Posts tagged HIPAA.
Time 5 Minute Read

On October 31, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced two settlements over medical providers’ failures to comply with the HIPAA Security Rule, one with Plastic Surgery Associates of South Dakota and one with Bryan County Ambulance Authority.  The settlements mark the sixth and seventh OCR enforcement actions related to ransomware attacks with the latter being the first enforcement action in OCR’s Risk Analysis Initiative.

Time 2 Minute Read

On November 1, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights and the Assistant Secretary for Technology Policy announced the release of a new version of the Security Risk Assessment Tool.

Time 2 Minute Read

On October 3, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a monetary penalty of 240,000 dollars against Providence Medical Institute, an interstate network of medical providers, for violations of the HIPAA Security Rule in relation to a series of ransomware attacks against an orthopedics practice acquired by the entity.

Time 3 Minute Read

On June 29, 2024, Rhode Island enacted the Rhode Island Data Transparency and Privacy Protection Act after Governor Daniel McKee transmitted the act back to the legislature without signature. The RIDTPPA will take effect on January 1, 2026.

Time 2 Minute Read

On June 20, 2024, the U.S. District Court for the Northern District of Texas Fort Worth Division ruled that guidance issued by the U.S. Department of Health and Human Services (“HHS”) relating to online tracking technologies exceeded HHS’ authority and ordered that it be vacated. 

Time 4 Minute Read

On May 24, 2024, Governor Tim Walz signed H.F. 4757 into law, enacting the Minnesota Consumer Data Privacy Act. The MNCDPA will take effect on July 31, 2025. 

Time 4 Minute Read

On April 17, 2024, Colorado enacted H.B. 1058 which amends the Colorado Privacy Act (“CPA”) and makes Colorado the first state to explicitly extend the protections of a state comprehensive privacy law to neural data.

The Act expands the definition of “sensitive data” in the CPA to include two newly-added defined terms: “biological data” and “neural data”.

Time 2 Minute Read

On April 22, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced its final “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” which strengthens privacy protections under HIPAA for reproductive health care-related PHI.

Time 3 Minute Read

On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC (“GRBH”) stemming from the organization’s failure to comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) and subsequent failure to protect against a 2019 ransomware attack that impacted the personal health information (“PHI”) of more than 14,000 patients. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.

Time 1 Minute Read

On February 16, 2024, the U.S. Department of Health and Human Services' Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published a final version of Special Publication 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule: A Cybersecurity Resource Guide.” The publication features guidance and recommendations for cybersecurity measures for HIPAA covered entities to consider in the development of their information security programs, a ...

Time 2 Minute Read

On October 31, 2023, the Department of Health and Human Services (“HHS”) announced the issuance of a settlement agreement with Doctors’ Management Services (“DMS”), a Massachusetts-based medical management company, related to alleged violations of the Health Insurance Portability and Accountability Act’s (“HIPAA’s”) Privacy and Security Rules (collectively, the “HIPAA Rules”). DMS is a HIPAA business associate (“BA”) that provides payer credentialing and medical billing services to HIPAA Covered Entities (“CEs”). 

Time 1 Minute Read

On September 15, 2023, the Federal Trade Commission and the Department of Health and Human Services (“HHS”) published an updated version of the two agencies’ joint publication, entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.” 

Time 1 Minute Read

On September 13, 2023, the National Coordinator for Health Information Technology (“ONC”) and the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services released version 3.4 of the Security Risk Assessment (“SRA”) Tool under the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

Time 5 Minute Read

On June 30, 2023, the Delaware House of Representatives passed the Delaware Personal Data Privacy Act (H.B. 154) (the “DPDPA”), a day after the Delaware Senate passed the legislation. The DPDPA heads to Governor John Carney for a final signature. This could make Delaware the 13th U.S. state to enact comprehensive privacy legislation.

Time 4 Minute Read

On June 22, 2023, the Oregon House of Representatives passed the Oregon Consumer Privacy Act (S.B. 619) (the “OCPA”), which was previously passed by the Oregon Senate on June 20, 2023. The OCPA has been sent to the Oregon governor’s desk for signature. If signed, the OCPA would make Oregon the 12th state to have enacted comprehensive privacy legislation.

