These days, news stations are frequently running stories concerning people being treated for COVID-19, the providers working tirelessly to care for them, and politicians visiting health care facilities for a first-hand look at the crisis. In response to the media interest, the Office for Civil Rights (OCR) issued guidance on May 5, 2020 to healthcare … Continue Reading
On March 9, 2020, the Department of Health and Human Services (HHS) announced final rules seeking to give patients more access to, and control of, their health data. The final rules were issued by the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare and Medicaid Services (CMS). The ONC rule is … Continue Reading
The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now … Continue Reading
Every year, we remind our readers that the HIPAA data breach notification regulations require covered entities to notify the Office for Civil Rights (OCR) of any reportable data breaches that involved fewer than 500 individuals and have not already been self-reported within 60 days following the calendar year. That means that covered entities are required … Continue Reading
Health care organizations continue to be a popular target for hackers. According to information from the U.S. Department of Health & Human Services (HHS), more than 30 reports of data breaches were filed by health care entities in the first month and a half of 2020. Although a few reported breaches involved theft or improper … Continue Reading
On February 3, 2020, the U.S. Department of Health and Human Services (HHS) issued a bulletin (the Bulletin) to remind covered entities and business associates of how patient information may be shared under HIPAA in the event of an emergency, such as an outbreak of infectious disease. The Bulletin was issued in response to the … Continue Reading
A point of sale vendor for at least three cannabis dispensaries in the United States exposed the personal data of at least 30,000 cannabis users, including full names, photo IDs, dates of birth, telephone numbers, home addresses, medical ID numbers, email addresses, signatures, cannabis variety and quantity purchased, and sales figures when it failed to … Continue Reading
Concern over the spreading coronavirus from China is legitimate and real. The World Health Organization (WHO) has declared the coronavirus a global health emergency, and the United States and other countries are limiting travel of individuals from the affected areas in China. As we have seen with other public concerns, cyber criminals and threat actors … Continue Reading
The U.S. Department of Health and Human Services’s (HHS) Office for Civil Rights (OCR) issued an Important Notice Regarding Individuals’ Right of Access to Health Records through its email list serve on January 29, 2020. In the Notice, OCR addressed the recent memorandum Opinion issued in Ciox Health v. Azar, et al, No. 18-cv-00040 (D.D.C. January 23, 2020). In that case, … Continue Reading
Some app developers know more about our health than our doctors do. Take, for instance, FitBit, which is attached to our wrist and measuring in real time our temperature, our heart rate, our steps and whether we have had enough exercise for our age in a day. Some people sleep with their phones on their … Continue Reading
Following the escalation of tensions between the United States and Iran in the past week, the Health Information Sharing and Analysis Center (H-ISAC) is warning hospitals and health systems that Iran could attack health organizations, which are considered critical infrastructure, and that they make sure their systems are being updated with patches. H-ISAC further recommended … Continue Reading
On December 12, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its second “HIPAA Right of Access Initiative” settlement of alleged HIPAA violations. The HIPAA Right of Access Initiative is a new effort in 2019 by OCR to monitor compliance with HIPAA requirements addressing patient rights to promptly … Continue Reading
Arizona-based Banner Health has agreed to settle for up to $6 million a class action case filed against it following a 2016 incident that compromised the personal information of 3 million individuals. The breach compromised data on two information technology systems at the health system, including patient information and health insurance information on one system, … Continue Reading
On November 27, 2019, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a $2.175 million dollar settlement with a hospital system to resolve alleged violations of HIPAA’s Breach Notification Rule and Privacy Rule. The settlement is noteworthy as it represents OCR’s fourth HIPAA settlement in excess of $1 million … Continue Reading
The Office for Civil Rights (OCR) announced that it has fined the Texas Health and Human Services Commission (TXHHS) $1.6 million for HIPAA violations. This is one of the few fines the OCR has levied against a state agency. The fine centers around a data breach that TXHHS self-reported to the OCR in June 2015 … Continue Reading
In accordance with the Inflation Adjustment Act, the Department of Health and Human Services (HHS) has updated its regulations to reflect required annual inflation-related increases to civil monetary penalties, including those for certain violations of HIPAA’s “administrative simplification” provisions. The final regulations became effective on November 5, 2019, the date they were published in the … Continue Reading
On the heels of an FDA committee report concerning cybersecurity issues with medical devices [view related post] the U.S. Food and Drug Administration (FDA) issued an alert regarding cybersecurity vulnerabilities, referred to as “URGENT/11,” that could introduce risks for some medical devices and hospital networks. According to the FDA’s October 1st notice, the URGENT/11 vulnerabilities … Continue Reading
Consistent with our experience, security firm McAfee has confirmed in a report that ransomware attacks have doubled in 2019. Medical providers have been hit hard this year, and one provider, Wood Ranch Medical, located in California, is permanently closing following a ransomware attack. Wood Ranch was hit with a ransomware attack over the summer, and … Continue Reading
Everyone knows how I feel about those home genetic testing kits—most people don’t understand that when they send their DNA to a private company that it is not protected by HIPAA or any other law, and the company can legally use and disclose it, including selling it to other companies. Understand what companies are doing … Continue Reading
The Patient Engagement Advisory Committee (Committee) to the Food and Drug Association (FDA) met recently to discuss cybersecurity in medical devices. Medical devices are increasingly connected to the internet, hospital networks, and other medical devices to provide features designed to improve healthcare and increase providers’ ability to treat patients. However, as medical devices become more … Continue Reading
On August 26, 2019, the Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published a notice of proposed rulemaking (NPRM) to “better align” its substance use disorder (SUD) confidentiality regulations at 42 C.F.R. Part 2 (Part 2) with the needs of providers and patients, and to “facilitate the provision of well-coordinated … Continue Reading
As readers of this blog know, data breaches in the health care industry are all too common. Healthcare organizations are an attractive target for hackers because of the nature and amount of personal information that they possess. Therefore, it is perhaps not surprising that healthcare organizations have the highest costs associated with data breaches. They … Continue Reading
Following an investigation led by the Washington Attorney General, Premera Blue Cross has agreed to pay $10 million to 30 states after experiencing a data breach in 2014 that compromised the Protected Health Information of over 10 million individuals. $5.4 million of the settlement amount will be paid to the Washington State Attorney General’s Office … Continue Reading
When you next lie down to sleep, the bed may not your secrets keep. So-called “smart” beds, mattress pads, sleep apps, and fitness trackers with sleep options are collecting data on those who use them and sending that personal information back to manufacturers. The data gathered can include biometric information (i.e., heart rate, respiration), sleep … Continue Reading
