Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy and Security Team. Conor advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, and other data privacy and security matters. Read his rc.com bio here.

Subscribe to all posts by Conor Duffy

HHS Office of the Assistant Secretary for Preparedness and Response Issues Series of Cybersecurity Updates in Response to WannaCry Attack

By Conor Duffy on May 22, 2017 Posted in Cybersecurity

In response to the WannaCry ransomware attack that infiltrated the computer systems of health care systems and other entities worldwide on or around May 12, 2017 (previously discussed here), HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) issued a series of updates to provide consumers and potentially affected organizations with information on … Continue Reading

New Mexico Enacts Data Breach Notification Law

By Conor Duffy on May 3, 2017 Posted in Cybersecurity

Governor Susana Martinez recently signed into law the New Mexico “Data Breach Notification Act” (the Act), making New Mexico the 48th state (plus Puerto Rico and the District of Columbia) to adopt legislation mandating the provision of notice in the event of a data breach. The Act – which takes effect June 16, 2017 – … Continue Reading

NY AG Announces Settlements with Three Mobile-Health App Developers Over Privacy, Marketing Concerns

By Conor Duffy on March 27, 2017 Posted in Enforcement & Litigation, Health Information Privacy

On March 23, 2017, New York State Attorney General Eric T. Schneiderman announced settlements with three mobile health application (app) development companies aimed at curbing deceptive marketing practices and inadequate privacy disclosures to consumers. The settlements – reached with Cardiio, Inc., Matis Ltd., and Runtastic GmbH, respectively – target health measurement apps that “purport to … Continue Reading

Florida Supreme Court Rejects PSQIA Preemption of Florida Constitution

By Conor Duffy on March 7, 2017 Posted in Enforcement & Litigation

On January 31, 2017, the Florida Supreme Court held that adverse medical incident reports produced in accordance with Florida law cannot constitute confidential and privileged patient safety work product (PSWP) under the federal Patient Safety & Quality Improvement Act of 2005 (PSQIA). In Jean Charles, Jr. et al. v. Southern Baptist Hospital of Florida, Inc. … Continue Reading

Second Circuit Denies En Banc Rehearing in Microsoft Email Case

By Conor Duffy on January 30, 2017 Posted in Enforcement & Litigation

On January 24, 2017, the U.S. Court of Appeals for the Second Circuit denied the Department of Justice’s request for an en banc rehearing in In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corp. a/k/a Microsoft Corp. v. United States (No. 14-2985). The denial leaves in place … Continue Reading

21st Century Cures Act Includes Prohibition on Information Blocking and Mandates for Additional HIPAA Guidance

By Conor Duffy on December 5, 2016 Posted in Health Information Privacy, HIPAA and Health Information

On November 30, 2016, the U.S. House of Representatives voted strongly in favor of the 21st Century Cures Act (the Act), an expansive health bill that addresses the discovery and development of new medical therapies as well the delivery of health care treatment by providers. In 2015, the House had previously approved an earlier version … Continue Reading

Sixth Circuit: Substantial Risk of Harm and Mitigation Costs Sufficient to Confer Standing in Data Breach Case

By Conor Duffy on October 19, 2016 Posted in Data Breach, Enforcement & Litigation

On October 12, 2016, the U.S. Court of Appeals for the Sixth Circuit denied a petition for an en banc rehearing of its September 12 decision in Galaria, et al. v. Nationwide Mutual Insurance Company (Nos. 15-3386/3387). In that decision, a divided Sixth Circuit panel revived a suit against Nationwide arising from the 2012 theft … Continue Reading

CMS Issues Warning to Nursing Homes Regarding Abuse of Residents Via Social Media

By Conor Duffy on August 10, 2016 Posted in Enforcement & Litigation, Health Information Privacy, HIPAA and Health Information

On August 5, 2016, the Centers for Medicare & Medicaid Services (CMS) issued guidance to nursing homes in a letter to state survey agencies (Letter) that addresses nursing homes’ obligations to protect residents. The Letter focuses on potential psychosocial harm to nursing home residents caused by the sharing on social media of demeaning photographs or … Continue Reading

HHS: Ransomware attacks likely HIPAA breaches in absence of encryption

By Conor Duffy on July 20, 2016 Posted in HIPAA and Health Information, Uncategorized

On July 11, 2016, the U.S. Department of Health & Human Services (HHS) issued a Fact Sheet that provides guidance on (i) how HIPAA Security Rule compliance can assist health care organizations combat ransomware attacks, and (ii) the applicability of HIPAA’s Breach Notification Rule to ransomware attacks. This guidance is particularly timely due to the … Continue Reading

Connecticut Legislative Update: Public Act 16-77: An act concerning patient notices, designation of a health information technology officer, assets purchased for the state-wide health information exchange and membership of the state health information technology advisory council

By Pamela Del Negro, Conor Duffy and Guest Contributor on June 30, 2016 Posted in Health Information Privacy

This legislation (P.A. 16-77) makes substantive and technical changes related to Public Act 15-146, a major public health and health care bill passed by the Connecticut Legislature during its 2015 Legislative Session. CONNECTICUT HEALTH INSURANCE EXCHANGE CONSUMER INFORMATION WEBSITE Under current law, Connecticut’s Health Insurance Exchange (HIX) is required, within available resources, to establish and … Continue Reading

HHS guidance seeks to clarify scope of PSQIA

By Conor Duffy on June 15, 2016 Posted in Health Information Privacy, HIPAA and Health Information

On May 24, 2016, the Department of Health & Human Services (HHS) issued guidance (Guidance) to health care providers and patient safety organizations (PSOs) in an attempt to clarify the definition of patient safety work product (PSWP) under the Patient Safety and Quality Improvement Act of 2005 and its implementing regulations (collectively, the PSQIA). The … Continue Reading

