Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting …
On March 28, 2018, exactly one week after South Dakota enacted a data breach notification law, and a little over sixteen years since California became the first state to pass a data breach law, Alabama became the fiftieth and final state to pass a data breach notification law. Until recently, Alabama and South Dakota were …
On March 21, 2018, South Dakota became the forty-ninth state to enact a data breach notification law when Senate Bill 62 was signed by the governor. South Dakota’s breach notification law is effective July 1, 2018. In 2002, California became the first state to enact a data breach law, and since then, nearly every state …
Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting fewer than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities …
Many a health lawyer has been struggling with how to communicate the U-turn-laden road of whether hospitals should allow physicians to text orders. The bottom line is: NOT YET. One way to summarize The Joint Commission’s (TJC) position on texting orders is: Up until 2011: “What is texting?” 2011: “No texting!” May 2016: “You …
In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in …
Covered entities (CEs) and business associates (BAs) beware—third-party application software security vulnerabilities are on the rise, according to the Health & Human Services (HHS) Office for Civil Rights in Action. In June 2016, the HHS Office for Civil Rights in Action published a newsletter reminding HIPAA CEs and BAs about the risks inherent in third-party application …
Covered entities and business associates should expect an increased number of individuals asking about their rights to access their health information given several consumer-friendly tools recently released by the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), and the HHS Office of the National Coordinator for Health IT (ONC). After …
The Department of Health and Human Services Office for Civil Rights (OCR) sent out an email on May 3, 2016 providing the OCR Cyber-Awareness April Monthly Update. This update addresses the fact that, according to OCR, covered entities often believe business associates will not notify them of a breach or cyber attack, and that it …
Insurance coverage for data breach incidents is a hot topic in the insurance world. Nowhere is it hotter than in the area of newly created specialty cyber policies designed specifically to cover such incidents—what do these policies cover, when should they be purchased and how much coverage should be obtained are questions we routinely encounter. …
Since we last updated our blog about ransomware attacks on hospitals in February, many additional health care entities have been publicly recognized as victims of similar attacks. Some of the ransomware programs involved in these incidents came through spam email or phishing campaigns, often disguised as invoices or other documents. Once the document was opened, …
On Monday, March 21, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) formally announced the launch of the long-awaited and much anticipated Phase Two HIPAA compliance audits. Phase One of these audits was conducted as a pilot program in 2011 and 2012 on 115 covered entities. The Phase Two …
On January 6, 2016, the Department of Health and Human Services (HHS) issued a Final Rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to the “Federal …
Many employers that offer a group health plan need to comply with federal rules requiring privacy protections for medical information, such as the HIPAA Privacy and Security Rules. But do employers also need to comply with state medical privacy and data breach laws? Or, does ERISA preempt those laws, such that employers can ignore them? …
The Office for Civil Rights (OCR) has once again penalized a covered entity for failing to comply with the requirements of the HIPAA Security Rule. On December 14, 2015, the OCR announced that the University of Washington, on behalf of the university’s affiliated covered entity UW Medicine, agreed to a settlement in the amount of …
Legal concerns about employee privacy issues have exploded over the past year. Privacy concerns in the workplace are no longer limited to who has access to an employee’s personnel file, but have expanded to include matters ranging from an employee’s social media activity, criminal conviction history, genetic history, medical information, and background checks. John Barlament …
Wellness programs are great ways for employers to provide guidance on ways employees can improve their health through fitness, diet and various other means. But oftentimes, employers forget that wellness programs may be an extension of a company’s health care plan. As such, the Health Insurance Portability and Accountability Act (HIPAA) rules apply equally to …