As cyberattacks targeting the healthcare industry continue to escalate, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published its first-ever resolution agreement stemming from an incident involving malware, highlighting the importance of reviewing systems for unpatched and unsupported software that can leave patient information susceptible to malware and other … Continue Reading
As previously reported, an Indiana jury awarded $1.44 million to a Walgreens customer based on allegations that the customer’s pharmacist accessed, reviewed and shared the customer’s prescription history with others who then used the information to intimidate and harass the customer. The facts of the case involved a love triangle between the pharmacist, her husband … Continue Reading
In a decision released November 11, 2014, the Connecticut Supreme Court reversed the judgment of the trial court and held for the first time in Connecticut that (1) HIPAA does not preempt state common law claims for negligence or negligent infliction of emotional distress, and (2) HIPAA may provide the applicable standard of care. The … Continue Reading
Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services. In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act … Continue Reading
A company named SLC Security, LLC (“SLC”), recently announced that it will begin notifying individuals if it believes it has identified a security breach or vulnerability of a company and it has not received a satisfactory response from the company to which it reported the issue. On SLC’s blog, it claims it is providing “awareness … Continue Reading
On September 18, 2014, California Governor, Jerry Brown, signed Assembly Bill 1755 (“AB1755”) into law, amending breach notification provisions in the California Health and Safety Code applicable to licensed clinics, health facilities, home health agencies, and hospices. Under existing law, certain health care entities licensed by the California Department of Public Health (“CDPH”), including hospitals … Continue Reading
While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form. To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution … Continue Reading
As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR. But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief … Continue Reading
On May 7, 2014, the FTC hosted the latest seminar in their Spring Privacy Series to address the status of Consumer Generated and Controlled Health Data and relate results of recent FTC studies on the topic. Consumers are embracing new technologies, particularly in the fitness domain and are generating vast amounts of “health data” both … Continue Reading
On May 7, 2014, HHS OCR announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million dollars—the highest settlement amount to date. These resolution agreements make it clear that organizations must be able to propose steps to analyze security risks for ePHI as specified by HIPAA … Continue Reading
To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provides standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals. HITECH … Continue Reading
Sources and volumes of data are growing exponentially. Website clicks, social media, sensors, and card swipers are generating massive amounts of data every second. More and more enterprises are beginning to collect and utilize this Big Data for all kinds of purposes, including improved business intelligence, targeted marketing and fraud detection. With so much attention … Continue Reading
Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient … Continue Reading
Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries. The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading
The Washington Post recently published an article reminding individuals not to tweet or otherwise share information concerning their medical conditions on social media, warning that disclosing such information publicly “is akin to posting your address along with the dates you’ll be away on vacation.” Quoting Jennifer Trussell, who investigates medical identity theft on behalf of … Continue Reading
On January 7, 2014, the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) for the purpose of modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities … Continue Reading
Authors: Lynn Sessions, Kimberly Wong, Cory Fox and Anne Foster. On January 25, 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the long-awaited HIPAA Omnibus Final Rule (Final Rule), which includes the most sweeping changes to HIPAA since the Privacy and Security Rules were released. Under the … Continue Reading
Throughout 2013, HHS OCR has stated that covered entities of all sizes need to give priority to securing ePHI. In addition, HHS OCR has recommended that covered entities identify and mitigate risks before an incident occurs. HHS OCR’s enforcement activity during 2013 has focused on covered entities large and small. To end 2013, HHS OCR … Continue Reading
On September 25, 2013, the Northern District Court of Florida, Tallahassee Division, ruled that Florida Statute § 766.1065 violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) by requiring a plaintiff in a medical malpractice action to deliver a presuit authorization which allows the defending medical professionals to conduct ex parte interviews of … Continue Reading
Under the Privacy Rule, an individual has the right to adequate notice of how a covered entity may use and disclose PHI about the individual, as well as his/her rights and the covered entity’s obligations with respect to that information. Thus, a covered entity must develop and provide to individuals with a Notice of Privacy … Continue Reading
North Dakota has amended its Notice of Security Breach for Personal Information statute, North Dakota Century Code Section 51-30 et seq., to expand the definition of “personal information” to include “medical information” and health insurance information.” Pursuant to the amended statute, “medical information” includes any information regarding an individual’s medical history, mental or physical condition, … Continue Reading
The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013. Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. The resolution agreement relates … Continue Reading
Although HIPAA does not create a private cause of action, a recent Indiana Superior Court jury verdict indicates that HIPAA could still play an important role in private causes of action in state court based on negligence and professional liability as it relates to confidentiality. On July 26, a jury in Marion County, Indiana awarded … Continue Reading
In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company. The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online … Continue Reading