Time 5 Minute Read

On June 13, 2023, Texas Governor Greg Abbott signed H.B. 18, or the Securing Children Online through Parental Empowerment (“SCOPE”) Act that would impose obligations on digital service providers to protect minors.

Time 5 Minute Read

On June 13, 2023, Texas Governor Greg Abbott signed H.B. 18, or the Securing Children Online through Parental Empowerment (“SCOPE”) Act that would require digital service providers to get parental consent to create an account with minors younger than 18 years of age.  

Time 2 Minute Read

On May 18, 2023, the Federal Trade Commission announced it is seeking comment to proposed changes to the Health Breach Notification Rule (the “Rule”). The Rule requires  vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access. By clarifying the Rule’s scope and applicability, and by modernizing allowable methods of notice, the proposed amendments seek to update the Rule to account for technological change since the Rule’s issuance, which includes the proliferation of health apps and connected devices, and the emergence of a widespread market for health data.

Time 2 Minute Read

On April 12, 2023, the U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to strengthen reproductive health care privacy.

Time 2 Minute Read

On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach. 

Time 3 Minute Read

On February 1, 2023, the Federal Trade Commission announced that it entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009.

Time 1 Minute Read

On December 1, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. 

Time 1 Minute Read

On December 7, 2022, the Federal Trade Commission released an updated Mobile Health App Interactive Tool to help developers determine what federal laws and regulations apply to apps that collect and process health data. The updated version of the tool, which revises the initial release in 2016, aims to assist developers of mobile apps that will access, collect, share, use or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness or addiction.

Time 2 Minute Read

On November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill 696 into law (the “Act”), amending Pennsylvania’s breach notification law. 

Time 1 Minute Read

On September 27, 2022, California Governor Gavin Newsom signed into law a pair of bills designed to prevent medical information and other data held by California entities from being used in out-of-state abortion prosecutions. 

Time 3 Minute Read

On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).

Time 1 Minute Read

On July 21, 2022, the National Institute of Standards and Technology (“NIST”) released an updated draft of its HIPAA Security Rule guidance. The draft guidance, titled “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide” (NIST Special Publication 800-66, Revision 2), is designed to assist HIPAA regulated entities “maintain the confidentiality, integrity and availability of electronic protected health information (ePHI).” NIST issued the updated draft guidance to align it with other NIST cybersecurity guidance documents that have been published since the original HIPAA Security Rule guidance was issued in 2008.

Time 4 Minute Read

On July 11, 2022, the Federal Trade Commission’s Bureau of Consumer Protection issued a business alert on businesses’ handling of sensitive data, with a particular focus on location and health data. The alert describes the “opaque” marketplace in which consumers’ location and health  data is collected and exchanged amongst businesses and the concerns and risks associated with the processing of such information. The alert specifically focuses on the “potent combination” of location data and user-generated health and biometric data (e.g., through the use of wellness and fitness apps and the sharing of face and other biometric data for app/device authentication purposes). According to the alert, the combination of location and health data “creates a new frontier of potential harms to consumers.”

Time 2 Minute Read

On July 8, 2022, President Biden issued an Executive Order titled, “Protecting Access to Reproductive Health Care Services,” in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade. The Executive Order aims, in part, to “ [p]rotect[] the privacy of patients and their access to accurate information” regarding reproductive health care services. It directs the Department of Health and Human Services (“HHS”) and the Federal Trade Commission to take certain steps to address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data, and by digital surveillance related to reproductive health care services from fraudulent schemes or deceptive practices.

Time 4 Minute Read

On June 29, 2022, the U.S. Department of Health and Human Services (“HHS”) issued two guidance documents to “help protect patients seeking reproductive health care, as well as their providers” following the Supreme Court’s decision in Dobbs vs. Jackson Women’s Health Organization. These guidance documents address the legal protections for individuals’ protected health information (“PHI”) relating to abortion and other reproductive health care, as well as how individuals can protect their medical information on personal devices, menstruation tracking apps and other health-related apps.

