Conor Duffy

Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy and Security Team. Conor advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, and other data privacy and security matters. Read his rc.com bio here.

Subscribe to all posts by Conor Duffy

COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic. The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), … Continue Reading

HHS Issues Timely Reminder of Applicability of HIPAA to Outbreak Situations

On February 3, 2020, the U.S. Department of Health and Human Services (HHS) issued a bulletin (the Bulletin) to remind covered entities and business associates of how patient information may be shared under HIPAA in the event of an emergency, such as an outbreak of infectious disease. The Bulletin was issued in response to the … Continue Reading

OCR Announces Second $85,000 Settlement for Alleged Violations of the Individual Right of Access under HIPAA

On December 12, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its second “HIPAA Right of Access Initiative” settlement of alleged HIPAA violations. The HIPAA Right of Access Initiative is a new effort in 2019 by OCR to monitor compliance with HIPAA requirements addressing patient rights to promptly … Continue Reading

Misdirected Hospital Bills Lead to $2.175 Million HIPAA Settlement

On November 27, 2019, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a $2.175 million dollar settlement with a hospital system to resolve alleged violations of HIPAA’s Breach Notification Rule and Privacy Rule. The settlement is noteworthy as it represents OCR’s fourth HIPAA settlement in excess of $1 million … Continue Reading

For First Time Ever, Government Brings HIPAA Enforcement Action Alleging Violations of Right to Access Medical Records

On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response … Continue Reading

Spurred by Opioid Crisis, Government Proposes Additional Changes to Substance Use Disorder Confidentiality Regulations to Facilitate Provision of Coordinated Care

On August 26, 2019, the Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published a notice of proposed rulemaking (NPRM) to “better align” its substance use disorder (SUD) confidentiality regulations at 42 C.F.R. Part 2 (Part 2) with the needs of providers and patients, and to “facilitate the provision of well-coordinated … Continue Reading

OIG Issues Alert to Warn of ‘Free’ Genetic Testing Scams Seeking to Steal Information

On June 3, 2019, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a fraud alert to notify consumers about genetic testing fraud schemes (the Alert). According to the OIG, fraudulent actors are using the provision of free genetic testing kits to obtain Medicare information from unwitting consumers, and then … Continue Reading

OCR Issues Fact Sheet Listing Circumstances in which Business Associates May Face Direct Liability for HIPAA Violations

In a development that may – understandably – have been overlooked by many heading into Memorial Day weekend, on May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Fact Sheet on Direct Liability of Business Associates under the Health Insurance Portability and Accountability Act (HIPAA). … Continue Reading

HHS Exercises Discretion to Reduce Maximum Annual Civil Money Penalties for Certain HIPAA Violations

On April 26, 2019, the U.S. Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion (Notice) regarding imposition of Civil Money Penalties (CMPs) under HIPAA. In the Notice, HHS announces that it has revisited its prior interpretation of the standards for assessment of CMPs under the HITECH Act, and is exercising … Continue Reading

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) … Continue Reading

Department of Justice Announces Significant False Claims Act Settlements Tied to Electronic Health Records Arrangements

The Department of Justice (DOJ) recently announced two high-dollar False Claims Act (FCA) enforcement actions involving allegedly fraudulent arrangements tied to the implementation and use of electronic health record systems (EHRs). The respective settlements enable recovery by DOJ of over $100 million, and immediately precede the government’s recent proposal of new rules to promote the … Continue Reading

Physician Convicted of HIPAA Violation Receives Probation

According to reports, a Georgia-based physician who previously pleaded guilty to criminal violations of the Health Insurance Portability and Accountability Act (HIPAA) received six months of probation from a Massachusetts federal judge earlier this week. The physician – a pediatric cardiologist – pleaded guilty in February, 2018 to a misdemeanor count of wrongful disclosure of … Continue Reading

OCR Issues Request for Information Regarding Modification of HIPAA To Promote Care Coordination and Transition to Value-Based Care

On December 14, 2018 the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s … Continue Reading

New Jersey AG Announces $200,000 Settlement with Business Associate and Permanent Ban for BA’s Owner due to 2016 Data Breach Affecting Over 1,650 Patients

On November 2, 2018, the New Jersey Attorney General announced a settlement worth up to $200,000 with a former medical transcription company responsible for a breach affecting medical records of up to 1,654 patients of a New Jersey physician network for which the company acted as a business associate. Please see our analysis of an … Continue Reading

Federal Legislation Enables Consumers to Obtain Security Freezes on Credit Reports Free of Charge

Federal legislation recently took effect that prohibits consumer reporting agencies from charging a fee to place or remove (lift) a security freeze on a consumer credit report in response to a consumer request. The “Economic Growth, Regulatory Relief, and Consumer Protection Act” (the Act) was passed on May 24, 2018. The Act includes important updates … Continue Reading

OIG Announces New Multidisciplinary Cybersecurity Team

The Office of Inspector General (OIG) recently announced the creation of a cybersecurity team focused on combating threats within the Department of Health & Human Services (HHS), and within the health care industry. The team includes auditors, evaluators, investigators, and attorneys with experience in cybersecurity matters, and its work is intended to build on the … Continue Reading

Years-Long Exposure of Sensitive Client Information Results in $200,000 Settlement with New York Attorney General

In late August, the Attorney General of the State of New York announced a $200,000 settlement with a New York-based non-profit organization that provides services to developmentally disabled individuals and their families after concluding that the organization exposed sensitive personal information of its clients on the Internet for almost three years. The settlement is the … Continue Reading

Missouri Hospital Diverts Patients, Shuts Down EHR due to Ransomware Attack

On July 9, 2018, Cass Regional Medical Center (CRMC) in Harrisonville, Missouri was hit with a ransomware attack that led to a complete shutdown of its electronic health record (EHR) and the diversion of trauma and stroke patients. According to CRMC, the attack affected CRMC’s internal communications system and “access to” its EHR. In response, … Continue Reading

Connecticut Expands Consumer Protections Against Identity Theft and Data Breaches

On June 4, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-90 “An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies” (P.A. 18-90). This bill makes several revisions to Connecticut laws concerning identity theft, most notably by newly prohibiting credit reporting agencies … Continue Reading

DOJ Announces Criminal Conviction of Physician for HIPAA Violation

On April 30, 2018, a Massachusetts physician was convicted of a criminal violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as one count of obstruction of a criminal health care investigation, in a Massachusetts federal court. The convictions relate to the purported sharing of confidential patient information by the … Continue Reading

Congress Enacts CLOUD Act within Omnibus Spending Bill to Address Overseas Storage of Electronic Data, Potentially Mooting Supreme Court’s Pending Microsoft Case

On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by … Continue Reading
LexBlog