Conor Duffy

Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy and Security Team. Conor advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, and other data privacy and security matters. Read his rc.com bio here.

Subscribe to all posts by Conor Duffy

Missouri Hospital Diverts Patients, Shuts Down EHR due to Ransomware Attack

By Conor Duffy on Posted in Cybersecurity, Health Information Privacy
On July 9, 2018, Cass Regional Medical Center (CRMC) in Harrisonville, Missouri was hit with a ransomware attack that led to a complete shutdown of its electronic health record (EHR) and the diversion of trauma and stroke patients. According to CRMC, the attack affected CRMC’s internal communications system and “access to” its EHR. In response, … Continue Reading

Connecticut Expands Consumer Protections Against Identity Theft and Data Breaches

By Conor Duffy on Posted in Data Breach
On June 4, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-90 “An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies” (P.A. 18-90). This bill makes several revisions to Connecticut laws concerning identity theft, most notably by newly prohibiting credit reporting agencies … Continue Reading

DOJ Announces Criminal Conviction of Physician for HIPAA Violation

By Conor Duffy on Posted in Enforcement & Litigation, HIPAA and Health Information
On April 30, 2018, a Massachusetts physician was convicted of a criminal violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as one count of obstruction of a criminal health care investigation, in a Massachusetts federal court. The convictions relate to the purported sharing of confidential patient information by the … Continue Reading

Congress Enacts CLOUD Act within Omnibus Spending Bill to Address Overseas Storage of Electronic Data, Potentially Mooting Supreme Court’s Pending Microsoft Case

By Conor Duffy and Kathleen Porter on Posted in Enforcement & Litigation, International Privacy Laws
On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by … Continue Reading

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

By Conor Duffy on Posted in Enforcement & Litigation, HIPAA and Health Information
On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located … Continue Reading

Connecticut Supreme Court Recognizes Common-Law Cause of Action for Unauthorized Disclosure of Confidential Medical Information

By Conor Duffy on Posted in Enforcement & Litigation
In a long-awaited decision concerning the confidentiality of medical records and patient privacy, the Connecticut Supreme Court recently concluded that the physician-patient relationship establishes a duty of confidentiality to a patient in Connecticut, and that unauthorized disclosure of confidential information obtained for the purpose of treatment in the course of that relationship gives rise to … Continue Reading

CMS Addresses Lingering Uncertainties and Raises Others via MACRA Information Blocking Guidance

By Conor Duffy on Posted in Health Information Privacy, HIPAA and Health Information
The Centers for Medicare & Medicaid Services (CMS) recently issued guidance intended to help clinicians eligible for the Merit-based Incentive Payment System (MIPS) navigate an attestation required thereunder concerning the prevention of information blocking. MIPS was implemented via CMS’s Quality Payments Program final rule with comment period released in 2016, and represents one avenue for … Continue Reading

Supreme Court to Hear Microsoft Emails Case

By Wystan Ackerman, Kathleen Porter and Conor Duffy on Posted in Enforcement & Litigation
In an order issued on October 16, 2017, the U.S. Supreme Court granted certiorari in United States v. Microsoft Corporation, a case with potentially far-reaching implications for the privacy of electronic data maintained by technology companies across the globe. The case, which Robinson+Cole has previously discussed here, here, and here, arises from a warrant obtained … Continue Reading

Supreme Court to Discuss Granting Review in Microsoft E-Mails Case October 6

By Conor Duffy on Posted in Enforcement & Litigation
The U.S. Supreme Court recently indicated that it will consider the federal government’s petition for a writ of certiorari in United States v. Microsoft Corp. at its conference scheduled for October 6, 2017. United States v. Microsoft is a “cutting edge” case that concerns the ability of law enforcement to obtain electronic documents stored abroad … Continue Reading

FTC Issues ‘Stick with Security’ Guidance Emphasizing Data Security Best Practices

By Conor Duffy on Posted in Data Security
The Acting Director of the FTC’s Bureau of Consumer Protection, Thomas B. Pahl, recently commenced a ‘Stick with Security’ series of blog posts that analyze the data security principles championed by the FTC in its Start with Security guidance. The posts are intended to impart lessons the FTC has learned via investigations and enforcement actions, … Continue Reading

HHS Office of the Assistant Secretary for Preparedness and Response Issues Series of Cybersecurity Updates in Response to WannaCry Attack

By Conor Duffy on Posted in Cybersecurity
In response to the WannaCry ransomware attack that infiltrated the computer systems of health care systems and other entities worldwide on or around May 12, 2017 (previously discussed here), HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) issued a series of updates to provide consumers and potentially affected organizations with information on … Continue Reading

