Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in …
The Department of Health and Human Services and its Office for Civil Rights (OCR) are capping off a very active 2016. In the last six months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in …
On July 26, 2016, the FDA issued draft guidance to help clarify the form and content requirements of the Unique Device Identifier (UDI). Industry groups have 60 days to comment on the draft guidance. Background The UDI final rule, which established the UDI system, was published on September 24, 2013. The rule aims to develop …
On July 11, 2016, the HHS Office for Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised …
The use of technology in the health sector is on the rise. The intersection of these two industries raises interesting legal questions relating to digital risk, including big data analytics, data security and privacy. In his budget speech on 10 May 2016, Minister Aaron Motsoaledi discussed the following interesting medical technology initiatives being undertaken …
On February 8, 2016, the U.S. Food and Drug Administration (FDA) issued a Product Problem Report concerning the following device: Merge Hemo Programmable Diagnostic Computer, manufactured by Merge Healthcare. The Merge Hemo device monitors, measures and records physiological data from patients undergoing cardiac catheterization procedures and transfers this data to a monitoring station that runs …
Increasing concerns about data integrity in the pharmaceutical industry have prompted the U.S. Food and Drug Administration (“FDA”) to release Draft Guidance addressing the issue as it relates to current good manufacturing practices (cGMP) for pharmaceutical companies. The Draft Guidance – titled Data Integrity and Compliance with CGMP, Guidance for Industry – is framed a …
In the fall of 2015, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) released an online resource to assist mobile health application developers in determining whether they need to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). This week, the Federal Trade Commission (“FTC”) announced a new web-based tool …
Last week, the Hollywood Presbyterian Medical Center successfully negotiated the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is typically not designed or intended to steal personal or confidential information. Rather, ransomware is …
On January 15, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” outlining recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The FDA stresses that an effective cybersecurity risk management program should address potential cybersecurity risks throughout the product’s …
The University of Washington Medicine (“UWM”) has agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule for US$750,000, following a breach report first submitted by UWM on November 27, 2013. In addition to the settlement, UWM has entered into a Resolution Agreement with the United …
Norton Rose Fulbright’s Data Privacy co-chairs authored a blog post that reported on the recent Anthem breach and the resulting cybersecurity risks for its customers. See Anthem breach posts significant cybersecurity risks for Anthem’s customers; may trigger legal obligations, Data Protection Report, February 8, 2015. The data breach, which affected about 80 million current and former …
On June 11, 2014, the US Department of Health and Human Services (“HHS”) issued two reports to Congress addressing Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) compliance activities for calendar years 2011 and 2012. The first report, relating to breaches of unsecured HIPAA-protected health information, describes the types and numbers of breaches reported …
On May 7th, two New York hospitals agreed to pay the Department of Health and Human Services (“HHS”) $4.8 million to settle claims that the hospitals had failed to secure patients’ electronic protected health information, in violation of the Health Insurance Portability and Accountability Act (“HIPAA”). Specifically, Columbia University Medical Center paid $1.5 million …
On April 22, 2014, the US Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had reached settlement agreements with two organizations alleged to have violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) in conjunction with the theft of unencrypted computers. HHS conducted a review of …
With many Australian organisations still coming to grips with recent changes to their privacy laws, legislation to mandate notification of privacy breaches is back on the agenda. Among other things, the recent changes introduced significant fines and increased the scope for liability where personal information is sent offshore. This has forced organisations to review their privacy …
In a report released on February 26th, the federal government stated that its Health Care Fraud and Abuse Control Program (“HCFAC”), established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recovered $4.3 billion during FY 2013. This amount includes more than $2.6 billion from healthcare fraud settlements and judgments and is the …
During a US House of Representatives Science Committee hearing last week, cybersecurity researchers testified that the Affordable Care Act’s healthcare website, HealthCare.gov, is still susceptible to security issues that could put patients’ sensitive health information at risk. David Kennedy, president and CEO of information security firm TrustedSec, LLC, is one of the individuals who testified …