Health Law Advisor

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such ...

New York Governor, Kathy Hochul, recently announced proposed cybersecurity rules for New York hospitals, which are due to be imminently published in the State Register on December 6, 2023, subject to approval by the Public Health and Health Planning Council.  The Governor’s press release indicates the proposed regulations, if enacted, will require New York hospitals to meet at least the following requirements: 

• Establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks;
• Develop a response plan for potential cybersecurity ...

On October 18, 2023, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which is tasked with enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), issued two new guidance documents pertaining to privacy and security risks associated with the use of telehealth services. One guidance document, entitled “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth,” is aimed at health care providers (the ...

The 21st Century digital age has provided women with numerous sexual and reproductive health tools that track periods, ovulation, and pregnancy. By simply plugging certain health data inputs into these apps, women can now accurately track the most intimate moments of their lives. But is this sensitive health information secure?

A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data. 

Introduction

Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the federal government, pursuant to President Biden’s Executive Order (the EO) took several steps to protect reproductive health privacy, some of which we previously discussed here. Specifically, the EO called for agencies to protect “women’s fundamental right to make reproductive health decisions.” Shortly following issuance of the EO, the Biden Administration created its HHS Reproductive Healthcare Access Task Force, requiring all relevant federal agencies to draft measurable actions that they could undertake “to protect and bolster access to sexual and reproductive health care.”  

On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While preparing this update, Montana’s enacted its Consumer Data Privacy Act on May 19^th, which we will address in subsequent guidance due to its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.

On April 11, 2023, U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced its plan for termination of the existing notifications of enforcement discretion related to the expiration of the COVID-19 public health emergency (PHE) on May 11, 2023. 

On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

The U.S. Supreme Court is expected to imminently issue its opinion in the case Dobbs v. Jackson Women’s Health Organization (“Dobbs”). If the Court rules in a manner to overturn Roe v. Wade, states will have discretion in determining how to regulate abortion services.^[1] Such a ruling would overturn nearly 50 years of precedent, leaving patients, reproductive health providers, health plans, pharmacies, and may other stakeholders to navigate a host of uncharted legal issues. Specifically, stakeholders will likely need to untangle the web of cross-state legal issues that may emerge.

How can health care employers use non-competes and other restrictive covenants to protect trade secrets? Attorneys Erik Weibust and Katherine Rigby explore the options available to employers, in an article for Law360.

The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has approved a policy statement by a vote of 3-2 offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).

The ...

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and ...

Only a few days remain before the enforcement delay that the Centers for Medicare & Medicaid Services (CMS) exercised due to COVID-19 will end and the agency will require certain payors to publish a Patient Access application programming interface (“API”) and a Provider Directory API under the requirements of the CMS Interoperability and Patient Access Final Rule. Starting on July 1, 2021, all health plans that offer Medicare Advantage, Medicaid and Children’s Health Insurance Program (CHIP) and most Qualified Health Plans offered through the Federally-facilitated ...

The roll out of the Office of the National Coordinator’s (ONC) 21^st Century Cures Act Interoperability and Information Blocking Rules is reminiscent of the way HIPAA has rolled out over the course of the past 25 years. As of May 1, 2021, Actors have been required to comply with the Information Blocking rules. However, it will take some time before all Actors know who they are and for complaints of Information Blocking to be determined to be actual instances of Information Blocking, by which time the penalties that have not yet been finalized may also need to be adjusted.

While ONC defined ...

Cyber threats and cybersecurity controls have evolved significantly over the past two decades since the HIPAA Security Rule were originally promulgated. During this same time, healthcare entities have increasingly become a prime target of hackers seeking to extort payment using ransomware, exfiltrate patient data to commit fraud, or disrupt operations in other nefarious ways.  Recognizing these challenges, some security professionals have sought further clarity on the HIPAA Security Rule that they deem to be “long in the tooth”. Yet, regulators have not made any ...

Our colleagues Brian Cesaratto and Alexander Franchilli of Epstein Becker Green have a new post on Workforce Bulletin that will be of interest to our readers: “NAME:WRECK” Cybersecurity Vulnerability Highlights Importance of Newly Issued IoT Act".

The following is an excerpt:

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout ...

