Photo of Linn Foster Freedman

Linn Freedman is chair of the firm’s Data Privacy + Security Team. She is also an active member of firm’s Health Law Group, education practice, Environmental + Utilities Group, Insurance + Reinsurance Group, and Business Litigation Group. Her practice focuses on data privacy and security law, responses to data breaches, compliance with federal and state privacy and security laws, breach notification laws, and assisting clients with regulatory investigations.

Ms. Freedman is experienced in providing counsel to health care organizations, Regional Health Information Organizations, and privacy and security issues related to interoperability of electronic health records. She has litigated complex cases, including privacy cases, and class action data breach litigation in state, federal, and appellate courts, government investigations, and serves as general counsel of the Rhode Island Quality Institute. Read her full rc.com bio here.

The World Health Organization (WHO) recently published “Ethics and Governance of Artificial Intelligence for Health: Guidance on large multi-modal models” (LMMs), which is designed to provide “guidance to assist Member States in mapping the benefits and challenges associated with the use of for health and in developing policies and practices for appropriate development

On October 31, 2023, the Office for Civil Rights (OCR) issued a press release announcing that it has settled with Doctors’ Management Services for $100,000 following a ransomware attack that compromised the protected health information of 206,695 individuals.

According to the press release, “this marks the first ransomware agreement OCR has reached.”  The facts underlying

HIPAA requires that covered entities notify the Office for Civil Rights (OCR) of any breaches of unsecured protected health information that affects less than 500 individuals in a calendar year within 60 days following the end of the calendar year.

Therefore, all breaches that affected less than 500 individuals that occurred in 2022 and have

According to the 2022 State of Ransomware Report issued recently by Sophos, it surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Those professionals in the health care sector shared that 66 percent of them had experienced a ransomware attack in 2021, which was an increase of 69 percent over 2020. This was the largest increase of all sectors surveyed.Continue Reading Privacy Tip – Health Care Sector Continues to Be Hit with Ransomware

Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own privacy law in the absence of comprehensive federal privacy legislation. Connecticut follows in the steps of Nevada, California, Virginia, Colorado and Utah in enacting its own comprehensive privacy legislation, with more pending in various state legislatures.Continue Reading Connecticut’s Privacy Law Signed by Governor

A federal district court in Montana has confirmed that HIPAA precludes a private right of action for patients to claim an unauthorized access, use, or disclosure of protected health information.  Nonetheless, the court denied the defendant covered entity’s motion to dismiss the complaint, holding that the plaintiff could move forward with state-specific claims of invasion of privacy, negligence, negligent infliction of emotional distress, and violation of Montana’s Consumer Protection Act because the federal law does not bar the suit under state law. The court held that, although HIPAA does not allow private lawsuits to be brought for unauthorized disclosure of health information, it does not preempt state law remedies that offer stronger protections than HIPAA.
Continue Reading No Private Right of Action under HIPAA, but State Law Claims May Still be Asserted

The Office for Civil Rights (OCR) recently announced that it has entered into the 20th settlement under its Right of Access Initiative. The settlement with Children’s Hospital and Medical Center in Nebraska includes an $80,000 payment by the hospital for failing to provide a mother with timely access to her daughter’s medical records.

According

In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACs). PACs are used for the exchange and storage of health scans and images, such as MRIs, CT Scans, breast imaging,

The Office for Civil Rights (OCR) last week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.

The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR.
Continue Reading OCR Announces Settlement with Clinical Lab for Alleged HIPAA Violations

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.
Continue Reading Excellus Health Plan Pays $5.1M to OCR in Settlement Following Data Breach