OIG laments failure to comprehensively address EHR fraud

By Conor Duffy on April 18, 2016 Posted in HIPAA and Health Information

The U.S. Department of Health & Human Services (HHS) Office of Inspector General (OIG) recently released a compendium (Compendium) of its top unimplemented recommendations. The Compendium comprises 25 unimplemented past OIG recommendations that the OIG believes could have a positive impact on HHS programs in terms of cost savings and/or quality improvements. The Compendium’s recommendations … Continue Reading

Physical therapy provider’s patient testimonials lead to $25,000 OCR settlement and admission of civil liability

By Conor Duffy on March 9, 2016 Posted in Health Information Privacy, HIPAA and Health Information

On February 16, 2016, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it had entered into an agreement with Complete P.T., Pool & Land Physical Therapy, Inc. (CPT), a physical therapy practice located in California, to resolve HIPAA violations arising from CPT’s impermissible disclosure of protected health information … Continue Reading

HHS issues new guidance on individual access to PHI under HIPAA

By Conor Duffy on January 13, 2016 Posted in HIPAA and Health Information

On January 7, 2015, HHS issued new guidance (Guidance) regarding an individual’s right to access his or her health information under HIPAA’s Privacy Rule. The Guidance emphasizes that HIPAA, while protecting the privacy and confidentiality of individuals’ health information, also recognizes the importance of providing individuals with access to their health information. The Guidance reviews … Continue Reading

PSQIA held to preempt Florida constitutional right to access adverse medical incident reports

By Conor Duffy on November 19, 2015 Posted in Enforcement & Litigation

On October 28, 2015, the District Court of Appeal in the First District of Florida held in Southern Baptist Hospital, Inc. v. Jean Charles, Jr. et al. that the federal Patient Safety and Quality Improvement Act of 2005 (PSQIA) preempts a provision of the Florida Constitution that provides patients with a broad right of access … Continue Reading

OIG report spurs OCR to announce phase 2 audits

By Conor Duffy on October 8, 2015 Posted in HIPAA and Health Information

On September 29, it was revealed that the HHS Office for Civil Rights (OCR) will commence Phase 2 of its HIPAA audit program in “early 2016.” OCR’s revelation regarding the Phase 2 audits, which had been the subject of significant industry speculation, came in response to two related reports on OCR’s oversight and enforcement of … Continue Reading

OCR settlement reiterates importance of proactive security rule compliance

By Conor Duffy on September 16, 2015 Posted in Enforcement & Litigation, Health Information Privacy, HIPAA and Health Information

On September 2, 2015, the U.S. Department of Health & Human Services (HHS) announced that Cancer Care Group, P.C. (CCG), a physician practice located in Indiana, agreed to pay $750,000 as part of a settlement to resolve alleged violations of HIPAA’s Security and Privacy Rules. The HHS Office for Civil Rights (OCR) initiated an investigation … Continue Reading

House Passes Medical Innovation Bill That Would Revise HIPAA

By Conor Duffy on July 27, 2015 Posted in HIPAA and Health Information

On July 10, the U.S. House of Representatives approved the 21st Century Cures Act (the Act), a bill intended to support advancements in medical innovation. The Act includes measures aimed at spurring medical research, reducing the regulatory burden on medical device development, improving health information interoperability, and expanding telehealth coverage. In order to facilitate collaborative … Continue Reading

Connecticut legislation requires consumer health information website

By Pamela Del Negro and Conor Duffy on July 9, 2015 Posted in Health Information Privacy

-Contributed by R+C’s Health Law Group Effective October 1, 2015, this legislation requires the Connecticut Health Insurance Exchange (HIX) to establish, by July 1, 2016, a consumer health information website that contains information comparing the quality, price, and cost of health care services among health care providers in Connecticut. The HIX website must include price … Continue Reading

Connecticut legislation establishes statewide Health Information Exchange

By Pamela Del Negro and Conor Duffy on July 9, 2015 Posted in Health Information Privacy

-Contributed by R+C’s Health Law Group Effective October 1, 2015, this legislation contains several provisions to encourage the free exchange of patient health information among providers and consumers. Hospitals, health systems, and electronic health record (EHR) providers are prohibited from “health information blocking,” and this legislation establishes that such action is an unfair trade practice. … Continue Reading

CMS Proposes Final Meaningful Use Objectives and Measures in EHR incentive programs Stage 3 Proposed Rule

By Conor Duffy on May 19, 2015 Posted in Health Information Privacy, HIPAA and Health Information, Uncategorized

On March 30, 2015, the Centers for Medicare & Medicaid Services (CMS) published a proposed rule (Proposed Rule) setting forth meaningful use criteria for Stage 3 of the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs). CMS intends for Stage 3 to be the final stage of the EHR Incentive Programs, and … Continue Reading

JAMA Releases Study Analyzing Scope and Characteristics of Recent Data Breaches

By Conor Duffy on May 7, 2015 Posted in Health Information Privacy

Reports of security breaches involving health care information have become increasingly prevalent in recent years, and such breaches seem to be continually growing in scope and magnitude. In the April 14, 2015, issue of JAMA, the Journal of the American Medical Association, three California researchers led by Dr. Vincent Liu (hereinafter Liu et al.) sought … Continue Reading

This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Any opinions expressed on this Blog/Website are opinions only of the author, expressed at the time the material is written based on information available to the author at that time, and are not opinions of the author's law firm or any of the author's or the law firm's clients. This Blog/Website is not intended to be attorney advertising. To the extent it might be deemed to be attorney advertising, it should not be considered advertising or to be seeking legal work in any jurisdiction in which the author is not admitted to practice law (i.e., jurisdictions other than Connecticut, Massachusetts, and various federal courts).