Category Archives: HIPAA, Privacy, and Data Security

Subscribe to HIPAA, Privacy, and Data Security RSS Feed

New Year, New HIPAA Security Rule Requirements? OCR Proposes Sweeping Changes for HIPAA Security Rule To Bolster Cybersecurity

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently proposed a sweeping rewrite of the HIPAA Security Rule that, if finalized, will require that many Covered Entities and their Business Associates (Regulated Entities) invest significant resources to comply with new, less flexible requirements designed to strengthen the cybersecurity posture … Continue Reading

NYDFS Highlights Strategies to Combat AI Cybersecurity Risks

The increased use of artificial intelligence (AI) in the banking, insurance, and financial services industries has led the New York State Department of Financial Services (NYDFS or Department) to publish an Industry Letter on October 16, 2024, that highlights cybersecurity risks resulting from the use of AI, the dangers posed by threat actors utilizing AI, … Continue Reading

New York Focuses on Healthcare Cybersecurity: Recent Regulatory and Enforcement Activities

The healthcare sector has seen an alarming uptick in cybersecurity incidents, including ransomware attacks, in recent years. In response to these cybersecurity threats, New York State is ramping-up efforts to protect patient data by issuing new cybersecurity regulations governing “general hospitals” and by requiring that a healthcare provider spend $2.25 million to improve its internal … Continue Reading

FTC’s Updated Health Breach Notification Rule Puts Health App Developers on Notice

The Federal Trade Commission’s (FTC) years-long effort to modernize its Health Breach Notification Rule (HBNR) in the midst of a swiftly changing technological landscape appears to be coming to an end. On Thursday, May 30, 2024, the FTC published its final rule implementing the HBNR. And so begins a new robust enforcement landscape for health and wellness … Continue Reading

Attention, Group Health Plans: New HIPAA Privacy Rule Governing Reproductive Health Care Information Imposes Obligations, Deadlines

It is critical for employers and plan fiduciaries/administrators to stay informed of HIPAA privacy and security-related legal developments because most employer sponsored group health plans — regardless of the employer’s industry or size — are considered covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Therefore, individually identifiable medical information that … Continue Reading

OCR Will Focus on You if You Don’t Focus on Cybersecurity

With a couple of “firsts,” the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is signaling that it is cracking down on healthcare organizations that fail to identify and address cybersecurity vulnerabilities as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA Rules). On October 31, 2023, … Continue Reading

OCR and FTC Issue Warning to Hospital Systems and Telehealth Providers about Tracking Technologies

On July 20, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) announced they were sending a joint letter to approximately 130 unidentified hospital systems and telehealth providers highlighting the agencies’ concerns about the use of tracking technologies on websites and mobile apps in … Continue Reading

Health Apps Beware: FTC Clarifies Health Breach Notification Rule with Significant Proposed Changes

Direct-to-consumer health and wellness applications are forewarned: the Federal Trade Commission (FTC) is proposing changes to the Health Breach Notification Rule (HBNR), 16 C.F.R. part 318, that, if finalized, would cement the HBNR’s applicability to a broad swath of direct-to-consumer health and wellness applications (apps) and confirm that a breach of security includes not only … Continue Reading

OCR’s Proposed Rule Finds Fertile Ground for Enhanced Reproductive Privacy Protection

The Department of Health and Human Services Office for Civil Rights (OCR) issued a proposed rule on April 17, 2023, to amend provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to strengthen privacy protections for individuals’ protected health information (PHI) related to reproductive healthcare (the Proposed Rule). The Proposed Rule would … Continue Reading

The FTC Sends Another Warning to Digital Healthcare Platforms About Use of Tracking Pixels

The Federal Trade Commission (FTC) continues to prioritize the protection of consumers’ digital health information. The agency has demonstrated this commitment through enforcement actions against GoodRx and BetterHelp for sharing consumer health information for advertising purposes (see our blog posts on each respective action here and here), and in a post published by the FTC … Continue Reading

FTC Cracks Down on BetterHelp’s Sharing of Health Information for Advertising 

Following its February settlement with GoodRx, the Federal Trade Commission (FTC) has fired another shot across the bow in its ongoing campaign to protect consumers’ digital health information. Earlier this month the FTC announced a consent order with BetterHelp, Inc., an online mental health counseling service, to resolve alleged violations of the Federal Trade Commission … Continue Reading

FTC’s Enforcement Action Against GoodRx Breathes New Life into Decade Old Regulation

The Federal Trade Commission (FTC) didn’t mince words. On September 2021, it called out the health app industry for failing to understand the agency’s Health Breach Notification Rule (HBNR) and for not disclosing its breaches. Apparently dissatisfied with the industry’s response, the agency enforced the HBNR against GoodRx for the first time since the rule … Continue Reading

Healthcare Providers: Add OCR’s Latest Right of Access Settlements to Your Summer Reading List

The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced on July 15, 2022, that it has resolved 11 investigations conducted under the Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative. These settlements remind providers that, as OCR Director Lisa J. Pino stated, “OCR is … Continue Reading

ALERT! Your COVID-19 Policies and Procedures Need a BOOSTER!

