
As a member of the Privacy, CyberSecurity & Media Group, Ms. Podbielski assists clients in analyzing and responding to data security incidents governed by state and federal privacy laws. In addition to incident response counseling, Ms. Podbielski advises health care clients on compliance matters under the Health Insurance Portability and Accountability Act (HIPAA), including guidance on conducting risk assessments, developing policies and procedures, and complying with the minimum necessary standard. She regularly counsels a variety of clients on matters pertaining to state and federal tax exemption, state and federal privacy and security laws, and health care regulation. As a member of the Trade & Professional Associations Group, Ms. Podbielski has advised a variety of tax-exempt organizations, including organizations exempt under sections 501(c)(3), (c)(4), (c)(6) and (c)(7) of the Internal Revenue Code, on issues related to exempt status, including eligibility and application for exemption, state solicitation and registration law compliance, and annual filings with the Internal Revenue Service.

HIPAA Civil Penalty Annual Limits Plummet

Recognizing that different levels of culpability warrant different annual civil penalty limits, the Department of Health and Human Services adopted a notification on April 23, 2019, to be published in the Federal Register on April 30, 2019, that reduces the majority of the caps on annual civil penalties. See 45 C.F.R. Part 160.

Delay of HIPAA Phase Two Audits: Preparing for the Inevitable

The American Recovery and Reinvestment Act of 2009 (ARRA) tasked the Office for Civil Rights (OCR), the division of the Department of Health and Human Services responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) and the regulations promulgated under it, with conducting audits of covered entities and business associates for compliance with HIPAA. Phase One concluded in 2012, and covered entities and business associates have since been waiting for the rollout of Phase Two. The Phase Two audits will be the first time business associates may find themselves face-to-face with OCR, as the Phase One audits did not include business associates. The protocol for the Phase Two audits is to incorporate the changes made by the 2013 Omnibus Final Rule, which vastly expanded the types of entities falling within the definition of "business associate" and implemented regulations prescribed by the Health Information Technology for Economic and Clinical Health Act (HITECH) that make business associates directly liable under HIPAA for compliance with the Security Rule and most of the Privacy Rule.

Phase Two audits were expected to begin in late 2014, but Jocelyn Samuels, the Director of OCR, recently announced that budgetary and staffing considerations have further delayed their rollout. While Ms. Samuels did not specify a date on which the Phase Two audits would commence, she did not downplay their imminence, explaining that the audits would begin "expeditiously."