The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: HIPAA

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Lessons From the Continued Uptick in HIPAA Enforcements 

    The U.S. Department of Health and Human Services’ Office for Civil Rights has had an active start to 2017. The agency announced resolution agreements with MAPFRE Life Insurance of Puerto Rico and Presence Health as well as a final determination against Children’s Medical Center of Dallas that includes a $3.2 million civil monetary penalty. The actions highlight the need for companies to issue timely breach notifications, complete promised actions, and take swift remedial action to address known vulnerabilities. This article explains the three actions, provides advice on working with HHS, and examines 2017 regulatory expectations. “One thing that’s evident from these and other settlements is that once OCR is doing an investigation, it is not going to look only at the issue in question. It will open the door to a wider assessment of your HIPAA policies and procedures and practices. Once you’re in the spotlight, expect the spotlight to shine more broadly,” Lisa Sotto, a partner at Hunton & Williams, told The Cybersecurity Law Report. See also “Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS” (Dec. 9, 2015).
  • From Vol. 2 No.4 (Feb. 17, 2016)

    HIPAA Privacy Rule Permits Disclosures to Firearm Background Check System

    The current firearm background check system just became a little stronger thanks to the Department of Health and Human Services. The Department issued a Final Rule amending the HIPAA Privacy Rule to allow certain covered entities to disclose PHI about individuals prohibited from possessing or receiving firearms to the National Instant Background Check System without the individual’s prior consent. Lynn Sessions, a BakerHostetler partner, spoke with The Cybersecurity Law Report about the Final Rule, its implications and processes covered entities should put in place to mitigate risk. The Final Rule became effective February 6, 2016. See also “Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS” (Dec. 9, 2015).
  • From Vol. 1 No.18 (Dec. 9, 2015)

    Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS

    The Department of Health and Human Services’ Office for Civil Rights recently entered into two significant settlements, one with a healthcare insurance company and the other with a hospital, to resolve HIPAA charges. Triple-S Management Corporation and its relevant subsidiaries agreed to pay a $3.5 million fine and take a series of corrective steps following several breaches involving protected health information. Lahey Clinic Hospital, Inc. agreed to pay $850,000 and adhere to an action plan following the theft of a device that contained patient electronic protected health information. Although there are still “a relatively small number of [OCR settlements] each year . . . the penalties have been steadily rising and I expect they will continue to do so,” Robert Belfort, a partner at Manatt, told The Cybersecurity Law Report. See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).
  • From Vol. 1 No.15 (Oct. 28, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part Two of Two)

    Companies in the life sciences and health information technology industry face unique data privacy and security concerns based on the highly sensitive personal health information that they handle. In our continued coverage of a recent health sector data privacy and security webinar, WilmerHale partners Barry Hurewitz and Jonathan Cedarbaum address HIPAA’s nuances, including requirements for business associates and its applicability in medical research. They also highlight the latest regulatory guidance regarding medical and mobile devices, and move beyond HIPAA to examine current state and international regulations. In part one, Hurewitz discussed security issues specific to life science and health information technology companies and provided a federal regulatory overview. See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).
  • From Vol. 1 No.14 (Oct. 14, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part One of Two)

    The health sector is faced with a web of complex regulations due to the particular sensitivity of the information it handles. During a recent webinar, WilmerHale partners discussed special health data regulatory considerations at state, federal and international levels and how health care companies can navigate them. In this article, the first in a two-part series, Barry Hurewitz examines the security issues specific to life sciences and health information technology companies, and provides an overview of the applicable regulatory standards at the federal level, with a focus on HIPAA. The second article will feature Hurewitz and Jonathan Cedarbaum’s coverage of the regulatory landscape as it relates to business associate agreements, medical research and recent developments regarding mobile devices, as well as special considerations of health data privacy regulation at the state and international levels. See “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).
  • From Vol. 1 No.5 (Jun. 3, 2015)

    Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans

    Employee benefit plans, including health and pension plans, are prime targets of hackers, as evident from the most recent Anthem and Premera crises, and the proper proactive and reactive steps are key to mitigating breach risk and breach fallout. In a recent Strafford webinar, Ogletree Deakins attorneys Vance E. Drawdy, Timothy G. Verrall and Stephen A. Riga shared their insights on best practices for fiduciaries and sponsors to navigate the complex state and federal regulations on data breaches that are applicable to ERISA benefit plans. This article details some of their advice on preventing, assessing and responding to a plan data breach. See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).
  • From Vol. 1 No.2 (Apr. 22, 2015)

    Steps to Take Following a Healthcare Data Breach

    The prevalence, size and cost of healthcare breaches are skyrocketing, with hackers gaining sophistication and regulators becoming more active. It is a rare covered entity that has not had to report a data breach to patients/members and the U.S. Department of Health & Human Services Office for Civil Rights since the Health Information Technology for Economic and Clinical Health Act became effective in 2009. To assist healthcare companies in understanding and responding to data breaches in this regulatory environment, in a guest article, BakerHostetler partner Lynn Sessions discusses: the enforcement climate; the legal definition of a healthcare breach; strategies for handling unsecured personal health information; notification requirements and best notification procedures; activating a breach response team; mitigating the impact of a breach; and what’s next in cybersecurity for the healthcare industry.