HL Chronicle of Data Protection Privacy & Information Security News & Trends

Marcy Wilder

Posts by Marcy Wilder
Posted in Health Privacy/HIPAA

OCR Provides Insight into Enforcement Priorities and Breach Trends

Regulators, industry experts, and researchers provided insight into health privacy and security enforcement trends, emerging threats, and new tools at a recent conference focused on HIPAA. Moving into 2020, organizations with health data should be aware of: shifting OCR enforcement priorities, regulators’ continued attention to key HIPAA compliance activities, the changing threat landscape for health data, and new guidance and frameworks for health data not regulated by HIPAA.

Posted in Health Privacy/HIPAA

HIPAA Penalty Caps to Be Reduced and Tied to Culpability Level

In a dramatic turn, the US Department of Health and Human Services (HHS) has announced that effective immediately, penalties for many HIPAA violations will be subject to substantially reduced limits. After a record year of collecting high-dollar settlements, the agency has pulled back and tied its own hands through a Notification of Enforcement Discretion that will likely result in lower penalties and settlement agreement amounts.

Posted in Health Privacy/HIPAA

HHS Seeking Input on HIPAA Changes

The Department of Health and Human Services (HHS) announced a Request for Information (RFI) regarding how the HIPAA Privacy, Security, and Breach Notification Rules could be modified to reduce regulatory burdens and to improve care coordination, case management, and value-based health care. In addition to opening the door for public comments on current challenges and potential modifications to the HIPAA Rules, the RFI specifically requests feedback on anticipated changes to several specific provisions of the Privacy Rule.

Posted in Health Privacy/HIPAA

Recap of the OCR/NIST Conference on Safeguarding Health Information

Regulators provided key insights into enforcement trends and potential changes to HIPAA regulations at the 11th Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference in October co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

Posted in Health Privacy/HIPAA

California Consumer Privacy Act: The Challenge Ahead – Four Key Considerations for Health and Life Sciences Companies

The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come. In the latest installment of the CCPA blog series, we describe these issues and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.

Posted in Health Privacy/HIPAA, Privacy & Security Litigation

Aetna $17.2 Million Breach Settlement Brings Lessons for Handling Health Data

Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York following Attorney General Eric Schneiderman’s investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements impose compliance monitoring and record keeping obligations.

Posted in Consumer Privacy, Cybersecurity & Data Breaches, News & Events

Combatting the Massive Wave of WannaCry Ransomware

Major companies, health care organizations and government agencies are facing a wave of cyberattacks involving ransomware that takes control of computers and denies access until a ransom is paid. These attacks are occurring on a global scale and in some cases are having a significant impact on business and healthcare operations. The cyberattack has disrupted targets throughout the world from Britain’s National Health Service to US Fortune 500 companies, the Russian Foreign Ministry, and universities in China.

Posted in Health Privacy/HIPAA

New York Regulators Lead the Charge to Fill Health Data Protection Gaps Left by Federal Law

After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor. Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.

Posted in Health Privacy/HIPAA

New HHS Guidance Makes Clear HIPAA Applies in the Cloud

Cloud service providers are on notice: you are HIPAA business associates, even if you are unable to access the HIPAA protected information in your cloud. The Department of Health and Human Services Office for Civil Rights released guidance making clear that cloud service providers that create, receive, maintain, or transmit electronic protected health information are covered by HIPAA.

Posted in Health Privacy/HIPAA

ONC Report Identifies Gaps in Data Protection for Health, Wellness, and Fitness Data

A new report from the Department of Health and Human Services Office of the National Coordinator for Health Information Technology highlights data protection gaps in the U.S. for health data from wearable devices, social media, and emerging technologies. The report, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” identifies several areas in which privacy and security protections for health data have lagged behind technological developments that are expanding the collection of health data outside the traditional venues for health care.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

HHS Issues New Guidance on Ransomware and HIPAA

The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.

Posted in Health Privacy/HIPAA

OCR Releases Updated Audit Protocol

The revamped audit protocol for the upcoming HIPAA Phase 2 audits has been released by the US Department of Health and Human Services Office for Civil Rights. The audit protocol, which is posted on the HHS website, includes new requirements added by the 2013 Omnibus Final Rule for HIPAA covered entities and business associates. The Phase 2 audits will be more focused, and the stakes will be higher: the agency has indicated that audits may, in certain circumstances, lead to full compliance reviews—with the potential for fines or settlement agreements related to alleged HIPAA noncompliance. In addition, business associates will be subject to HIPAA audits for the first time.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

OCR Highlights Priorities as it Steps Up HIPAA Enforcement

Last week, the Department of Health and Human Services Office for Civil Rights launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted two resolution agreements that continue the trend toward big dollar settlement amounts and a focus on security risk assessments and business associate agreements. With Phase 2 HIPAA Audits underway and more full-scale compliance reviews triggered by data breach reports, it is more important than ever to appropriately protect health information.

