Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Health Care

Top Takeaways from IAPP

Posted in Global, Health Care, Policy and Regulatory Positioning, Services

The world of privacy grows every day as more data goes through the cloud. The new trends and weekly data breaches make conferences like the Global Privacy Summit all the more relevant.

Earlier this month we went to IAPP’s annual event and networked with many professionals in the privacy sphere. Here were some of our key takeaways:

1. Connect with your FBI

HIPAA Audits Are Here: What to Expect When You are Expecting (an Audit)

Posted in Health Care

The Phase 2 audit program for HIPAA compliance is under way. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had launched the Phase 2 audits to examine and assess how covered entities and their business associates are adhering to the HIPAA Privacy, Security, and Breach Notification Rules. OCR will survey …

Advisory Alert: Can Ransomware Trap Your Health Information?

Posted in Cyber and National Security, Health Care

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has been highlighting the threat posed by “ransomware”—when an organization is locked out of its own systems and files by cyber criminals who then demand the organization pay a ransom to regain access. OCR launched its Cyber-Awareness initiative on Feb. 2 by emaili…

February 2016: The Month of Groundhog Day, Super Bowl 50, Valentine’s Day … and HIPAA Breach Notifications

Posted in Health Care

Feb. 29, 2016, a/k/a Leap Day, is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2015.

A small breach involves fewer than 500 individuals. While HIPAA requires cover…

Advisory Alert: Proposed Changes to the Alcohol and Drug Abuse Treatment Confidentiality Rule

Posted in Health Care

On Feb. 9, 2016, the U.S. Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published in the Federal Register a proposed rule putting forth amendments to the Alcohol and Drug Abuse Treatment Confidentiality Rule at 42 C.F.R. Part 2 (the “Part 2 Rule”). A redline of the proposed changes to the …

Advisory Alert: Second CMP Assessed for HIPAA Violations

Posted in Health Care

Do You Know Where Your Data Is?

For only the second time in its history, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a civil money penalty (CMP) on a covered entity for allegedly violating the HIPAA Privacy Rule. The Administrative Law Judge’s (ALJ’s) decision upholding the $239,800 CMP against Lincare…

As if a 20-Year Consent Order Wasn’t Enough Fun: FTC Brings First Monetary Settlement in Information Security Case

Posted in Health Care

The FTC reached a $250,000 settlement with a 20-year consent order with Henry Schein Practice Solutions, Inc. over its use of allegedly subpar encryption technology in its offering to dental practices. This settlement is particularly noteworthy for a number of reasons:

  • In addition to the typical 20-year consent order (in this case requiring Schein to ma

Advisory Alert: NY Attorney General Reaches Settlement over Exiting Clinician Taking Patient List

Posted in Health Care

It may not be a big dollar amount ($15,000), but a recent New York Attorney General settlement represents a big issue—interpreting that HIPAA prohibits a health care professional who is changing practices from taking a patient list without the patients’ authorizations. Health care providers should review their procedures surrounding departing p…

Confusion Continues Over Medical Identity Theft Victim Rights under HIPAA

Posted in Health Care

In a Nov. 10, 2015 letter, the Chairs and Ranking Members of the Senate Committee on Health, Education, Labor, and Pensions and the Committee on Finance raised concerns with the U.S. Department of Health and Human Services (“HHS”) regarding what HHS is doing to support and protect victims of medical identity theft in the wake of large health informatio…

DWT Releases Latest Health Care Breach Charts

Posted in Data Protection, Health Care

Safeguarding patient information is at the core of responsibilities for health care entities under the Health Insurance Portability and Accountability Act (HIPAA). But safeguarding patient information isn’t just a regulatory requirement; every medical professional who takes the Hippocratic Oath (Modern Version) swears to respect patient priv…

Are Attorneys Entitled to “HIPAA Rate”?

Posted in Health Care

Over the past year, numerous lawsuits and complaints to the HHS Office for Civil Rights (“OCR”) have been filed by plaintiffs’ attorneys over a seemingly obscure HIPAA issue – the rate that health care providers and their release-of-information contractors may charge attorneys for copies of their clients’ medical records. In response to a Fr…

Advisory Alert: Time for a HIPAA Security Check-Up!

Posted in Data Protection, Health Care

The 2015 HIPAA Security conference held by the National Institute of Standards and Technology (“NIST”) and the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) kicked off last week with OCR’s announcement of a new settlement. In its latest settlement with a small health care provider, OCR emphasized comprehensiv…

NIST Issues Draft Guidance for Mobile Health Data

Posted in Health Care

With health care breaches constantly on the rise, increasing access to electronic health records (EHRs) from mobile devices, and more prevalent “shadow” cloud use, health care organizations are getting a bit of help from the National Institute of Standards and Technology (NIST) with a draft cybersecurity guide: “NIST is soliciting stakeholder …

Advisory Alert: Proposed HHS Rule Sets the Stage for Changes to the Meaningful Use Program

Posted in Health Care

On March 30, the Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) published its proposed rulemaking for Stage 3 of the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program in the Federal Register. According to HHS, the proposed Stage 3 rule, if adopted, would simplify the EHR Incenti…

Disclosure of Germanwings Co-pilot’s Medical Information Raises Tricky Privacy Concerns

Posted in Health Care

Recent reports surrounding Germanwings co-pilot Andreas Lubitz suggest that Lubitz told his doctors he was on sick leave (or was instructed by his doctors to be on sick leave), and concealed that he was still flying for the commercial airline. Although Lubitz’ motives remain unknown, we now know a great deal of Lubitz’ medical history, including medi…

Advisory Alert: Premera Cyber-Attack Announced

Posted in Data Protection, Health Care

Defining Your Obligations as an Employer

On March 17, 2015, Premera announced a data breach involving the personal information of more than 11 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Employers and plan sponsors should take steps to verify how the Premera breach affects their plans and that no…

Advisory Alert: What the Anthem Breach Means to Employers

Posted in Data Protection, Employment, Health Care

On Feb. 4, 2015, Anthem announced a data breach involving the personal information of more than 80 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Group health plans may be affected because Anthem: (1) provides insured health benefits; (2) administers health benefits for a self-insured plan; or (3) …

Adam Greene Named One of the Top 10 Influencers in Health Information Security

Posted in Health Care

Adam Greene was named one of the Top 10 Influencers in health information security by HealthCareInfo Security, a leading industry website whose editorial board “made the selections of the Influencers based on the impression they’ve left over the last year, as well as the impact we expect them to have in 2015 and beyond.” According to the publica…

Advisory Alert: Refill Reminders and the TCPA

Posted in Health Care, Marketing and Consumer Privacy

The Telephone Consumer Protection Act (“TCPA”) presents another challenge as health care providers continue to engage patients and seek to meet Meaningful Use reminder objectives. Over the past year, there have been several class action suits alleging pharmacies’ prescription refill reminders violated TCPA. One federal trial court recently …