Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: Office for Civil Rights

Posted in Health Privacy/HIPAA

New York Regulators Lead the Charge to Fill Health Data Protection Gaps Left by Federal Law

After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor. Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.

Posted in Health Privacy/HIPAA

Recap of the OCR/NIST Conference on Safeguarding Health Information

Representatives from government and the private sector discussed the present state of healthcare cybersecurity, and experts discussed practical strategies for implementing the HIPAA Security Rule at the ninth annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference held from October 19–20, 2016 and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. Comprehensive, enterprise-wide risk analysis and risk management practices remained points of emphasis throughout the conference. Additional themes, which we outline in this post, also emerged.

Posted in Health Privacy/HIPAA

New HHS Guidance Makes Clear HIPAA Applies in the Cloud

Cloud service providers are on notice: you are HIPAA business associates, even if you are unable to access the HIPAA protected information in your cloud. The Department of Health and Human Services Office for Civil Rights released guidance making clear that cloud service providers that create, receive, maintain, or transmit electronic protected health information are covered by HIPAA.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

OCR Emphasizes Security Obligations of Business Associates with Latest Enforcement

The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

HHS Issues New Guidance on Ransomware and HIPAA

The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.

Posted in News & Events

Hogan Lovells Brings Together Industry and Government Leaders for Second Annual Health Privacy Law Forum

Hogan Lovells hosted the second annual Health Privacy Law Forum for health privacy professionals yesterday. Participants spoke with Deven McGraw, Deputy Director of Health Information Privacy at the U.S. Department of Health and Human Services Office for Civil Rights , and former Federal Trade Commissioner Julie Brill, now a partner at Hogan Lovells and co-chair of its Privacy and Cybersecurity practice.

Posted in Health Privacy/HIPAA

OCR Releases Updated Audit Protocol

The revamped audit protocol for the upcoming HIPAA Phase 2 audits has been released by the US Department of Health and Human Services Office for Civil Rights. The audit protocol, which is posted on the HHS website, includes new requirements added by the 2013 Omnibus Final Rule for HIPAA covered entities and business associates. The Phase 2 audits will be more focused, and the stakes will be higher: the agency has indicated that audits may, in certain circumstances, lead to full compliance reviews—with the potential for fines or settlement agreements related to alleged HIPAA noncompliance. In addition, business associates will be subject to HIPAA audits for the first time.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

OCR Highlights Priorities as it Steps Up HIPAA Enforcement

Last week, the Department of Health and Human Services Office for Civil Rights launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted two resolution agreements that continue the trend toward big dollar settlement amounts and a focus on security risk assessments and business associate agreements. With Phase 2 HIPAA Audits underway and more full-scale compliance reviews triggered by data breach reports, it is more important than ever to appropriately protect health information.