News and Insights

Visit regularly for up-to-date information on relevant news, firm announcements and additions to our AZ Health Law Blog.

On August 14, 2013, the Office for Civil Rights (“OCR”) settled violations of HIPAA with Affinity Health Plan, Inc., for over $1.2 million. The settlement arose out of a breach report submitted by Affinity in which it acknowledged that information relating to possibly 344,579 individuals may have been improperly disclosed.

The improper disclosure was revealed s part of an investigative news report in which CBS Evening News purchased a photocopier previously leased by Affinity. CBS reported to Affinity that the hard drive of the copier contained protected health information (“PHI”). After investigating the breach, Affinity reported the breach to OCR. OCR’s investigation concluded that Affinity impermissibly disclosed the PHI by returning the leased copiers without erasing the data on the hard drives. In addition to the monetary settlement, Affinity was required to enter into a corrective action plan under which Affinity must use its best efforts to retrieve all hard drives that were contained on copiers previously leased by Affinity and take measures to safeguard any electronic PHI.

The issue of mobile devices and electronic protected health information (“ePHI”) has become an area of primary concern as health care providers increasingly use mobile devices to communicate with patients or other providers. The Office of the National Coordinator for Health Information Technology, the agency that spearheads the promotion of health information technology, and the Office for Civil Rights, the agency that enforces HIPAA, have taken steps to address this concern.

As the result of a roundtable discussion and public demand, the agencies have developed an educational initiative in accordance with HIPAA’s Privacy and Security Rules. The initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, offers health care providers and organizations tips on ways to protect their patients’ protected information on laptops, tablets, and smart phones.

The initiative seeks to educate providers on the risks associated with using mobile devices in the office setting, and offers tips to reduce the possibility of improper use or disclosure of the information on the devices, including using encryption software, firewalls, and password protection. The initiative was developed with HIPAA requirements in mind, but it does not guarantee compliance with HIPAA. HIPAA requires providers to assess their security and privacy risks and to develop and implement policies and procedures specific to the use of mobile devices in the office setting.

For more information on this initiative, visit

The government has published regulations that make sweeping changes to HIPAA. The regulations implement requirements of the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act of 2008.

The final rule implements the following changes:

  • Business associates are directly liable for certain aspects of compliance with HIPAA.
  • Disclosures of protected health information (“PHI”) for marketing and fundraising purposes are limited.
  • The authorization process for patients being enrolled in research studies is refined.
  • Requirements for notifying patients and the government in the event of a breach of unsecured PHI are clarified.
  • The penalty structure for violating HIPAA is revised.
  • Genetic information may not be used or disclosed by health plans for underwriting purposes.

Further changes to the HIPAA Privacy and Security Rules enable patients to exercise greater control over their information, and how it is used and disclosed. For example, Individuals may instruct their providers not to disclose treatment information to health plans if the individual has paid cash for the treatment, and patients will now be able to request their PHI to be provided to them in electronic form.

The official version of “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Act; Other Modifications to the HIPAA Rules,” will be published in the Federal Register on January 25, 2013.


The Office for Civil Rights entered into a $50,000 settlement with Hospice of North Idaho (“HONI”) relating to violations of HIPAA. This settlement, which stemmed from a breach of electronic protected health information (ePHI), has resulted in the first settlement for a violation involving fewer than 500 patients.

The HITECH amendments created an obligation that practices must report certain breaches of “unsecured protected health information” to the government. For breaches involving fewer than 500 individuals, the practice may report the violations in an annual report.

The investigation into HONI stemmed from a breach report submitted by HONI following the theft of a laptop computer that contained ePHI of 441 patients. During the investigation, the OCR found that HONI had no policies or procedures for protecting ePHI on mobile devices as required by HIPAA, nor had HONI conducted a risk analysis to safeguard this information. The OCR stated that “[t]his action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

Practices should ensure their policies and procedures are current and adapted to the practice’s methods of communicating about patients.

For more information, visit HHS’s Press Release.

The HITECH Act, which amended HIPAA, requires the Office for Civil Rights (“OCR”) to audit physician practices and other “covered entities” for compliance with HIPAA requirements. The OCR performed a pilot phase of 115 audits conducted between November 2011 and October 2012. The OCR will target all types of covered entities, including “small providers,” which include most physician practices.

The OCR’s audit assesses compliance against 77 security standards, or “protocols,” and 88 protocols relating to privacy and breach notification standards. In its initial 20 audits, the OCR found that 77% of the privacy audit issues, and 61% of the security audit issues, occurred in the small providers. The protocols emphasize extensive documentation, including written policies and risk assessments, compliance activities, training programs, and even documentation of decisions not to take certain compliance or security steps.

The OCR will review practices’ “processes, controls, and policies” to assess whether the practices are complying with the Privacy, Security, and the Breach Notification Rules. The audit mandate requires the OCR to review Privacy Rule requirements including (1) notice of privacy practices for “protected health information” (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. For the Security Rule, the OCR will review a practice’s administrative, physical, and technical safeguards. The OCR will assess a practice’s compliance with the Breach Notification Rule, including a practice’s assessment of the chances of experiencing a breach; what to do in the event of a breach; and the ongoing obligations in the event of a breach. Deficiencies found in audits of “business associates” of practices, which will be performed in a later audit waive, may lead to an audit of the practice. 

The OCR’s discovery of a violation of HIPAA requirements may result in significant fines and potential exclusion from the Medicare program.

For a more detailed examination of the audit protocols, click here.

« Previous PageNext Page »