Total Articles: 18
Cooley Godward Kronish LLP. • January 18, 2012
Among other things, 2012 will be the year of the Department of Health and Human Services ("HHS") Office of Civil Rights ("OCR") pilot audit program to assess compliance with the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules and Breach Notification standards. The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, required that HHS conduct periodic audits to monitor and ensure compliance with HIPAA. OCR will implement this requirement through a pilot program of 150 audits from November 2011 through December 2012, including an initial wave of 20 audits that will inform how the remaining audits will be conducted. OCR has established a HIPAA Audit Program website.
Ford & Harrison LLP • December 13, 2011
Executive Summary: The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently launched a pilot audit program as part of its HIPAA enforcement efforts. OCR intends to audit a range of HIPAA-covered entities and plans to use resulting audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective. Audits conducted during the pilot phase will conclude by December 2012. In addition to the audit program, OCR will continue to accept HIPAA-related complaints from individuals.
Constangy, Brooks & Smith, LLP • November 14, 2011
The Office for Civil Rights ("OCR") of the Department of Health and Human Services has announced an audit initiative under which it intends to conduct audits of up to 150 covered entities to review compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The audit will focus on the HIPAA privacy and security requirements. The OCR will select a broad range of entities, including health plans and health care providers of all sizes. HIPAA audits begin immediately.
Fisher & Phillips, LLP • May 04, 2011
Health and Human Services' (HHS) Office for Civil Rights (OCR) has sent a strong message about its commitment to enforcement of the HIPAA Privacy and Security Rules by announcing two HIPAA Privacy Rule enforcements within one week, one of which includes the first ever use of civil monetary penalties for a HIPAA Privacy Rule violation.
Jones Walker • March 30, 2011
In the first civil monetary penalty (CMP) imposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for a covered entity’s violation of the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HHS notified Cignet Health, Cignet Health Center, Cignet Health Plan, and/or Cignet Health Care (Cignet) in a Notice of Final Determination, dated February 4, 2011, that Cignet had violated HIPAA and was subject to a CMP in the amount of approximately $4.3 million.
Jones Walker • March 30, 2011
On February 14, 2011, The General Hospital Corporation and Massachusetts General Physician Organization, Inc. (Mass General) entered into a Resolution Agreement with the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) to settle claims that Mass General violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by failing to safeguard the protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.
Constangy, Brooks & Smith, LLP • March 21, 2011
The U.S. Department of Health and Human Services (HHS) has recently imposed significant penalties against two entities for violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), signaling the government's intent to seriously enforce the HIPAA privacy requirements. In one case, Cignet Health (Maryland) was fined $4.3 million dollars for failing to comply with the HIPAA requirement to provide patients with access to their medical records (actually, $1.3 million for failing to provide the records, and $3 million for not cooperating with the government's investigation). The allegations involved the alleged failure of Cignet to provide 41 individuals access to their records between September 2008 and October 2009. During the course of the investigation, Office for Civil Rights (OCR) of the HHS (the office of enforcement of the HHS for HIPAA privacy issues) determined that Cignet willfully neglected the obligation to cooperate with OCR and did not attempt to resolve the patient issues. The penalty, which was significant in amount, is the first such assessment by HHS for failure to comply with the HIPAA requirements.
Jones Walker • June 21, 2010
On February 17, 2009, the Health Information Technology For Economic and Clinical Health Act, also known as the “HITECH Act,” was signed into law. The HITECH Act was one of the provisions contained in President Obama’s American Recovery and Reinvestment Act (ARRA), which in addition to describing Federal initiatives designed to encourage the use of health information technology, made some significant changes to the existing Privacy and Security Regulations that are a part of the Health Insurance Portability and Accountability Act or “HIPAA.” These changes, many of which became effective in February 2010, include new rules regarding an individual’s right to receive an accounting of disclosures of their protected health information (PHI), provisions regarding business associate accountability and liability, and new limitations on the use and disclosure of PHI. The HITECH Act strengthened HIPAA’s enforcement provisions, by, among other things, giving State attorneys general the right to bring civil actions in federal courts for violations of the privacy and security rules, and also increased HIPAA’s penalty provisions by creating a tiered penalty approach to violations, such that the more severe the violation, the higher the penalty. For example, whereas prior to the passage of the HITECH Act, the U.S. Department of Health and Human Services (HHS) could have imposed a fine of not more than $25,000 per entity per calendar year, penalties now can be as high as $1.5 million per entity per calendar year
Jones Walker • June 16, 2010
On February 17, 2009, the Health Information Technology For Economic and Clinical Health Act, also known as the “HITECH Act,” was signed into law. The HITECH Act was one of the provisions contained in President Obama’s American Recovery and Reinvestment Act (ARRA), which in addition to describing Federal initiatives designed to encourage the use of health information technology, made some significant changes to the existing Privacy and Security Regulations that are a part of the Health Insurance Portability and Accountability Act or “HIPAA.” These changes, many of which became effective in February 2010, include new rules regarding an individual’s right to receive an accounting of disclosures of their protected health information (PHI), provisions regarding business associate accountability and liability, and new limitations on the use and disclosure of PHI.
Cooley Godward Kronish LLP. • February 18, 2010
The American Recovery and Reinvestment Act of 2009 is commonly known for its provisions designed to stimulate a flagging economy. However, the Act's Title XIII (known as the "Health Information Technology for Economic and Clinical Health Act" or "HITECH Act") has another purpose—to impose obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") directly on business associates (as defined under HIPAA) with respect to the way they handle certain health-related information in connection with an employer's health plan and to impose civil or criminal penalties for any violations of those obligations. This Alert discusses how business associates are affected by the HITECH Act and what employers should do to monitor the compliance of business associates under the HITECH Act.
Ford & Harrison LLP • October 07, 2009
In August 2009, the Department of Health and Human Services (HHS) issued its interim final rule with regard to requirements for notification in the event of a breach of unsecured protected health information (PHI). Among other notification requirements (including notice to impacted individuals and in some cases notice to the media), the interim final rule requires covered entities (i.e. health plans, healthcare clearinghouses or certain health care providers) to provide notice to HHS of any breach of unsecured PHI:
Vedder Price • September 17, 2009
HIPAA Breach Notification Rules.
Ogletree Deakins • August 13, 2009
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17 as part of the American Recovery and Reinvestment Act of 2009 (H.R. 1), also known as the economic stimulus bill. The legislation was designed to advance the use of health information technology, such as electronic health records.
Fisher & Phillips, LLP • May 06, 2009
The American Recovery and Reinvestment Act (ARRA), signed by President Obama into law on February 17, 2009, included changes to the health information privacy and security rules under HIPAA, the Health Insurance Portability and Accountability Act of 1996.
Ford & Harrison LLP • February 24, 2009
The American Recovery and Reinvestment Act ("ARRA") signed into law on February 17, 2009 includes significant changes to the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Below are highlights of some of the significant changes and their effective dates.
Fisher & Phillips, LLP • March 30, 2007
In 2006, the IRS, HHS and DOL issued HIPAA regulations for wellness programs, outlining how those programs should be designed.
Nexsen Pruet • September 12, 2005
Employers who sponsor and administer employee health plans need to take action to comply with two new sets of rules under the Health Insurance Portability and Accountability Act (HIPAA).
Vedder Price • February 17, 2005
On December 30, 2004, the Departments of Treasury, Labor and Health and Human Services jointly issued final and proposed regulations regarding the portability requirements under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").