

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

January 23, 2008

HIPAA Privacy and Security Update

This Legal Alert discusses recent updates regarding the Privacy and Security regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA).

The Department of Health and Human Services Office of Civil Rights (OCR) has received 32,487 complaints regarding the HIPAA Privacy regulations. It has referred 419 cases to the Department of Justice (DOJ) for criminal investigation. In addition, OCR has referred 215 cases that may represent potential violations of the HIPAA Security regulations to the Centers for Medicare and Medicaid Services (CMS). CMS has also announced that it will begin on-site reviews of hospitals' compliance with the Security regulations, expecting to review 10 to 20 hospitals in the next nine months. The first reviews are expected to be of hospitals where CMS has received complaints about security practices and larger hospitals nationwide. Remote access to data and use of portable storage devices are among the issues that CMS is expected to review.

In addition, a New York State appellate court recently ruled that punitive damages may be imposed on a health care provider for unintentional but grossly negligent and/or reckless breaches of confidentiality or breaches that show callous indifference to a patient's right to confidentiality, where the breach has the potential to cause significant harm to the patient. The court stated that the right of patients to privacy of protected health information is so important a public policy that even an inadvertent breach might in some cases warrant punitive damages. The defendant in the case discussed with a patient's mother information regarding the patient, which led the mother to surmise that her daughter had had an abortion at defendant's clinic. Punitive damages are not always covered by malpractice insurance. Providers dealing with patients under care of a very sensitive nature (HIV-related illness, abortion, sexually transmitted diseases, mental health issues, alcohol and substance abuse treatment, etc.) should be particularly mindful of this case, as it is likely that the disclosure of those types of information might lead to the same analysis by a jury or court.

For providers, these developments further support the need for a sound HIPAA compliance plan. Ensuring compliance before a complaint or investigation is far more effective, and much less expensive, than defending an investigation or other review. Hiscock & Barclay, LLP has experience in assisting providers with HIPAA-compliance efforts, including the provision of training, and with responding to regulatory reviews and investigations.

Should you need assistance in these matters or in the development or update of a HIPAA compliance program, please contact Melissa M. Zambri, Partner in the Firm's Health Care and Human Services Practice Area.

