Three Things to Learn from Delaware Supreme Court’s Opinion on Board of Director Oversight Duties (Marchand v. Barnhill)
August 6, 2019 | Blog | By David Chorney
In June 2019, the Delaware Supreme Court issued a decision reaffirming a risk of director liability where there is no board-level reporting process for essential compliance matters. The facts of the case arise from a 2015 listeria outbreak at Blue Bell manufacturing which resulted in the death of three people. The Delaware case reaffirmed the position that directors may be subject to liability if the director “(1) completely fail[ed] to implement any reporting or information system or controls, or (2) having implemented such a system or controls, consciously fail[ed] to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”
July 22, 2019 | Blog | By Dianne Bourque, Matt Mora
There are reports that HHS plans to issue a proposed rule next month, which would again amend 42 CFR Part 2 (“Part 2”) and modify how the medical records of patients with substance abuse disorders are currently shared between providers. Part 2 amendments, especially amendments to align Part 2 with the Health Insurance Portability and Accountability Act (“HIPAA”), would be welcome news to the many stakeholders in the industry who have repeatedly voiced their concerns regarding the regulatory hurdles that surround the disclosure of drug and alcohol treatment records.
June 10, 2019 | Blog | By Sarah Beth Kuyers
The HHS Office for Civil Rights (OCR) released a new guidance document regarding which HIPAA violations business associates (BAs) can and cannot be held directly liable for. In the guidance, OCR states that BAs can be held directly liable for a list of 10 violations but notes that certain other violations, like the reasonable cost requirement for a patient’s access to their PHI, cannot be enforced directly by OCR against a BA. The covered entity (CE) is still on the hook for violations of this type, however, so CEs should carefully review their BAAs to ensure that they cover requirements that don’t directly apply to BAs but are still enforceable against CEs. Large data breaches also continue to dominate the press.
June 5, 2019 | Blog | By Kristen Marotta
Medical Informatics Engineering, Inc. (Medical Informatics) and its wholly-owned subsidiary, NoMoreClipboard, LLC, an electronic medical record and software services provider, are now liable for a combined total of $1 million to both the federal and state governments after hackers accessed approximately 3.5 million patients’ health records in 2015. The breach, reported to OCR on July 23, 2015, occurred through a compromised user ID and password. Compromised patient information included social security numbers, names, email addresses, health insurance policy information, addresses, dates of birth, and clinical information.
May 14, 2019 | Blog | By Cynthia Larose
The adoption of connected medical devices and the Internet of Medical Things (IoMT) has both enhanced the quality of patient care and increased the vulnerability of health care organizations. Sophisticated cyberattacks on hospitals and health systems threaten patient safety and impose substantial financial costs.
April 4, 2019 | Blog | By Kristen Marotta
On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. CCPA breaks new state law privacy ground, and this post addresses some of the confusion surrounding the exemptions for health information.
March 6, 2019 | Blog | By Kristen Marotta, Sarah Beth Kuyers
AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice from their business associate, Sharecare Health Data Services (SHDS), of a hack of SHDS’s network that stores patients’ medical records. The hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of AltaMed and BSC. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, however, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018.
January 4, 2019 | Blog | By Sarah Beth Kuyers, Kristen Marotta
Today, we’re looking back at HIPAA and other privacy and security developments in 2018. This past year saw continued HIPAA enforcement (including the largest ever fine for a HIPAA breach), reminders from the OCR on best practices for HIPAA compliance, and updates to state and international privacy and security laws. We’ll also look ahead to 2019, which could bring several significant changes to HIPAA, such as reducing the burdens for sharing patient information in order to promote care coordination and better patient outcomes.
December 12, 2018 | Blog | By Kristen Marotta
It has been a busy few weeks for HIPAA enforcement. On Tuesday, the Office for Civil Rights announced its third resolution of a HIPAA breach in as many weeks. In this latest matter, OCR announced that Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, has agreed both to pay $111,400 to the Office for Civil Rights (OCR) and to adopt a comprehensive, two-year corrective action plan (CAP) to address and settle potential HIPAA violations.
December 10, 2018 | Blog | By Sarah Beth Kuyers
Last week, the Office for Civil Rights (OCR) announced that it had reached a settlement with a contract physician group based in Florida to resolve potential HIPAA violations relating to the sharing of protected health information (PHI) with a vendor. The physician group, Advanced Care Hospitalists PL (ACH), agreed to pay $500,000 and to adopt a corrective action plan to address the alleged conduct.
December 5, 2018 | Blog | By David Chorney
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently announced a no-fault settlement, including a $125,000 penalty and a two-year corrective action plan, for Allergy Associates of Hartford, P.C. The settlement was reached after a physician at Allergy Associates disclosed protected health information (PHI) about a patient to a local television station.
Strategies to Unlock AI’s Potential in Healthcare Part 6: Commercialization of AI Tools in Healthcare – the Challenge of Securing Adequate Data Rights
November 26, 2018 | Blog | By Julie Korostoff
In this sixth post in our series on artificial intelligence in health care, Julie Korostoff highlights the importance of securing adequate data rights to commercialize an AI technology. The post addresses the contractual commitments that a developer of a healthcare AI tool should secure in order to have the data rights necessary for development and commercialization.
October 30, 2018 | Blog | By Sarah Beth Kuyers
As we discussed last week, the Department of Health and Human Services (HHS) recently published its semi-annual regulatory agenda. In addition to the proposed rules on fraud and abuse, drug pricing, digital health, and devices, the agenda includes topics that could bring significant changes to HIPAA regulations and other health care privacy rules.
October 25, 2018 | Blog | By Dianne Bourque
Software developers are racing to develop health care products that leverage artificial intelligence (AI), including machine learning and deep learning. Examples include software that analyzes radiology images and pathology slides to help physicians diagnose disease, electronic health records software that automates routine tasks, and software that analyzes genetic information to support targeted treatment. The one thing that all of these products have in common is a need to interact, in some way, with real world medical data. However, this real world data can be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as a patchwork of federal and state laws and regulations. Below we discuss the contexts in which developers may encounter these laws, as well as strategies to navigate related legal issues.
September 24, 2018 | Blog | By Eli Greenspan
This week, Congress and the White House need to finalize a government spending bill in order to avoid a shutdown. While all signs point to a deal being reached, it is widely expected that several agencies will be operating on a continuing resolution for the first couple months of fiscal year 2019. While the Departments of Labor, HHS, and Education are expected to receive a full appropriation prior to September 30th, the FDA, which is funded through the Department of Agriculture, is expected to be funded through the continuing resolution, which will go through December 7th.
July 3, 2018 | Blog
In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security. To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security.
June 20, 2018 | Blog | By Sarah Beth Kuyers
Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keep on top of federal HIPAA developments.
June 14, 2018 | Blog
Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems.
May 31, 2018 | Blog | By Sarah Beth Kuyers
The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security.
May 16, 2018 | Blog
In less than 10 days, the European Union will begin enforcing its General Data Protection Regulation (GDPR) which will apply to any company that collects, processes, or uses EU-origin personal data, regardless of where the company is located.