The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come. In the latest installment of the CCPA blog series, we describe these issues and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.
Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York after the Attorney General Eric Schneiderman’s investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements require compliance monitoring and record keeping obligations.
Last week, the UK’s Information Commissioner’s Office published a monetary penalty notice, which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
On Wednesday, August 17, 2016, the Future of Privacy Forum released a set of detailed guidelines for the collection and use of consumer-generated wellness data. The document, Best Practices for Consumer Wearables & Wellness Apps & Devices, was drafted by FPF with input from a wide range of stakeholders, including privacy advocates, companies, and regulators. The Best Practices guidelines set forth a Fair Information Practice Principles-based trust framework that builds on existing legal expectations to provide a set of best practices providing appropriate protections given the nature and sensitivity of the data.
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes.
The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.
Hogan Lovells hosted the second annual Health Privacy Law Forum for health privacy professionals yesterday. Participants spoke with Deven McGraw, Deputy Director of Health Information Privacy at the U.S. Department of Health and Human Services Office for Civil Rights , and former Federal Trade Commissioner Julie Brill, now a partner at Hogan Lovells and co-chair of its Privacy and Cybersecurity practice.
The EU General Data Protection Regulation has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.
The 2009 HITECH Act mandated that the U.S. Department of Health and Human Services Office for Civil Rights conduct periodic audits of covered entities and business associates for compliance with HIPAA privacy and security requirements. In 2012, OCR conducted a pilot audit program involving 115 covered entities. In February 2014, the agency issued a notice in the Federal Register announcing its plan to survey up to 1,200 covered entities and business associates to select organizations for the next round of HIPAA audits.
On May 7, 2014, the Federal Trade Commission (FTC) held a seminar on Consumer Generated and Controlled Health Data (CGHD) that included participants from government, industry, and advocacy organizations. The seminar—which consisted of opening remarks by FTC Commissioner Julie Brill, brief presentations by FTC representatives on health information data flows and sharing of CGHD with third parties, and a panel discussion moderated by FTC attorneys Kristen Anderson and Cora Han—examined the potential benefits and risks of CGHD.
The Department of Health and Human Services (HHS) just released the highly anticipated final regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The regulations address: Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act; Final rule adopting changes […]
Hogan Lovells is proud to have six lawyers from its Privacy and Information Management group presenting at various sessions of this year’s IAPP Global Privacy Summit. For those attending the Summit, please consider attending the sessions this week to hear from members of the Hogan Lovells team about various cutting edge topics, as well as about how you can get involved in the IAPP’s public service initiative.