Archives: Privacy and Security


Government and Microsoft In Agreement that Pending Case Mooted by CLOUD Act

On March 30, 2018, Solicitor General Noel J. Francisco filed a motion with the U.S. Supreme Court in United States v. Microsoft Corporation that seeks to vacate the judgment of the U.S. Court of Appeals for the Second Circuit in the case (which held in favor of Microsoft) and to remand the case with directions to dismiss it as moot. The motion was submitted in response to the passage of the CLOUD Act on March 23, 2018, and the Solicitor General’s subsequent letter to the Court on that same date …

Congress Enacts CLOUD Act within Omnibus Spending Bill to Address Overseas Storage of Electronic Data, Potentially Mooting Supreme Court’s Pending Microsoft Case

On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by adding a new § 2713 which states as follows:…

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February 2015, after receiving an anonymous complaint concerning medical records that had been discovered and delivered to a facility for shredding …

Connecticut Supreme Court Recognizes Common-Law Cause of Action for Unauthorized Disclosure of Confidential Medical Information

In a long-awaited decision concerning the confidentiality of medical records and patient privacy, the Connecticut Supreme Court recently concluded that the physician-patient relationship establishes a duty of confidentiality to a patient in Connecticut, and that unauthorized disclosure of confidential information obtained for the purpose of treatment in the course of that relationship gives rise to a cause of action in tort, unless the disclosure is otherwise permitted by law.

In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the Court considered – for a second time – the …

Public Act 17-241 — An Act Concerning Fairness in Pharmacy and Pharmacy Benefits Manager Contracts

Connecticut Governor Dannel P. Malloy recently signed into law Public Act 17-241 (PA 17-241), which contains provisions concerning facility fees, the sending and receiving of electronic health records between hospitals and health care providers, and restrictions on contractual provisions between health care providers and insurance companies.

We recently covered PA 17-241 in our Health Law Pulse; it can be accessed here.…

NJ Gov. Chris Christie Seeks to Ease HIPAA Restrictions in Cases of Opioid Overdose

Last week, New Jersey Governor Chris Christie told reporters that he is in talks with representatives from the U.S. Department of Health and Human Services and the U.S. Department of Justice about easing HIPAA restrictions in situations where individuals have experienced an opioid overdose. Gov. Christie chairs the presidential commission on opioid abuse. Speaking to reporters, Gov. Christie expressed an interest in letting “parents and loved ones know when people have been reversed with Narcan,” referring to a prescription medicine that can be used to reverse an overdose. HIPAA generally …

OCR Issues Reminder on Security Incidents

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care organizations were victims of ransomware attacks, the OCR commented that many of them did not report the incident or notify patients of the incident.…

HHS Releases Health Care Industry Cybersecurity Task Force Report

This week, the Department of Health and Human Services (HHS) issued its “Report on Improving Cybersecurity in the Health Care Industry,” which is the culmination of a year-long effort on behalf of the Cybersecurity Task Force, made up of industry professionals from the public and private sectors to identify and develop recommendations “on the growing challenge of cyber-attacks targeting health care.”…

EHR Vendor Settles False Claims Act Suit for $155 Million

Electronic health record (EHR) vendor eClinicalWorks (eCW) recently entered into a settlement with the US Department of Justice (DOJ) and the Department of Health and Human Services’ Office of Inspector General (OIG) to resolve allegations under the federal False Claims Act (FCA) that eCW misrepresented its software and paid customers kickbacks to promote its products. The settlement imposes joint and several liability on the EHR vendor and three of its founders for payment of $154.92 million, and individual liability for settlement payments on a developer ($50,000) and two project managers …

Connecticut Enacts Legislation Updating HIV Testing Laws

Connecticut Governor Dannel Malloy recently signed into law Public Act 17-6 (PA 17-6), a bill that makes certain revisions to state laws concerning human immunodeficiency virus (HIV) testing and syringe services programs pursuant to recommendations of the Department of Public Health (DPH). The substantive provisions of this legislation take effect July 1, 2017.

Currently, Conn. Gen. Stat. §19a-90 states that physicians furnishing prenatal care to pregnant women shall take (or cause to be taken) a blood sample within 30 days of the woman’s first examination, and again during the final …

Class Action Initiated Against Telehealth Provider for Disclosure of Sensitive Information

A class action was filed in Fort Lauderdale, Florida this week against a national telehealth provider, MDLive Inc. (MDLive), for its mobile app’s alleged secret capture of screenshots containing sensitive patient information without restricting access to medical providers who have a legitimate need to view the information. The lawsuit was filed by Utah resident Joan Richards, who is seeking class certification of a class that she estimates will include thousands of other MDLive users, and more than $5 million in damages.…

Recent OCR Settlements

The Office for Civil Rights (OCR) recently announced settlements with healthcare-related entities, including:

  • The OCR entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000. CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a CCDH business associate that stored inactive paper medical records for CCDH. While CCDH had been disclosing PHI to the vendor since 2003, neither party could produce a business associate agreement

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Hypertext Transfer Protocol Secure (HTTPS) to protect communications from vulnerabilities. According to OCR, a vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are deployed to detect malware or unsafe connections, but an inspection product that does not properly validate the connections it intercepts can itself allow interception of the communication. Such interceptions are called man-in-the-middle attacks.

