Tag archives: data privacy

OCR proposes to share HIPAA data breach settlements with victims

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims. The notice would solicit public opinion on creating a process for sharing a percentage of any penalty or settlement with those harmed … Continue reading

South Dakota and Colorado strengthen data breach protections

Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in … Continue reading

Your money or your PHI: New guidance on ransomware

On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised … Continue reading

Medical technology initiatives announced in Health Minister’s budget speech

The use of technology in the health sector is on the rise. The intersection of these two industries leads to interesting legal questions relating to digital risk, including big data analytics, data security and privacy. In his budget speech on 10 May 2016, Minister Aaron Motsoaledi discussed the following interesting medical technology initiatives being undertaken … Continue reading

FDA warns of potential link between antimalware and medical device failure

On February 8, 2016, the U.S. Food and Drug Administration (FDA) issued a Product Problem Report concerning the following device: Merge Hemo Programmable Diagnostic Computer, manufactured by Merge Healthcare. The Merge Hemo device monitors, measures and records physiological data from patients undergoing cardiac catheterization procedures and transfers this data to a monitoring station that runs … Continue reading

Australian TGA on cyber security

In a timely note, the March 2016 edition of the Medical Devices Safety Update, put out by the Australian Therapeutic Goods Administration, highlights medical device cyber security as a key issue. Interestingly, this comes shortly after the release by the FDA of its draft guidance in relation to “Post Market Management of Cyber Security in … Continue reading

Ransomware incident response – prevention, readiness and strategy

Last week, the Hollywood Presbyterian Medical Center was able to successfully negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is not designed or intended to steal personal or confidential information. Rather, ransomware is … Continue reading

FDA builds on postmarket cybersecurity measures for medical devices

On January 15, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” outlining recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The FDA stresses that an effective cybersecurity risk management program should address potential cybersecurity risks throughout the product’s … Continue reading

HHS modifies HIPAA rules to facilitate criminal background check reporting

On January 6, 2015, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS) issued a final rule modifying certain provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The modifications grant to certain covered entities a narrowly tailored permission to disclose limited … Continue reading

Anthem breach may trigger legal obligations for organizations that use Anthem to provide or support employee health insurance plans

Norton Rose Fulbright’s Data Privacy co-chairs authored a blog post that reported on the recent Anthem breach and the consequential cybersecurity risks for its customers. See Anthem breach posts significant cybersecurity risks for Anthem’s customers; may trigger legal obligations, Data Protection Report, February 8, 2015. The data breach, which affected about 80 million current and former … Continue reading

Bill would increase usefulness of Medicare data

Recent bipartisan legislation introduced into the US House of Representatives by House Budget Committee Chairman Paul Ryan (R-Wis) and Representative Ron Kind (D-Wis) entitled “Expanding the Availability of Medicare Data Act” (H.R. 4418) would expand the availability of Medicare claims data that is available to qualified entities under the Centers for Medicare and Medicaid Services’ … Continue reading

Two HIPAA settlement agreements illustrate need for encryption

On April 22, 2014, the US Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announced that it had reached settlement agreements with two organizations alleged to have violated the Health Information Portability and Accountability Act of 1996 (“HIPAA”) in conjunction with the theft of unencrypted computers. HHS conducted a review of … Continue reading

Privacy – Mandatory breach notification coming to Australia

With many Australian organisations still coming to grips with recent changes to their privacy laws, legislation to mandate notification of privacy breaches is back on the agenda. Amongst other aspects, the recent changes introduced significant fines and increased the scope for liability if personal information is exported. This has forced organisations to review their privacy … Continue reading