Time 4 Minute Read

On June 13, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released guidance to help covered entities understand how they can use remote communication technologies for audio-only telehealth in compliance with the HIPAA Privacy and Security Rules (the “Guidance”). Specifically, the Guidance clarifies how audio-only telehealth can be conducted after OCR’s Notification of Enforcement Discretion for Telehealth (the “Telehealth Notification”), put in place during the COVID-19 pandemic, is no longer in effect.

Time 4 Minute Read

On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (“MDL-668”). The Vermont Insurance Data Security Law applies to “licensees”—those licensed, authorized to operate or registered, and those required to be licensed, authorized or registered, under Vermont insurance law, with few exceptions. The new law generally follows MDL-668’s provisions, adopting the model law’s broad definition of nonpublic information and requiring licensees to, in part, maintain a written information security program (“WISP”) and investigate cybersecurity incidents. Unlike other state laws based on MDL-668, however, the Vermont Insurance Data Security Law declines to establish separate cybersecurity event notification requirements for licensees.

Time 4 Minute Read

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.

Time 4 Minute Read

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

Time 3 Minute Read

On December 15, 2021, the New Jersey Acting Attorney General Andrew J. Bruck announced that its Division of Consumer Affairs had reached a $425,000 settlement with New Jersey-based providers of cancer care, Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively, “RCCA”), over alleged failures to adequately safeguard patient data.

Time 2 Minute Read

On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of the new Civil Cyber-Fraud Initiative. Led by the Department of Justice (“DOJ”) Civil Division’s Commercial Litigation Branch, Fraud Section, the initiative will seek to “utilize the False Claims Act (“FCA”) to pursue cybersecurity related fraud by government contractors and grant recipients.”

Time 2 Minute Read

On October 12, 2021, New Jersey Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs announced a settlement with Diamond Institute for Infertility and Menopause, LLC, over a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. The Division of Consumer Affairs alleged that the fertility clinic violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy and Security Rules by removing protected health information (“PHI”) safeguards.

Time 9 Minute Read

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.

Time 2 Minute Read

On September 30, 2021, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued guidance regarding when the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule applies to disclosures and requests for information about a person’s COVID-19 vaccination status.

Time 1 Minute Read

On October 1, 2021, Connecticut’s two new data security laws become effective. As we previously reported, the new laws modify Connecticut’s existing breach notification requirements and establish a safe harbor from certain Connecticut Superior Court assessed damages for businesses that create and maintain a written cybersecurity program.

Time 2 Minute Read

Connecticut recently passed two cybersecurity laws that will become effective on October 1, 2021. The newly passed laws modify Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written cybersecurity program that complies with applicable state or federal law or industry-recognized security frameworks.

Time 2 Minute Read

On May 25, 2021, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced that it had reached a settlement with Peachstate Health Management, LLC (“Peachstate”) for violations of the HIPAA Security Rule. As part of this settlement, Peachstate (dba AEON Clinical Laboratories) agreed to pay OCR $25,000 and to implement a robust corrective action plan.

Time 1 Minute Read

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently announced more settlements associated with its HIPAA Right of Access Initiative. The settlements with Village Plastic Surgery ("VPS") and The Arbour, Inc. (“Arbour”) resulted in combined civil monetary penalties of $95,000.

Time 3 Minute Read

The United States Court of Appeals for the Fifth Circuit recently vacated a $4.3 million civil monetary penalty imposed by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) in 2017 against the University of Texas M.D. Anderson Cancer Center (“MD Anderson”). The Court held that OCR’s civil monetary penalty for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and HIPAA Security Rule was “arbitrary, capricious, and otherwise unlawful.”

Time 2 Minute Read

On September 30, 2020, Anthem, Inc. (“Anthem”) entered into an assurance of voluntary compliance (the “Agreement”) with the attorneys general of 42 states and the District of Columbia to settle claims under state and federal law relating to Anthem’s 2015 data breach (the “Breach”).