Medical providers are often asked, or feel obligated, to disclose confidential information about patients.  This blog post discusses when disclosures of confidential medical information involve law enforcement, but the general principles discussed herein are instructive in any scenario.  To protect patient confidentiality and avoid costly civil liability arising from improper disclosures, it is imperative that providers ask questions to assess the urgency of any request and to understand for what purpose the information is sought by authorities.  Knowing what questions to ask at the outset prepares providers to make informed decisions about disclosing confidential information in a manner that balances the obligation to maintain patient confidentiality and trust with legitimate law enforcement requests for information aimed at protecting the public.

On January 5, 2020, HR 7898, became law amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit results or mitigation remedies. The new law provides a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying ...

As employers continue their efforts to safely bring employees back to the workplace, many have moved beyond initial pre-entry wellness checks or questionnaires and are considering technology solutions that monitor social distancing and conduct contact tracing in real-time. Along with introducing these enhanced capabilities, the question of the privacy and security of employee personally identifiable information (“PII”) and protected health information (“PHI”) continues to loom.

In order to isolate and contain the spread of COVID-19, one critical component of an ...

As consumerism in healthcare increases, companies and the individuals they serve are increasingly sharing data with third-party application developers that provide innovative ways to manage health and wellness, among numerous other products that leverage individuals’ identifiable health data.  As the third-party application space continues to expand and data sharing becomes more prevalent, it is critical that such data sharing is done in a responsible manner and in accordance with applicable privacy and security standards. Yet, complying with applicable standards requires striking the right balance between rules promoting interoperability vis-à-vis prohibiting information blocking vs. ensuring patient privacy is protected. This is especially difficult when data is sent to third party applications that remain largely unregulated from a privacy and security perspective.  Navigating this policy ‘tug of war’ will be critical for organizations to comply with the rules, but also maintain consumer confidence.

On March 17, 2020 the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that it would “exercise its enforcement discretion and will waive any potential penalties for HIPAA violations” for health care providers who are serving patients using “everyday communications technologies.”  The OCR issued this guidance to ensure providers could make use of available technologies and communication apps in order to facilitate virtual visits with patients.

Specifically, the guidance provides (emphasis added):

A covered health care provider ...

While providers struggle to provide health care to their patients amid the coronavirus contagion concerns, recent regulatory and reimbursement changes will help ease the path to the provision of healthcare via telehealth.

On March 6, 2020, President Donald Trump signed into law an $8.3 billion emergency coronavirus disease 2019 (“COVID-19”) response funding package. In addition to providing funding for the development of treatments and public health funding for prevention, preparedness, and response, the bill authorizes the U.S. Secretary of Health and Human Services, Alex Azar (referred to herein as the “Secretary”), to waive Medicare restrictions on the provision of services via telehealth during this public health emergency.

Greater utilization of telehealth during the COVID-19 outbreak will reduce providers’ and patients’ exposure to the virus in health care facilities. Telehealth is especially useful for mild cases of illness that can be managed at the patient’s home, thereby decreasing the volume of individuals seeking care in facilities. To further facilitate the increased utilization of telehealth, the Centers for Disease Control’s interim guidance for healthcare facilities notes that healthcare providers can communicate with patients by telephone if formal telehealth systems are not available. This allows providers to have greater flexibility when telehealth technology providers lack the bandwidth to accommodate this increase in telehealth utilization or are otherwise unavailable.

In a recent blog post, colleagues in our Employment, Labor & Workforce Management practice addressed the legal framework pertaining to coronavirus (COVID-19) risks in the workplace.  As the number of cases continues to the climb in the U.S., it is imperative that HIPAA covered entities and their business associates are aware of their privacy and security responsibilities in the midst of this public health emergency.  EBG provides this guidance on how to effectively respond to the coronavirus public health crisis while navigating patient privacy issues.

As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”), was signed into law on July 25, 2019.  A potential unintended side effect of the SHIELD Act may require health care companies to provide notification to the NY Attorney General for events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019.  The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, involving fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.

On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.  

Our Employee Benefits and Executive Compensation practice now offers on-demand “crash courses” on diverse topics. You can access these courses on your own schedule. Keep up to date with the latest trends in benefits and compensation, or obtain an overview of an important topic addressing your programs.

In each compact, 15-minute installment, a member of our team will guide you through a topic. This on-demand series should be of interest to all employers that sponsor benefits and compensation programs.

In our newest installment, Tzvia Feiertag, Member of the ...

