June 10, 2019 | Blog | By Sarah Beth Kuyers, Kate Stewart
The HHS Office for Civil Rights (OCR) released a new guidance document regarding which HIPAA violations business associates (BAs) can and cannot be held directly liable for. In the guidance, OCR states that BAs can be held directly liable for a list of 10 violations but notes that certain other violations, like the reasonable cost requirement for a patient’s access to their PHI, cannot be enforced directly by OCR against a BA. The covered entity (CE) is still on the hook for violations of this type, however, so CEs should carefully review their BAAs to ensure that it covers requirements that don’t directly apply to BAs but are still enforceable against CEs. Large data breaches also continue to dominate the press.
June 5, 2019 | Blog | By Kristen Marotta
Medical Informatics Engineering, Inc. (Medical Informatics) and its wholly-owned subsidiary, NoMoreClipboard, LLC, an electronic medical record and software services provider is now liable for a combined total of $1 million to both the federal and state governments after hackers accessed approximately 3.5 million patients’ health records in 2015. The breach, reported to OCR on July 23, 2015, occurred through a compromised user ID and password. Compromised patient information included social security numbers, names, email addresses, health insurance policy information, addresses, dates of birth, and clinical information.
May 14, 2019 | Blog | By Cynthia Larose
The adoption of connected medical devices and the Internet of Medical Things (IoMT) has both enhanced the quality of patient care and increased the vulnerability of health care organizations. Sophisticated cyberattacks on hospitals and health systems threaten patient safety and impose substantial financial costs.
April 4, 2019 | Blog | By Kristen Marotta
On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. CCPA breaks new state law privacy ground, and this post addresses some of the confusion surrounding the exemptions for health information.
March 6, 2019 | Blog | By Kristen Marotta, Sarah Beth Kuyers
AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice from their business associate, Sharecare Health Data Services (SHDS), of a hack of SHDS’s network that stores patients’ medical records. The hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of AltaMed and BSC. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, however, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018.
January 4, 2019 | Blog | By Sarah Beth Kuyers, Kristen Marotta, Kate Stewart
Today, we’re looking back at HIPAA and other privacy and security developments in 2018. This past year saw continued HIPAA enforcement (including the largest ever fine for a HIPAA breach), reminders from the OCR on best practices for HIPAA compliance, and updates to state and international privacy and security laws. We’ll also look ahead to 2019, which could bring several significant changes to HIPAA, such as reducing the burdens for sharing patient information in order to promote care coordination and better patient outcomes.
December 12, 2018 | Blog | By Kristen Marotta
It has been a busy few weeks for HIPAA enforcement. On Tuesday, the Office for Civil Rights announced its third resolution of a HIPAA breach in as many weeks. In this latest matter, OCR announced that Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, has agreed to both pay $111,400 to the Office for Civil Rights (OCR) as well as adopt a comprehensive, two-year corrective action plan (CAP) to address and settle potential HIPAA violations.
December 10, 2018 | Blog | By Sarah Beth Kuyers
Last week, the Office for Civil Rights (OCR) announced that it had reached a settlement with a contract physician group based in Florida to resolve potential HIPAA violations relating to the sharing of protected health information (PHI) with a vendor. The physician group, Advanced Care Hospitalists PL (ACH), agreed to pay $500,000 and to adopt a corrective action plan to address the alleged conduct.
December 5, 2018 | Blog | By David Chorney
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently announced a no-fault settlement, including a $125,000 penalty and a two year corrective action plan for Allergy Associates of Hartford, P.C. The settlement was reached after a physician at Allergy Associates disclosed protected health information (PHI) about a patient to a local television station.
Strategies to Unlock AI’s Potential in Healthcare Part 6: Commercialization of AI Tools in Healthcare – the Challenge of Securing Adequate Data Rights
November 26, 2018 | Blog | By Julie Korostoff
In this sixth post in our series on artificial intelligence in health care, Julie Korostoff highlights the importance of securing adequate data rights to commercialize an AI technology. The post addresses the contractual commitments that a developer of a healthcare AI tool should secure in order to have the data rights necessary for development and commercialization.
October 30, 2018 | Blog | By Sarah Beth Kuyers
As we discussed last week, the Department of Health and Human Services (HHS) recently published its semi-annual regulatory agenda. In addition to the proposed rules on fraud and abuse, drug pricing, digital health, and devices, the agenda includes topics that could bring significant changes to HIPAA regulations and other health care privacy rules.
