Archives: Privacy and Security


Allscripts Announces $145 Million Preliminary Settlement with DOJ Related to an Investigation of Practice Fusion, a Recently Acquired EHR Company

In its second quarter Securities and Exchange Commission (SEC) filing, Allscripts addressed its announced agreement in principle with the Department of Justice (DOJ) to resolve investigations into certain alleged practices of Practice Fusion, an electronic health records (EHR) vendor acquired by Allscripts in February 2018 for $100 million. Allscripts indicated the agreement is still subject to further negotiation and government approval, and would likely include additional non-monetary terms, including a deferred prosecution agreement, if a finalized settlement is reached.…

SHIELD Act Becomes Law, Expanding Breach Notification and Data Security Requirements

On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The SHIELD Act modifies the current Breach Notification Law to expand the types of data elements that are considered “private information” and to expand the data breach disclosure requirements for individuals and businesses. Moreover, the law creates a requirement that owners or licensors of private information meet a new “reasonable security requirement.”…

CMS Announces Pilot Program for Clinicians to View Claims Data of Medicare Beneficiaries

On July 30, 2019, the Centers for Medicare & Medicaid Services (CMS) announced “Data at the Point of Care” (DPC), a pilot program that will provide clinicians with access to claims data. The pilot program follows on the heels of the recently proposed Interoperability and Patient Access Proposed Rule, which would require regulated health plans to make patient data available through an application programming interface (API). These actions are also part of the MyHealthEData initiative spearheaded by the White House Office of American Innovation.…

Health Care Organizations Have Highest Costs for Data Breaches

As readers of this blog know, data breaches in the health care industry are all too common. Health care organizations are an attractive target for hackers because of the nature and amount of personal information that they possess.

Therefore, it is perhaps not surprising that healthcare organizations have the highest costs associated with data breaches. They also have significantly higher costs as compared to other industries.

According to the 2019 Cost of a Data Breach Report recently released by the Ponemon Institute and IBM Security, which was based on in-depth …

OIG Issues Alert to Warn of ‘Free’ Genetic Testing Scams Seeking to Steal Information

On June 3, 2019, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a fraud alert to notify consumers about genetic testing fraud schemes (the Alert). According to the OIG, fraudulent actors are using the provision of free genetic testing kits to obtain Medicare information from unwitting consumers, and then using the stolen information for purposes of fraudulent billing and/or identity theft.…

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued …

OCR Issues Request for Information Regarding Modification of HIPAA To Promote Care Coordination and Transition to Value-Based Care

On December 14, 2018, the Department of Health & Human Services Office for Civil Rights (OCR) published a Request for Information (RFI) soliciting public input on updates to regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) with the goals of removing “regulatory obstacles” and decreasing “regulatory burdens” in furtherance of the health care industry’s transition to value-based care models.

In the RFI, OCR requests input on whether and how the HIPAA regulations (i) can be modified to remove regulatory obstacles and burdens to efficient care coordination and …

Laws Affecting Health Care Entities in Connecticut Take Effect October 1, 2018

On October 1, 2018, a number of new laws affecting health care entities in Connecticut became effective. Below please find a brief description of some of the newly-effective provisions, as well as links to our analyses of the changes.…

Connecticut Expands Consumer Protections Against Identity Theft and Data Breaches

On June 4, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-90 “An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies” (P.A. 18-90). This bill makes several revisions to Connecticut laws concerning identity theft, most notably by newly prohibiting credit reporting agencies from charging fees for consumers to place or remove security freezes. This law takes effect on October 1, 2018.…

Connecticut Legislature Operationalizes New Health Oversight Agency: The Office of Health Strategy

On May 14, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-91 “An Act Concerning the Office of Health Strategy” (PA 18-91), a bill that operationalizes the Office of Health Strategy (OHS), a new health oversight agency in Connecticut. OHS is a division of the Department of Public Health (DPH) “for administrative purposes only” that was provisionally established by the Connecticut General Assembly within the budget implementer bill passed in a special session in late 2017 and accorded responsibility for developing and implementing a …

DOJ Announces Criminal Conviction of Physician for HIPAA Violation

On April 30, 2018, a Massachusetts physician was convicted of a criminal violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as one count of obstruction of a criminal health care investigation, in a Massachusetts federal court. The convictions relate to the purported sharing of confidential patient information by the physician with pharmaceutical sales representatives that allowed the pharmaceutical company to target patients with specific conditions (and to correspondingly facilitate the receipt of prior authorizations for the company’s drugs from patients’ insurers).…