The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be understated. Communications between computers on the Internet depend on DNS to get to their intended destination. Network communications begin with a query to DNS to resolve the human readable domain name to a numeric Internet Protocol (IP) address required by computers to route the transmission. A malicious party who is able to exploit a weakness in DNS can re-route sensitive traffic, including Protected Health Information (PHI), Personally Identifiable Information (PII) and ...

One well-recognized way to protect patient privacy is to de-identify health data.  However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models.  While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information to reveal the identity of the individual.

Last month, a JAMA article demonstrated that an artificial intelligence algorithm could re-identify ...

On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.”  OCR is seeking comments for a series of 54 different specific questions (many with additional subparts ...

On October 16, 2018 the Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) announced an update to their previously provided Security Risk Assessment Tool.  According to ONC and OCR, the “tool is designed to help healthcare providers conduct a security risk assessment” as required under the HIPAA Security Rule.  ONC states that the updated tool includes additional features such as:

• Enhanced user interface
• Modular workflow
• Custom assessment logic
• Progress ...

In the tech world, blockchain technology appears to be the panacea to all problems.  As blockchain technology becomes increasingly popular, many industries are trying to determine the best way to use the new phenomenon. Healthcare is no different in this quest. Health care is an optimal candidate to benefit from development of innovative ways to solve its impending issues using transformational technology. Blockchain could be the technology that helps to alleviate some of health care’s problems, such as the incredibly fragmented delivery of care and the painstakingly slow ...

On June 28, 2018, California legislated into law A.B. 375, otherwise known as the California Consumer Privacy Act of 2018 (“California Privacy Act”).  Effective January 1, 2020, among other requirements, the law will expand privacy rights of California consumers as well as require businesses to disclose the what, why, and how consumers’ personal information are being used.  Failure to comply with these new laws could be costly to businesses with civil penalties resulting from an action by the state attorney general of up to $7,500 per violation.  In addition, in the event of a ...

The pace of health care transactions is robust, purchase price multiples are increasing, and many health care businesses are taking advantage of a sellers’ market.  Recently, our clients have increasingly turned to representation and warranty (“R&W”) insurance, finding a market more amenable to the nuances of health care deals than in the past. In the right deal, R&W insurance can limit risk to both seller and buyer and increase value to a seller by allowing for “walk-away” or “naked” deals.  R&W insurance may also be used as a tool by a buyer to increase the ...

Last week's "WannaCry" worldwide Ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted not without a little good luck and less financial loss that might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick ...

The Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities. Therefore, in advising their companies ...

The Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities.  Therefore, in advising their companies ...

The increased use of portable electronic devices in the workplace and the popularity of social media pose unique challenges for health care employers, particularly when the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) conflict with the NLRB’s position on policies that could infringe upon an employee’s right to engage in concerted activity under the NLRA.

HIPAA governs the use and disclosure of protected health information (“PHI”) by health care providers. HIPAA violations may occur when health care employees post ...

The U.S. Department of Health and Human Services, Office of Civil Rights ("OCR"), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information ("PHI") that affect fewer than five-hundred (500) individuals.

It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR's new initiative to investigate smaller breaches as well.  OCR ...

By Arthur J. Fried, Patricia M. Wagner, Adam C. Solander, Evan Nagler, and Jonathan Hoerner

On September 2, 2015, the U. S. Department of Health and Human Services ("HHS") announced a $750,000 settlement with Cancer Care Group, P.C. ("CCG"), a radiation oncology practice in Indiana, for Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules violations. The alleged violations occurred in 2012, but a subsequent HHS Office for Civil Rights (OCR) investigation led to allegations from OCR that there was a lack of compliance with HIPAA Privacy and ...

One thing's certain – the vast and growing supply of data contained in electronic medical records systems will play a significant role in improving the speed and efficiency of research into new treatments in the years to come.  The challenge will be striking an appropriate balance between the unquestionable promise of this data to enable research – research that will enhance available treatments and save lives – with the rights of individual patients in the privacy of their health information.  Attempts to strike that balance are at the heart of current legislative, regulatory ...

On Tuesday, September 1, 2015, from 1:00 PM to 2:00 PM ET, George Breen, Chair of Epstein Becker Green's National Health Care and Life Sciences Practice Steering Committee, will co-present "Opportunities and Obstacles: Preparing for the Transition to the ICD-10 Code Set," a webinar hosted by Bloomberg BNA.

