Category

Health Privacy

04 August 2016

HHS Office for Civil Rights Updates Its Website with Guidance on HIPAA Audits and Unique Device Identifiers (UDIs)

HHS-OCR has updated its website with guidance on two important and current issues: ongoing HIPAA audits and deidentification.  After officially launching phase two of its audit program earlier this month, sending notification letters to 167 covered entities, HHS-OCR has posted updated guidance on its website regarding the audits.  Unrelated to the audits, OCR also posted guidance on the treatment of unique device identifiers (UDIs) under HIPAA’s standards for de-identification and limited data sets.

(more…)

EmailShare
07 July 2016

OCR Announces First HIPAA Settlement With a Business Associate

On June 24, 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) entered into a resolution agreement with the Department of Health and Human Services Office for Civil Rights (“OCR”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule after the theft of a CHCS mobile device compromised the protected health information (“PHI”) of 412 nursing home residents.  This is OCR’s first settlement with a HIPAA business associate.  As part of the settlement, CHCS agreed to enter into a two-year corrective action plan (“CAP”) and pay a monetary penalty of $650,000.

(more…)

EmailShare
09 June 2016

Robust Debate at NAIC Cybersecurity Task Force Interim Meeting Highlights Concerns with Draft Insurance Data Security Model Law

On May 24-25, 2016, the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) held a two-day interim meeting in Washington, D.C. to discuss the Task Force’s preliminary draft of a model law outlining data security standards applicable to insurance licensees.  The Draft Insurance Data Security Model Law (“the Draft Model Law”), first released for public comment on March 2, 2016, would apply to all licensed insurers, producers and other persons licensed or required to be licensed (or authorized or required to be authorized, or registered or required to be registered) pursuant to state insurance laws (“Insurance Licensees”).

(more…)

EmailShare
20 May 2016

Council Adopts EU-wide Cybersecurity Directive

On May 17, 2016, the European Council formally adopted the Network and Information Security Directive (the “NIS Directive“) at first reading. According to the Council press release, the NIS Directive is meant to increase cooperation among EU Member States on the vital issues of cybersecurity.

The NIS Directive was first proposed by the European Commission in 2013 as part of the EU’s Cyber Security Strategy. The formal adoption of the NIS Directive by the Council follows on from the political agreement reached in December 2015.  It must now be approved by the Parliament at second reading. The NIS Directive is expected to enter into force in August 2016, after which Member States will have 21 months to implement it into their national laws.

(more…)

EmailShare
15 February 2016

ALJ Upholds Civil Monetary Penalty Imposed by the Office for Civil Rights

On February 3, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that an HHS administrative law judge (ALJ) ordered Lincare, Inc., a home health provider of respiratory care, infusion therapy and medical equipment, to pay $239,800 in civil monetary penalties (CMPs) for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The violations were disclosing patient information to an unauthorized person, failing to take reasonable safeguards to protect patient information from unauthorized disclosure and failing to implement adequate policies and procedures to protect patient information removed from its offices. This marks only the second time that OCR has imposed CMPs for HIPAA violations.

(more…)

EmailShare
11 January 2016

Top Ten Data Protection and Privacy Issues to Watch in 2016

*This post originally appeared in Law360 on January 7, 2016.

While 2015 was a big year in data, 2016 may prove to be even bigger.  Many hot button and game changing topics are being debated in legislative bodies and campaign trails, regulators are focused, and privacy-related litigation continues to rise. Below, we count down the top ten cybersecurity, data protection and privacy issues to watch in 2016.

(more…)

EmailShare
07 January 2016

Patient Access and Medicare Protection Act

On December 28, 2015, President Obama signed into law S. 2425, the Patient Access and Medicare Protection Act (the “Act”).  In addition to provisions intended to ensure that Medicare reimbursement policies promote continued access to certain durable medical equipment, like wheelchair accessories, the Act includes provisions that affect adoption of Health Information Technology (“HIT”) and those that provide greater protection against medical identity theft.  Specifically, the Act recognizes various categories of hardship exceptions from meaningful use requirements for the 2015 reporting period and strengthens the penalties associated with medical identity theft.

(more…)

EmailShare
21 December 2015

Cybersecurity Act of 2015 Signed Into Law

On December 18, President Obama signed into law an omnibus spending package for 2016 that included the Cybersecurity Act of 2015 (known in former versions as the Cybersecurity Information Sharing Act). After years of debate, the Cybersecurity Act establishes a framework to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government and provides liability shields for cyberthreat information sharing, as well as for specific actions undertaken to defend or monitor corporate networks. The Cybersecurity Act also designates the Department of Homeland Security (DHS) to coordinate cyberthreat information sharing.

The Cybersecurity Act has important implications for cooperation among industry participants and with regulatory agencies in development of effective cybersecurity programs. Public-private cyberthreat information sharing is an important step to improve companies’ defenses and responses to the changing cyberthreat landscape. Though the Act is effective immediately, the attorney general and DHS secretary must release guidelines within 90 days.

(more…)

EmailShare
25 November 2015

Employee of Pharmaceutical Manufacturer Criminally Charged with Wrongful Disclosure of Patient Information for Marketing Purpose

On October 16, the United States Attorney’s Office for the District of Massachusetts filed a criminal information against a former Warner Chilcott district manager alleging that he had obtained and used patient protected health information (PHI) in violation of the criminal provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The information alleges that this criminal violation occurred in connection with a scheme to promote Warner Chilcott’s osteoporosis drug Atelvia. The charge against former employee Landon Eckles is significant because it appears to be the first time a criminal prosecution under HIPAA has been brought against an employee of a pharmaceutical manufacturer for an alleged HIPAA privacy violation. Eckles pleaded guilty to the charges on November 12.

(more…)

EmailShare
XSLT Plugin by BMI Calculator