In response to the shifting legal landscape around reproductive health care, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) finalized amendments to the HIPAA Privacy Rule to strengthen privacy protections for highly sensitive protected health information (PHI) related (or potentially related) to reproductive health care. OCR announced the final rule … Continue Reading
On 5 June 2024, the Australian Information Commissioner commenced civil penalty proceedings in the Australian Federal Court against Medibank Private Limited (an Australian health insurance provider) in relation to an October 2022 data breach. On 25 October 2022, Medibank notified the Office of the Australian Information Commissioner (OAIC) of a data breach concerning sensitive personal … Continue Reading
Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security … Continue Reading
The US Department of Health and Human Services, Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration issued a Final Rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 C.F.R. Part 2 (Part 2), applicable to certain federally assisted SUD treatment programs (Part 2 Programs), and … Continue Reading
Nine years after its initial inception, Singapore’s data protection authority (Commission) published in September 2023 an updated set of advisory guidelines for the healthcare sector (Revised Guidelines). As with other advisory guidelines issued by the Commission, the Revised Guidelines are not intended to be legally binding, but will guide the interpretation and enforcement of Singapore’s … Continue Reading
Key Takeaway: Organizations must conduct a fact-based analysis to determine whether health data collection and tracking technology deployed on their websites and mobile apps complies with the federal Health Insurance Portability and Accountability Act (“HIPAA”) and other applicable laws and guidance. Cookies, web beacons, and similar technology are used to collect and analyze data about … Continue Reading
As we head into the fourth quarter, US businesses need to assess their progress in preparing for sweeping changes to the California Consumer Privacy Act (“CCPA”) that become effective January 1, 2023, and for compliance with four new state consumer privacy laws (in Colorado, Connecticut, Utah and Virginia) that become effective throughout 2023 (collectively, “2023 … Continue Reading
On November 23rd, a Squire Patton Boggs partner will lead a panel of industry thought leaders in a discussion of transcontinental health research and data issues. Topics to be explored include: What are the challenges that companies need to face in order to promote research with health data? What should evolve in the legal framework … Continue Reading
On June 1, an SPB Partner and other industry experts will co-present on the ABA Webinar: Got Data?: How the Health Data Rules are Changing. The program, organized by the American Bar Association (ABA), will address recent and upcoming developments impacting health data, including CMS and ONC final rules on information blocking and interoperability, HIPAA and guidance … Continue Reading
The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”). Under the terms of the settlement, the Clinic agreed to … Continue Reading
Last month the Substance Abuse and Mental Health Services Administration (“SAMHSA”) finalized amendments to the federal Confidentiality of Substance Use Disorder Patient Records regulation, 42 C.F.R. Part 2 (“Part 2”). The changes purport to better facilitate substance use disorder (“SUD”) care coordination and treatment by loosening technical consent requirements, clarifying permissible disclosures, and providing other … Continue Reading
On April 30, 2020, a Squire Patton Boggs Partner will co-present a complimentary webinar, Privacy Law, Coronavirus, and Post-Pandemic Best Practices. The program, organized by Bloomberg Law, will address recent HIPAA changes and temporary waivers, telehealth privacy and cyber considerations, and practical tips and recommendations to manage privacy and cyber risk during these challenging times. … Continue Reading
The Illinois Biometric Information Privacy Act (“BIPA”) went into effect in 2008 and has been a steady source of litigation ever since. BIPA regulates how “private entities” collect, use and share biometric data and imposes certain security requirements. The stated intent of BIPA was to address the heightened risk of identity theft associated with the processing … Continue Reading
A medical imaging company is paying for its flawed data security system. In addition to its system failures, the company failed to investigate and respond properly when alerted to problems by the FBI. As a result, the Office of Civil Rights imposed a $3 million penalty and required a corrective action plan. This is yet another … Continue Reading
In the face of the ongoing opioid crisis in the United States, the Office of the National Coordinator for Health Information Technology (“ONC”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”) recently released two fact sheets to clarify how the requirements of 42 CFR Part 2 apply in different provider contexts, including via … Continue Reading
In a May 22, 2018 Law360 Expert Analysis piece, Squire Patton Boggs partner Elliot Golding writes, “There is no shortage of attention on health care data privacy and cybersecurity, with an avalanche of new and proposed government and regulatory initiatives underway. Although health care has long been a key target for … Continue Reading
In a podcast interview with Healthcare InfoSecurity, Squire Patton Boggs Partner Elliot Golding addresses evolving healthcare privacy and security issues, particularly complex issues involving Internet of Things (IoT) devices. This includes addressing new risks when connected devices link to legacy systems, the applicable regulatory environment, and other key issues companies operating in the health care … Continue Reading
The United States Department of Health and Human Services (HHS) recently entered into a $750,000 resolution agreement with the University of Washington (UW) following an investigation. The investigation was prompted by UW reporting a breach of about 90,000 people’s personal health information (PHI) after an employee unknowingly downloaded malware from an email attachment. Similar … Continue Reading
Another month, another round of data breaches – seem like a familiar refrain when healthcare providers, health plans and their counsel think about cybersecurity? But what if instead we could get organized and manage this growing business risk in a more proactive manner? It sounds like a good idea, but for many counsel, who view … Continue Reading
News of the data breach suffered by Anthem continues to dominate the news (here, here, and here for example). And, further raising the stakes, class action lawsuits from individuals whose information has potentially been compromised are beginning to roll into courthouses across the country (California, Alabama, Indiana, Georgia, California (again), and California (again)). Because health care data is such a … Continue Reading
The widely reported data breach at Community Health Systems, Inc. (CHS) appears to have relied upon a “spear phish email” to launch the initial malware, according to a recent alert from the FBI. Experts engaged by CHS believe that the attacker is an “Advanced Persistent Threat.” The FBI alert provides tips for organizations to prevent … Continue Reading
September 22, 2014 is the deadline to have business associate and data use agreements updated to conform to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Omnibus Rule (the Omnibus Rule), which became effective September 23, 2013. The Omnibus Rule’s transition provisions protect eligible business associate agreements and data use agreements until … Continue Reading
Florida enacted a new data breach reporting law, the Florida Information Protection Act (“FIPA”), which will affect most, if not all, healthcare businesses. The law became effective the first of this month (July 1, 2014). The deadline for data breach reporting under FIPA is now 30 days, shortened from 45 days in the previous version … Continue Reading