Time 2 Minute Read

On September 21, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a $1.5 million settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.

Time 2 Minute Read

On September 15, 2020, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced five more settlements under its HIPAA Right of Access Initiative. The OCR announced its Right of Access Initiative in 2019, promising vigorous enforcement of HIPAA’s access rules. The five newly announced settlements bring OCR's total to seven completed enforcement actions under the Right of Access Initiative.

Time 3 Minute Read

UPDATE: On September 25, 2020, California Governor Gavin Newsom vetoed SB-980.

On August 31, 2020, the California Senate joined the Assembly in passing SB-980, as amended, a bill to establish the Genetic Information Privacy Act (the “Act”), which would require direct-to-consumer genetic testing companies to comply with certain privacy and data security provisions, including providing consumers with prescribed notice; obtaining consumers’ express consent regarding the collection, use and disclosure of genetic data; and enabling consumers to access and delete their genetic data. The bill is pending California Governor Gavin Newsom’s signature.

Time 5 Minute Read

On June 11, 2020, the California Senate amended AB-713 to the California Consumer Privacy Act of 2018 (“CCPA”). The Senate’s recent amendments impose new contractual obligations on the use or sale of de-identified information and modify the exemption from the CCPA for information used for public health purposes. The California Assembly had originally passed AB-713 in 2019 to (1) explicitly carve out from coverage by the CCPA information de-identified pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, and (2) expand the CCPA exemption for information used for research purposes. AB-713 is intended to “preserv[e] access to information needed to conduct important health-related research that will benefit Californians.” The revised version of AB-713 containing the Senate’s recent amendments has not yet passed either house of the California legislature.

Time 4 Minute Read

On April 9, 2020 the U.S. Senate Committee on Commerce, Science and Transportation held a “paper hearing” entitled Enlisting Big Data in the Fight Against Coronavirus. A “paper hearing” consists of the committee members submitting opening statements and witnesses submitting testimony, which were posted on the Committee’s website. Witnesses were required to submit answers to member questions last week.

Time 4 Minute Read

On March 26, 2020, Washington D.C. enacted bill number B23-0215, amending D.C.’s data breach notification law (the “Bill”). Among other requirements, the Bill requires the provision of identity theft prevention services in certain data breaches, establishes a new regulatory reporting requirement in the event of a cognizable data breach affecting 50 or more residents of D.C., and imposes certain data security requirements on covered businesses.

Time 4 Minute Read

On March 21, 2020, the data security provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect. The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

Time 6 Minute Read

The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued a Bulletin on sharing and protecting patients’ protected health information (“PHI”) in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) during the COVID-19 national emergency. The Bulletin emphasizes that the HIPAA Privacy Rule is still in effect during this national emergency, but that HIPAA-covered entities may use or disclose patients’ PHI when necessary to treat a patient, to protect the nation’s public health and for other critical purposes.

Time 2 Minute Read

The outbreak of COVID-19 has dramatically changed the economy and working landscape of the United States and many other countries across the world. Companies suddenly find themselves dealing with a host of privacy issues and questions about sharing information with employees, customers and others. In addition, transitioning to a remote workforce can create privacy and data security concerns.

Time 2 Minute Read

The District Court for the District of Columbia recently invalidated certain Department of Health and Human Services (“HHS”) rules regarding an individual’s access to their protected health information (“PHI”). The Court held that: (1) individuals can only direct their electronic PHI to third parties (and not hard copy PHI); and (2) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Omnibus Rule provisions regarding the caps on fees that HIPAA-covered entities may charge for such requests did not follow relevant administrative law procedures.

Time 2 Minute Read

On December 12, 2019, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. Under the terms of the settlement, Korunda Medical, LLC, agreed to pay $85,000 to settle a potential violation of HIPAA’s right of access.

Time 1 Minute Read

The U.S. Department of Education and the U.S. Department of Health and Human Services released joint guidance on the application of the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule to student records. This is the first update to the agencies’ guidance since it was issued in 2008. The 27-page document includes FAQs clarifying for schools, health care professionals and families how FERPA and HIPAA apply to student education and health records. The FAQs answer which rule ...