October 25, 2018 | Blog | By Dianne Bourque
Software developers are racing to develop health care products that leverage artificial intelligence (AI), including machine learning and deep learning. Examples include software that analyzes radiology images and pathology slides to help physicians diagnose disease, electronic health records software that automates routine tasks, and software that analyzes genetic information to support targeted treatment. The one thing that all of these products have in common is a need to interact, in some way, with real world medical data. However, this real world data can be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as a patchwork of federal and state laws and regulations. Below we discuss the contexts in which developers may encounter these laws, as well as strategies to navigate related legal issues.
September 24, 2018 | Blog | By Eli Greenspan
This week, Congress and the White House need to finalize a government spending bill in order to avoid a shutdown. While all signs point to a deal being reached, it is widely expected that several agencies will be operating on a continuing resolution for the first couple months of fiscal year 2019. While the Departments of Labor, HHS, and Education are expected to receive a full appropriation prior to September 30th, the FDA, which is funded through the Department of Agriculture, is expected to be funded through the continuing resolution, which will go through December 7th.
July 3, 2018 | Blog
In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security. To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security.
June 20, 2018 | Blog | By Kate Stewart, Sarah Beth Kuyers
Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA developments.
June 14, 2018 | Blog
Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems.
May 31, 2018 | Blog | By Sarah Beth Kuyers
The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security.
May 16, 2018 | Blog
In less than 10 days, the European Union will begin enforcing its General Data Protection Regulation (GDPR) which will apply to any company that collects, processes, or uses EU-origin personal data, regardless of where the company is located.
May 10, 2018 | Blog | By Ryan Cuthbertson
Back in late 2015, we blogged about the interesting twist in the $125 million Warner Chilcott settlement that a Massachusetts physician had been criminally charged with violating the Health Insurance Portability and Accountability Act (HIPAA). That physician has now been convicted of the HIPAA violation, as well as an unrelated charge of obstructing a federal health care investigation.
May 4, 2018 | Blog | By Dianne Bourque
Mintz Levin has updated the Mintz Matrix, a comprehensive summary of the data breach notification laws that now exist in all 50 states (South Dakota and Alabama finally caved and enacted their own laws). It’s critical that HIPAA-regulated entities monitor these state laws because they apply simultaneously, and often conflict with, HIPAA.
Explore Other Viewpoints:
- Arbitration, Mediation & Alternate Dispute Resolution
- Bankruptcy & Restructuring
- Class Action
- Complex Commercial Litigation
- Consumer Product Safety
- Debt Financing
- EB-5 Financing
- Education & Nonprofits
- Employment, Labor & Benefits
- Energy & Sustainability
- Environmental Enforcement Defense
- Environmental Law
- FDA Regulatory
- Federal Circuit Appeals
- Financial Institution Litigation
- Government Law
- Health Care
- Health Care Compliance, Fraud and Abuse, & Regulatory Counseling
- Health Care Enforcement & Investigations
- Health Care Transactions
- Health Information Privacy & Security
- IP Due Diligence
- IPR's & Other Post Grant Proceedings
- Insolvency & Creditor Rights Litigation
- Institutional Investor Class Action Recovery
- Insurance & Financial Services
- Insurance Consulting & Risk Management
- Insurance and Reinsurance Problem-Solving & Dispute Resolution
- Intellectual Property
- Investment Funds
- Licensing & Technology Transactions
- Life Sciences
- Litigation & Investigations
- M&A Litigation
- ML Strategies
- Medicare, Medicaid and Commercial Coverage & Reimbursement
- Mergers & Acquisitions
- Patent Litigation
- Patent Prosecution & Strategic Counseling
- Privacy & Cybersecurity
- Private Client
- Private Equity
- Products Liability & Complex Tort
- Project Development & Finance
- Public Finance
- Real Estate Litigation
- Real Estate Transactions
- Real Estate, Construction & Infrastructure
- Retail & Consumer Products
- Securities & Capital Markets
- Securities Litigation
- Sports & Entertainment
- Strategic IP Monetization & Licensing
- Trade Secrets
- Trademark & Copyright
- Trademark Litigation
- Venture Capital & Emerging Companies
- White Collar Defense & Government Investigations