Archives: Privacy & HIPAA


FDA Finalizes Policy for Sharing Patient-Specific Data from Medical Devices

FDA recently released guidance (“Manufacturers Sharing Patient-Specific Information from Medical Devices with Patients Upon Request”) finalizing its policy on medical device manufacturers sharing patient-specific information from devices with patients at the patients’ request. In response to the more active roles patients are playing in their health care, and increased frequency with which patients are seeking …

Mobile App Compliance for Dummies: New Tool Helps Developers Understand Their Legal Compliance Requirements

In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of the National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and …

Expect Increased State AG Enforcement Actions on Health Data Incidents

Businesses working with U.S. customer or employee data are very familiar with the roles the Federal Trade Commission (FTC), U.S. Department of Health and Human Services, and other federal agencies play in privacy regulation and enforcement. But, increasingly, if your company ends up facing a health – or other data – incident, you may find …

After a Strong Enforcement Presence in 2015, OCR Starts 2016 with a $239,000 Civil Money Penalty Judgment

It has been a busy winter for the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”). Since November 2015, the agency has announced three settlements and one civil money penalty judgment amounting to over $5 million in fines and settlements. Most recently, on February 3, 2016, a U.S. Department of Health …

HHS’ Selection of Contractor Provides Latest Update on Impending Second Round of HIPAA Audits

On October 27, 2015, a U.S. Department of Health and Human Services (“HHS”) official stated that the agency has hired FCi Federal, a provider of management and professional services to government agencies in Ashburn, VA, to conduct the second round of Health Insurance Portability and Accountability Act (“HIPAA”) data security audits. Similar to the Phase …

OCR Creates Online Portal for HIPAA Compliance Questions

In a recent Law360 article (login required), Partner Brad Rostolsky addressed the establishment of an online portal to receive questions from developers of mobile medical apps about compliance with the Health Insurance Portability and Accountability Act. “Where health information is flowing pretty freely on mobile devices, it’s incredibly important for everyone involved to make the …

Preparing for a HIPAA Data Breach: Easy Steps to Ensure “Breach Readiness”

The 2013 changes to HIPAA’s privacy and security regulations, combined with the government’s bolstered approach to compliance and enforcement, reinforce the need for health care providers to remain focused on preparing for the privacy and security incidents that will inevitably occur. With the number of significant data breaches expected to rise, it is …

Cure of Security Rule Violations Following Breach of EPHI Cannot Save Covered Entities from $750,000 Settlement; Non-Breach Related Security Complaint Leads to $218,000 HIPAA Settlement

More than three years after the Cancer Care Group, P.C. (“CCG”) notified the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of a breach of unsecured electronic protected health information (“ePHI”), the radiation oncology private practice settled and implemented a corrective action plan (“CAP”) with OCR for $750,000. This settlement …

Texas Hospital CFO Pleads Guilty To Making A HITECH Act False Statement

The HITECH Act—including the HITECH Final Rule’s provisions about HIPAA, data privacy, security, and breach notification—is an issue we have covered in detail previously. According to a June 17, 2015 press release, the former CFO of the Shelby Regional Medical Center in Texas has pleaded guilty to making a false statement in “representing that the …

OCR Announces Settlement and Corrective Action Plan with Pharmacy Stemming from Alleged Violations

The HHS Office for Civil Rights recently announced a settlement and corrective action plan with Cornell Prescription Pharmacy (CPP), a small for-profit, single-location compounding pharmacy in Denver, CO. CPP has agreed to pay $125,000 and enter into a corrective action plan to settle potential violations of the HIPAA Privacy Rule. The outcome indicates that OCR does not substantially vary its enforcement response based on the size of the covered entity or the number of patients involved in a potential HIPAA violation.…

First Steps for GCs in Assessing a Data Breach

When a data breach is discovered by a company, it is often the responsibility of the company’s in-house counsel to swiftly assess the breach and provide an initial report to company management. There are several steps that in-house counsel should follow if faced with a breach to allow for an adequate assessment that company management can use. As noted …

Amidst Increasing Security Concerns, Medicare to Drop Social Security Numbers from Cards

Last week, President Obama signed into law a bill that will remove Social Security Numbers (SSNs) from all Medicare beneficiary cards over the next eight years. Medicare has four years to begin issuing cards with new identifiers, and four years after that to reissue cards to current beneficiaries. Removing SSNs from the cards is expected not only to decrease the identity theft risk for Medicare beneficiaries, but also to reduce Medicare's exposure from breaches of protected health and personal information under HIPAA and state privacy laws.…

State Attorneys General Address Data Privacy and Security Issues

State attorneys general across the United States have taken recent action towards addressing data privacy and security issues. In Connecticut, the attorney general announced the establishment of a Privacy and Data Security Department to handle investigations and litigation relating to data privacy and security. This month's National Association of Attorneys General (NAAG) Southern Region Meeting featured presentations on big data, cybersecurity, cloud computing and data breaches, and next month's NAAG presidential initiative summit will address topics such as intellectual property theft, cloud computing and digital currency. Finally, Washington's attorney general has proposed several amendments to expand the scope of that state's data breach notification requirements.…

FTC Offers Privacy and Security Guidance for Medical Devices in ‘Internet of Things’ Report

