On February 3, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that an HHS administrative law judge (ALJ) ordered Lincare, Inc., a home health provider of respiratory care, infusion therapy and medical equipment, to pay $239,800 in civil monetary penalties (CMPs) for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The violations were disclosing patient information to an unauthorized person, failing to take reasonable safeguards to protect patient information from unauthorized disclosure and failing to implement adequate policies and procedures to protect patient information removed from its offices. This marks only the second time that OCR has imposed CMPs for HIPAA violations.
*This post originally appeared in Law360 on January 7, 2016.
While 2015 was a big year in data, 2016 may prove to be even bigger. Many hot button and game changing topics are being debated in legislative bodies and campaign trails, regulators are focused, and privacy-related litigation continues to rise. Below, we count down the top ten cybersecurity, data protection and privacy issues to watch in 2016.
On December 28, 2015, President Obama signed into law S. 2425, the Patient Access and Medicare Protection Act (the “Act”). In addition to provisions intended to ensure that Medicare reimbursement policies promote continued access to certain durable medical equipment, like wheelchair accessories, the Act includes provisions that affect adoption of Health Information Technology (“HIT”) and those that provide greater protection against medical identity theft. Specifically, the Act recognizes various categories of hardship exceptions from meaningful use requirements for the 2015 reporting period and strengthens the penalties associated with medical identity theft.
On December 18, President Obama signed into law an omnibus spending package for 2016 that included the Cybersecurity Act of 2015 (known in former versions as the Cybersecurity Information Sharing Act). After years of debate, the Cybersecurity Act establishes a framework to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government and provides liability shields for cyberthreat information sharing, as well as for specific actions undertaken to defend or monitor corporate networks. The Cybersecurity Act also designates the Department of Homeland Security (DHS) to coordinate cyberthreat information sharing.
The Cybersecurity Act has important implications for cooperation among industry participants and with regulatory agencies in development of effective cybersecurity programs. Public-private cyberthreat information sharing is an important step to improve companies’ defenses and responses to the changing cyberthreat landscape. Though the Act is effective immediately, the attorney general and DHS secretary must release guidelines within 90 days.
On October 16, the United States Attorney’s Office for the District of Massachusetts filed a criminal information against a former Warner Chilcott district manager alleging that he had obtained and used patient protected health information (PHI) in violation of the criminal provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The information alleges that this criminal violation occurred in connection with a scheme to promote Warner Chilcott’s osteoporosis drug Atelvia. The charge against former employee Landon Eckles is significant because it appears to be the first time a criminal prosecution under HIPAA has been brought against an employee of a pharmaceutical manufacturer for an alleged HIPAA privacy violation. Eckles pleaded guilty to the charges on November 12.
On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”), with bi-partisan support. Although some raised privacy concerns, CISA received backing from the Administration and support from many industry participants. The Senate bill must be reconciled with similar bills in the House (H.R. 1560 and H.R. 1731) before a conference version is produced. This process may be contentious as privacy advocates seek to strengthen protections for personal information, and Senator Richard Burr, Chairman of the Senate Intelligence Committee and co-sponsor of CISA, indicated that the conferencing process is unlikely to produce a resolution before January 2016.
On Monday, October 5, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an online platform for mobile health developers and others interested in the intersection of information technology and health information privacy and security. Interested parties can submit questions and comments on issues related to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Practising Legal Institute has published “Cybersecurity: A Practical Guide to the Law of Cyber Risk,” a treatise edited by Ed McNicholas and Vivek Mohan of Sidley Austin LLP. This “Sidley on Cybersecurity” treatise sets out in a clear and readable manner the complex legal framework for cybersecurity in the United States. We hope that it will be a practical legal guide for in-house attorneys, IT leaders, senior executives, and corporate directors concerned about cybersecurity risk.
The White House is soliciting public comments on its Proposed Privacy and Trust Principles (the Proposed Principles) for the Precision Medicine Initiative (PMI). PMI is a federal initiative to support research, technology and policies that enable the development of individualized treatments, and is backed by a $215 million investment under President Obama’s 2016 Budget.