The OCR advises that covered entities and business associates follow US-CERT guidelines and verify that their HTTPS inspection product validates certificate chains and …

NY AG Announces Settlements with 3 Mobile-Health App Developers Over Privacy, Marketing Concerns

On March 23, 2017, New York State Attorney General Eric T. Schneiderman announced settlements with three mobile health application (app) development companies aimed at curbing deceptive marketing practices and inadequate privacy disclosures to consumers. The settlements – reached with Cardiio, Inc., Matis Ltd., and Runtastic GmbH, respectively – target health measurement apps that “purport to measure vital signs or other indicators of health using only a smartphone’s camera and sensors, without any need for an external device.”

The Office of Attorney General (OAG) expressed concern that growing …

West Virginia University Medicine University Healthcare Patients Victims of Identity Theft

West Virginia University Medicine University Healthcare (WVUM) has confirmed that it is sending notification letters to over 7,400 of its patients seen at Berkeley Medical Center as a result of unauthorized access to their information. It further confirmed that 113 of its patients have become the victims of identity theft as a result of the theft of patient records by an employee of Berkeley Medical Center (Berkeley).

The Berkeley employee removed patient information from the premises of WVUM by writing it down on a pad. The FBI identified the link …

11th Circuit Invalidates Key Provisions in Florida Law Prohibiting Physician Inquiries About Patient Firearm Ownership

In Wollschlaeger v. Florida, No. 12-14009 (Feb. 16, 2017), the U.S. Court of Appeals for the Eleventh Circuit invalidated provisions of the Florida Firearms Owners’ Privacy Act that prohibited physicians from (i) asking patients if they (or their family members) own firearms or ammunition, (ii) documenting firearm ownership in patient medical records, and (iii) harassing patients about firearm ownership during examinations. The appellate court did not invalidate the Act’s antidiscrimination provision that prohibits physicians from discriminating against patients based solely on firearm ownership. Physicians who violated the Act were …

Florida Supreme Court Rejects PSQIA Preemption of Florida Constitution

On January 31, 2017, the Florida Supreme Court held that adverse medical incident reports produced in accordance with Florida law cannot constitute confidential and privileged patient safety work product (PSWP) under the federal Patient Safety & Quality Improvement Act of 2005 (PSQIA). In Jean Charles, Jr. et al. v. Southern Baptist Hospital of Florida, Inc. (No. SC15-2180), the Court endorsed a broad right of access under the Florida Constitution for patients to obtain adverse medical incident reports from health care facilities, a right commonly exercised by plaintiffs in medical malpractice …

Vanderbilt University Medical Center PHI Breached by Patient Transporters

Vanderbilt University Medical Center (VUMC) has announced that it will be sending breach notification letters to over 3,000 patients as a result of unauthorized access to PHI by two patient transporters.

According to the announcement, VUMC audited its medical records (as it is required to do by HIPAA) and found that two individuals who worked as patient transporters accessed 3,247 patient records without authorization between May 2015 and December 2016. The information accessed included data from adults and minors, including names, dates of birth, …

Horizon BCBS of New Jersey Pays State $1.1 million for HIPAA violations

We often forget that state AGs have jurisdiction under the HIPAA Omnibus Rule to levy fines and penalties against HIPAA covered entities for violations, because the Office for Civil Rights has traditionally taken the primary role in enforcing HIPAA. But Horizon Blue Cross Blue Shield of New Jersey (Horizon) was reminded of the AG’s ability to enforce HIPAA when it recently agreed to pay a $1.1 million fine to the New Jersey Division of Consumer Affairs for an incident that occurred in November 2013 involving the theft …

Joint Commission Bans Secure Text Messaging for Patient Care Orders

The Joint Commission recently clarified that patient care orders may not be transmitted by secure text message. The Joint Commission initially prohibited the practice in 2011 but subsequently allowed practitioners to send orders through a secure text messaging system if certain conditions were met. In this most recent clarification, The Joint Commission states that concerns remain even when using secure messaging platforms.

The clarification includes several recommendations developed by The Joint Commission in cooperation with the Centers for Medicare & Medicaid Services (CMS). In addition to the ban on secure …

W2 Phishing Scam Hits Citizens Memorial Hospital

We continue to see all industries hit with W2 phishing scams, including the health care industry.

Citizens Memorial Hospital, located in Bolivar, Missouri, was hit with the scam when one of its employees believed that an email purportedly received from another employee was legitimate, and sent the hospital’s 2016 employee W2s to a hacker. Usually, the W2s are used by the hackers to file false tax returns seeking a quick tax refund before the taxpayer files his or her own return.

Employees continue to fall victim to the scheme …

$5.5 Million HIPAA Settlement Emphasizes Importance of Audit Controls of Access by OHCA Affiliates

On February 16, 2017, the Office for Civil Rights (OCR) announced a $5.5 million settlement with South Broward Hospital District d/b/a Memorial Healthcare System (Healthcare System), to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Healthcare System is a nonprofit corporation that operates several hospitals, an urgent care center, a nursing home, and ancillary health care facilities throughout south Florida. The Healthcare System is also affiliated with physician offices through an Organized Health Care Arrangement (OHCA).…

HHS Delays Effective Date of New Part 2 Regulations

On February 15, 2017, the U.S. Department of Health & Human Services announced that it had delayed the effective date of the Substance Abuse and Mental Health Services final rule announced in January regarding the Confidentiality of Substance Abuse Disorder Patient Records (commonly known as the 42 C.F.R. Part 2 regulations). The final rule – which had been scheduled to take effect February 17, 2017 – will now take effect March 21, 2017.

HHS made this delay in accordance with the new administration’s “Regulatory Freeze Pending Review” memorandum issued January …
