Tag archives: HIPAA

FCC TCPA order partially upheld and partially set aside

Data Protection Report - digital privacy, CCPA and cybersecurity

On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on the Federal Communications Commission (FCC) omnibus order of 2015, relating to challenges to four of the FCC’s determinations relating to cell phones. The appellate court upheld the FCC’s determinations that consumers can revoke consent to receive marketing calls by “any reasonable means” that clearly expresses the desire to receive no further messages from the caller, and an exception for certain “emergency” healthcare-related calls. On the other hand, the court set aside the FCC’s decision regarding the definition of an “automatic telephone …

Uber as a HIPAA business associate

Norton Rose Fulbright - Data Protection Report blog

Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the roughly $150 billion per year the healthcare industry loses due to missed appointments. …

Connecticut case finds health care privacy cause of action


On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy. (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA. In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA.…

US HHS OCR issues cyber extortion newsletter


This week, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January 2018 newsletter focusing on “cyber extortion.” Cyber extortion often involves an attacker gaining access to an organization’s computer system, stealing sensitive information, and threatening to publish the information. Healthcare and public health organizations are often the targets of these attacks, so affected data frequently includes protected health information, or PHI. The OCR newsletter indicates that incidents of cyber extortion have been steadily increasing over the past several years and will continue to disrupt many organizations.…

South Dakota and Colorado strengthen data breach protections


Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in light of Congress’s inaction regarding data breach legislation.…

HHS Update: Looking Toward Audits and Increased Enforcement


The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply with the new set of HIPAA Omnibus rules. The OCR has made clear that it is not focused merely on large institutions or hospital systems. In …

Your Money or Your PHI: New Guidance on Ransomware


On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements assists healthcare entities in preventing and recovering from ransomware attacks.…

New HIPAA compliance resource available to mobile health app developers


As we reported on the Health Law Pulse blog, the HHS Office of Civil Rights (OCR) has unveiled a new resource to provide mobile health developers guidance on complying with applicable Health Information Portability and Accountability Act (HIPAA) requirements. The portal allows developers to submit questions and offer comments on existing OCR guidance regarding how mobile medical applications may be subject to HIPAA. OCR’s intent in offering the portal is to create a “safe space” where developers may submit inquiries on an anonymous basis, without fear of subsequent enforcement action.

More information about the portal can be found here.

Anthem breach poses significant cybersecurity risks for Anthem’s customers; may trigger legal obligations


Organizations whose employees are insured by Anthem or whose self-insured health plans are administered by Anthem should consider steps to mitigate the cybersecurity and legal risk arising from the breach recently reported by Anthem.

The hackers who perpetrated the Anthem breach are likely to use the personal information they took for further cyberattacks against affected individuals and employers, including to gain access to business information using social engineering attacks and other methods. Anthem’s business customers are advised to take immediate steps to harden their cybersecurity defenses, raise cybersecurity awareness among employees concerning likely secondary attacks, and remain vigilant against further …

Encryption of patient personal information to be the law of the land in New Jersey


Following a number of reports of theft and misplacement of computer disks, laptops, and thumb drives containing unencrypted patient information from New Jersey medical centers, the New Jersey state legislature enacted a law on January 9, 2015, which prohibits health insurance carriers from electronically compiling and maintaining certain patient information unless that information has been encrypted.

The law, New Jersey S562 (“S562”), which will become effective on August 1, 2015, supplements the New Jersey Division of Consumer Affairs Consumer Fraud Act. It was passed in response to an epidemic of breaches at New Jersey hospitals that resulted in the …
