Although it’s been 2 years since the Dobbs v. Jackson Women’s Health decision from the Supreme Court, various state legislatures and courts have tried to define the new post-Roe landscape. This effort includes new and revised laws to amend existing privacy laws to protect consumer health data. You can find out more on our
California legislature proposes ‘urgency statute’ to revise CCPA’s health care and research exemptions
By Kimberly Gold & Alexis Cocco on
As currently drafted, the California Consumer Privacy Act (“CCPA”) leaves many questions unresolved regarding how the law applies to data collected and used in the health care and life sciences industries, particularly in the research context. Clinical research sponsors and other industry participants have raised concerns about how the CCPA may impede care delivery and…
Proposed CCPA amendment would provide significant clarity to health care and life sciences companies
By Alexis Cocco & Kimberly Gold on
Despite intensive lobbying from industry groups, multiple amendments before its effective date, and extensive proposed regulations from the California attorney general, the California Consumer Privacy Act (CCPA) went into effect earlier this month with still many questions left unanswered:
- What compromises will be made regarding employee and business-to-business data?
- Will there be further insight into loyalty programs?
- Does the use of third-party cookies constitute a sale?
- What is the extent of the health care and research exemptions?
New OCR fact sheet clarifies HIPAA liability for business associates
By Kimberly Gold & Vicki Tankle on
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a fact sheet clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. The fact sheet outlines 10 specific circumstances for which OCR has authority to take enforcement…
OCR releases new FAQs on use of health apps
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of Health Insurance Portability and Accountability Act (HIPAA) FAQs building upon prior guidance from OCR. The new FAQs discuss the applicability of HIPAA to covered entities and business associates that interact with health apps and explain when…
HHS reexamines prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s penalty structure
By Brad Rostolsky, Kimberly Gold & James F. Hennessy on
The U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”) on April 26, 2019, confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. Effective immediately, the maximum penalty that the HHS…
OCR’s Latest Health Breach Investigations Yield Big Settlements
By Gerard Stegmaier, Mark H. Francis & Erika Kweon on
In a span of a few weeks in early January 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced two major settlements under the Health Insurance Portability and Accountability Act (“HIPAA”) relating to the breach of protected health information (“PHI”). Neither settlement included an admission of any liability, but they included significant fines and mandated that additional measures be taken to protect PHI.
One of the investigations was triggered by alleged untimely notification of a breach of the PHI of 836 individuals by a large health care network. The health care network discovered that paper-based operating room schedules with PHI went missing from one of its surgery centers October 22, 2013, but did not notify the OCR until January 31, 2014. The notification delay was apparently because of miscommunication between its workforce members. Citing the 60-day notice deadline in the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), the OCR investigation concluded that the notifications to OCR that affected individuals (on February 3, 2014) and required media outlets (on February 5, 2014) were roughly 40 days overdue. OCR also reviewed notifications provided by the health care network in regard to smaller breach incidents in 2015 and 2016, and concluded that those notifications were not timely either.
Continue Reading OCR’s Latest Health Breach Investigations Yield Big Settlements
OIG Report Indicates OCR Not Overseeing and Enforcing HIPAA Security Rule
By Nancy Halstead & Brad Rostolsky on
A November 21, 2013 report published by the Office of the Inspector General (OIG) concluded that The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not fully enforcing the HIPAA Security Rule and laid out recommendations for the OCR to implement. The OIG’s report also concluded separately that OCR is…
Theft of Unencrypted Flash Drive Causes OCR to Issue Settlement and Corrective Action Plan for Physician Practice
By Brad Rostolsky on
This post was also written by John E. Wyand.
The Department of Health and Human Services’ Office for Civil Rights (OCR) opened an investigation of Adult & Pediatric Dermatology, P.C. (APDerm) after a report was made regarding the theft of an unencrypted flash drive. To settle potential violations of the Health Insurance Portability and Accountability…
State Attorneys General Maintain Sharp Focus on Privacy
Though the National Association of Attorneys General (NAAG) Presidential Initiative “Privacy in a Digital Age” expired in June 2013 when a new NAAG president took over, the state attorneys general have maintained their sharp focus on all things privacy, with no signs that that focus will shift anytime soon. Most recent case in…