HIPAA/Health

Stethoscope head lying on medical formThe US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under the terms of the settlement, the Clinic agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential violations of the Privacy and Security Rules under HIPAA. The Clinic provides orthopedic services to approximately 138,000 patients annually.
Continue Reading Orthopedic Clinic Settles with HHS OCR for $1.5 Million Over Claims of Systemic HIPAA Noncompliance

Healthcare and Medicine TechnologyThe Substance Abuse and Mental Health Services Administration (“SAMHSA”) recently modified 42 CFR Part 2 regulations which sets forth federal confidentiality rules governing substance use disorder information.  While these changes bring Part 2 closer in alignment to HIPAA, the additional modifications that the CARES Act requires (which will require aligning Part 2’s consent requirements more

What even might actually manage to have more geeks than Comic-Con?

PrivacyCon!

Ok, probably not, but on July 21, 2020 the FTC hosted their fifth annual PrivacyCon event, and for the first time it was entirely online. This event is designed to provide researched information on various important privacy topics. The FTC curates the event content based on submitted materials and moderates each session. This year’s topics were (1) health apps, (2) artificial intelligence, (3) Internet of Things devices, (4) privacy and security of specific technologies such as digital cameras and virtual assistants, (5) international privacy, and (6) miscellaneous privacy and security issues.
Continue Reading Key Takeaways from the FTC’s PrivacyCon

As explained in a recent post published on Squire Patton Bogg’s Anticorruption Blog, the DOJ is pursuing providers who submit false claims under the electronic health records initiative.  This enforcement action should serve as a reminder to examine carefully attestations of EHR compliance, including the requirement to complete a HIPAA-required security risk assessment.

The Food and Drug Administration (FDA) has recently issued several cybersecurity and medical device initiatives as part of the agency’s increased focus on digital health. These initiatives include draft cybersecurity guidance for medical devices, increased coordination with the Department of Homeland Security, and the promotion of artificial intelligence. Elliot Golding and Jennifer Tharp provided an

In an article posted in Law360 Expert Analysis on May 22, 2018, Squire Patton Boggs partner Elliot Golding describes how the rise of health care smart devices and tracking apps has intensified the focus on data privacy and cybersecurity within the health care industry.  Subsequently, new and proposed government and regulatory initiatives are underway.

Additional

Elliot Golding, in a podcast interview with Healthcare InfoSecurity, discusses progressing healthcare privacy and security issues, especially complex issues involving Internet of Things (IoT) devices. Topic points include, new risks when connected devices link to legacy systems, the applicable regulatory environment, and other important issues companies operating in the health care space need

As some companies may have experienced already, the French Public Health Code (Article L.1111-8) requires that services providers hosting certain types of health/medical data (in French “hébergeurs de données de santé” or “HDS”) be accredited for this activity.

The accreditation procedure is changing, effective 1 April 2018, from an authorisation procedure to a certification
Continue Reading France Issues New Rules for the Accreditation of Health Data Hosting Services Providers

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement.  Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorney generals have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected.  Although states also have authority to bring civil actions under state law Unfair and Deceptive Acts (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices.  This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to ensure they have taken steps to ensure HIPAA compliance.
Continue Reading States Increase HIPAA Enforcement