As Health Law Pulse posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs. The proposed bill overlaps with the Health Insurance Portability and …
Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in …
The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in …
On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised …
The use of technology in the health sector is on the rise. The intersection of these two industries leads to interesting legal questions relating to digital risk, including big data analytics, data security and privacy. In his budget speech on 10 May 2016, Minister Aaron Motsoaledi discussed the following interesting medical technology initiatives being undertaken …
On February 8, 2016, the U.S. Food and Drug Administration (FDA) issued a Product Problem Report concerning the following device: Merge Hemo Programmable Diagnostic Computer, manufactured by Merge Healthcare. The Merge Hemo device monitors, measures and records physiological data from patients undergoing cardiac catheterization procedures and transfers this data to a monitoring station that runs …
In a timely note, the March 2016 edition of the Medical Devices Safety Update, put out by the Australian Therapeutic Goods Administration, highlights medical device cyber security as a key issue. Interestingly, this comes shortly after the release by the FDA of its draft guidance in relation to “Post Market Management of Cyber Security in …
Last week, the Hollywood Presbyterian Medical Center was able to successfully negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is not designed or intended to steal personal or confidential information. Rather, ransomware is …
On January 15, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” outlining recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The FDA stresses that an effective cybersecurity risk management program should address potential cybersecurity risks throughout the product’s …
The University of Washington Medicine (“UWM”) has agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule for US$ 750,000, following a breach report first submitted by UWM on November 27, 2013. In addition to settlement, UWM has entered into a Resolution Agreement with the United …
Norton Rose Fulbright’s Data Privacy co-chairs authored a blog post that reported on the recent Anthem breach and the consequential cybersecurity risks for its customers. See Anthem breach posts significant cybersecurity risks for Anthem’s customers; may trigger legal obligations, Data Protection Report, February 8, 2015. The data breach, which affected about 80 million current and former …
On June 11, 2014, the US Department of Health and Human Services (“HHS”) issued two reports to Congress addressing Health Information Accountability and Portability Act of 1996 (“HIPAA”) compliance activities for calendar years 2011 and 2012. The first report, relating to breaches of unsecured HIPAA-protected health information, describes the types and numbers of breaches reported …
On May 7th, two New York hospitals agreed to pay the Department of Health and Human Services (“HHS”) $4.8 million to settle claims that the hospitals had failed to secure patients’ electronic protected health information, in violation of the Health Insurance Portability and Accountability Act (“HIPAA”). Specifically, Columbia University Medical Center paid $1.5 million …
On April 22, 2014, the US Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announced that it had reached settlement agreements with two organizations alleged to have violated the Health Information Portability and Accountability Act of 1996 (“HIPAA”) in conjunction with the theft of unencrypted computers. HHS conducted a review of …
With many Australian organisations still coming to grips with recent changes to their privacy laws, legislation to mandate notification of privacy breaches is back on the agenda. Amongst other aspects, the recent changes introduced significant fines and increased the scope for liability if personal information is exported. This has forced organisations to review their privacy …
In a report released on February 26th, the federal government stated that its Health Care Fraud and Abuse Control Program (“HCFAC”), established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recovered $4.3 billion during FY 2013. This amount includes more than $2.6 billion from healthcare fraud settlements and judgments and is the …