Photo of Deb Hiser

Deborah focuses her practice on representing physicians, behavioral health providers, hospitals, ambulatory surgery centers and multispecialty clinics in operational and regulatory matters. She successfully guides HIPAA investigations, including breaches involving hundreds of individuals.

On April 24, 2017, the Office of Civil Rights (“OCR”) announced the first HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information by a wireless service provider. CardioNet, an ambulatory cardiac monitoring service, provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias, agreed to pay $2.5 million, and to implement a corrective action plan.

As reported by the OCR, in 2012 CardioNet reported to the OCR the theft of a workforce member’s unencrypted laptop containing electronic PHI (“ePHI”) of 1,391 individuals. OCR’s investigation revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.   Additionally, CardioNet’s provided the OCR draft policies and procedures implementing the HIPAA Security standards, and was unable to produce final policies or procedures implementing the security safeguards for ePHI, including mobile devices.
Continue Reading Mighty Fine – The High Cost ($2.5 Million) for Unsecured ePHI

Remember when Edward Snowden showed the world how easy it is for your cell phone to record everything you say? Initial gut reaction for many was something along the lines of disbelief to shock. As time went by, many people took comfort in the idea that the government could not care less about their day-to-day activities. After all—for most of us—our day consists of the daily routine of workout, work, and daily errands. Yet, spying is not limited to the intelligence community. As we have seen again and again, health information is particularly valuable. Devices such as Internet cameras (think security cameras) or perhaps even web cams (the little lens that stares from the top of your laptop) pose risks to health data. Many health entities have not considered the unique risks posed by such devices, but it is a risk the Federal Trade Commission is not ignoring.
Continue Reading IoT Security: Same…Err…Stuff, Different Day

Anytime we conduct a training, we can’t help but turn blue in the face repeating over and over again the importance of conducting an accurate and thorough risk analysis of electronic PHI (ePHI). In the event of a breach or an audit, one of the first items the Office of Civil Rights (OCR) will ask for is the risk analysis. The OCR has obviously lost its patience for entities that choose or fail to perform an adequate risk analysis. Earlier this month, Advocate Health Care Center (Advocate Health) agreed to pay a massive $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This settlement is the largest to-date against a single entity.
Continue Reading HIPAA punches a serious blow: Advocate Health enters into $5.5-million settlement for violations

My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office of Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016. 
Continue Reading HIPAA compliance: another year older, but hopefully not deeper in debt

There are at least 1,040 reasons to love Florida. Who isn’t drawn to the sunshine, the pristine beaches, the food… and the tax fraud racket? For decades, South Florida has been the Silicon Valley for scam artists, drawn by the weather and the opportunity to make lots of money without actually doing much work. According to the Federal Trade Commission, Florida holds the highest per capita rate of identity theft complaints, followed by Georgia and California. While Medicare fraud, mortgage fraud, and securities fraud have traditionally been the bread and butter of South Florida scam artists, tax refund scams are definitely the new darling. But as the IRS recently announced, it’s the dawn of a new day for tax fraud prevention.
Continue Reading IRS shines the light on tax ID theft

It may still be September, but to countless retailers, Halloween is already here. Passing by displays of spooky items while shopping, the ’80s haunted-house music video “Somebody’s Watching Me” comes to mind: “I always feel like somebody’s watching me, and I have no privacy” (yes, Rockwell has attribution, but Michael rocks the chorus).

The paranoid fellow in the video was worried about the IRS and the mailman – how quaint. In today’s world, high on many consumers’ “creepy stuff” lists is the use of mobile technologies by a growing number of retailers to track customers’ movements in their stores.
Continue Reading Somebody’s watching your privacy policy