Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy and Security Team. Conor advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, and other data privacy and security matters. Read his rc.com bio here.

Subscribe to all posts by Conor Duffy

HHS Exercises Discretion to Reduce Maximum Annual Civil Money Penalties for Certain HIPAA Violations

By Conor Duffy on April 30, 2019 Posted in HIPAA and Health Information

On April 26, 2019, the U.S. Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion (Notice) regarding imposition of Civil Money Penalties (CMPs) under HIPAA. In the Notice, HHS announces that it has revisited its prior interpretation of the standards for assessment of CMPs under the HITECH Act, and is exercising … Continue Reading

OCR Issues Five New HIPAA FAQs on Health Information Apps

By Conor Duffy on April 24, 2019 Posted in HIPAA and Health Information

On April 18, 2019, the Department of Health & Human Services Office for Civil Rights (OCR) issued five new FAQs addressing the applicability of HIPAA to the use of software applications (apps) by individuals to receive health information from their providers. The new FAQs are available here under the Header “Access Right, Apps and APIs.” … Continue Reading

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

By Conor Duffy on April 18, 2019 Posted in HIPAA and Health Information

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) … Continue Reading

Department of Justice Announces Significant False Claims Act Settlements Tied to Electronic Health Records Arrangements

By Conor Duffy on February 21, 2019 Posted in Enforcement & Litigation

The Department of Justice (DOJ) recently announced two high-dollar False Claims Act (FCA) enforcement actions involving allegedly fraudulent arrangements tied to the implementation and use of electronic health record systems (EHRs). The respective settlements enable recovery by DOJ of over $100 million, and immediately precede the government’s recent proposal of new rules to promote the … Continue Reading

Physician Convicted of HIPAA Violation Receives Probation

By Conor Duffy on January 16, 2019 Posted in Enforcement & Litigation, HIPAA and Health Information

According to reports, a Georgia-based physician who previously pleaded guilty to criminal violations of the Health Insurance Portability and Accountability Act (HIPAA) received six months of probation from a Massachusetts federal judge earlier this week. The physician – a pediatric cardiologist – pleaded guilty in February, 2018 to a misdemeanor count of wrongful disclosure of … Continue Reading

OCR Issues Request for Information Regarding Modification of HIPAA To Promote Care Coordination and Transition to Value-Based Care

By Conor Duffy on December 19, 2018 Posted in Health Information Privacy, HIPAA and Health Information

On December 14, 2018 the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s … Continue Reading

New Jersey AG Announces $200,000 Settlement with Business Associate and Permanent Ban for BA’s Owner due to 2016 Data Breach Affecting Over 1,650 Patients

By Conor Duffy on November 7, 2018 Posted in Data Breach, Enforcement & Litigation, HIPAA and Health Information

On November 2, 2018, the New Jersey Attorney General announced a settlement worth up to $200,000 with a former medical transcription company responsible for a breach affecting medical records of up to 1,654 patients of a New Jersey physician network for which the company acted as a business associate. Please see our analysis of an … Continue Reading

Federal Legislation Enables Consumers to Obtain Security Freezes on Credit Reports Free of Charge

By Conor Duffy on October 24, 2018 Posted in Data Breach, Data Security

Federal legislation recently took effect that prohibits consumer reporting agencies from charging a fee to place or remove (lift) a security freeze on a consumer credit report in response to a consumer request. The “Economic Growth, Regulatory Relief, and Consumer Protection Act” (the Act) was passed on May 24, 2018. The Act includes important updates … Continue Reading

OIG Announces New Multidisciplinary Cybersecurity Team

By Conor Duffy on October 11, 2018 Posted in Cybersecurity, Health Information Privacy

The Office of Inspector General (OIG) recently announced the creation of a cybersecurity team focused on combating threats within the Department of Health & Human Services (HHS), and within the health care industry. The team includes auditors, evaluators, investigators, and attorneys with experience in cybersecurity matters, and its work is intended to build on the … Continue Reading

Years-Long Exposure of Sensitive Client Information Results in $200,000 Settlement with New York Attorney General

By Conor Duffy on September 24, 2018 Posted in Data Breach, Enforcement & Litigation, HIPAA and Health Information

In late August, the Attorney General of the State of New York announced a $200,000 settlement with a New York-based non-profit organization that provides services to developmentally disabled individuals and their families after concluding that the organization exposed sensitive personal information of its clients on the Internet for almost three years. The settlement is the … Continue Reading

Missouri Hospital Diverts Patients, Shuts Down EHR due to Ransomware Attack

By Conor Duffy on July 11, 2018 Posted in Cybersecurity, Health Information Privacy

On July 9, 2018, Cass Regional Medical Center (CRMC) in Harrisonville, Missouri was hit with a ransomware attack that led to a complete shutdown of its electronic health record (EHR) and the diversion of trauma and stroke patients. According to CRMC, the attack affected CRMC’s internal communications system and “access to” its EHR. In response, … Continue Reading

Connecticut Expands Consumer Protections Against Identity Theft and Data Breaches

By Conor Duffy on June 26, 2018 Posted in Data Breach

On June 4, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-90 “An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies” (P.A. 18-90). This bill makes several revisions to Connecticut laws concerning identity theft, most notably by newly prohibiting credit reporting agencies … Continue Reading

