Tag archives: HIPAA

OCR and FTC Issue a Joint Letter Suggesting Enforcement Actions May Be in the Pipeline

On July 20, 2023 HHS and the Federal Trade Commission (“FTC”) issued a joint letter to approximately 130 companies regarding their online data collection processes. The letter follows the much discussed December 1, 2022, Bulletin that expanded the kinds of websites and applications governed by HIPAA (you can read about our analysis of the bulletin … Continue reading

HHS: Online trackers without prior authorization and BAAs can violate HIPAA

By Steve Roosa (US), Anna Rudawski (US), Susan Ross (US) and Daniel Rosenzweig (US) on December 5, 2022 Posted in Compliance and risk management

HHS: Online trackers without prior authorization and BAAs can violate HIPAA By Steve Roosa, Sue Ross, Dan Rosenzweig On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Bulletin”). In the … Continue reading

OCR proposes to share HIPAA data breach settlements with victims

By on May 22, 2018 Posted in Data breach

Data Protection Report - Norton Rose Fulbright

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.… Continue reading

NIST releases latest version of its Cybersecurity Framework

By on April 19, 2018 Posted in Compliance and risk management

On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017.… Continue reading

FCC TCPA order partially upheld and partially set aside

By Susan Ross (US) on March 17, 2018 Posted in Dispute resolution and litigation

Data Protection Report - digital privacy, CCPA and cybersecurity

On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on the Federal Communications Commission (FCC) omnibus order of 2015, relating to challenges to four of the FCC’s determinations relating to cell phones. The appellate court upheld the FCC’s determinations that consumers can revoke consent to receive … Continue reading

Uber as a HIPAA business associate

By Alexis Wilpon (US) on March 7, 2018 Posted in General

Norton Rose Fulbright - Data Protection Report blog

Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the … Continue reading

Amended Colorado bill aims to enhance data privacy laws

By on February 21, 2018 Posted in Regulatory response

As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.… Continue reading

Connecticut case finds health care privacy cause of action

By Susan Ross (US) on February 15, 2018 Posted in Regulatory response

On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy.… Continue reading

US HHS OCR issues cyber extortion newsletter

By Alexis Wilpon (US) on February 1, 2018 Posted in Regulatory response

This week, the US Department of Health and Human Services HHS Office for Civil Rights published a January 2018 newsletter focusing on cyber extortion.… Continue reading

South Dakota and Colorado strengthen data breach protections

By on January 29, 2018 Posted in Regulatory response

Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in … Continue reading

HHS Update: Looking Toward Audits and Increased Enforcement

By Anna Rudawski (US) and Mark Faccenda (US) on September 8, 2016 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in … Continue reading

Your Money or Your PHI: New Guidance on Ransomware

By Mark Faccenda (US) and Anna Rudawski (US) on July 14, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised … Continue reading

OCR Launches Phase 2 of the HIPAA Audit Program

By on March 22, 2016 Posted in Compliance and risk management, Regulatory response

The HHS Office for Civil Rights (OCR) announced on Monday that it has launched the long-awaited Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program.… Continue reading

OCR issues guidance on HIPAA Security Rule compliance and mobile health apps

By on March 6, 2016 Posted in Compliance and risk management, Regulatory response

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently published two guidance documents to aid organizations in complying with HIPAA.… Continue reading

New HIPAA compliance resource available to mobile health app developers

By on October 8, 2015 Posted in Compliance and risk management

As we reported on the Health Law Pulse blog, the HHS Office of Civil Rights (OCR) has unveiled a new resource to provide mobile health developers guidance on complying with applicable Health Information Portability and Accountability Act (HIPAA) requirements. The portal allows developers to submit questions and offer comments on existing OCR guidance regarding how mobile medical applications … Continue reading

Health information privacy and security: New compliance considerations in an era of increased interconnectivity – web seminar

By on September 30, 2015 Posted in Compliance and risk management

On Tuesday, October 6, 2015, Norton Rose Fulbright attorneys Boris Segalis, Mark Faccenda and Kimberly Gold will present a health information privacy and security web seminar focused on compliance risks and obligations surrounding connected medical devices and healthcare data.… Continue reading

Anthem breach poses significant cybersecurity risks for Anthem’s customers; may trigger legal obligations

By on February 8, 2015 Posted in Compliance and risk management, Data breach

Organizations whose employees are insured by Anthem or whose self-insured health plans are administered by Anthem should consider steps to mitigate the cybersecurity and legal risk arising from the breach recently reported by Anthem. The hackers who perpetrated the Anthem breach are likely to use the personal information they took for further cyberattacks against affected … Continue reading

Encryption of patient personal information to be the law of the land in New Jersey

By on January 28, 2015 Posted in General

Following a number of reports of theft and misplacement of computer disks, laptops, and thumb drives containing unencrypted patient information from New Jersey medical centers, the New Jersey state legislature enacted a law on January 9, 2015, which prohibits health insurance carriers from electronically compiling and maintaining certain patient information unless that information has been … Continue reading