The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the U.K.’s National Cyber Security Centre issued a joint alert on Tuesday that advanced persistent threat groups “are actively targeting organizations involved in both national and international COVID-19 responses.” This warning should be heeded by hospitals, health systems, pharmaceutical companies, and academic medical … Continue reading
The United States Senate has passed a $2 trillion phase three emergency package, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The Senate approved the CARES Act on a unanimous vote of 96-0, with three Senators in self-quarantine and another returning home out of an abundance of caution. The CARES Act, assuming it … Continue reading
“The Republican Party will soon be the party of health care. You watch.” -President Donald J. Trump, March 23, 2019
Opening with the above quote from President Trump, the Republican Study Committee (RSC) released the first part of its healthcare plan entitled: A Framework for Personalized, Affordable Care. An accompanying press release from the RSC … Continue reading
Anthem Inc. has agreed to a US$115 million settlement to resolve a class action lawsuit relating to a 2015 cyberattack that compromised data on 79 million individuals. Anthem has denied any wrongdoing. In February of 2015, Anthem reported that hackers stole personally identifiable information from millions of current and former customers, including names, addresses, social … Continue reading
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims. The notice would solicit public opinion on creating a process for sharing a percentage of any penalty or settlement with those harmed … Continue reading
On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017. The Cybersecurity Framework aims to focus on industries vital to national and economic security, including energy, banking, … Continue reading
On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on the Federal Communications Commission (FCC) omnibus order of 2015, relating to challenges to the FCC’s determination on healthcare calls and three other rulings relating to cell phones. The appellate court upheld an exception for certain “emergency” … Continue reading
Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the … Continue reading
As Health Law Pulse posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs. The proposed bill overlaps with the Health Insurance Portability and … Continue reading
On January 16, 2018, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy. (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: … Continue reading
This week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January 2018 newsletter focusing on “cyber extortion.” Cyber extortion often involves an attacker gaining access to an organization’s computer system, stealing sensitive information, and threatening to publish the information. Healthcare and public health organizations are often the … Continue reading
Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in … Continue reading
Pursuant to President Donald J. Trump’s October 12, 2017 Executive Order instructing the U.S. Department of Labor (DOL) to consider expanding access to association health plans (AHP), the DOL published a proposed rule on January 5, 2018 that would modify ERISA regulations to increase the availability of AHPs. Association health plans have been defined as … Continue reading
The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in … Continue reading
On July 26, 2016, the FDA issued draft guidance to help clarify the form and content requirements of the Unique Device Identifier (UDI). Industry groups have 60 days to comment on the draft guidance. Background: The UDI final rule, which established the UDI system, was published on September 24, 2013. The rule aims to develop … Continue reading
On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised … Continue reading
In the fall of 2015, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) released an online resource to assist mobile health application developers in determining whether they need to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). This week, the Federal Trade Commission (“FTC”) announced a new web-based tool … Continue reading
The HHS Office for Civil Rights (OCR) announced on Monday that it has launched the long-awaited Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program. The purpose of the Audit Program is to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security and Breach Notification Rules. The … Continue reading
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently published two guidance documents to aid organizations in complying with HIPAA. The Crosswalk: The HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (the “Crosswalk”), developed in connection with the National Institute of Standards and Technology (“NIST”) and the Office of the … Continue reading
On January 6, 2015, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS) issued a final rule modifying certain provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The modifications grant to certain covered entities a narrowly tailored permission to disclose limited … Continue reading
The University of Washington Medicine (“UWM”) has agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule for US$750,000, following a breach report first submitted by UWM on November 27, 2013. In addition to settlement, UWM has entered into a Resolution Agreement with the United … Continue reading
On October 5, 2015, the HHS Office of Civil Rights (OCR) unveiled a new resource to provide mobile health (mHealth) developers guidance on complying with Health Information Portability and Accountability Act (HIPAA) requirements applicable to those organizations. The portal permits developers to submit questions and offer comments on existing OCR guidance regarding how mobile medical … Continue reading
On June 11, 2014, the US Department of Health and Human Services (“HHS”) issued two reports to Congress addressing Health Information Accountability and Portability Act of 1996 (“HIPAA”) compliance activities for calendar years 2011 and 2012. The first report, relating to breaches of unsecured HIPAA-protected health information, describes the types and numbers of breaches reported … Continue reading
On May 7th, two New York hospitals agreed to pay the Department of Health and Human Services (“HHS”) $4.8 million to settle claims that the hospitals had failed to secure patients’ electronic protected health information, in violation of the Health Insurance Portability and Accountability Act (“HIPAA”). Specifically, Columbia University Medical Center paid $1.5 million … Continue reading