Health Information Technology, Privacy and Security 2018 First Quarter Update

Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting guidance and events from the first quarter of 2018.

One Is the Loneliest Number: Alabama Becomes the Final State to Pass Data Breach Notification Law

On March 28, 2018, exactly one week after South Dakota enacted a data breach notification law, and a little over sixteen years since California became the first state to pass a data breach law, Alabama became the fiftieth and final state to pass a data breach notification law. Until recently, Alabama and South Dakota were the only states that did not have data breach notification laws.

Under Senate Bill 318, any person or business entity, including a government entity, that handles electronically stored “sensitive personally identifying information” regarding Alabama residents must comply with the new data breach notification law. The law is effective on June 1, 2018 (which is, incidentally, one month before the South Dakota law goes into effect).

South Dakota Officially the 49th State to Pass Data Breach Notification Law

On March 21, 2018, South Dakota became the forty-ninth state to enact a data breach notification law when Senate Bill 62 was signed by the governor. South Dakota’s breach notification law is effective July 1, 2018. In 2002, California became the first state to enact a data breach law, and since then, nearly every state has followed suit. Up until this point, the lone stragglers were South Dakota and Alabama (more on Alabama below).

Proposed Federal Cybersecurity Rules

The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19, 2016 for enhanced cybersecurity standards on large banks (those with total assets of $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third-party providers that service those entities. The Proposed Rules address five key areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

OCR Will Increase Focus on Smaller Breaches

Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, 2016, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting fewer than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities with breaches affecting fewer than 500 individuals. Previously, OCR’s Regional Offices focused their attention on investigating all reported breaches involving the PHI of 500 or more individuals.

TXT U L8R: Should Your Physician Be Texting Orders?

Many a health lawyer has been struggling with how to communicate the U-turn-laden road of whether hospitals should allow physicians to text orders. The bottom line is: NOT YET. One way to summarize The Joint Commission’s (TJC) position on texting orders is:

Up until 2011: “What is texting?”

2011: “No texting!”

May 2016: “You will be able to text—just hang on!”

Does Your Company Meet Privacy Shield Protection Criteria?

As of August 1, 2016, the US-EU Privacy Shield is up and running. Companies transferring personal data (e.g., employee data, customer data, etc.) from the EU to the U.S. can now register with the U.S. Department of Commerce, provided that they meet the requisite protection criteria. Registration under the Privacy Shield certifies that the transfer of the personal data does not run afoul of the EU rules, which generally prohibit the transfer of such personal data to the U.S.

EU Regulators Allow One-Year Test of Privacy Shield

The long-awaited US-EU Privacy Shield—the successor to the US-EU Safe Harbor, which was declared invalid—is set to kick in on August 1, 2016. (See our July 8 post for detail.) One of the reasons it took so long to put the Privacy Shield in place was the opposition it encountered from consumer groups and the data protection authorities of the EU member states (i.e., the Article 29 Working Party). The Article 29 Working Party called the Privacy Shield inadequate and not in conformity with EU law. This, of course, took a lot of luster off the Privacy Shield for companies involved in transatlantic business.

New, Stringent Cyber Supply Chain Standard Under Development

Just last week, the Federal Energy Regulatory Commission, or “FERC,” moved closer to regulating the supply chain management practices of energy companies that own and operate the physical assets that comprise the nation’s power grid. Specifically, on July 21, 2016, FERC directed the North American Electric Reliability Corporation, or “NERC,” to issue a new supply chain management standard that addresses risks to information systems and related bulk electric system assets.

New Guidance Released by OCR on Ransomware


In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in proactively preventing and efficiently responding to ransomware attacks. For example, the guidance addresses:

  • Implementing a security management process, including conducting a risk analysis and mitigating identified risks;
  • Implementing procedures to guard against and detect malicious software;
  • Training users on malicious software protection and reporting of malicious software detections;
  • Implementing access controls to limit access to ePHI; and
  • Maintaining an overall contingency plan.
