Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Health Care

As if a 20-Year Consent Order Wasn’t Enough Fun: FTC Brings First Monetary Settlement in Information Security Case

Posted in Health Care

The FTC reached a $250,000 settlement with a 20-year consent order with Henry Schein Practice Solutions, Inc. over its use of allegedly subpar encryption technology in its offering to dental practices. This settlement is particularly noteworthy for a number of reasons:

  • In addition to the typical 20-year consent order (in this case requiring Schein to ma
Continue Reading

Advisory Alert: NY Attorney General Reaches Settlement over Exiting Clinician Taking Patient List

Posted in Health Care

It may not be a big dollar amount ($15,000), but a recent New York Attorney General settlement represents a big issue—interpreting that HIPAA prohibits a health care professional who is changing practices from taking a patient list without the patients’ authorizations. Health care providers should review their procedures surrounding departing p… Continue Reading

Confusion Continues Over Medical Identity Theft Victim Rights under HIPAA

Posted in Health Care

In a Nov. 10, 2015 letter, the Chairs and Ranking Members of the Senate Committee on Health, Education, Labor, and Pensions and the Committee on Finance raised concerns with the U.S. Department of Health and Human Services (“HHS”) regarding what HHS is doing to support and protect victims of medical identity theft in the wake of large health informatio… Continue Reading

DWT Releases Latest Health Care Breach Charts

Posted in Data Protection, Health Care

Safeguarding patient information is at the core of responsibilities for health care entities under the Health Insurance Portability and Accountability Act (HIPAA). But safeguarding patient information isn’t just a regulatory requirement; every medical professional who takes the Hippocratic Oath (Modern Version) swears to respect patient priv… Continue Reading

Are Attorneys Entitled to “HIPAA Rate”?

Posted in Health Care

Over the past year, numerous lawsuits and complaints to the HHS Office for Civil Rights (“OCR”) have been filed by plaintiffs’ attorneys over a seemingly obscure HIPAA issue – the rate that health care providers and their release-of-information contractors may charge attorneys for copies of their clients’ medical records. In response to a Fr… Continue Reading

Advisory Alert: Time for a HIPAA Security Check-Up!

Posted in Data Protection, Health Care

The 2015 HIPAA Security conference held by the National Institute of Standards and Technology (“NIST”) and the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) kicked off last week with OCR’s announcement of a new settlement. In its latest settlement with a small health care provider, OCR emphasized comprehensiv… Continue Reading

NIST Issues Draft Guidance for Mobile Health Data

Posted in Health Care

With health care breaches constantly on the rise, increasing access to electronic health records (EHRs) from mobile devices, and more prevalent “shadow” cloud use, health care organizations are getting a bit of help from the National Institute of Standards and Technology (NIST) with a draft cybersecurity guide: “NIST is soliciting stakeholder … Continue Reading

Advisory Alert: Proposed HHS Rule Sets the Stage for Changes to the Meaningful Use Program

Posted in Health Care

On March 30, the Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) published its proposed rulemaking for Stage 3 of the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program in the Federal Register. According to HHS, the proposed Stage 3 rule, if adopted, would simplify the EHR Incenti… Continue Reading

Disclosure of Germanwings Co-pilot’s Medical Information Raises Tricky Privacy Concerns

Posted in Health Care

Recent reports surrounding Germanwings co-pilot Andreas Lubitz suggest that Lubitz told his doctors he was on sick leave (or was instructed by his doctors to be on sick leave), and concealed that he was still flying for the commercial airline. Although Lubitz’ motives remain unknown, we now know a great deal of Lubitz’ medical history, including medi… Continue Reading

Advisory Alert: Premera Cyber-Attack Announced

Posted in Data Protection, Health Care

Defining Your Obligations as an Employer

On March 17, 2015, Premera announced a data breach involving the personal information of more than 11 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Employers and plan sponsors should take steps to verify how the Premera breach affects their plans and that no… Continue Reading

Advisory Alert: What the Anthem Breach Means to Employers

Posted in Data Protection, Employment, Health Care

On Feb. 4, 2015, Anthem announced a data breach involving the personal information of more than 80 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Group health plans may be affected because Anthem: (1) provides insured health benefits; (2) administers health benefits for a self-insured plan; or (3) … Continue Reading

Adam Greene Named One of the Top 10 Influencers in Health Information Security

Posted in Health Care

Adam Greene was named one of the Top 10 Influencers in health information security by HealthCareInfo Security, a leading industry website whose editorial board “made the selections of the Influencers based on the impression they’ve left over the last year, as well as the impact we expect them to have in 2015 and beyond.” According to the publica… Continue Reading

Advisory Alert: Refill Reminders and the TCPA

Posted in Health Care, Marketing and Consumer Privacy

The Telephone Consumer Protection Act (“TCPA”) presents another challenge as health care providers continue to engage patients and seek to meet Meaningful Use reminder objectives. Over the past year, there have been several class action suits alleging pharmacies’ prescription refill reminders violated TCPA. One federal trial court recently … Continue Reading

Encryption and Securing BYO Devices at the Heart of Massachusetts AG $100,000 Settlement

Posted in Health Care

The Massachusetts Attorney General announced Friday that her office had reached a settlement with Beth Israel Deaconess Medical Center (BIDMC) surrounding a 2012 data breach in which a physician’s unencrypted personal laptop containing patient and employee information was stolen from BIDMC’s grounds.  Under the terms of the settlement, BIDM… Continue Reading

Preparing for HIPAA Compliance Audits

Posted in Health Care

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), the office responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), will continue to audit HIPAA covered entities and business associates in 2015. OCR conducted its first phase of the HIPAA audit program, k… Continue Reading

Advisory Alert: Ebola or Not, Patient Privacy Must Be Protected

Posted in Health Care

In the wake of the recent Ebola cases, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a new bulletin reminding HIPAA-covered entities and their business associates that the requirements of the HIPAA Privacy Rule still apply when sharing protected health information (PHI), even in emergency situatio… Continue Reading

Advisory Alert: CMS Reopens the Medicare Payment Adjustment Hardship Exception Application Submission Period for Certain Providers and Hospitals

Posted in Health Care

Centers for Medicare & Medicaid Services (CMS) recently announced the reopening of the submission period for hardship exception applications for eligible professionals and eligible hospitals that have been unable to fully implement 2014 Edition Certified Electronic Health Record Technology (CEHRT) due to availability delays. Qualified pr… Continue Reading

Advisory: California Extends Its Medical Data Breach Notification Requirement From 5 to 15 Days

Posted in Data Protection, Health Care

On Sept. 18, 2014, California’s governor approved Assembly Bill 1755, extending California’s stringent breach notification deadline for medical information breaches from five business days to 15 business days for clinics, health facilities, home health agencies, and hospices. This is good news for these healthcare providers, who often foun… Continue Reading

Advisory: Starting Oct. 6, Patients Can Access Test Reports Directly From Clinical Laboratories

Posted in Health Care

On Oct. 6, 2014, a final rule issued jointly by the Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights (OCR) will require all HIPAA-covered labs (i.e., labs that conduct certain electronic transactions, such as electronic submission of claims) to provide individuals with … Continue Reading