With the transition to the ICD-10 code set coming in October, the health-care industry is grappling with adopting new technology and making last-minute preparations. The switch to ICD-10 also presents new opportunities to increase productivity and improve patient ...

Our colleague Mollie K. O'Brien at Epstein Becker Green wrote an advisory on a new law that will increase the protection of personal information under HIPPA by mandating encryption on all computerized data collected by health insurance carriers: "Beyond HIPAA: New Jersey Law Requires Encryption of Personal Data by Health Insurance Carriers." Following is an excerpt:

In response to data breaches that have occurred across the United States, several of which involved the theft of laptop computers, beginning August 1, 2015, health insurance carriers in New Jersey will be obligated ...

On January 9, 2015, New Jersey Governor Chris Christie signed new legislation that will require health insurance carriers authorized to issue health benefits plans in the state—including insurance companies, health service corporations, hospital service corporations, medical service corporations, and health maintenance organizations—to encrypt personal information. Triggered by a series of data breaches involving the health information of almost a million residents, Senate Bill No. 562 (“SB 562”) was passed unanimously by both houses of the state legislature ...

By Adam Solander, Ali Lakhani and Wenxi Li

The increasing prevalence of mobile technology in the healthcare sector continues to create compliance concerns for physician practices and other health care entities.  While the Office of Civil Rights (OCR) of the Department of Health and Human Services, has traditionally focused on technology breaches within larger health systems, smaller physician practices and health care entities must also ensure that their policies and practices related to mobile technology do not foster non-compliance and create institutional risk.

By Patricia Wagner, Ali Lakhani and Jonathan Hoerner

On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency's Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 ("Breach Report"). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.

Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services ...

On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.

Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of ...

By Brandon Ge and Alaap Shah

The Department of Health and Human Services (“HHS”) is taking laudable steps to improve notices of privacy practices (“NPPs”) and make them more clear, understandable, and user-friendly. Under the HIPAA Privacy Rule, individuals are entitled to a receive an NPP informing them of how their health information may be used and shared, as well as how to exercise their health privacy rights. Health plans and health care providers must develop and distribute NPPs that clearly explain these rights and practices. Unfortunately, to date NPPs have been ...

By Marshall Jackson and Alaap Shah

If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.

There is no doubt that a primary concern raised by these data breaches is risk ...

   By:  Alaap Shah and Ali Lakhani

Why is data breach such a rampant problem within the health care industry?

As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially.  To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards.  Health care companies also have resources to assist them with managing this risk.  Specifically ...

By: Alaap Shah and Marshall Jackson

Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered.  It seems to be business as usual, as your health care organization continues to digitize its operations.  You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices.  However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse through confidential financial records and sensitive ...

By:  Alaap Shah and Ali Lakhani

The Good: 

“Hey Doc, just shoot me a text . . .”

The business case supporting text messaging in a health care environment is compelling - it is mobile, fast, direct, and increases dialogue between physicians and patients as well as streamlines the often inefficient page/callback paradigm that stalls workflows and efficiency in the supply chain of healthcare delivery.  As a growing percentage of the 171 billion monthly text messages in the U.S. are sent by healthcare providers, often containing electronic protected health information (ePHI ...

Below is a re-print of an article that we recently wrote for the Advisory Board Company’s 2013 third quarter General Counsel Agenda. To view the original publication in the General Counsel Agenda, click here.

For hospitals, the promise of telehealth has spurred innovation across multiple service lines and led to the emergence of a number of new delivery models such as telestroke, teleradiology, telepsychiatry, telepathology, teleICU and remote patient monitoring.  While many of these programs are leading to significant improvements in access to health care services, quality ...

Telehealth creates unique health information management challenges for various reasons, including: aggregating large data sets (i.e. remote monitoring); using and storing numerous file formats (video, audio, text, digital images, film); establishing safeguards for sharing data with virtual providers and distant sites; determining the appropriate location for data storage (if more than one provider or entity is involved); and more.  All of these challenges create issues relating to medical record management, maintenance, ownership, and storage.

In the past, it was easier ...

We all know that telehealth is going mainstream.  The numbers speak for themselves.  A leading research firm predicts that 2.8 million patients worldwide used home-based remote monitoring devices in 2012—expected to increase to 9.4 million connections globally by 2017.  Another firm projects that the number of patients using telehealth services in the United States will grow to 1.3 million in 2017, up from 227,000 in 2012.  Even less rosy projections predict growth to 2 million patients worldwide by 2017.  The news is even better in subspecialties like telepsychiatry   that are ...