DOJ Announces Criminal Conviction of Physician for HIPAA Violation

By Conor Duffy on May 2, 2018 Posted in Enforcement & Litigation, HIPAA and Health Information

On April 30, 2018, a Massachusetts physician was convicted of a criminal violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as one count of obstruction of a criminal health care investigation, in a Massachusetts federal court. The convictions relate to the purported sharing of confidential patient information by the … Continue Reading

Government and Microsoft In Agreement that Pending Case Mooted by CLOUD Act

By Kathleen Porter and Conor Duffy on April 4, 2018 Posted in Enforcement & Litigation

On March 30, 2018, Solicitor General Noel J. Francisco filed a motion with the U.S. Supreme Court in United States v. Microsoft Corporation that seeks to vacate the judgment of the U.S. Court of Appeals for the Second Circuit in the case (which held in favor of Microsoft) and to remand the case with directions … Continue Reading

Congress Enacts CLOUD Act within Omnibus Spending Bill to Address Overseas Storage of Electronic Data, Potentially Mooting Supreme Court’s Pending Microsoft Case

By Conor Duffy and Kathleen Porter on March 28, 2018 Posted in Enforcement & Litigation, International Privacy Laws

On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by … Continue Reading

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

By Conor Duffy on February 15, 2018 Posted in Enforcement & Litigation, HIPAA and Health Information

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located … Continue Reading

Connecticut Supreme Court Recognizes Common-Law Cause of Action for Unauthorized Disclosure of Confidential Medical Information

By Conor Duffy on January 18, 2018 Posted in Enforcement & Litigation

In a long-awaited decision concerning the confidentiality of medical records and patient privacy, the Connecticut Supreme Court recently concluded that the physician-patient relationship establishes a duty of confidentiality to a patient in Connecticut, and that unauthorized disclosure of confidential information obtained for the purpose of treatment in the course of that relationship gives rise to … Continue Reading

CMS Addresses Lingering Uncertainties and Raises Others via MACRA Information Blocking Guidance

By Conor Duffy on November 2, 2017 Posted in Health Information Privacy, HIPAA and Health Information

The Centers for Medicare & Medicaid Services (CMS) recently issued guidance intended to help clinicians eligible for the Merit-based Incentive Payment System (MIPS) navigate an attestation required thereunder concerning the prevention of information blocking. MIPS was implemented via CMS’s Quality Payments Program final rule with comment period released in 2016, and represents one avenue for … Continue Reading

Supreme Court to Hear Microsoft Emails Case

By Wystan Ackerman, Kathleen Porter and Conor Duffy on October 18, 2017 Posted in Enforcement & Litigation

In an order issued on October 16, 2017, the U.S. Supreme Court granted certiorari in United States v. Microsoft Corporation, a case with potentially far-reaching implications for the privacy of electronic data maintained by technology companies across the globe. The case, which Robinson+Cole has previously discussed here, here, and here, arises from a warrant obtained … Continue Reading

Supreme Court to Discuss Granting Review in Microsoft E-Mails Case October 6

By Conor Duffy on September 21, 2017 Posted in Enforcement & Litigation

The U.S. Supreme Court recently indicated that it will consider the federal government’s petition for a writ of certiorari in United States v. Microsoft Corp. at its conference scheduled for October 6, 2017. United States v. Microsoft is a “cutting edge” case that concerns the ability of law enforcement to obtain electronic documents stored abroad … Continue Reading

FTC Issues ‘Stick with Security’ Guidance Emphasizing Data Security Best Practices

By Conor Duffy on August 15, 2017 Posted in Data Security

The Acting Director of the FTC’s Bureau of Consumer Protection, Thomas B. Pahl, recently commenced a ‘Stick with Security’ series of blog posts that analyze the data security principles championed by the FTC in its Start with Security guidance. The posts are intended to impart lessons the FTC has learned via investigations and enforcement actions, … Continue Reading

Solicitor General Urges Supreme Court Review of Second Circuit Microsoft Decision

By Conor Duffy on July 13, 2017 Posted in Enforcement & Litigation

On June 23, 2017, the Office of the Solicitor General (OSG) filed a petition for a writ of certiorari with the United States Supreme Court requesting reversal of a 2016 decision in which the U.S. Court of Appeals for the Second Circuit quashed a warrant obtained by the Department of Justice (DOJ) under the Stored … Continue Reading

HHS Office of the Assistant Secretary for Preparedness and Response Issues Series of Cybersecurity Updates in Response to WannaCry Attack

By Conor Duffy on May 22, 2017 Posted in Cybersecurity

In response to the WannaCry ransomware attack that infiltrated the computer systems of health care systems and other entities worldwide on or around May 12, 2017 (previously discussed here), HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) issued a series of updates to provide consumers and potentially affected organizations with information on … Continue Reading

This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Any opinions expressed on this Blog/Website are opinions only of the author, expressed at the time the material is written based on information available to the author at that time, and are not opinions of the author's law firm or any of the author's or the law firm's clients. This Blog/Website is not intended to be attorney advertising. To the extent it might be deemed to be attorney advertising, it should not be considered advertising or to be seeking legal work in any jurisdiction in which the author is not admitted to practice law (i.e., jurisdictions other than Connecticut, Massachusetts, and various federal courts).