New Mexico Enacts Data Breach Notification Law

By Conor Duffy on Posted in Cybersecurity
Governor Susana Martinez recently signed into law the New Mexico “Data Breach Notification Act” (the Act), making New Mexico the 48th state (plus Puerto Rico and the District of Columbia) to adopt legislation mandating the provision of notice in the event of a data breach. The Act – which takes effect June 16, 2017 – … Continue Reading

NY AG Announces Settlements with Three Mobile-Health App Developers Over Privacy, Marketing Concerns

By Conor Duffy on Posted in Enforcement & Litigation, Health Information Privacy
On March 23, 2017, New York State Attorney General Eric T. Schneiderman announced settlements with three mobile health application (app) development companies aimed at curbing deceptive marketing practices and inadequate privacy disclosures to consumers. The settlements – reached with Cardiio, Inc., Matis Ltd., and Runtastic GmbH, respectively – target health measurement apps that “purport to … Continue Reading

Florida Supreme Court Rejects PSQIA Preemption of Florida Constitution

By Conor Duffy on Posted in Enforcement & Litigation
On January 31, 2017, the Florida Supreme Court held that adverse medical incident reports produced in accordance with Florida law cannot constitute confidential and privileged patient safety work product (PSWP) under the federal Patient Safety & Quality Improvement Act of 2005 (PSQIA). In Jean Charles, Jr. et al. v. Southern Baptist Hospital of Florida, Inc. … Continue Reading

21st Century Cures Act Includes Prohibition on Information Blocking and Mandates for Additional HIPAA Guidance

By Conor Duffy on Posted in Health Information Privacy, HIPAA and Health Information
On November 30, 2016, the U.S. House of Representatives voted strongly in favor of the 21st Century Cures Act (the Act), an expansive health bill that addresses the discovery and development of new medical therapies as well the delivery of health care treatment by providers. In 2015, the House had previously approved an earlier version … Continue Reading

Sixth Circuit: Substantial Risk of Harm and Mitigation Costs Sufficient to Confer Standing in Data Breach Case

By Conor Duffy on Posted in Data Breach, Enforcement & Litigation
On October 12, 2016, the U.S. Court of Appeals for the Sixth Circuit denied a petition for an en banc rehearing of its September 12 decision in Galaria, et al. v. Nationwide Mutual Insurance Company (Nos. 15-3386/3387). In that decision, a divided Sixth Circuit panel revived a suit against Nationwide arising from the 2012 theft … Continue Reading

CMS Issues Warning to Nursing Homes Regarding Abuse of Residents Via Social Media

By Conor Duffy on Posted in Enforcement & Litigation, Health Information Privacy, HIPAA and Health Information
On August 5, 2016, the Centers for Medicare & Medicaid Services (CMS) issued guidance to nursing homes in a letter to state survey agencies (Letter) that addresses nursing homes’ obligations to protect residents. The Letter focuses on potential psychosocial harm to nursing home residents caused by the sharing on social media of demeaning photographs or … Continue Reading

HHS: Ransomware attacks likely HIPAA breaches in absence of encryption

By Conor Duffy on Posted in HIPAA and Health Information, Uncategorized
On July 11, 2016, the U.S. Department of Health & Human Services (HHS) issued a Fact Sheet that provides guidance on (i) how HIPAA Security Rule compliance can assist health care organizations combat ransomware attacks, and (ii) the applicability of HIPAA’s Breach Notification Rule to ransomware attacks. This guidance is particularly timely due to the … Continue Reading

Connecticut Legislative Update: Public Act 16-77: An act concerning patient notices, designation of a health information technology officer, assets purchased for the state-wide health information exchange and membership of the state health information technology advisory council

By Pamela Del Negro, Conor Duffy and Guest Contributor on Posted in Health Information Privacy
This legislation (P.A. 16-77) makes substantive and technical changes related to Public Act 15-146, a major public health and health care bill passed by the Connecticut Legislature during its 2015 Legislative Session. CONNECTICUT HEALTH INSURANCE EXCHANGE CONSUMER INFORMATION WEBSITE Under current law, Connecticut’s Health Insurance Exchange (HIX) is required, within available resources, to establish and … Continue Reading

HHS guidance seeks to clarify scope of PSQIA

By Conor Duffy on Posted in Health Information Privacy, HIPAA and Health Information
On May 24, 2016, the Department of Health & Human Services (HHS) issued guidance (Guidance) to health care providers and patient safety organizations (PSOs) in an attempt to clarify the definition of patient safety work product (PSWP) under the Patient Safety and Quality Improvement Act of 2005 and its implementing regulations (collectively, the PSQIA). The … Continue Reading
LexBlog