On January 27, the Federal Trade Commission (FTC) issued a 71-page Staff Report on privacy and security issues with the Internet of Things (IoT) - the growing ability of everyday devices to monitor and communicate information through the Internet. The Staff Report - which follows up on the FTC's public workshop over concerns with the IoT, as well as the FTC's first enforcement action brought in September 2013 - is especially relevant in the life sciences industry, which may see potentially revolutionary advances as a result of the IoT.…

New Jersey Enacts Data Privacy Law for Health Insurance Carriers

New Jersey Governor Chris Christie has signed a law requiring health insurance carriers in that state to encrypt individuals' personal information. This new law will be enforced in conjunction with the New Jersey Consumer Fraud Act (NJCFA), and failure to obey the law will be classified as a violation of the NJCFA, which could result in financial penalties for the carriers. The new legislation may also affect business associates through the contractual terms of business associate agreements.…

EU Justice Ministers Reach Partial General Approach on Aspects of Data Protection Regulation

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a recent meeting at which Justice ministers from across the European Union managed to agree on a partial general approach on several aspects of the draft Data Protection Regulation, which aims to set out a general EU framework for data protection. The ministers have …

EU Article 29 Data Protection Working Party Releases Guidelines Stemming from Google Spain Case

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on a recent set of guidelines issued by the European Union’s Article 29 Data Protection Working Party outlining how EU Data Protection Authorities (DPAs) intend to implement the judgment of the Court of Justice of the European Union in Google Spain SL and Google Inc. …

OCR Settlement Reflects Continued Emphasis on HIPAA Security Rule Safeguards

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced a $150,000 settlement of potential violations of the HIPAA Security Rule by Anchorage Community Mental Health Services (ACMHS). These potential violations were caused by a malware breach of ACMHS's information technology resources. OCR's subsequent investigation of the breach found that ACMHS's preventative security measures prior to the breach were insufficient, and the settlement includes a Resolution Agreement with a corrective action plan for ACMHS to improve its security measures.…

Effective Cyberliability Insurance Coverage

According to a recent study, the median amount of time between a breach of a company's network and the discovery of that breach is 229 days. Given this lengthy amount of time, companies should consider the benefits of an expanded cyberliability insurance policy period, particularly if the company is switching from one insurance provider to another. This topic is discussed in "Hackers Don't Care About the Terms of Your Insurance Policy: The Importance of Retroactive Dates and Extended Reporting Periods in Effective Cyberliability Insurance Coverage," a client alert written by Reed Smith's Insurance Recovery Group.…

OCR Releases Ebola Bulletin

The recent Ebola outbreak has prompted the U.S. Department of Health and Human Services, Office for Civil Rights ("OCR"), the agency responsible for enforcing the Health Insurance Portability and Accountability Act ("HIPAA"), to release a new bulletin for covered entities and business associates regarding their privacy obligations in emergency situations. The bulletin, entitled "HIPAA Privacy In Emergency Situations," provides an overview of the limited ways in which covered entities and business associates may use and disclose protected health information in emergencies, such as the Ebola outbreak. The bulletin is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.…

Insights About Future Use of Protected Health Information Under HIPAA

In "HIPAA Enforcement: The Next Step," an interview and accompanying article that appeared on HealthcareInfoSecurity on October 14, Reed Smith partner Brad Rostolsky details the HIPAA-related trends that he expects to see within the next several years. Among these predicted trends is an increase in the number of investigations by the Department of Health and Human Services' Office for Civil Rights regarding the illegal use and distribution of Protected Health Information without the permission of patients, a result of tightened regulations introduced in last year's HIPAA Omnibus Rule. Brad also discusses how companies should prepare for HIPAA compliance audits, the use of health information on social media, and potential privacy issues surrounding wearable consumer health devices.…

New California Amendment Aims to Increase Breach Responsibility and Accountability

A recently enacted law in California is designed to expand the scope of requirements for entities that own, license, and maintain data or information about a resident of the state. This amendment to the California Civil Code, scheduled to go into effect on January 1, 2015, was passed in the wake of several recent high-profile security breaches at such retailers as Target, Neiman Marcus, and The Home Depot.…

U.S. Senator Schumer Calls for Increased Regulation of Wearable Electronic Devices to Avoid Data Privacy Issues

Reed Smith's Global Regulatory Enforcement Law Blog features a post on the recent phenomenon of wearable electronic devices and the legal issues that may arise from these gadgets. "Wearable Device Privacy - A Legislative Priority?," written by Reed Smith attorneys Frederick Lah and Khurram Gore, discusses a recent press release issued by U.S. Senator Chuck Schumer of New York expressing concern that personal health data collected by wearable devices and fitness apps, including medical conditions, sleep patterns, calories burned, GPS locations, blood pressure, weight, and more, will be provided to third parties without the user knowing it. Schumer, citing this as a threat to personal privacy, has urged the Federal Trade Commission to mandate that device and app companies provide users with an explicit "opt-out," allowing them to block the distribution of this information to any third parties.…

Recent Data Breaches Serve as Warning for Companies to Assess Their Cybersecurity Insurance Coverage

Earlier this week, numerous media outlets reported on the Russian crime ring that had managed to steal more pieces of Internet data than any other group of hackers in history – a collection of at least 1.2 billion user name and password combinations and over 500 million email addresses. The magnitude of data that …