The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.…
On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017.…
On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on challenges to four determinations in the Federal Communications Commission’s (FCC) 2015 omnibus order relating to cell phones. The appellate court upheld the FCC’s determinations that consumers can revoke consent to receive marketing calls by “any reasonable means” that clearly expresses the desire to receive no further messages from the caller, and an exception for certain “emergency” healthcare-related calls. On the other hand, the court set aside the FCC’s decision regarding the definition of an “automatic telephone …
Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the roughly $150 billion per year the healthcare industry loses due to missed appointments. …
As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.…
On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy. (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA. In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA.…
This week, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January 2018 newsletter focusing on “cyber extortion.” Cyber extortion often involves an attacker gaining access to an organization’s computer system, stealing sensitive information, and threatening to publish the information. Healthcare and public health organizations are often the targets of these attacks, so affected data frequently includes protected health information, or PHI. The OCR newsletter indicates that incidents of cyber extortion have been steadily increasing over the past several years and will continue to disrupt many organizations.…
Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in light of Congress’s inaction regarding data breach legislation.…
The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply with the new set of HIPAA Omnibus rules. The OCR has made clear that it is not focused merely on large institutions or hospital systems. In …
On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements assists healthcare entities in preventing and recovering from ransomware attacks.…
The HHS Office for Civil Rights (OCR) announced on Monday that it has launched the long-awaited Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program.…
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently published two guidance documents to aid organizations in complying with HIPAA.…
As we reported on the Health Law Pulse blog, the HHS Office of Civil Rights (OCR) has unveiled a new resource to provide mobile health developers guidance on complying with applicable Health Insurance Portability and Accountability Act (HIPAA) requirements. The portal allows developers to submit questions and offer comments on existing OCR guidance regarding how mobile medical applications may be subject to HIPAA. OCR’s intent in offering the portal is to create a “safe space” where developers may submit inquiries on an anonymous basis, without fear of subsequent enforcement action.
On Tuesday, October 6, 2015, Norton Rose Fulbright attorneys Boris Segalis, Mark Faccenda and Kimberly Gold will present a health information privacy and security web seminar focused on compliance risks and obligations surrounding connected medical devices and healthcare data.…
Organizations whose employees are insured by Anthem or whose self-insured health plans are administered by Anthem should consider steps to mitigate the cybersecurity and legal risk arising from the breach recently reported by Anthem.
The hackers who perpetrated the Anthem breach are likely to use the personal information they took for further cyberattacks against affected individuals and employers, including to gain access to business information using social engineering attacks and other methods. Anthem’s business customers are advised to take immediate steps to harden their cybersecurity defenses, raise cybersecurity awareness among employees concerning likely secondary attacks, and remain vigilant against further …
Following a number of reports of theft and misplacement of computer disks, laptops, and thumb drives containing unencrypted patient information from New Jersey medical centers, the New Jersey state legislature enacted a law on January 9, 2015, which prohibits health insurance carriers from electronically compiling and maintaining certain patient information unless that information has been encrypted.
The law, New Jersey S562 (“S562”), which will become effective on August 1, 2015, supplements the New Jersey Division of Consumer Affairs Consumer Fraud Act. It was passed in response to an epidemic of breaches at New Jersey hospitals that resulted in the …