On September 30, 2013 (11:45am – 5:00pm EDT), the US Health Information Technology Policy Committee’s Privacy and Security “Tiger Team” will convene an online public hearing to discuss how to improve transparency for patients about the uses and disclosures of their identifiable, electronic health information. This may result in recommendations from the Policy Committee to HHS, which is considering how to implement HIPAA requirements relating to an individual’s right to an “accounting” of disclosures of their protected health information made through an electronic health record.
On August 28, the Federal Trade Commission (FTC) filed an administrative complaint against medical testing laboratory LabMD based on allegations that the company engaged in “unfair acts or practices” by failing to employ “reasonable and appropriate measures to prevent unauthorized access to personal information.” The FTC’s action in this case stems from an incident in which a file containing personal information on approximately 9,300 individuals allegedly was shared on a peer-to-peer (P2P) network from a company computer with P2P file-sharing software installed. The complaint follows other recent FTC actions in which the agency has relied on its Section 5 authority under the FTC Act to claim that companies’ exposure of data to P2P networks constituted an unlawful, unfair data security practice. The FTC’s action against LabMD makes clear that institutions governed by the Health Insurance Portability and Accountability Act (HIPAA) must also be mindful of the FTC’s increasing enforcement activity related to security controls, including actions against healthcare providers.
On September 19, the Department of Health and Human Services issued new guidance on the “refill reminder” requirements under HIPAA. The new final HIPAA regulations, most of which go into effect on September 23, 2013, limit the remuneration that a covered entity may receive in exchange for making communications to patients about a drug or biologic currently prescribed to that patient.
In a recently announced settlement between the Department of Health and Human Services Office for Civil Rights and a New York health plan, the health plan agreed to pay $1.2 million for the breach of electronic patient records stored in the internal memory of digital photocopiers leased and improperly disposed of by the plan.
A February 4, 2013 article published by the specialized healthcare news site “Actusoins” revealed data breaches at several French hospitals and clinics, demonstrating that such incidents can occur even in a highly-regulated jurisdiction. The journalist was researching another article, and entered the name of a physician into Google. The journalist was astonished to find at [...]
In the most significant change to HIPAA since the law was enacted, the Department of Health and Human Services issued an omnibus HIPAA regulation, which will require substantial operational changes for HIPAA covered entities and their business associates. Ten important changes are: Changes to the data breach rule will make more incidents reportable. Business associates are [...]
The Department of Health and Human Services (HHS) just released the highly anticipated final regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The regulations address: Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act; Final rule adopting changes [...]
Hogan Lovells partner Marcy Wilder will speak on “Health Policy & Regulatory Environments: A Mobile Perspective” at the 2012 mHealth Summit on December 4. The panel discussion will cover major policies impacting the current and future use of mobile devices in America, specifically addressing the role of mobile devices in accountable care organizations, HIPAA compliance, [...]
On November 26, the U.S. Department of Health and Human Services’ Office for Civil Rights released guidance on methods for de-identification of protected health information in keeping with the HIPAA Privacy Rule (as required under the HITECH Act). The guidance answers questions related to each of the permissible de-identification methods – the expert determination [...]
At an American Hospital Association Signature Learning Series seminar in New York City, Hogan Lovells Privacy and Information Management practice director Marcy Wilder spoke to senior executives from health systems and hospitals about best practices for minimizing data breach risks and creating a culture of patient privacy compliance in large complex healthcare organizations. Experts provided Five Tips to Make Patient [...]
A new law that amends the California Confidentiality of Medical Information Act (CMIA) may provide some relief to HIPAA covered entities and business associates, some of whom have faced class action lawsuits seeking millions in statutory damages under the CMIA for large-scale data breaches. The changes to the CMIA are summarized in this entry.
This summer, several states have enacted legislation addressing a broad range of privacy issues including data breach notification, health care privacy, employer access to employees’ and applicants’ social networking accounts, the collection of Social Security numbers, and telemarketing. We provide an overview of the recent privacy regulation developments in Vermont, Connecticut, Hawaii, New York, and Illinois.
Following an extensive investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the Alaska Department of Health and Social Services (DHSS), Alaska’s state Medicaid agency, agreed to pay $1.7 million in fines and to comply with a corrective action plan (CAP) to address gaps in its compliance with the HIPAA Privacy and Security Rules.
UPDATE: On June 22, OMB announced that it is extending its review of the HIPAA Final Regulations. Although the OMB generally has up to 90 days to review regulations, it may receive a 30-day extension issued by the Director or an indefinite extension issued by the head of the rulemaking agency. It is unclear [...]
On May 24, a Massachusetts hospital agreed to pay $750,000 to settle alleged HIPAA violations relating to a 2010 data breach. This was the largest settlement to date for actions initiated by attorneys general under HITECH. The complaint, brought by Massachusetts Attorney General Martha Coakley, resulted from the loss of back-up tapes with unencrypted personal [...]
On April 17th, Phoenix Cardiac Surgery, P.C. agreed to pay a $100,000 fine and put in place a corrective action plan under a resolution agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) following an extensive investigation into the health care provider’s HIPAA privacy and security practices. The investigation [...]
On March 13, 2012, the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced its settlement with Blue Cross Blue Shield of Tennessee (BCBST). The settlement marks the first enforcement action resulting directly from the filing by a covered entity of a breach notification report required by the Health Information [...]
Minnesota Attorney General Lori Swanson has filed a civil lawsuit in federal court against HIPAA business associate Accretive Health, Inc. (“Accretive”) for alleged violations of HIPAA, Minnesota medical privacy law, and consumer debt collection practices laws. The lawsuit was filed in part through the powers granted to state attorneys general (“AGs”) under HITECH provisions that [...]
Today the U.S. Department of Health and Human Services (HHS) issued a voluntary privacy notice for Personal Health Records (PHRs) as well as new proposed rules that would expand the rights of patients to access test result reports directly from clinical laboratories covered by HIPAA. Both announcements were part of an HHS Consumer Health IT [...]
The U.S. Department of Health and Human Services (HHS) today extended the public comment period for its new proposed requirements for human subjects research under the Common Rule. HHS’ proposal includes significant new data privacy and security obligations on research entities, including the creation of mandatory data security and information protection standards for all studies involving identifiable [...]
The U.S. Department of Health and Human Services (HHS) published new proposed requirements for human subjects research under the Common Rule that, if adopted, would include significant new data privacy and security obligations on research entities. HHS is considering the creation of mandatory data security and information protection standards for all studies involving identifiable or potentially [...]
Springboarding off our earlier report on the Supreme Court’s decision in Sorrell v. IMS Health, Hogan Lovells Privacy and Information Management practice co-leader Marcy Wilder and associate Eric Bukstein have published a more detailed look at the case. Read their BNA Privacy & Security Law Report for analysis of the decision.
The U.S. Supreme Court struck down today a Vermont law prohibiting pharmaceutical companies from buying or using prescription data for marketing. The decision, Sorrell v. IMS Health, holds that the state law prohibiting the sale or disclosure for marketing purposes of prescription data that identifies prescribers (but not patients) is an unconstitutional infringement on the free speech rights of pharmaceutical and data mining companies.
The Department of Health and Human Services (HHS) has issued a proposed rule implementing changes to the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information. This proposed rule addresses the changes required by the HITECH Act, which requires HIPAA covered entities and business associates to account for disclosures of protected health [...]