Category Archives: Health Care

Subscribe to Health Care RSS Feed

“So, don’t ask me no questions and I won’t tell you no lies:” Physician Receives Criminal Conviction for HIPAA Violations and Obstructing a Criminal Health Care Investigation  

On April 30, 2018 a Massachusetts physician was convicted by a federal jury for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and obstructing a criminal health care investigation after impermissibly disclosing protected health information and lying to federal agents during a criminal health care investigation.… Continue Reading

Health Information Technology, Privacy and Security 2018 First Quarter Update

Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting … Continue Reading

TXT U L8R: Should Your Physician Be Texting Orders?

Many a health lawyer has been struggling with how to communicate the U-turn-laden road of whether hospitals should allow physicians to text orders. The bottom line is: NOT YET. One way to summarize the The Joint Commission’s (TJC) position on texting orders is: Up until 2011: “What is texting?” 2011: “No texting!” May 2016: “You … Continue Reading

New Guidance Released by OCR on Ransomware

In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in … Continue Reading

OCR Provides Educational Tools about Individuals’ Rights to their Health Information Under HIPAA

Covered entities and business associates should expect an increased number of individuals asking about their rights to access their health information given several consumer-friendly tools recently released by the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), and the HHS Office of the National Coordinator for Health IT (ONC). After … Continue Reading

Managing Business Associate Security Incidents: OCR Cyber-Awareness Update

The Department of Health and Human Services Office for Civil Rights (OCR) sent out an email on May 3, 2016 providing the OCR Cyber-Awareness April Monthly Update. This update addresses the fact that, according to OCR, covered entities often believe business associates will not notify them of a breach or cyber attack, and that it … Continue Reading

BREAKING: Data Breach Covered Under Traditional Policy, 4th Circuit Says

Insurance coverage for data breach incidents is a hot topic in the insurance world. Nowhere is it hotter than in the area of newly created specialty cyber policies designed specifically to cover such incidents—what do these policies cover, when should they be purchased and how much coverage should be obtained are questions we routinely encounter. … Continue Reading

Hospitals Experience an Alarming Rise in Ransomware Attacks This Year

Since we last updated our blog about ransomware attacks on hospitals in February, many additional health care entities have been publicly recognized as victims of similar attacks. Some of the ransomware programs involved in these incidents came through spam email or phishing campaigns, often disguised as invoices or other documents. Once the document was opened, … Continue Reading

OCR Launches Phase Two of HIPAA Audits

On Monday, March 21, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) formally announced the launch of the long-awaited and much anticipated Phase Two HIPAA compliance audits. Phase One of these audits was conducted as a pilot program in 2011 and 2012 on 115 covered entities. The Phase Two … Continue Reading

California Attorney General Endorses the Center for Internet Security’s (CIS) Critical Security Controls as the “Minimum Level” of “Reasonable Security” Measures

In mid-February, the California Attorney General Kamala D. Harris released a Data Breach Report1 analyzing the 657 data breaches that have been reported to her office since 2012. That was the year California began requiring businesses and government agencies to notify the Attorney General’s Office of breaches affecting more than 500 California residents. In addition … Continue Reading

Hospital’s Network Held Hostage by Hackers

Hackers have attacked the network systems at Hollywood Presbyterian Medical Center in Southern California by infecting the hospital’s systems with ransomware. These hackers are allegedly demanding over $3.6 billion to decrypt the system to restore functionality. The network has now reportedly been offline for over a week, forcing staff at the hospital to complete daily … Continue Reading

EU-US Privacy Shield Replaces Safe Harbor

The European Commission and the U.S. Department of Commerce have reached a last-minute deal on a new trans-Atlantic data sharing agreement. Initially coined as “Safe Harbor 2.0” this new agreement will instead be referred to as the “EU-US Privacy Shield.”  EU Justice Commissioner, Vera Jourová, addressed the new agreement at a press conference earlier today.  The … Continue Reading

FDA Issues Guidelines on Postmarket Management of Cybersecurity in Medical Devices

The U.S. Food and Drug Administration (“FDA”) recently issued draft guidance entitled “Postmarket Management of Cybersecurity in Medical Devices” (“Guidance”). The medical device industry anxiously awaited the Guidance, which outlines recommended steps medical device manufacturers should take to continually monitor, identify, and address cybersecurity vulnerabilities after devices enter the market. The FDA previously issued guidance … Continue Reading

HHS Modifies HIPAA In An Attempt to Address Gun Violence

On January 6, 2016, the Department of Health and Human Services (HHS) issued a Final Rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to the “Federal … Continue Reading

Approved – Cybersecurity Act of 2015

It is official, on December 18, 2015 President Obama signed the Cybersecurity Act of 2015, which encompassed the Cybersecurity Information Sharing Act of 2015 (“CISA”), into law. Much to the vexation of privacy advocates, CISA was buried in the 2,009-page $1.1 trillion spending bill. The Act provides liability protection to companies that voluntarily share “cyber … Continue Reading

ERISA Preemption and State Data Breach Notification Laws…Good News?

Many employers which offer a group health plan need to comply with federal rules requiring privacy protections for medical information, such as the HIPAA Privacy and Security Rules. But do employers also need to comply with state medical privacy and data breach laws? Or, does ERISA preempt those laws, such that employers can ignore them? … Continue Reading

HIPAA Settlement Reinforces the Need to Conduct a Risk Analysis

The Office for Civil Rights (OCR) has once again penalized a covered entity for failing to comply with the requirements of the HIPAA Security Rule. On December 14, 2015, the OCR announced that the University of Washington, on behalf of the university’s affiliated covered entity UW Medicine, agreed to a settlement in the amount of … Continue Reading

OCR Launches Mobile App, Promises Access Guidance and Promises Audits Coming Soon

The Office for Civil Rights (“OCR”) has been busy lately, having recently launched a mobile application; promised a late October release of informal guidance on individuals’ right to access their medical records and promised that Phase Two of the HIPAA audits will be starting shortly. Following are the high points; read our Health Law Alert … Continue Reading

FDA Issues Warning on Cybersecurity for Infusion Pump

On July 31, 2015, the U.S. Food and Drug Administration (“FDA”) issued a safety warning alerting users of the Hospira Symbiq Infusion System to cybersecurity vulnerabilities associated with the infusion pump. The Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The infusion … Continue Reading

Healthy reminder: HIPAA rules apply to most workplace wellness programs

Wellness programs are great ways for employers to provide guidance on ways employees can improve their health through fitness, diet and various other means. But oftentimes, employers forget that wellness programs may be an extension of a company’s heath care plan. As such, the Health Insurance Portability and Accountability Act (HIPAA) rules apply equally to … Continue Reading

Another Day, Another Cyberattack: Premera Blue Cross Announces Large Data Breach

It has happened again…this time to Premera Blue Cross (Premera).  On March 17, Premera announced that it was the target of a “sophisticated cyberattack” where unauthorized users gained access to Premera’s IT systems and potentially the data of 11 million individuals.  The initial attack is reported to have occurred on May 5, 2014 and was … Continue Reading

Were you affected by the Anthem breach? Answers to these questions may help

It’s being called “a very sophisticated external cyber-attack.” With the theft of 80 million of its customers’ and employees’ records, Anthem Health Insurance has suffered one of—if not the—largest data breach in our nation’s history. Reports suggest the cost of the attack may exceed $100 million. After sophisticated hackers broke into the company’s database, likely … Continue Reading