In response to the shifting legal landscape around reproductive health care, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) finalized amendments to the HIPAA Privacy Rule to strengthen privacy protections for highly sensitive protected health information (PHI) related (or potentially related) to reproductive health care. OCR announced the final rule … Continue Reading
The US Department of Health and Human Services, Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration issued a Final Rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 C.F.R. Part 2 (Part 2), applicable to certain federally assisted SUD treatment programs (Part 2 Programs), and … Continue Reading
On May 8, 2023, Governor Ron DeSantis of Florida signed CS/CS/SB 264, amending a suite of Florida statutes to impose heightened requirements on business activities involving foreign interests. As related to the health care industry, CS/CS/SB 264 amended the Florida Electronic Health Records Exchange Act (“Act”) to, among other things, require “health care providers” that … Continue Reading
Key Takeaway: Organizations must conduct a fact-based analysis to determine whether health data collection and tracking technology deployed on their websites and mobile apps complies with the federal Health Insurance Portability and Accountability Act (“HIPAA”) and other applicable laws and guidance. Cookies, web beacons, and similar technology are used to collect and analyze data about … Continue Reading
On June 1, an SPB Partner and other industry experts will co-present on the ABA Webinar: Got Data?: How the Health Data Rules are Changing. The program, organized by the American Bar Association (ABA), will address recent and upcoming developments impacting health data, including CMS and ONC final rules on information blocking and interoperability, HIPAA and guidance … Continue Reading
In a dramatic rebuttal of how the Department of Health and Human Services Office of Civil Rights (“OCR”) has historically enforced HIPAA with potential far-ranging consequences, the Fifth Circuit Court of Appeals recently handed down a landmark decision criticizing and restricting how OCR interprets HIPAA and OCR’s penalty authority. OCR brought an enforcement action against … Continue Reading
The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”). Under the terms of the settlement, the Clinic agreed to … Continue Reading
On April 30, 2020, a Squire Patton Boggs Partner will co-present a complimentary webinar, Privacy Law, Coronavirus, and Post-Pandemic Best Practices. The program, organized by Bloomberg Law, will address recent HIPAA changes and temporary waivers, telehealth privacy and cyber considerations, and practical tips and recommendations to manage privacy and cyber risk during these challenging times. … Continue Reading
On March 17, 2020, in response to the national COVID-19 public health emergency, divisions of the Department of Health and Human Services (HHS) outlined a series of policy changes regarding telehealth services. In an effort meant to expand the capacity of the healthcare system and protect seniors who are the most vulnerable to COVID-19, the … Continue Reading
The Sixth Circuit has joined other circuits in unanimously holding that HIPAA creates no private right of action. That was the easy part. The panel divided 2-1 in ruling that a Tennessee statute likewise provides no remedy for patients allegedly overcharged by Ciox, a medical-records company. But Faber v. Ciox Health wasn’t a complete blowout: the court … Continue Reading
A medical imaging company is paying for its flawed data security system. In addition to its system failures, the company failed to investigate and respond properly when alerted to problems by the FBI. As a result, the Office of Civil Rights imposed a $3 million penalty and required a corrective action plan. This is yet another … Continue Reading
For the second time in as many years, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into settlement agreements with and levied hefty fines on three hospitals that allegedly impermissibly disclosed patients’ protected health information to ABC News in the course of filming a television network documentary series. OCR announced … Continue Reading
Let’s hope you don’t pay that much to encrypt electronic Protected Health Information (ePHI). How about a total of $4.3 million over two years? Well, that’s the total penalty for encryption violations assessed by Health and Human Services (HHS). An Administrative Law Judge found the penalty could have been much worse. The facts are sobering. … Continue Reading
In a podcast interview with Healthcare InfoSecurity, Squire Patton Boggs Partner Elliot Golding addresses evolving healthcare privacy and security issues, particularly complex issues involving Internet of Things (IoT) devices. This includes addressing new risks when connected devices link to legacy systems, the applicable regulatory environment, and other key issues companies operating in the health care … Continue Reading
A recent blog post summarized Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York that may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at … Continue Reading
As part of its ongoing implementation of the 21st Century Cures Act (Public Law 114-255), the Department of Health and Human Services last month released a number of new HIPAA guidance tools, including additional information about research uses and disclosures. The research guidance contains helpful tips for covered entities regarding authorizations, revocations, and “reviews preparatory … Continue Reading
The Department of Health and Human Services Office of Civil Rights (HHS OCR) recently settled with a notable covered entity – a nonprofit Federally Qualified Community Health Center (FQHC) – over alleged Health Information Portability and Accountability Act (HIPAA) Privacy and Security Rule violations. With the FQHC agreeing to pay $400,000 to HHS and entering … Continue Reading
On March 30, 2016, the US Department of Justice (DOJ) announced that healthcare providers who serve the elderly in the following 10 states will have task forces looking over their shoulders: California, Georgia, Kansas, Kentucky, Iowa, Maryland, Ohio, Pennsylvania, Tennessee and Washington. Known as the Elder Justice Task Forces (Task Forces), these partnerships combine the … Continue Reading
HHS recently agreed to a $3.5 million resolution with business associates and covered entities for numerous violations of the Privacy, Breach Notification, and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA). Triple S, as the parties are collectively known, seemed to miss the regulatory ball in a few ways, like protected health … Continue Reading
News of the data breach suffered by Anthem continues to dominate the news (here, here, and here for example). And, further raising the stakes, class action lawsuits from individuals whose information has potentially been compromised are beginning to roll into courthouses across the country (California, Alabama, Indiana, Georgia, California (again), and California (again)). Because health care data is such a … Continue Reading
The widely reported data breach at Community Health Systems, Inc. (CHS) appears to have relied upon a “spear phish email” to launch the initial malware, according to a recent alert from the FBI. Experts engaged by CHS believe that the attacker is an “Advanced Persistent Threat.” The FBI alert provides tips for organizations to prevent … Continue Reading
September 22, 2014 is the deadline to have business associate and data use agreements updated to conform to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Omnibus Rule (the Omnibus Rule), which became effective September 23, 2013. The Omnibus Rule’s transition provisions protect eligible business associate agreements and data use agreements until … Continue Reading