April 4, 2019 | Blog | By Kristen Marotta
On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. CCPA breaks new state law privacy ground, and this post addresses some of the confusion surrounding the exemptions for health information.
March 6, 2019 | Blog | By Kristen Marotta, Sarah Beth Kuyers
AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice from their business associate, Sharecare Health Data Services (SHDS), of a hack of SHDS’s network that stores patients’ medical records. The hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of AltaMed and BSC. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, however, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018.
January 4, 2019 | Blog | By Sarah Beth Kuyers, Kristen Marotta, Kate Stewart
Today, we’re looking back at HIPAA and other privacy and security developments in 2018. This past year saw continued HIPAA enforcement (including the largest ever fine for a HIPAA breach), reminders from the OCR on best practices for HIPAA compliance, and updates to state and international privacy and security laws. We’ll also look ahead to 2019, which could bring several significant changes to HIPAA, such as reducing the burdens for sharing patient information in order to promote care coordination and better patient outcomes.
December 12, 2018 | Blog | By Kristen Marotta
It has been a busy few weeks for HIPAA enforcement. On Tuesday, the Office for Civil Rights announced its third resolution of a HIPAA breach in as many weeks. In this latest matter, OCR announced that Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, has agreed to both pay $111,400 to the Office for Civil Rights (OCR) as well as adopt a comprehensive, two-year corrective action plan (CAP) to address and settle potential HIPAA violations.
December 10, 2018 | Blog | By Sarah Beth Kuyers
Last week, the Office for Civil Rights (OCR) announced that it had reached a settlement with a contract physician group based in Florida to resolve potential HIPAA violations relating to the sharing of protected health information (PHI) with a vendor. The physician group, Advanced Care Hospitalists PL (ACH), agreed to pay $500,000 and to adopt a corrective action plan to address the alleged conduct.
December 5, 2018 | Blog | By David Chorney
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently announced a no-fault settlement, including a $125,000 penalty and a two year corrective action plan for Allergy Associates of Hartford, P.C. The settlement was reached after a physician at Allergy Associates disclosed protected health information (PHI) about a patient to a local television station.
Strategies to Unlock AI’s Potential in Healthcare Part 6: Commercialization of AI Tools in Healthcare – the Challenge of Securing Adequate Data Rights
November 26, 2018 | Blog | By Julie Korostoff
In this sixth post in our series on artificial intelligence in health care, Julie Korostoff highlights the importance of securing adequate data rights to commercialize an AI technology. The post addresses the contractual commitments that a developer of a healthcare AI tool should secure in order to have the data rights necessary for development and commercialization.
October 30, 2018 | Blog | By Sarah Beth Kuyers
As we discussed last week, the Department of Health and Human Services (HHS) recently published its semi-annual regulatory agenda. In addition to the proposed rules on fraud and abuse, drug pricing, digital health, and devices, the agenda includes topics that could bring significant changes to HIPAA regulations and other health care privacy rules.
October 25, 2018 | Blog | By Dianne Bourque
Software developers are racing to develop health care products that leverage artificial intelligence (AI), including machine learning and deep learning. Examples include software that analyzes radiology images and pathology slides to help physicians diagnose disease, electronic health records software that automates routine tasks, and software that analyzes genetic information to support targeted treatment. The one thing that all of these products have in common is a need to interact, in some way, with real world medical data. However, this real world data can be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as a patchwork of federal and state laws and regulations. Below we discuss the contexts in which developers may encounter these laws, as well as strategies to navigate related legal issues.
September 24, 2018 | Blog | By Eli Greenspan
This week, Congress and the White House need to finalize a government spending bill in order to avoid a shutdown. While all signs point to a deal being reached, it is widely expected that several agencies will be operating on a continuing resolution for the first couple months of fiscal year 2019. While the Departments of Labor, HHS, and Education are expected to receive a full appropriation prior to September 30th, the FDA, which is funded through the Department of Agriculture, is expected to be funded through the continuing resolution, which will go through December 7th.
July 3, 2018 | Blog
In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security. To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security.
June 20, 2018 | Blog | By Kate Stewart, Sarah Beth Kuyers
Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA developments.
June 14, 2018 | Blog
Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems.
May 31, 2018 | Blog | By Sarah Beth Kuyers
The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security.
May 16, 2018 | Blog
In less than 10 days, the European Union will begin enforcing its General Data Protection Regulation (GDPR) which will apply to any company that collects, processes, or uses EU-origin personal data, regardless of where the company is located.
May 10, 2018 | Blog | By Ryan Cuthbertson
Back in late 2015, we blogged about the interesting twist in the $125 million Warner Chilcott settlement that a Massachusetts physician had been criminally charged with violating the Health Insurance Portability and Accountability Act (HIPAA). That physician has now been convicted of the HIPAA violation, as well as an unrelated charge of obstructing a federal health care investigation.
May 4, 2018 | Blog | By Dianne Bourque
Mintz Levin has updated the Mintz Matrix, a comprehensive summary of the data breach notification laws that now exist in all 50 states (South Dakota and Alabama finally caved and enacted their own laws). It’s critical that HIPAA-regulated entities monitor these state laws because they apply simultaneously, and often conflict with, HIPAA.
April 5, 2018 | Blog | By Ryan Cuthbertson
Earlier this week, Mintz Levin’s Privacy & Security Matters blog posted an update that Alabama has become the 50th state to enact a data breach notification law.
February 26, 2018 | Blog
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $100,000 settlement with a company that is no longer in business. Filefax, Inc. (Filefax) was an Illinois company that provided storage and delivery services for medical records held by covered entities.
Explore Other Viewpoints:
- Arbitration, Mediation & Alternate Dispute Resolution
- Bankruptcy & Restructuring
- Class Action
- Complex Commercial Litigation
- Consumer Product Safety
- Debt Financing
- EB-5 Financing
- Education & Nonprofits
- Employment, Labor & Benefits
- Energy & Sustainability
- Environmental Enforcement Defense
- Environmental Law
- FDA Regulatory
- Federal Circuit Appeals
- Financial Institution Litigation
- Government Law
- Health Care
- Health Care Compliance, Fraud and Abuse, & Regulatory Counseling
- Health Care Enforcement & Investigations
- Health Care Transactions
- Health Information Privacy & Security
- IP Due Diligence
- IPR's & Other Post Grant Proceedings
- Insolvency & Creditor Rights Litigation
- Insurance & Financial Services
- Insurance Consulting & Risk Management
- Insurance and Reinsurance Problem-Solving & Dispute Resolution
- Intellectual Property
- Investment Funds
- Licensing & Technology Transactions
- Life Sciences
- Litigation & Investigations
- M&A Litigation
- ML Strategies
- Medicare, Medicaid and Commercial Coverage & Reimbursement
- Mergers & Acquisitions
- Patent Litigation
- Patent Prosecution & Strategic Counseling
- Privacy & Cybersecurity
- Private Client
- Private Equity
- Products Liability & Complex Tort
- Project Development & Finance
- Public Finance
- Real Estate Litigation
- Real Estate Transactions
- Real Estate, Construction & Infrastructure
- Retail & Consumer Products
- Securities & Capital Markets
- Securities Litigation
- Sports & Entertainment
- Strategic IP Monetization & Licensing
- Trade Secrets
- Trademark & Copyright
- Trademark Litigation
- Venture Capital & Emerging Companies
- White Collar Defense & Government Investigations