Time 3 Minute Read

On November 7, 2019, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced a $1.6 million civil penalty imposed against the Texas Health and Human Services Commission (“TX HHSC”), a state agency, for violations of HIPAA Privacy and Security Rules in connection with the unauthorized disclosure of electronic protected health information (“ePHI”). The ePHI breach – which exposed names, addresses, Social Security numbers, and treatment information of at least 6,617 individuals – was first reported to OCR on June 11, 2015, by Texas’s Department of Aging and Disability Services (“DADS”).

Time 4 Minute Read

On July 25, 2019, New York Governor Andrew Cuomo signed into law Senate Bill S5575B (the “Bill”), an amendment to New York’s breach notification law (the “Act”). The Bill expands the Act’s definition of “breach of the security of the system” and the types of information (i.e., “private information”) covered by the Act, and makes certain changes to the Act’s requirements for breach notification.

Time 3 Minute Read

On July 11, 2019, Washington Attorney General Bob Ferguson announced that his office had entered into a consent decree and $10 million settlement with Premera Blue Cross (“Premera”) that stems from a 2014-2015 breach that affected more than 11 million individuals. The settlement, which includes a payment of roughly $5.4 million to Washington state and $4.6 million to a coalition of 29 other state Attorneys General (the “Multistate AGs”), is one of the largest ever for a breach involving protected health information (“PHI”) and comes just one month after another notable HIPAA settlement involving a similar coalition of state AGs.

Time 3 Minute Read

Arizona Attorney General Mark Brnovich recently announced a settlement with healthcare software provider Medical Informatics Engineering Inc. (“MIE”) and its wholly owned subsidiary NoMoreClipboard, LLC. The settlement resolves a multistate litigation arising out of a May 2015 data breach in which hackers infiltrated WebChart, a web application run by MIE, and stole the electronic Protected Health Information (“ePHI”) of over 3.9 million individuals. Arizona and 15 other states (the “Multistate AGs”) filed the suit in December 2018, asserting claims under the federal Health Insurance Portability and Accountability (“HIPAA”) as well as various applicable state data protection laws. Notably, the lawsuit was the first-ever multistate litigation alleging claims under HIPAA.

Time 2 Minute Read

On May 24, 2019, Oregon Governor Kate Brown signed Senate Bill 684 (the “Bill”) into law. The Bill, which takes effect January 1, 2020, amends the Oregon Consumer Identity Theft Protection Act (“OCITPA”) by enhancing the breach notification requirements applicable to third-party vendors.

Time 2 Minute Read

On May 29, 2019, Nevada’s governor approved SB 220 (the “Amendment Bill”), which provides amendments to an existing law that requires operators of websites and online services (“Operators”) to post a notice on their website regarding their privacy practices. The Amendment Bill will require Operators to establish a designated request address through which a consumer may submit a verified request directing the Operator not to make any “sale” of covered information collected about the consumer. Pursuant to the Amendment Bill, Operators must respond to a verified opt-out request within 60 days of receipt.

Time 3 Minute Read

On May 6, 2019, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement and $3 million settlement with Touchstone Medical Imaging (“Touchstone”). The settlement is the first OCR HIPAA enforcement action in 2019, following an all-time record year of HIPAA enforcement in 2018.

Time 1 Minute Read

On April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights announced reductions in available penalties for three out of four tiers of privacy and security violations set forth in the HITECH Act, based on the severity of the violation. Previously, all four tiers of violation were subject to a maximum annual civil monetary penalty of $1.5 million. The revised regime provides for maximum civil penalties of $25,000 for the lowest tier of violation (i.e., unknowing violations), $100,000 for the second tier of violation (i.e., violations where ...

Time 4 Minute Read

As we move closer to implementation of the California Consumer Privacy Act of 2018 (“CCPA”), companies should consider how the new law could affect their operations in multiple ways – including, for example, data collected through their employee benefit plans.

Time 3 Minute Read

The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Councils Public Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.

Time 2 Minute Read

On October 30, 2018, ATA Consulting LLC (doing business as Best Medical Transcription) agreed to a $200,000 settlement with the New Jersey Attorney General resulting from a server misconfiguration that allowed private medical records to be posted publicly online. The fine was suspended to $31,000 based on the company’s financial condition. Read the settlement.

Time 3 Minute Read

Recently, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and record settlement of $16 million with Anthem, Inc. (“Anthem”) following Anthem’s 2015 data breach. That breach, affecting approximately 79 million individuals, was the largest breach of protected health information (“PHI”) in history.

Time 5 Minute Read

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes.

Time 2 Minute Read

In its most recent cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) provided guidance regarding identifying vulnerabilities and mitigating the associated risks of software used to process electronic protected health information (“ePHI”). The guidance, along with additional resources identified by OCR, are outlined below:

Time 1 Minute Read

The Department of Health and Human Services (“HHS”) recently published two advance notices of proposed rulemaking that address the accounting of disclosures and the potential distribution of civil monetary penalties to affected individuals.

Time 2 Minute Read

On February 13, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it entered into a resolution agreement with the receiver appointed to liquidate the assets of Filefax, Inc. (“Filefax”) in order to settle potential violations of HIPAA. Filefax offered medical record storage, maintenance and delivery services for covered entities, and had gone out of business during the course of OCR’s investigation. 

Time 3 Minute Read

On October 3, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement clarifying when protected health information (“PHI”) can be shared with family, friends and others. This announcement, prompted by the recent mass shooting in Las Vegas, outlines the purposes for which PHI can be disclosed to these parties pursuant to HIPAA and the conditions that apply, which are summarized below:

Time 3 Minute Read

On September 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement containing disaster preparedness and recovery guidance in advance of Hurricane Irma. The announcement follows a bulletin issued in late August during Hurricane Harvey that addressed how protected health information (“PHI”) can be shared during emergencies. Together, these communications underscore key privacy and security issues for entities covered by HIPAA to help them protect individuals’ health information before, during and after emergency situations.

Time 2 Minute Read

On July 25, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced the release of an updated web tool that highlights recent data breaches of health information.

Time 3 Minute Read

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Health Care Industry Cybersecurity Task Force (the “Task Force”) have published important materials addressing cybersecurity in the health care industry.

Time 2 Minute Read

On May 10, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a $2.4 million civil monetary penalty against Memorial Hermann Health System (“MHHS”) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. 

Time 5 Minute Read

On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including businesses, hospitals, utilities and government entities around the world.

Time 2 Minute Read

On April 24, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement with CardioNet, Inc. (“CardioNet”) stemming from gaps in policies and procedures uncovered after CardioNet reported breaches of unsecured electronic protected health information (“ePHI”). CardioNet provides patients with an ambulatory cardiac monitoring service, and the settlement is OCR’s first with a wireless health services provider.

Time 2 Minute Read

On April 12, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Metro Community Provider Network (“MCPN”) that stemmed from MCPN’s lack of a risk analysis and risk management plan that addressed risks and vulnerabilities to protected health information (“PHI”).

Time 2 Minute Read

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the two remaining states without such requirements. The Data Breach Notification Act (H.B. 15) goes into effect on June 16, 2017.

Time 2 Minute Read

On February 17, 2017, Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) agreed to pay $1.1 million as part of a settlement with the New Jersey Division of Consumer Affairs (the “Division”) regarding allegations that Horizon did not adequately protect the privacy of nearly 690,000 policyholders.

Time 3 Minute Read

On February 16, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Memorial Healthcare System (“Memorial”) that emphasized the importance of audit controls in preventing breaches of protected health information (“PHI”). The $5.5 million settlement with Memorial is the fourth enforcement action taken by OCR in 2017, and matches the largest civil monetary ever imposed against a single covered entity.