Government and Microsoft In Agreement that Pending Case Mooted by CLOUD Act

On March 30, 2018, Solicitor General Noel J. Francisco filed a motion with the U.S. Supreme Court in United States v. Microsoft Corporation that seeks to vacate the judgment of the U.S. Court of Appeals for the Second Circuit in the case (which held in favor of Microsoft) and to remand the case with directions to dismiss it as moot. The motion was submitted in response to the passage of the CLOUD Act on March 23, 2018, and the Solicitor General’s subsequent letter to the Court on that same date …

Congress Enacts CLOUD Act within Omnibus Spending Bill to Address Overseas Storage of Electronic Data, Potentially Mooting Supreme Court’s Pending Microsoft Case

On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by adding a new § 2713 which states as follows:…

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February, 2015, after receiving an anonymous complaint concerning medical records that had been discovered and delivered to a facility for shredding …

Connecticut Supreme Court Recognizes Common-Law Cause of Action for Unauthorized Disclosure of Confidential Medical Information

In a long-awaited decision concerning the confidentiality of medical records and patient privacy, the Connecticut Supreme Court recently concluded that the physician-patient relationship establishes a duty of confidentiality to a patient in Connecticut, and that unauthorized disclosure of confidential information obtained for the purpose of treatment in the course of that relationship gives rise to a cause of action in tort, unless the disclosure is otherwise permitted by law.

In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the Court considered – for a second time – the …

Public Act 17-241 — An Act Concerning Fairness in Pharmacy and Pharmacy Benefits Manager Contracts

Connecticut Governor Dannel P. Malloy recently signed into law Public Act 17-241 (PA 17-241), which contains provisions concerning facility fees, the sending and receiving of electronic health records between hospitals and health care providers, and restrictions on contractual provisions between health care providers and insurance companies.

We recently covered PA 17-241 in our Health Law Pulse; it can be accessed here.…

NJ Gov. Chris Christie Seeks to Ease HIPAA Restrictions in Cases of Opioid Overdose

Last week, New Jersey Governor Chris Christie told reporters that he is in talks with representatives from the U.S. Department of Health and Human Services and the U.S. Department of Justice about easing HIPAA restrictions in situations where individuals have experienced an opioid overdose. Gov. Christie chairs the presidential commission on opioid abuse. Speaking to reporters, Gov. Christie expressed an interest in letting “parents and loved ones know when people have been reversed with Narcan,” referring to a prescription medicine that can be used to reverse an overdose. HIPAA generally …

OCR Issues Reminder on Security Incidents

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care organizations were victims of ransomware attacks, the OCR commented that many of them did not report the incident or notify patients of the incident.…

HHS Releases Health Care Industry Cybersecurity Task Force Report

This week, the Department of Health and Human Services (HHS) issued its “Report on Improving Cybersecurity in the Health Care Industry,” which is the culmination of a year-long effort on behalf of the Cybersecurity Task Force, made up of industry professionals from the public and private sectors to identify and develop recommendations “on the growing challenge of cyber-attacks targeting health care.”…

EHR Vendor Settles False Claims Act Suit for $155 Million

Electronic health record (EHR) vendor eClinicalWorks (eCW) recently entered into a settlement with the US Department of Justice (DOJ) and the Department of Health and Human Services’ Office of Inspector General (OIG) to resolve allegations under the federal False Claims Act (FCA) that eCW misrepresented its software and paid customers kickbacks to promote its products. The settlement imposes joint and several liability for payment on the EHR Vendor and three of its founders for $154.92 million, and liability for settlement payments individually by a developer ($50,000) and two project managers …

Connecticut Enacts Legislation Updating HIV Testing Laws

Connecticut Governor Dannel Malloy recently signed into law Public Act 17-6 (PA 17-6), a bill that makes certain revisions to state laws concerning human immunodeficiency virus (HIV) testing and syringe services programs pursuant to recommendations of the Department of Public Health (DPH). The substantive provisions of this legislation take effect July 1, 2017.

Currently, Conn. Gen. Stat. §19a-90 states that physicians furnishing prenatal care to pregnant women shall take (or cause to be taken) a blood sample within 30 days of the woman’s first examination, and again during the final …
