Privacy & Security Law Blog


Insight & Commentary on Information Management and Protection

Category Archives: Healthcare


NIST Issues Draft Guidance for Mobile Health Data

Posted in Healthcare

With health care breaches constantly on the rise, increasing access to electronic health records (EHRs) from mobile devices, and more prevalent “shadow” cloud use, health care organizations are getting a bit of help from the National Institute of Standards and Technology (NIST) with a draft cybersecurity guide: “NIST is soliciting stakeholder … Continue Reading

Advisory Alert: Proposed HHS Rule Sets the Stage for Changes to the Meaningful Use Program

Posted in Healthcare

On March 30, the Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) published its proposed rulemaking for Stage 3 of the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program in the Federal Register. According to HHS, the proposed Stage 3 rule, if adopted, would simplify the EHR Incenti… Continue Reading

Disclosure of Germanwings Co-pilot’s Medical Information Raises Tricky Privacy Concerns

Posted in Healthcare

Recent reports surrounding Germanwings co-pilot Andreas Lubitz suggest that Lubitz told his doctors he was on sick leave (or was instructed by his doctors to be on sick leave), and concealed that he was still flying for the commercial airline. Although Lubitz’ motives remain unknown, we now know a great deal of Lubitz’ medical history, including medi… Continue Reading

Advisory Alert: Premera Cyber-Attack Announced

Posted in Data Protection, Healthcare

Defining Your Obligations as an Employer

On March 17, 2015, Premera announced a data breach involving the personal information of more than 11 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Employers and plan sponsors should take steps to verify how the Premera breach affects their plans and that no… Continue Reading

Advisory Alert: What the Anthem Breach Means to Employers

Posted in Data Protection, Employment, Healthcare

On Feb. 4, 2015, Anthem announced a data breach involving the personal information of more than 80 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Group health plans may be affected because Anthem: (1) provides insured health benefits; (2) administers health benefits for a self-insured plan; or (3) … Continue Reading

Adam Greene Named One of the Top 10 Influencers in Health Information Security

Posted in Healthcare

Adam Greene was named one of the Top 10 Influencers in health information security by HealthCareInfo Security, a leading industry website whose editorial board “made the selections of the Influencers based on the impression they’ve left over the last year, as well as the impact we expect them to have in 2015 and beyond.” According to the publica… Continue Reading

Advisory Alert: Refill Reminders and the TCPA

Posted in Healthcare, Marketing and Consumer Privacy

The Telephone Consumer Protection Act (“TCPA”) presents another challenge as health care providers continue to engage patients and seek to meet Meaningful Use reminder objectives. Over the past year, there have been several class action suits alleging pharmacies’ prescription refill reminders violated TCPA. One federal trial court recently … Continue Reading

Encryption and Securing BYO Devices at the Heart of Massachusetts AG $100,000 Settlement

Posted in Healthcare

The Massachusetts Attorney General announced Friday that her office had reached a settlement with Beth Israel Deaconess Medical Center (BIDMC) surrounding a 2012 data breach in which a physician’s unencrypted personal laptop containing patient and employee information was stolen from BIDMC’s grounds. Under the terms of the settlement, BIDM… Continue Reading

Preparing for HIPAA Compliance Audits

Posted in Healthcare

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), the office responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), will continue to audit HIPAA covered entities and business associates in 2015. OCR conducted its first phase of the HIPAA audit program, k… Continue Reading

Advisory Alert: Ebola or Not, Patient Privacy Must Be Protected

Posted in Healthcare

In the wake of the recent Ebola cases, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a new bulletin reminding HIPAA-covered entities and their business associates that the requirements of the HIPAA Privacy Rule still apply when sharing protected health information (PHI), even in emergency situatio… Continue Reading

Advisory Alert: CMS Reopens the Medicare Payment Adjustment Hardship Exception Application Submission Period for Certain Providers and Hospitals

Posted in Healthcare

Centers for Medicare & Medicaid Services (CMS) recently announced the reopening of the submission period for hardship exception applications for eligible professionals and eligible hospitals that have been unable to fully implement 2014 Edition Certified Electronic Health Record Technology (CEHRT) due to availability delays. Qualified pr… Continue Reading

Advisory: California Extends Its Medical Data Breach Notification Requirement From 5 to 15 Days

Posted in Data Protection, Healthcare

On Sept. 18, 2014, California’s governor approved Assembly Bill 1755, extending California’s stringent breach notification deadline for medical information breaches from five business days to 15 business days for clinics, health facilities, home health agencies, and hospices. This is good news for these healthcare providers, who often foun… Continue Reading

Advisory: Starting Oct. 6, Patients Can Access Test Reports Directly From Clinical Laboratories

Posted in Healthcare

On Oct. 6, 2014, a final rule issued jointly by the Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights (OCR) will require all HIPAA-covered labs (i.e., labs that conduct certain electronic transactions, such as electronic submission of claims) to provide individuals with … Continue Reading

Advisory: CMS Issues Final Rule Providing Flexibility for Providers Unable to Fully Implement 2014 Technology to Demonstrate Meaningful Use in 2014

Posted in Healthcare

In response to providers being unable to fully implement 2014 Edition certified electronic health record technology (CEHRT) due to limited availability, CMS adopted changes proposed earlier this year through a final rule allowing additional options for the 2014 reporting period and amending the meaningful use stage timeline. Providers who rece… Continue Reading

DWT Advisory: Rhode Island Hospital’s Breach of Health Information Leads to Settlement with Massachusetts Attorney General

Posted in Healthcare

On July 23, 2014, the Massachusetts attorney general announced a settlement with Women & Infants Hospital of Rhode Island (WIH) over the loss of unencrypted backup tapes. WIH agreed to pay $150,000 and undertake numerous compliance measures, including hiring an independent auditor, to resolve allegations that it failed to protect the personal i… Continue Reading

Advisory: Appellate Court Rules Medical Information Must Actually Have Been Viewed by an Unauthorized Person for a Plaintiff to Recover Under the California Confidentiality of Medical Information Act

Posted in Data Protection, Healthcare

The California Court of Appeal recently held that in order to recover under California’s Confidentiality of Medical Information Act (CMIA), Civ. Code §§ 56 et seq., a plaintiff must plead and prove that the “stolen medical information was actually viewed by an unauthorized person.” Sutter Health et al. v. The Superior Court of Sacramento Coun… Continue Reading

DWT Advisory: New HIPAA Reports to Congress Shed Light on OCR Enforcement

Posted in Healthcare

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued two reports to Congress, as required by the HITECH Act. The compliance report details OCR’s enforcement activities for 2011 and 2012 and sheds light on what covered entities and business associates can expect from OCR going forward. This is not the first signal tha… Continue Reading

Stolen Patient Information on Hospital Computer Not Considered “Medical Information” by California Appellate Court

Posted in Healthcare

The California Court of Appeal recently held that the release of an index identifying hospital patients did not constitute the release of medical information under California’s Confidentiality of Medical Information Act (CMIA), Civ. Code, § 56 et seq., because the index contained only demographic information and nothing “regarding a patient… Continue Reading