Time 3 Minute Read

On February 1, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a $3.2 million civil monetary penalty against Children’s Medical Center of Dallas (“Children’s”) for alleged ongoing violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules, following two consecutive breaches of patient electronic protected health information (“ePHI”). This is the third enforcement action taken by OCR in 2017, following the respective actions taken against MAPFRE Life Insurance of Puerto Rico and Presence Health earlier in January.

Time 2 Minute Read

On January 18, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) relating to a breach of protected health information (“PHI”) contained on a portable storage device. This is the second enforcement action taken by OCR in 2017, following the action taken against Presence Health earlier this month for failing to make timely breach notifications.

Time 3 Minute Read

On January 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Presence Health stemming from the entity’s failure to notify affected individuals, the media and OCR within 60 days of discovering a breach. This marks the first OCR settlement of 2017 and the first enforcement action relating to untimely breach reporting by a HIPAA covered entity.

Time 2 Minute Read

On November 22, 2016, the Department of Health and Human Services (“HHS”)  announced a $650,000 settlement with University of Massachusetts Amherst (“UMass”), resulting from alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. 

Time 2 Minute Read

On October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page Guide details steps businesses should take once they become aware of a potential breach. The Guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.

Time 2 Minute Read

Earlier this month, the Department of Health and Human Services’ Office for Civil Rights issued guidance (the “Guidance”) for HIPAA-covered entities that use cloud computing services involving electronic protected health information (“ePHI”).

Time 2 Minute Read

On September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.

Time 1 Minute Read

Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, recently spoke at Bloomberg Law’s Second Annual Big Law Business Summit. In Part 1 of the panel discussion, Lisa describes the dramatic changes in the legal landscape of privacy over the last 10 to 15 years, discussing the emergence of privacy laws such as “the Gramm-Leach-Bliley Act for the financial sector, HIPAA for the health care sector and…of course, the local implementation of the European Data Protection Directive.” She then continues to note an ...

Time 3 Minute Read

On August 4, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Advocate Health Care Network (“Advocate”), the largest health care system in Illinois, over alleged HIPAA violations. The $5.5 million settlement with Advocate is the largest settlement to date against a single covered entity.

Time 3 Minute Read

On July 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements with two large public health centers, Oregon Health & Science University (“OHSU”) and the University of Mississippi Medical Center (“UMMC”), over alleged HIPAA violations.

Time 3 Minute Read

On June 30, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”). This is the first enforcement action OCR has taken against a business associate since the HIPAA Omnibus Rule was enacted in 2013. The HIPAA Omnibus Rule made business associates directly liable for their violations of the HIPAA rules. The settlement with CHCS is also notable because it involved a breach that affected fewer than 500 individuals.

Time 1 Minute Read

Recently, Aegerion Pharmaceuticals announced that it will enter into several settlements and plead guilty to two misdemeanors in connection with alleged violations of HIPAA, drug marketing regulations and securities laws. The criminal charges stem from the company’s marketing of a cholesterol drug called Juxtapid. Aegerion allegedly failed to comply with risk evaluation and management strategies and marketed Juxtapid (which is labeled with a warning about liver toxicity) without proper directions for use. 

Time 5 Minute Read

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced resolution agreements with Raleigh Orthopaedic Clinic, P.A., (“Raleigh Orthopaedic”) and New York-Presbyterian Hospital (“NYP”) for HIPAA Privacy Rule violations.

Time 2 Minute Read

The Federal Trade Commission recently released an interactive tool for mobile health apps. The tool was developed in conjunction with several other federal agencies, including the Department of Health and Human Services’ Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration.

Time 4 Minute Read

On March 16, 2016, and March 17, 2016, respectively, the Department of Health and Human Services (“HHS”) announced resolution agreements with North Memorial Health Care of Minnesota (“North Memorial”) and The Feinstein Institute for Medical Research (“Feinstein Institute”) over potential violations of the HIPAA Privacy Rule.

Time 2 Minute Read

On March 21, 2016, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it has commenced Phase 2 of the HIPAA Audit Program. Phase 1 of the HIPAA Audit Program ran from 2011-2012 and produced several notable findings, including that two-thirds of covered entities had not performed a risk assessment as required by the HIPAA Security Rule.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page