Posted in Health Privacy/HIPAA

OCR Releases mHealth Guidance for App Developers

Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A clearer understanding of how the rules apply can also help bring down barriers to innovation.

Posted in Health Privacy/HIPAA

Precision Medicine Initiative Moves Forward with New Guidelines and Funding Opportunities

Last month, the White House released the Precision Medicine Initiative (PMI) Privacy and Trust Principles, aimed at building patient trust and protecting patient privacy in precision medicine-related activities, as the National Institutes of Health announced the availability of $72 million in PMI-related funding opportunities for fiscal year 2016. A Security Policy Framework intended to ensure that security is built into the foundation of the PMI is in development.

Posted in Health Privacy/HIPAA

HHS Office of Inspector General Calls On OCR for Increased HIPAA Oversight

The HHS Office for Civil Rights needs to improve and expand its health privacy and data breach enforcement efforts. This was the message delivered by the September 29 release of twin reports by the U.S. Department of Health and Human Services Office of Inspector General that assessed OCR’s enforcement of federal health privacy laws. The studies were commissioned out of concern that the failure to adequately safeguard health information can expose large numbers of patients “to privacy invasion, fraud, identity theft, and/or other harm.” Enforcement of the HIPAA privacy laws in the U.S. is viewed as critical to ensuring that vulnerabilities that can lead to data breaches and potential harm to patients are addressed.

Posted in Health Privacy/HIPAA, News & Events

U.S. Health IT Policy Committee to Hold Hearing and Seek Public Comment on HIPAA Accounting of Disclosure Requirements

On September 30, 2013 (11:45am – 5:00pm EDT), the US Health Information Technology Policy Committee’s Privacy and Security “Tiger Team” will convene an online public hearing to discuss how to improve transparency for patients about the uses and disclosures of their identifiable, electronic health information. This may result in recommendations from the Policy Committee to HHS, which is considering how to implement HIPAA requirements relating to an individual’s right to an “accounting” of disclosures of their protected health information made through an electronic health record.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

HHS Issues New HITECH/HIPAA Rule: Top Ten Changes

In the most significant change to HIPAA since the law was enacted, the Department of Health and Human Services issued an omnibus HIPAA regulation, which will require substantial operational changes for HIPAA covered entities and their business associates.  Ten important changes are: Changes to the data breach rule will make more incidents reportable. Business associates are […]

Posted in Consumer Privacy, Cybersecurity & Data Breaches, Health Privacy/HIPAA

Best Practices for Minimizing Health Data Breach Risks

At an American Hospital Association Signature Learning Series seminar in New York City, Hogan Lovells Privacy and Information Management practice director Marcy Wilder spoke to senior executives from health systems and hospitals about best practices for minimizing data breach risks and creating a culture of patient privacy compliance in large complex healthcare organizations.  Experts provided Five Tips to Make Patient […]

Posted in Health Privacy/HIPAA

Alaska Medicaid Settles HIPAA Security Rule Violations for $1.7 Million

Following an extensive investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the Alaska Department of Health and Social Services (DHSS), Alaska’s state Medicaid agency, agreed to pay $1.7 million and to comply with a corrective action plan (CAP) to address gaps in its compliance with the HIPAA Privacy and Security Rules.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

HHS OCR Director Leon Rodriguez Warns of Low Tolerance for HIPAA Noncompliance and Announces that Release of HITECH Rule is Imminent

UPDATE: On June 22, OMB announced that it is extending its review of the HIPAA Final Regulations. Although OMB generally has up to 90 days to review regulations, it may receive a 30-day extension issued by the Director or an indefinite extension issued by the head of the rulemaking agency. It is unclear […]

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Hospital to Pay $750,000 to Settle Data Breach Charges Brought by Massachusetts AG

On May 24, a Massachusetts hospital agreed to pay $750,000 to settle alleged HIPAA violations relating to a 2010 data breach. This was the largest settlement to date for actions initiated by attorneys general under HITECH. The complaint, brought by Massachusetts Attorney General Martha Coakley, resulted from the loss of back-up tapes with unencrypted personal […]