Several states are following the path of Illinois’ Biometric Information Privacy Act (BIPA), a law that has led to a rise in the volume of class action privacy litigation and underlined the significance of enterprise-level management of biometric data (e.g., fingerprint, voiceprint, and retina, facial, or iris image). Organizations that gather and utilize biometric data … Continue Reading
Reed Smith will be hosting an upcoming CLE webinar, “Best Practices for managing privacy risks in vendor engagements – diligence, contracting, and oversight under the California law” on Wednesday, September 11, 2019 at 2:00 PM ET. This program will offer a review on how organizations can approach third-party information sharing under the CCPA. Furthermore, as … Continue Reading
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new fact sheet outlining and clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. Published shortly after the release of new guidance from OCR in the form … Continue Reading
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of HIPAA FAQs addressing the applicability of HIPAA to certain health apps and the covered entities and business associates that interact with them. These FAQs build upon prior guidance from OCR that outlined the framework for evaluating whether a … Continue Reading
By Jennifer Pike and Brad Rostolsky on Posted in Privacy & HIPAA
In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and … Continue Reading
It has been a busy winter for the US Department of Health and Human Service, Office for Civil Rights (“OCR”). Since November 2015, the agency has announced three settlements and one civil money penalty judgment amounting to over $5 million in fines and settlements. Most recently, on February 3, 2016, a U.S. Department of Health … Continue Reading
On October 27, 2015, a U.S. Department of Health and Human Services (“HHS”) official stated that the agency has hired FCi Federal, a provider of management and professional services to government agencies in Ashburn, VA, to conduct the second round of Health Insurance Portability and Accountability Act (“HIPAA”) data security audits. Similar to the Phase … Continue Reading
The 2013 changes to HIPAA’s privacy and security regulations in combination with the government’s bolstered approach to compliance and enforcement reinforces the need for health care providers to remain focused on preparing for the inevitable likelihood that privacy or security issues will occur. With the number of significant data breaches expected to rise, it is … Continue Reading
More than three years after the Cancer Care Group, P.C. (“CCG”) notified the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of a breach of unsecured electronic protected health information (“ePHI”), the radiation oncology private practice settled and implemented a corrective action plan (“CAP”) with OCR for $750,000. This settlement … Continue Reading
The HHS Office for Civil Rights recently announced a settlement and corrective action plan with Cornell Prescription Pharmacy (CPP), a small for-profit, single location, compounding pharmacy located in Denver, CO. CPP has agreed to pay $125,000 and enter into a corrective action plan to settle potential violations of the HIPAA Privacy Rule. This outcome is indicative of OCR's unwillingness to demonstrate wide variance in its enforcement response based on the size of an affected covered entity or the number of patients involved in a potential HIPAA violation.… Continue Reading
When a data breach is discovered by a company, it is often the responsibility of the company’s in-house counsel to swiftly assess the breach and provide an initial report to company management. There are several steps that in-house counsel should follow if faced with a breach to allow for an adequate assessment that company management can use. As noted … Continue Reading
Last week, President Obama signed into law a bill that will eradicate Social Security Numbers (SSNs) from all Medicare beneficiary cards over the next eight years. Medicare has four years to begin issuing cards with new identifiers, and four years after that to reissue cards to current beneficiaries. The removal of SSNs from the cards is not only expected to decrease the risks associated with identity theft for Medicare beneficiaries, but also Medicare's risk of exposure associated with breaches of protected health and personal information under HIPAA and state privacy laws.… Continue Reading
New Jersey Governor Chris Christie has signed a law requiring health insurance carriers in that state to encrypt individuals' personal information. This new law will be enforced in conjunction with the New Jersey Consumer Fraud Act (NJCFA), and failure to obey the law will be classified as a violation of the NJCFA, which could result in financial penalties for the carriers. The new legislation may also affect business associates through the contractual terms of business associate agreements.… Continue Reading