Employers who are conducting automatic COVID-19 testing of employees or gathering test results of employees’ families should beware: the Equal Employ­ment Opportunity Commission (“EEOC”) has issued new guidance limiting the former and has penalized a healthcare practice recently for doing the latter.… Continue Reading

OCR Releases Guidance on HIPAA Compliance When Providing Audio-Only Telehealth

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released new guidance (the “Guidance”) to help ensure that individuals may continue to benefit from audio-only telehealth services and clarify for health care providers and health plans how they can provide such services while complying with the HIPAA Privacy, Security, … Continue Reading

Help Wanted: OCR Seeks Public Input on “Recognized Security Practices” and Sharing Settlements with Harmed Individuals Under the HITECH Act

Covered entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have the chance to provide input on two amendments to the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently … Continue Reading

Biden Administration Unveils Long-Awaited COVID-19 Rules For Large Employers and Healthcare Workers

The wait is over for employers seeking clarity on the details of the Biden Administration’s vaccine and testing rules for private employers, first announced by President Biden in early September and now slated to take effect alongside federal contractor vaccine requirements on January 4, 2022. The first rule, issued by the Occupational Safety and Health … Continue Reading

FTC Warns Health App Vendors: Comply with the Health Breach Notification Rule or Pay the Penalty!

Vendors of health applications (“health apps”) and connected devices that collect or use individuals’ health information, along with their service providers, are now on notice that they must provide timely notice to consumers and the Federal Trade Commission (FTC) when there is a security breach compromising health information. In response to the proliferation of health … Continue Reading

Providers: Cyberattacks Are Still Coming–Are You Prepared?

Cyberattacks against healthcare providers accounted for 79% of all reported data breaches in 2020. (See here). The U.S. Department of Health and Human Services’ (HHS) Office of the Assistant Secretary for Preparedness and Response (ASPR) responded last month by releasing a comprehensive guide to protect providers against this growing vulnerability entitled “Healthcare System Cybersecurity Readiness … Continue Reading

Ransomware Targeting Hospitals and Healthcare Providers

While fighting a surge of new coronavirus infections in many parts of the country, healthcare providers must also be prepared to defend against ransomware. On October 28, 2020, the FBI, the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning of  “credible information … Continue Reading

New FBI Alert to Healthcare Providers – Beware of COVID-19 Phishing Campaigns

Healthcare providers are under siege, not only from the COVID-19 pandemic, but also from cyber criminals.  Following reports of targeted email phishing attempts, the FBI issued a FLASH alert warning healthcare providers on April 21, 2020, that they are at heightened risk for cyber attacks that use COVID-19 as bait.  The FBI’s FLASH alert follows … Continue Reading

California Telehealth Updates

California has joined the growing ranks of states, as well as the federal government, in efforts to facilitate the efficient provision of healthcare services during the pandemic. Accordingly, in response to federal agency updates with respect to relaxations to existing requirements related to telehealth services, California’s Governor Gavin Newsom issued an Executive Order No. 43-20 … Continue Reading

The CARES Act Impacts to Employer-Sponsored Health and Welfare Benefit Plans

Health and welfare benefit plans and insurers are affected by various provisions of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) passed on March 27, 2020. In addition to provisions impacting tax-qualified retirement plans and executive compensation (summarized here), the CARES Act affects coverage of diagnostic testing, preventive services, telehealth services, and drug reimbursement. … Continue Reading

OCR COVID-19 Updates on HIPAA and Anti-Discrimination Laws

Hospitals will have a limited waiver of HIPAA sanctions and penalties during the COVID-19 outbreak as a result of a bulletin issued on March 16, 2020 by the U.S. Department of Health and Human Services. The Office of Civil Rights also issued a reminder that even during a medical emergency like the COVID-19 pandemic, all … Continue Reading
LexBlog