On June 27, 2023, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued its long-anticipated final rule amending the OIG’s civil monetary penalty (CMP) regulations as they relate to information blocking (CMP Final Rule or Rule). The CMP Final Rule was published in the Federal Register on July 3, 2023. … Continue Reading
The Federal Trade Commission (FTC) didn’t mince words. On September 2021, it called out the health app industry for failing to understand the agency’s Health Breach Notification Rule (HBNR) and for not disclosing its breaches. Apparently dissatisfied with the industry’s response, the agency enforced the HBNR against GoodRx for the first time since the rule … Continue Reading
The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced on July 15, 2022, that it has resolved 11 investigations conducted under the Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative. These settlements remind providers that, as OCR Director Lisa J. Pino stated, “OCR is … Continue Reading
Healthcare providers are under siege, not only from the COVID-19 pandemic, but also from cyber criminals. Following reports of targeted email phishing attempts, the FBI issued a FLASH alert warning healthcare providers on April 21, 2020, that they are at heightened risk for cyber attacks that use COVID-19 as bait. The FBI’s FLASH alert follows … Continue Reading
Among the many obstacles facing businesses as a result of the COVID-19 pandemic are new cyberattacks targeting key infrastructure and industry in the United States. With all the compounding factors making this threat even more dangerous, the spike in cyberattacks was so significant that the International Criminal Police Organization (INTERPOL) has become involved and issued … Continue Reading
On January 28, 2020, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a notice (the OCR Notice) regarding individuals’ right of access to health records in response to a January 23, 2020 court ruling in the Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. Jan. 23, 2020) … Continue Reading
In May of 2018, the European Union enacted the General Data Protection Rules, or GDPR, a legal framework that outlines not only how companies may collect and process personal information of EU residents, but how that data is stored and used. Since its enactment, GDPR has triggered a global push towards compliance with those standards. … Continue Reading
Governor Desantis recently signed House Bill 831, which will require certain healthcare practitioners to “electronically transmit prescriptions”. Unfortunately, the legislature left this term undefined, creating some ambiguity as to what the law requires. While the legislature likely intended this law to require “electronic prescribing,” the statute does not say that, and therefore the term “electronically … Continue Reading
Congress has long attempted to grapple with issues of cyber-security, both within the healthcare field, and generally in the United States. The Health Insurance Portability and Accountability Act (HIPAA), as well as the Health Information Technology for Economic and Clinical Health Act (HITECH) have provided significant compliance requirements for healthcare entities in the area of … Continue Reading
As has been widely reported, on May 12, 2017, organizations around the world, including Britain’s National Health Service, found their data held hostage by actors using a new variant of ransomware called WannaCry. According to news reports, 200,000 computers in more than 150 countries have been hit by the cyberattack which appears to be spread … Continue Reading
April proved to be a busy month for the U.S. Department of Health and Human Services Office for Civil Rights (OCR) under its newly appointed director, Roger Severino. OCR announced three settlements of potential HIPAA violations totaling nearly $3,000,000.00 in fines. The settling parties include a wireless health services provider, a federally-qualified health center (FQHC), and … Continue Reading
Children’s Medical Center of Dallas (Children’s) was hit with a $3.2 million civil penalty from the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) for failing to take steps to properly protect patient medical information. The civil penalty is the result of two data breaches caused by a lack of encryption … Continue Reading
Healthcare providers excel at providing care to their patients, not designing IT strategies. Even so, with the trend toward value-based payments increasing, more healthcare providers have turned to electronic health records (EHR) systems to help them fine-tune practice efficiency and improve patient outcomes. The EHR management systems options from which to choose can be dizzying, … Continue Reading
A group practice that was the victim of a silver-harvesting scam has agreed to pay the U.S. Department of Health and Human Services (“HHS”) $750,000 to settle charges that it released protected health information (“PHI”) of its patients to a third party vendor without first obtaining a written business associate agreement. Raleigh Orthopaedic Clinic, P.A. … Continue Reading
Last week, a federal court in Illinois encountered another example of unexpected events causing problematic privacy and data storage implications for a healthcare company. The non-profit organization responsible for maintaining the MetroChicago Health Information Exchange (the HIE) filed suit against its information technology support contractor and the contractor’s owner to prevent the contractor’s plan to … Continue Reading
Just in time for the Phase 2 audits, the Department of Health and Human Services Office for Civil Rights (OCR) quietly posted the updated HIPAA Audit Protocol on its website. The new audit protocol has been updated to include business associates who became subject to HIPAA following the 2013 HIPAA Omnibus Final Rule. The protocol … Continue Reading
The U.S. Food and Drug Administration (FDA), which is responsible for guidance on medical devices, has acknowledged that certain devices are susceptible to breaches. The FDA has identified cybersecurity vulnerabilities in medical devices that could allow unauthorized users to not only access patient information, but also to control the device. The FDA’s oversight comes at … Continue Reading
An Illinois circuit court judge has dismissed five of six claims in a consolidated class action against Advocate Health and Hospital Corporation arising from a data breach in July 2013. The judge’s dismissal with prejudice leaves only a negligence claim, based on a duty to reasonably safeguard information, pending against Advocate.… Continue Reading
In the latest challenge to a Florida law designed to promote early settlement of meritorious medical malpractice claims, the Florida First District Court of Appeal recently rejected a plaintiff’s arguments that 2013 amendments to the law violated the Florida Constitution. See Weaver v. Myers, Case No. 1D14-3178 (Fla. 1st DCA July 21, 2015). The court also … Continue Reading
On June 2, 2015, the Second District Illinois Appellate Court affirmed the decisions of two lower courts, which had dismissed breach of privacy cases for lack of standing. The cases were consolidated for the purposes of the appeal. Both cases were brought against Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (Advocate), an Illinois … Continue Reading
The Emergency Care Research Institute, (ECRI) Patient Safety Organization (PSO) has issued its 2015 “top 10 list” of safety concerns for multiple healthcare settings, such as hospitals, ambulatory care centers, doctor’s offices and nursing homes.[i] This year’s list is as follows:… Continue Reading
On December 17, 2014, the Centers for Medicare and Medicaid Services (“CMS”) announced that there would be reductions in Medicare reimbursement for health care providers who do not meet the CMS electronic health record (“EHR”) incentive program’s meaningful use requirements. This announcement comes in the wake of CMS’ decision in October to extend the hardship … Continue Reading
The Department of Justice’s recent settlement with a Chicago-based hospital system is the latest reflecting the agency’s continuing pursuit of claims against health care providers – small and large — who fail to provide adequate service to persons who are deaf or hearing-impaired. Under the settlement, Franciscan St. James Health is required to conduct disability assessments … Continue Reading
A federal appellate court recently concluded that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not preempt a Florida law that requires aggrieved patients to authorize the release of their protected health information as a presuit condition to suing a medical provider for negligence. See Murphy v. Dulay (11th Cir. Oct. 10, … Continue Reading