The recent Ebola outbreak has prompted the US Department of Health and Human Services, Office for Civil Rights ("OCR"), the agency responsible for enforcing the Health Insurance Portability and Accountability Act ("HIPAA"), to release a new bulletin for covered entities and business associates regarding their privacy obligations in emergency situations. The bulletin, entitled "HIPAA Privacy In Emergency Situations," provides an overview of the limited ways in which covered entities and business associates may use and disclose protected health information in emergencies, such as the Ebola outbreak. The bulletin is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.… Continue Reading
In "HIPAA Enforcement: The Next Step," an interview and accompanying article that appeared on HealthcareInfoSecurity on October 14th, Reed Smith partner Brad Rostolsky details the HIPAA-related trends that he expects to see within the next several years. Among these predicted trends is an increase in the number of investigations by the Department of Health and Human Services' Office for Civil Rights regarding the illegal use and distribution of Protected Health Information without the permission of patients, a result of tightened regulations introduced in last year's HIPAA Omnibus Rule. Brad also discusses how companies should prepare for HIPAA compliance audits, the use of health information on social media, and potential privacy issues surrounding wearable consumer health devices.… Continue Reading
On February 6, 2014, the U.S. Department of Health & Human Services' (HHS) Centers for Medicare & Medicaid Services, Centers for Disease Control and Prevention, and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 regulations to provide patients with direct access to laboratory test reports. HHS believes that patients should have the right to access these test reports in order to gain vital information, allowing them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply by October 6, 2014.… Continue Reading
The Privacy and Security Tiger Team, a subcommittee of the Office of the National Coordinator for Health IT's HIT Policy Committee, has recommended that the Office for Civil Rights of U.S. Department of Health and Human Services abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information contained in an electronic designated record set, concluding that the rule is overbroad and lacks value.… Continue Reading
After receiving more than 2,000 comments to its April 2013 Advance Notice of Proposed Rulemaking, the Department of Health & Human Services has proposed to amend the HIPAA Privacy Rule to expressly permit certain covered entities to report to the National Instant Criminal Background Check System ("NICS") the identities of individuals who are prohibited by federal law, for mental health reasons, from possessing firearms (commonly referred to as the "mental health prohibitor").
OCR has cited concerns that the existing HIPAA Privacy Rule may be preventing some state entities (which likely perform both HIPAA-covered and non-covered functions) from reporting to the NICS the identities of individuals subject to the mental health prohibitor. Therefore, HHS has proposed to add to the Privacy Rule new provisions at 45 CFR § 164.512(k)(7), which would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes.… Continue Reading
According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. The OIG's report concluded that OCR failed to provide for periodic audits to ensure that covered entities were in compliance with the Security Rule, and failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule.… Continue Reading
The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass., to pay $150,000 to the Department of Health and Human Services' Office for Civil Rights to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy, Security, and Breach Notification Rules. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act, passed as part of the American Recovery and Reinvestment Act of 2009.… Continue Reading
By Brad Rostolsky and Jennifer Pike on Posted in Privacy & HIPAA
On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following: … Continue Reading
By Brad Rostolsky and Jennifer Pike on Posted in Privacy & HIPAA
Recent posts on www.lifescienceslegalupdate.com include:
"OCR Releases HIPAA Guide for Law Enforcement," which links to new references on the HHS website for law enforcement and emergency planners.
View the entire entry:
https://www.lifescienceslegalupdate.com/2013/09/articles/data-privacy/ocr-releases-hipaa-guide-for-law-enforcement/
...and
"OCR Announces Enforcement Delay for CLIA Labs," which references the HHS' decision to delay enforcement of certain requirements pertaining to HIPAA-covered labs.… Continue Reading
This post was written by Daniel Kadar. As a champion for the protection of personally identifiable information and with broad definitions for the concepts of personal and medical data, France has established a very specific set of policies requiring that all bodies hosting medical data must apply for official accreditation or work with an accredited … Continue Reading
The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers. … Continue Reading