With cybersecurity issues evolving rapidly, every minute counts. Our new video series, Your Cyber Minute, is specifically designed for busy in-house counsel to gain practical perspectives – fast. This multi-part series is an extension of our Ready, Set, Respond resource portal and highlights today’s hottest topics in cybersecurity. Tune in to watch the first two installments and get the latest in what you need to know and how to better be prepared.
Representatives from government and the private sector discussed the present state of healthcare cybersecurity, and experts discussed practical strategies for implementing the HIPAA Security Rule at the ninth annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference held from October 19–20, 2016 and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. Comprehensive, enterprise-wide risk analysis and risk management practices remained points of emphasis throughout the conference. Additional themes, which we outline in this post, also emerged.
Cloud service providers are on notice: you are HIPAA business associates, even if you are unable to access the HIPAA protected information in your cloud. The Department of Health and Human Services Office for Civil Rights released guidance making clear that cloud service providers that create, receive, maintain, or transmit electronic protected health information are covered by HIPAA.
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.
Hogan Lovells hosted the second annual Health Privacy Law Forum for health privacy professionals yesterday. Participants spoke with Deven McGraw, Deputy Director of Health Information Privacy at the U.S. Department of Health and Human Services Office for Civil Rights , and former Federal Trade Commissioner Julie Brill, now a partner at Hogan Lovells and co-chair of its Privacy and Cybersecurity practice.
Please join us for our April 2016 Privacy and Cybersecurity Events, including discussions on the Internet of Things, big data in healthcare, the Telephone Consumer Protection Act, international data flows, and more.
Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation.
Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. The spending bill included a number of other cybersecurity provisions covering topics ranging from federal preparedness to foreign policy strategy. Most notably, the bill directs the Department of Health and Human Services to develop cybersecurity best practices for organizations in the healthcare industry. The bill also directs federal agencies to create new plans to fortify federal information systems and identify cyber-related gaps in the federal workforce.
The HHS Office for Civil Rights has launched an online portal designed to solicit questions from mHealth developers regarding compliance with HIPAA privacy and security requirements. The portal is designed to demystify HIPAA for app developers while providing guidance to regulators about which aspects of HIPAA may require clarification.
The HHS Office for Civil Rights needs to improve and expand its health privacy and data breach enforcement efforts. This was the message delivered by the September 29 release of twin reports by the U.S. Department of Health and Human Services Office of Inspector General that assessed OCR’s enforcement of federal health privacy laws. The studies were commissioned out of concern that the failure to adequately safeguard health information can expose large numbers of patients “to privacy invasion, fraud, identity theft, and/or other harm.” The enforcement of the HIPAA privacy laws in the U.S. are viewed as critical to ensuring that vulnerabilities that can lead to data breaches and potential harm to patients are addressed.
Government officials and experts from the private sector discussed enabling precision medicine and efforts to bolster patients’ rights to access medical records, and also emphasized the importance of controlling access to protected health information at the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 2–3, 2015, and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services, Office for Civil Rights. Comprehensive risk analysis and risk management practices remained a point of emphasis throughout the conference. This blog post addresses the following additional themes that emerged during the conference.
In an effort to help members of the health IT community better understand the federal laws relating to interoperability, the Office of the National Coordinator for Health Information Technology, part of the Department of Health and Human Services, has published a revised Guide to Privacy and Security of Electronic Health Information. Originally published in 2011, the updated document includes new insights about privacy- and security-related issues that will help providers, health IT professionals, vendors, and the public at large understand the different potentially applicable federal laws and incentive programs and how they fit together
Federal health IT leaders emphasized interoperability and computable privacy during the two-day Annual Meeting of the U.S. Office of the National Coordinator for Health Information Technology, which took place on February 2 and 3. Over 1,200 participants representing viewpoints across the healthcare spectrum attended the meeting in Washington, D.C. The meeting built on momentum from last week’s release of ONC’s draft Nationwide Interoperability Roadmap, as well as several high-profile announcements reinforcing the Obama Administration’s commitment to interoperability and privacy.
On December 2, the Department of Health and Human Services, Office for Civil Rights announced a $150,000 settlement with Anchorage Community Mental Health Services, Inc. for alleged violations of the HIPAA Security Rule. The announcement followed an OCR investigation into a breach of unsecured electronic protected health information affecting 2,743 individuals. OCR highlighted three Security Rule violations in its resolution agreement: (1) failure to conduct an accurate and thorough risk analysis; (2) failure to implement security policies and procedures; and (3) failure to have reasonable firewalls in place, as well as supported and patched IT resources. In a press release regarding the settlement, OCR Director Jocelyn Samuels noted that “successful HIPAA compliance . . . . includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
Government officials emphasized the importance of risk analysis and risk management in safeguarding PHI at the Seventh Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 23–24, 2014, and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. The conference’s themes—which include risk analysis and risk management, information sharing, and upcoming OCR enforcement efforts—highlighted how HIPAA regulated entities should approach cybersecurity considerations and compliance with the HIPAA Security Rule.
The 2009 HITECH Act mandated that the U.S. Department of Health and Human Services Office for Civil Rights conduct periodic audits of covered entities and business associates for compliance with HIPAA privacy and security requirements. In 2012, OCR conducted a pilot audit program involving 115 covered entities. In February 2014, the agency issued a notice in the Federal Register announcing its plan to survey up to 1,200 covered entities and business associates to select organizations for the next round of HIPAA audits.
On May 7, 2014, the Federal Trade Commission (FTC) held a seminar on Consumer Generated and Controlled Health Data (CGHD) that included participants from government, industry, and advocacy organizations. The seminar—which consisted of opening remarks by FTC Commissioner Julie Brill, brief presentations by FTC representatives on health information data flows and sharing of CGHD with third parties, and a panel discussion moderated by FTC attorneys Kristen Anderson and Cora Han—examined the potential benefits and risks of CGHD.
The U.S. Department of Health and Human Services (HHS) recently released a security risk assessment (SRA) tool as a resource to assist health care providers in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI). The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI. The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.
The U.S. Department of Health and Human Services sent a strong message to local governments last week when it reached a settlement with Skagit County, Washington over alleged violations of the Health Insurance Portability and Accountability Act. This is the first time that HHS has settled charges against a local—and not state level—government entity for HIPAA violations.
HHS has issued new guidance addressing when it is appropriate under the HIPAA Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition. The guidance does not impose new obligations, but rather is intended to clarify the application of existing HIPAA requirements to the disclosure of mental health information. Covered entity providers that handle such information may find it helpful to review the guidance to ensure that their practices are consistent with regulatory expectations.
On February 18, Puerto Rican insurer Triple S Salud revealed that it will face a $6.8 million fine for violating the Health Insurance Portability and Accountability Act. According to an 8-K filing submitted to the Securities and Exchange Commission, the Puerto Rico Health Insurance Administration notified Triple S on February 11, 2014 regarding its plans to sanction the insurer for HIPAA violations resulting from a 2013 breach of protected health information. The Health Insurance Administration also plans to impose administrative sanctions on the insurer, including the suspension of new enrollments into one of its plans and the obligation to notify affected individuals of their right to disenroll.
On January 31, the Federal Trade Commission announced a settlement with GMR Transcription Services following the public exposure of thousands of medical transcript files containing personal medical information. According to the FTC complaint, GMR failed to adequately verify that its overseas service provider implemented reasonable and appropriate security measures to protect personal information being transmitted and processed. This settlement, the FTC’s 50th with respect to data security, highlights the need for companies to engage in thorough vendor management and oversight with respect to data security practices.