In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws.  However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which depending on how they function and collect personal information, may not be regulated by HIPAA.  Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s ...

As the technologies used to deliver telehealth services become more complex, telehealth providers as well as other HIPAA “covered entities” have an increasingly demanding role to play in ensuring the security of protected health information (PHI).  To fulfill this role, both telehealth providers and their business associates (such as the information technology companies and data storage providers that support telehealth platforms) must implement not only technical safeguards, but also physical security measures.  From locks, to security guards, to alarm systems ...

Our colleagues at Epstein Becker Green have issued a client alert: "HIPAA Omnibus Rule's Impact on Notices of Privacy Practices," by Patricia M. Wagner, Brandon C. Ge, and Alaap B. Shah.

Following is an excerpt:

This health reform alert summarizes the key changes to the Notice of Privacy Practices ("NPP") requirements in the revised Health Insurance Portability and Accountability Act ("HIPAA") regulations (the "Omnibus Rule") as well as what covered entities need to do to be compliant. Because many covered entities may have modified their NPPs based on the Notice of Proposed ...

Several colleagues and I recently wrote Health Reform: Key Compliance Actions for the New HIPAA Privacy Regulations, an alert published by the Implementing Health and Insurance Reform team of Epstein Becker Green.

In it, we summarized areas in which employers should consider taking action prior to September 2013 to facilitate compliance with the new requirements.  Here are our top five action items for covered entities and business associates to focus on in their Omnibus Rule compliance efforts:

1. Review Business Associate Relationships, and Update Business Associate ...

Our colleagues at Epstein Becker Green have issued a client alert: "Key Compliance Actions for the New HIPAA Privacy Regulations," by Patricia M. Wagner, Pamela D. Tyner, and Leah A. Roffman.

Following is an excerpt:

As noted in previous Epstein Becker Green health reform alerts, on January 25, 2013, the long-awaited final omnibus rule (“Omnibus Rule”) issued by the U.S. Department of Health and Human Services was published in the Federal Register. The Omnibus Rule makes sweeping changes to the privacy and security regulations under the Health Insurance Portability and ...

Our colleagues Mark E. Lutes, Robert J. Hudock, and Patricia M. Wagner have issued an alert on modifications to the HIPAA privacy, security, and enforcement rules. Following is an excerpt:

On January 17, 2013, the Department of Health and Human Services released the highly anticipated, 563 page, Health Insurance Portability and Accountability Act (“HIPAA”) regulations (the “Final Rule”) that have been delayed for over 3 years. The Final Rule will be published in the Federal Register on January 25, 2013. The Final Rule addresses many of the compliance issues and ...

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides standards for the use and disclosure of "individually identifiable health information," dubbed protected health information, or PHI.  PHI is information, including demographic information, that relates to an individual's physical or mental health, the provision of health care to the individual, or payment for the provision of health care to the individual.  Such information constitutes PHI if it identifies the individual or if there is a reasonable basis to believe it can be ...

While tech companies looking to provide health solutions must figure out early on whether they are HIPAA-regulated, HIPAA is not the be-all and end-all of privacy law. Even entities not regulated under HIPAA must abide by other privacy rules, including a wide array of state privacy laws. On December 6, 2012, in the state’s first legal action under its online privacy law, California Attorney General Kamala Harris filed a lawsuit against a major airline for not including a privacy policy in its smartphone app. The complaint alleges violation of California’s Online Privacy ...

The recent discovery of a security flaw that allows Skype accounts to essentially be hijacked has again raised the issue of the security of web-based platforms—and whether providers can meet their HIPAA obligations when using these communication tools.  The issue of Skype and similar platforms and HIPAA compliance is one that I am often asked about.  In a previous post, I addressed the issue and concluded that providers who wish to use Skype or similar platforms proceed with great caution.  I noted that the use of web-based platforms, especially those that are proprietary, may make it ...

By Ross K. Friedberg and Ophir Stemmer

This year we’ve seen a continuation of the trend toward heightened regulation and enforcement of the privacy and security requirements under the Health Information Portability andAccountability Act (“HIPAA”) and under other state and federal health privacy laws. Although there have not been any significant changes to federal health privacy laws this year, federal enforcement activity continues to be strong.

This post provides a summary of the developments in privacy and security law throughout the past year; discusses the ...

by Joel Rush and Dawn Helak

All indications are that international telemedicine is well positioned for strong growth over the next several years. The global healthcare marketplace is ripe with opportunities for U.S. based healthcare systems and providers to take advantage of the expanding use of telemonitoring systems and other telemedicine technologies to deliver top flight healthcare to patients across the globe.

However, wherever there are opportunities, there are challenges. In addition to the economic and financial barriers to launching an international telemedicine ...

With a new era of active enforcement of the HIPAA privacy and security laws upon us, companies need to figure out early-on whether they are regulated under HIPAA, either as covered entities or business associates.  However, determining whether a company is subject to the HIPAA privacy and security requirements is not always straightforward, especially for companies in the health technology space.  There are two ways in which a company can become subject to HIPAA: (1) it functions as a health plan, health care provider or health care clearinghouse which could potentially make it a HIPAA ...

Mobile application (“app”) development is the new boon for technology companies of all sizes, and the phrase “There’s an app for that” tells the story of just how much this market has grown and matured.  Most of the early app development focused on low risk opportunities—those involving free or low-cost social media or gaming apps.  While protecting privacy and security of personally-identifiable information is generally important, privacy and security concerns typically do not rank as high priorities in decision-making when developing these types of apps.

By ...

by Pamela Tyner

They say that everything is bigger in Texas, and the Lone Star State’s new privacy protection laws are no exception. Texas House Bill 300 (“HB 300″) amends the Texas Medical Records Privacy Act (“Texas Act”) and takes effect on September 1, 2012. HB 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.

Read ...

I’m sure most of you know about BYOB, but do you know about BYOD (Bring Your Own Device).  This is the term used when a company chooses to forgo issuing company-owned mobile computing devices (think smartphones and tablets), and encourages its employees to use their own personal mobile devices for business purposes.  And in the healthcare context, BYOD has important implications.

For better or for worse, many companies have opted to institute a BYOD policy for a number of reasons.  Here are just a few rationales for BYOD:

• Employees likely already have a smartphone or tablet or both.

They say that everything is bigger in Texas, and the Lone Star State’s new privacy protection laws are no exception.  Texas House Bill 300 ("HB 300") amends the Texas Medical Records Privacy Act ("Texas Act") and takes effect on September 1, 2012.  HB 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health ("HITECH") Act by:

•revising the definition of a ...

Is Skype HIPAA-compliant? This is probably the question I get asked the most. For the sake of this post, I am using the term Skype to include Skype and similar free web-based communication platforms relying on proprietary voice over Internet technology.

As with so many things, the answer is complicated. But the question itself is misleading. Many vendors and manufacturers market their technology and products using terms such as “HIPAA compliant.”

However, products or technology cannot themselves be “HIPAA-compliant.” Hospitals, providers, and other covered entities ...

Epstein Becker Green has been designated by the Health Information Trust Alliance (HITRUST) as a Common Security Framework (CSF) Assessor. This will allow the firm to provide health care organizations with privacy and security risk assessments to protect the entities from breaches of protected health information (PHI). The health care industry has accepted the HITRUST CSF as the most widely adopted security framework. Epstein Becker Green is the first law firm to become a CSF Assessor and the designation exemplifies the firm's distinct capability to identify and address risk for ...

by Pamela D. Tyner

Social media have become de rigueur globally.  Today, millions maintain connections with their friends, relatives and business acquaintances via Facebook, Twitter, LinkedIn, blogs and YouTube.  Recent studies indicate that social media popularity even predicts polling popularity and the stock market.  Translated to the healthcare arena, healthcare facilities and organizations are now trained to promote their business by communicating effectively via social media.  In addition, patients, physicians and employees of healthcare facilities and ...

Written By:  Ana S. Salper

Social media has revolutionized how we communicate with one another. From Facebook to Twitter, YouTube to blogs, social networking sites have permeated the workplace in ways that have significant implications for all employers.

Social media is both a source for marketing and promoting companies and products as well as an enterprise risk factor if not used appropriately or in a compliant way. In the health care industry, with the Health Insurance Portability and Accountability Act (“HIPAA”) and other privacy laws at stake, employers must have a ...