Skip to main content

Health Information Privacy & Security

Viewpoints

Filter by:

Viewpoint
In June 2019, the Delaware Supreme Court issued a decision reaffirming a risk of director liability where there is no board-level reporting process for essential compliance matters.  The facts of the case arise from a 2015 listeria outbreak at Blue Bell manufacturing which resulted in the death of three people. The Delaware case reaffirmed the position that directors may be subject to liability if the director “(1) completely fail[ed] to implement any reporting or information system or controls, or (2) having implemented such a system or controls, consciously fail[ed] to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”  
Viewpoint

Another Chance for HIPAA and Part 2 Harmony?

July 22, 2019 | Blog | By Dianne Bourque, Matt Mora

There are reports that HHS plans to issue a proposed rule next month, which would again amend 42 CFR Part 2 (“Part 2”) and modify how the medical records of patients with substance abuse disorders are currently shared between providers. Part 2 amendments, especially amendments to align Part 2 with the Health Insurance Portability and Accountability Act (“HIPAA”), would be welcome news to the many stakeholders in the industry who have repeatedly voiced their concerns regarding the regulatory hurdles that surround the disclosure of drug and alcohol treatment records.
Viewpoint General
The HHS Office for Civil Rights (OCR) released a new guidance document regarding which HIPAA violations business associates (BAs) can and cannot be held directly liable for.  In the guidance, OCR states that BAs can be held directly liable for a list of 10 violations but notes that certain other violations, like the reasonable cost requirement for a patient’s access to their PHI, cannot be enforced directly by OCR against a BA.  The covered entity (CE) is still on the hook for violations of this type, however, so CEs should carefully review their BAAs to ensure that it covers requirements that don’t directly apply to BAs but are still enforceable against CEs.  Large data breaches also continue to dominate the press.
Viewpoint

EMR Company Suffers Double Whammy After HIPAA Breach

June 5, 2019 | Blog | By Kristen Marotta

Medical Informatics Engineering, Inc. (Medical Informatics) and its wholly-owned subsidiary, NoMoreClipboard, LLC, an electronic medical record and software services provider is now liable for a combined total of $1 million to both the federal and state governments after hackers accessed approximately 3.5 million patients’ health records in 2015. The breach, reported to OCR on July 23, 2015, occurred through a compromised user ID and password. Compromised patient information included social security numbers, names, email addresses, health insurance policy information, addresses, dates of birth, and clinical information.
Health Privacy

Health Care & Cybersecurity: A Powerful Combination

May 14, 2019 | Blog | By Cynthia Larose

The adoption of connected medical devices and the Internet of Medical Things (IoMT) has both enhanced the quality of patient care and increased the vulnerability of health care organizations. Sophisticated cyberattacks on hospitals and health systems threaten patient safety and impose substantial financial costs.
Viewpoint General
On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. CCPA breaks new state law privacy ground, and this post addresses some of the confusion surrounding the exemptions for health information.
Viewpoint General

Latest HIPAA Breach Involves Medical Records Hack of Business Associate

March 6, 2019 | Blog | By Kristen Marotta, Sarah Beth Kuyers

AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice from their business associate, Sharecare Health Data Services (SHDS), of a hack of SHDS’s network that stores patients’ medical records.  The hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of AltaMed and BSC. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, however, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018.
Viewpoint General

HIPAA and Health Care Data Privacy - 2018 Year-in-Review

January 4, 2019 | Blog | By Sarah Beth Kuyers, Kristen Marotta

Today, we’re looking back at HIPAA and other privacy and security developments in 2018.  This past year saw continued HIPAA enforcement (including the largest ever fine for a HIPAA breach), reminders from the OCR on best practices for HIPAA compliance, and updates to state and international privacy and security laws.  We’ll also look ahead to 2019, which could bring several significant changes to HIPAA, such as reducing the burdens for sharing patient information in order to promote care coordination and better patient outcomes.
Viewpoint General

HIPAA Penalties For Failure to Cut Off Access To Former Employee

December 12, 2018 | Blog | By Kristen Marotta

It has been a busy few weeks for HIPAA enforcement. On Tuesday, the Office for Civil Rights announced its third resolution of a HIPAA breach in as many weeks. In this latest matter, OCR announced that Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, has agreed to both pay $111,400 to the Office for Civil Rights (OCR) as well as adopt a comprehensive, two-year corrective action plan (CAP) to address and settle potential HIPAA violations.
Viewpoint General

Another HIPAA Settlement for Failure to Enter Into a BAA

December 10, 2018 | Blog | By Sarah Beth Kuyers

Last week, the Office for Civil Rights (OCR) announced that it had reached a settlement with a contract physician group based in Florida to resolve potential HIPAA violations relating to the sharing of protected health information (PHI) with a vendor. The physician group, Advanced Care Hospitalists PL (ACH), agreed to pay $500,000 and to adopt a corrective action plan to address the alleged conduct.
Viewpoint General
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently announced a no-fault settlement, including a $125,000 penalty and a two year corrective action plan for Allergy Associates of Hartford, P.C. The settlement was reached after a physician at Allergy Associates disclosed protected health information (PHI) about a patient to a local television station.
Viewpoint General
In this sixth post in our series on artificial intelligence in health care, Julie Korostoff highlights the importance of securing adequate data rights to commercialize an AI technology. The post addresses the contractual commitments that a developer of a healthcare AI tool should secure in order to have the data rights necessary for development and commercialization.
Viewpoint General

Changes Ahead for HIPAA?

October 30, 2018 | Blog | By Sarah Beth Kuyers

As we discussed last week, the Department of Health and Human Services (HHS) recently published its semi-annual regulatory agenda. In addition to the proposed rules on fraud and abuse, drug pricing, digital health, and devices, the agenda includes topics that could bring significant changes to HIPAA regulations and other health care privacy rules.
Viewpoint General
Software developers are racing to develop health care products that leverage artificial intelligence (AI), including machine learning and deep learning. Examples include software that analyzes radiology images and pathology slides to help physicians diagnose disease, electronic health records software that automates routine tasks, and software that analyzes genetic information to support targeted treatment. The one thing that all of these products have in common is a need to interact, in some way, with real world medical data. However, this real world data can be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as a patchwork of federal and state laws and regulations. Below we discuss the contexts in which developers may encounter these laws, as well as strategies to navigate related legal issues.
Viewpoint General

ML Strategies Weekly Health Care Preview - Week of September 24th

September 24, 2018 | Blog | By Eli Greenspan

This week, Congress and the White House need to finalize a government spending bill in order to avoid a shutdown. While all signs point to a deal being reached, it is widely expected that several agencies will be operating on a continuing resolution for the first couple months of fiscal year 2019. While the Departments of Labor, HHS, and Education are expected to receive a full appropriation prior to September 30th, the FDA, which is funded through the Department of Agriculture, is expected to be funded through the continuing resolution, which will go through December 7th.
In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security.  To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security.
Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA developments.

HIPAA Tips from the Trenches

June 14, 2018 | Blog

Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems.

OCR Highlights Importance of Physical Safeguards to Protect PHI

May 31, 2018 | Blog | By Sarah Beth Kuyers

The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security.
In less than 10 days, the European Union will begin enforcing its General Data Protection Regulation (GDPR) which will apply to any company that collects, processes, or uses EU-origin personal data, regardless of where the company is located.
Sign up to receive email updates from Mintz.
Subscribe Now

Explore Other Viewpoints: