But the stated effective date for all but the Notice of Privacy Practices provisions is December 23, 2024 (less than a month prior to Trump's upcoming inauguration). Given the lost election, do you think HHS would back off and delay enforcement until the new administration decides to keep it or junk it?
Hell no. HHS wants all entities subject to HIPAA to have to jump through all of these hoops unnecessarily. They want covered entities and business associates to require unnecessary attestations, draft unnecessary policies and procedures, and revise their Notices of Privacy Practices for no good reason.
Finally, I would note that, while noises have been made by the Texas Attorney General and others, I am unaware of anyone actually attempting to enforce the statute that triggered this Rule. Certainly, I am unaware of anyone anywhere trying to enforce the Heartbeat Act in a manner that this Rule would prevent. Thus, the cherry on top here, the chef's kiss, is this: this is a solution in search of a problem, a fix for a non-existent calamity. All of this is entirely unnecessary. Is it any wonder everyone hates the government?
Jeff [4:37 PM]
[ Monday, November 18, 2024 ]
Ransomware is the Biggest HIPAA Issue Facing the Healthcare Industry: According to a survey recently conducted by Sophos, 67% of all healthcare providers reported a ransomware attack in 2023. This number increases every year; it's time for the industry to learn how to prevent it. The mean cost of recovery is $2.5 million.
Jeff [5:47 PM]
Recent Ransomware settlement:
OK, I've sort of fallen down on the job here keeping the HIPAABlog updated, but I'm going to try to dump a bunch of items that I've been stacking up. So here goes.
In September, OCR settled with Cascade Eye and Skin Centers (WA) regarding Cascade's HIPAA failures that resulted in Cascade suffering a ransomware event that exposed 291,000 PHI-containing files (it is unclear how many individuals were affected). OCR cited 2 specific failures on Cascade's part: failure to conduct a proper risk analysis, and failure to have procedures in place to monitor system activity. Risk analysis is the linchpin of HIPAA security -- if you haven't done it, you don't even know if your security is good. And monitoring the activity on your information systems can give you an early warning that something is amiss.
The settlement agreement is here.
Jeff [5:40 PM]
[ Friday, October 04, 2024 ]
Providence Medical Institute Ransomware Fine: Providence Medical Institute has been fined $240,000 by OCR for HIPAA violations in connection with a ransomware attack that exposed the PHI of over 80,000 individuals. Interestingly, OCR only noted 2 HIPAA violations warranting the fine: lack of an appropriate BAA, and lack of policy restrictions on the people and programs who can access PHI. OCR did NOT note a lack of a sufficient risk assessment (but maybe that's implied since a good risk assessment would have noted the access problem and lack of BAAs?).
Jeff [11:55 AM]
[ Monday, September 16, 2024 ]
Offshore Outsourcing of Tech Services Can Be Problematic: A few weeks ago, HHS removed two Obamacare enrollment companies from accessing the ACA Marketplace based on concerns that the companies potentially allowed consumers' personal information to be accessed in India. The companies operate the BenefitAlign and TrueCoverage websites, and use an Indian data center.
US privacy law does not generally prohibit the use of offshore companies as business associates, as long as a business associate agreement is in place. However, even with a BAA in place, HIPAA covered entities still have an obligation to vet their contractors and cannot turn a blind eye to whether their offshore business associates will abide by their BAA obligations. There's always a question of whether a rogue business associate can be dragged into a US court if they violate the BAA.
Additionally, some federal and state payment programs (including some state Medicaid programs) specifically limit the ability to use offshore contractors, if they will have access to PHI.
Some tech companies set up elaborate systems to limit the transmission of PHI outside the US, including systems where theoretically the data never leaves the US and the offshore consultant does not technically receive the data, but is merely able to "see" it from afar (although that seems like a convenient fiction). Certainly, most legitimate Indian, Philippine, and Pakistani tech companies have elaborate systems in place to ensure that their human staff can't take data with them (employees are not allowed to bring cameras or cell phones into the workspace and are searched coming and going, there are no USB ports or other ways to access the data system, etc.).
It's almost impossible to obtain any tech services where no aspect of the service is done outside the US. However, you should be aware of these concerns and especially careful if you are bound by Federal Acquisition Regulations or other obligations that might restrict the offshoring of personal data.
Jeff [11:38 AM]
[ Wednesday, August 21, 2024 ]
Great Write-Up on OCR's 3rd Ransomware Settlement: Theresa Defino of Report on Patient Privacy has an excellent article on the recently-announced settlement Heritage Valley Health System entered into with OCR. Heritage Valley got hit by the NotPetya ransomware attack back in 2017 through no real fault of their own -- they used Dictaphone transcription software as part of iChart, and that was the vector of the attack. Dictaphone had been acquired by Nuance Communications, which aggressively expanded overseas; the ransomware originated in Ukraine, and entered Heritage Valley's system through a trusted VPN they had with Nuance. Unfortunately for Heritage Valley, they never signed a new contract with Nuance, so their suit against Nuance was dismissed.
It's hard to imagine how Heritage Valley could've protected itself and prevented this attack; they had a contract with Dictaphone, but their failure to sign a new agreement with Nuance wasn't the cause of the attack. Regardless, OCR hit Heritage Valley with the biggest ransomware-related fine yet, almost $1 million.
Jeff [2:59 PM]
[ Thursday, August 01, 2024 ]
Baim Institute for Clinical Research Suffers Ransomware event and Data Disclosure: According to this analysis by Safety Detectives, Baim Institute for Clinical Research was a victim of a ransomware event, did not pay the ransom, and some of the data was subsequently posted on the internet.
There are many interesting aspects to this breach. First, it's unclear whether HIPAA is implicated; Baim is not a covered entity, but it could be a business associate, depending on who it contracts with and provides services to. To the extent the incident was caused by Baim's lack of sufficient security, it could be a contractual breach by Baim. The data disclosed contains little that would be PHI, and that which is PHI is not likely to be useful for identity theft, since it only includes very limited information about adverse events, and it's unclear if even patient names are included (age and gender are data points that can remain in de-identified PHI); however, the data could potentially be useful for blackmail, public embarrassment of the study participants, etc. The disclosed data seems to have 3 value points: (i) reputational damage to Baim by exposing them as potentially bad data stewards; (ii) possible disclosures of Baim's business relationships that a competitor might exploit; and (iii) information about particular studies that could indicate whether a drug in development might be a blockbuster or flop (and therefore potentially affect the stock price of the sponsor).
It is yet one more message to the industry: it's not a question of if, but of when, and if you are not prepared for a ransomware attack, you deserve what you get. Good backups, good perimeter security, good testing of your systems and staff, and good mapping of your systems can go a long way to preventing most attacks, and allowing you to recover from those lucky dogs that get through.
Good work by Safety Detectives.
Jeff [9:20 AM]
OneBlood Blood Donation Center Hit by Ransomware Attack: The blood donation and distribution organization, which supports 350 hospitals across Florida, Georgia and the Carolinas, is suffering disruption of its blood collection efforts due to the attack.
Jeff [8:35 AM]
[ Wednesday, July 24, 2024 ]
2024 Will Be Big: I have a feeling 2024 will be a record year for data breaches, both in number of breaches overall and the size of the breaches (given the AT&T and Change breaches).
Jeff [8:28 AM]
[ Thursday, July 11, 2024 ]
Change Healthcare Updates its Breach Notice. They added a timeline, apparently, and are going to finally start sending notices to affected individuals.
I expect that most of us will get a letter, since I expect at least 3/4 of all Americans had data passing through Change one way or another. I am also still expecting a record fine from OCR on this, perhaps 9 figures.
Jeff [8:47 AM]
[ Tuesday, July 09, 2024 ]
If you're using MOVEit, you should PATCHit first: Lots of folks in the healthcare industry use MOVEit for file transfers; about a year ago, there were a lot of breaches because of a vulnerability in the software. Well, it appears that there are a couple more.
Jeff [8:53 AM]
[ Tuesday, July 02, 2024 ]
Geisinger data breach impacted 1.2 million people: This breach is interesting because it's a disgruntled former employee of a vendor who accessed the data for 2 days, so the spread of it might be more limited than a general hacking attack.
Jeff [9:51 AM]
OCR settles ransomware and cybersecurity investigation involving Heritage Valley Health for $950,000: This is the 3rd settlement of a ransomware incident by OCR and may indicate a focus by OCR specifically on cyberattacks. OCR cited Heritage Valley for the usual problems, including failure to do a sufficient risk analysis, failure to implement a contingency plan, and failure to implement appropriate HIPAA policies and procedures.
Jeff [9:41 AM]
New Social Engineering Schemes Target Healthcare: The FBI and HHS are warning healthcare industry participants about increased phishing and other schemes targeting the healthcare industry. Ransomware and cyberattacks are up; protect yourself.
Jeff [9:25 AM]
[ Monday, June 24, 2024 ]
Federal Court Blocks HHS Rule Prohibiting Use of Web Tracking Technologies Such as Google Pixel: As you probably know, HHS has issued guidance to HIPAA Covered Entities that they cannot use web-tracking technology if the tech provides any possible PHI to the tech provider. Most websites have tracking technology; it tells the site owner what pages attract viewers and how they act when they get there (i.e., which buttons they click and how they respond to certain elements on the site). These allow the site owner to know what's working, what customers are looking for, where they should provide more or less services, etc.
The problem is that the tech provider usually also wants the data generated by the tracking tech. The tech provider can use the greater amount of consumer action data to make the technology better, improve their algorithms, etc. The problem is that the tech providers generally don't sign BAAs; they are not really getting PHI (the information may be entirely random, such as when a student is looking at a site for information on types of clinical treatment for a particular type of cancer). However, in some instances, such when people with that type of cancer are looking for treatment for themselves, the fact that the person looked up treatment options could be evidence that the person has that condition, which would be PHI.
In most instances, the websites have Terms of Use and Privacy Policies that note that tracking technologies are used, so website visitors are forewarned of the potential disclosures. However, those warnings certainly don't meet the requirements of a HIPAA authorization.
There have been class action lawsuits (one even settled with a large payout!) claiming that the use of the technology by a HIPAA-covered Entity is a HIPAA violation because of those instances where it is a person with the condition; the Covered Entity has disclosed that website visitor's PHI (the visitor's IP address linked to the cancer diagnosis) to the technology provider for a non-HIPAA-permitted purpose without a BAA.
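To see how a tracker turns a page visit into something that looks like PHI, it helps to look at what the pixel request actually carries. The following is an added example, not code from the blog or from any tracking vendor: it audits a capture of outbound requests, extracts every copy of the visited page's URL that a beacon sends (URL-valued query parameters such as a `dl` document-location field, plus the Referer header), checks whether the page is one whose visit alone suggests a condition or patient status, and decides whether the beacon stays inside the covered entity. The hostnames, path prefixes, parameter names and the captured requests are all assumptions constructed for the example.

```python
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: the covered entity's own hostnames, and the
# URL paths whose mere visit can suggest a diagnosis or that the visitor is
# a patient (treatment pages, the patient portal, scheduling).
FIRST_PARTY_HOSTS = {"www.example-hospital.org"}
SENSITIVE_PATH_PREFIXES = ("/oncology/", "/behavioral-health/", "/portal/", "/appointments/")

# Constructed capture of requests fired while browsing the site, the kind of
# record a HAR export or an intercepting proxy would produce (not real traffic).
CAPTURED_REQUESTS = [
    # Vendor analytics on a non-clinical page.
    {"page": "https://www.example-hospital.org/about/leadership",
     "url": "https://analytics.example-vendor.net/collect?v=1&cid=1234.5678"
            "&dl=https%3A%2F%2Fwww.example-hospital.org%2Fabout%2Fleadership",
     "headers": {"Referer": "https://www.example-hospital.org/about/leadership"}},
    # Same vendor on a treatment page: the page URL travels in the 'dl'
    # parameter and again in the Referer header, alongside the visitor's IP.
    {"page": "https://www.example-hospital.org/oncology/treatment-options/chemotherapy",
     "url": "https://analytics.example-vendor.net/collect?v=1&cid=1234.5678"
            "&dl=https%3A%2F%2Fwww.example-hospital.org%2Foncology%2Ftreatment-options%2Fchemotherapy",
     "headers": {"Referer": "https://www.example-hospital.org/oncology/treatment-options/chemotherapy"}},
    # Ad pixel that puts nothing in the query string but fires from the
    # portal: the Referer header and the client IP still reach the ad network.
    {"page": "https://www.example-hospital.org/portal/appointments",
     "url": "https://px.example-adnetwork.com/p.gif?ev=pageview",
     "headers": {"Referer": "https://www.example-hospital.org/portal/appointments"}},
    # First-party metrics endpoint: the same data, but it never leaves the entity.
    {"page": "https://www.example-hospital.org/portal/appointments",
     "url": "https://www.example-hospital.org/_metrics?ev=pageview",
     "headers": {"Referer": "https://www.example-hospital.org/portal/appointments"}},
]


def is_sensitive(page_url: str) -> bool:
    return urlsplit(page_url).path.startswith(SENSITIVE_PATH_PREFIXES)


def page_urls_sent(req: dict) -> set[str]:
    """Every copy of the visited page's URL the request carries: any
    URL-valued query parameter plus the Referer header."""
    sent: set[str] = set()
    for values in parse_qs(urlsplit(req["url"]).query).values():
        sent.update(v for v in values if v.startswith(("http://", "https://")))
    referer = req["headers"].get("Referer")
    if referer:
        sent.add(referer)
    return sent


def assess(req: dict) -> dict:
    """Decide what the receiving server learns and whether the beacon is acceptable."""
    host = urlsplit(req["url"]).hostname or ""
    third_party = host not in FIRST_PARTY_HOSTS
    sensitive = is_sensitive(req["page"])
    if not third_party:
        verdict = "allow"    # no disclosure outside the covered entity
    elif sensitive:
        verdict = "block"    # visitor IP + condition-suggesting page to a vendor with no BAA
    else:
        verdict = "review"   # third-party beacon on a non-clinical page: confirm what it collects
    return {"host": host, "third_party": third_party, "sensitive": sensitive,
            "page_urls_sent": sorted(page_urls_sent(req)), "verdict": verdict}


def audit(requests: list[dict]) -> dict[str, str]:
    """Map each captured request URL to its verdict, in capture order."""
    return {r["url"]: assess(r)["verdict"] for r in requests}


if __name__ == "__main__":
    for r in CAPTURED_REQUESTS:
        a = assess(r)
        print(f"{a['verdict']:<7} {a['host']:<32} page_urls_sent={a['page_urls_sent']}")
```

Run it against a HAR export from your own site and the "review" bucket is the list of vendors you need a BAA with or need to remove; the "block" bucket is the pages where a tracker should never have been loaded in the first place.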
The American Hospital Association sued HHS over the guidance, and a Federal District Court in the Northern District of Texas has ruled that HHS overstepped its legal authority in attempting to enforce HIPAA in that fashion.
For now, providers can go back to using trackers, but keep an eye out, HHS might appeal.
Jeff [8:43 AM]
[ Friday, May 24, 2024 ]
CentroMed: Lightning Strikes Twice: It's a dumb aphorism that "lightning never strikes twice." Lightning is always more likely to strike the tallest thing around. Why have a lightning rod as a defense if not for the fact that you want lightning to strike it rather than some other place?
Jeff [8:20 AM]
[ Tuesday, May 21, 2024 ]
HHS, ARPA-H announce UPGRADE program to automate cybersecurity for healthcare entities: The Advanced Research Projects Agency for Health (a technology funding agency in HHS) has announced that it will put $50 million toward finding ways to enhance and automate cybersecurity in the healthcare arena through a new program called UPGRADE (Universal PatchinG and Remediation for Autonomous DEfense -- yes, like most clinical research trials, it's a tortured acronym). If they can actually set up a program that sets automatic patching and recognized-security-practices-type policies that the average healthcare entity can easily adopt, that would be great. I have a feeling that instead they'll produce hour-long videos and 1,000-page white papers that spend WAY too much time rationalizing the agency's people and processes, such that the end product will be a huge waste of time for users.
We'll see. . . .
Jeff [10:34 AM]
[ Tuesday, May 14, 2024 ]
AHA and H-ISAC Issue Black Basta Warning: The American Hospital Association and the Health Information Sharing and Analysis Center (H-ISAC) have jointly issued a warning to health systems about a Russian hacker group known as Black Basta that is specifically attacking the US health sector. The warning comes on the heels of the Ascension cybersecurity incident that is still snarling that system's ability to provide care.
Grab a printout of your last Security Risk Assessment and look at any cyber-defenses that you are lacking; if there's anything that a hacker could exploit, fix it now (or at least put warning bells and buzzers around it). If you can't put your hands on your last SRA, you don't have one (basically in violation of HIPAA). You should also be (i) auditing access and data transfer flows (your staff should be accessing data and you should be moving it around -- transferring to other providers and payors, etc. -- but if people are accessing data they shouldn't, or large data files are being transferred to a Nigerian IP address at 3 am on Saturday, something's probably wrong); (ii) regularly backing up your data to serial, secure, and encrypted data backup sites that are disconnected from the internet; (iii) implementing MFA; (iv) mapping your data systems, which will allow you to close unused data ports and shut down internet access to any parts of your computing environment that don't need it; (v) implementing encryption where possible; (vi) using firewalls and virus scanning tech; and (vii) testing your people and systems to keep your most vulnerable line of defense sharp (penetration testing from the outside in, phish testing and training from the inside out).
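The audit point in (i) above, and the "system activity review" failure OCR cited in the Gulf Coast Pain Consultants settlement (a former contractor whose access was never cut off) and the Cascade Eye and Skin settlement, comes down to routinely asking a few questions of your access and transfer logs. The following is an added example of that review in Python; it is not code from the blog or from any product. The log format, the HR termination feed, the internal network ranges, the partner allow-list and every threshold are assumptions, and the log lines are constructed.

```python
from __future__ import annotations

import csv
import io
import ipaddress
from collections import defaultdict
from datetime import date, datetime

# Constructed sample audit log in an assumed CSV format (not real data):
# ts,user,action,patient_id,bytes,dest_ip
SAMPLE_LOG = """\
ts,user,action,patient_id,bytes,dest_ip
2024-05-11T03:02:10,jsmith,export,,850000000,198.51.100.23
2024-05-13T09:15:00,jsmith,view,P1001,0,
2024-05-13T10:00:00,rlee,export,,12000000,10.0.4.20
2024-05-13T11:05:12,contractor7,view,P2001,0,
2024-05-13T11:05:40,contractor7,view,P2002,0,
2024-05-13T13:00:00,mwong,view,P3001,0,
2024-05-13T13:00:20,mwong,view,P3002,0,
2024-05-13T13:00:41,mwong,view,P3003,0,
2024-05-13T13:01:02,mwong,view,P3004,0,
2024-05-13T14:30:00,rlee,export,,250000000,203.0.113.9
"""

# Assumed HR feed: accounts whose access should have been removed, keyed to
# the date the engagement ended (the "former contractor" case).
TERMINATED = {"contractor7": date(2024, 3, 31)}

# Assumed internal address space, and an assumed allow-list of external
# destinations you legitimately send PHI to (e.g. a clearinghouse SFTP host).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {"203.0.113.9"}

# Thresholds are assumptions; tune them to your own baseline.
LARGE_TRANSFER_BYTES = 100_000_000
MAX_DISTINCT_PATIENTS_PER_DAY = 3
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59, Monday to Friday


def off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def review(log_text: str) -> list[tuple[str, str, str]]:
    """Run the review rules and return (rule, user, when) findings."""
    findings: list[tuple[str, str, str]] = []
    patients_seen: dict[tuple[str, str], set[str]] = defaultdict(set)

    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        user = row["user"]

        # Rule 1: any activity by an account after its engagement ended.
        ended = TERMINATED.get(user)
        if ended and ts.date() > ended:
            findings.append(("terminated-account-activity", user, row["ts"]))

        # Rule 2: exports leaving the internal network to a destination that is
        # not an approved partner, and large exports at odd hours even to an
        # approved one (the 3 am Saturday case).
        if row["action"] == "export" and row["dest_ip"]:
            if external(row["dest_ip"]) and row["dest_ip"] not in ALLOWED_EXTERNAL:
                findings.append(("export-to-unapproved-external-ip", user, row["ts"]))
            if int(row["bytes"]) >= LARGE_TRANSFER_BYTES and off_hours(ts):
                findings.append(("large-off-hours-export", user, row["ts"]))

        # Collect the distinct patient records each user touched per day.
        if row["patient_id"]:
            patients_seen[(user, ts.date().isoformat())].add(row["patient_id"])

    # Rule 3: record-browsing volume that a normal clinical workflow would not
    # produce (how tens of thousands of records end up in false claims).
    for (user, day), ids in patients_seen.items():
        if len(ids) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings.append(("high-volume-record-access", user, day))
    return findings


if __name__ == "__main__":
    for rule, user, when in review(SAMPLE_LOG):
        print(f"{when}  {user:<12} {rule}")
```

On the constructed log this flags the weekend export to an unapproved address twice (wrong destination and wrong time), both views by the terminated contractor, and one user's record-browsing volume, while the weekday export to the approved partner passes. Running something this simple on a schedule is what "system activity review" means in practice; the hard part is keeping the termination feed and the allow-list current.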
If you aren't taking a serious look at your cyber defenses, you'll have no one to blame but yourself if you get caught by one of these bandits.
Jeff [8:38 AM]
[ Monday, May 13, 2024 ]
Ascension Hit With Ransomware Attack: The story is still breaking, but Ascension Health was the victim of a cyberattack that affected its EMR and MyChart, in addition to disrupting service at hospitals, clinics, and emergency rooms.
Jeff [8:52 AM]
[ Thursday, May 02, 2024 ]
Size Matters: Just how big is the Change Healthcare breach? Over 100 million Americans may be affected.
I rode in a 150-mile bike ride between Houston and College Station, Texas last weekend; the Bike MS 150 raises money for research into a cure for multiple sclerosis. There were several thousand riders, of all shapes, sizes, athleticism and biking skills. No matter who you are, odds are there's someone faster than you and someone slower than you. That gives you the opportunity to find a rider (or more likely a group of riders) who are slightly faster than you, upon whom you can "draft" as they ride past. One thing you learn while riding in a large group is the benefit of numbers and the concept of the Peloton: the lead rider cuts a path through the air molecules such that trailing riders can exert less energy to keep up the same speed; likewise, the riders close behind the lead rider cut the aerodynamic "drag" on that rider by disrupting the backdraft that would normally happen.
So when you are riding by yourself and a group passes you by a couple miles per hour faster, you can drop into the air behind them and ride at their speed with the same level of effort (or less) than you were exerting by yourself. The pack of riders create a "wind shadow" that hides you from the mass of air you would otherwise be riding into (as if against the wind).
I bring this up because something occurred to me this morning: the Change breach may end up creating a "wind shadow" for other providers who are dealing with data breaches over the next few years, at least with respect to lawsuits for breach damages: how can a plaintiff prove that his damages were caused by Dr. Smith's data breach when the plaintiff's data was already exposed via the Change breach?
Jeff [8:11 AM]
[ Tuesday, April 23, 2024 ]
United Healthcare: It's been a bad spring for UHC: their pharmacy order and clearinghouse subsidiary Change Healthcare suffered one of the most impactful cybersecurity events in healthcare, resulting in delayed prescription deliveries and payment processing for providers and plans. We are now learning that hackers from the AlphV hacker group (also referred to as BlackCat) apparently accessed Change's systems February 12 and began stealing data. On February 21, AlphV detonated a ransomware bomb that encrypted and froze the bulk of Change's system, basically shutting down Change's claims processing and clearinghouse function, along with its Optum affiliate that processes pharmacy orders. UHC has now announced that the data was stolen and is now being disclosed by the hackers.
Wired magazine reported that Change paid $22,000,000 in ransom to get the hackers to return or destroy the data. Now, UHC is announcing that the hackers are disclosing the data anyway. Who would've thought hackers wouldn't honor their promises?
Jeff [8:20 AM]
A discussion of medical privacy issues buried in political arcana
E-mail me at jdrummond-at-jw.com