Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own privacy law in the absence of comprehensive federal privacy legislation. Connecticut follows in the footsteps of Nevada, California, Virginia, Colorado and Utah in enacting its own comprehensive privacy legislation, with more pending in various state legislatures.
On February 28, 2022, the Office of the National Coordinator for Health Information Technology (ONC) issued data on information blocking claims received since April 5, 2021, the effective date of information blocking regulations enacted under the 21st Century Cures Act (Cures Act). As a reminder, in accordance with the Cures Act’s prohibition on certain information blocking practices, in 2020 ONC issued a pair of rules to implement information blocking regulations (now found at 45 CFR Part 171). Due to COVID-related delays, ONC ultimately set a compliance date for such regulations of April 5, 2021. ONC is now sharing, for the first time, preliminary data on the information blocking claims received.
A federal district court in Montana has confirmed that HIPAA precludes a private right of action for patients to claim an unauthorized access, use, or disclosure of protected health information. Nonetheless, the court denied the defendant covered entity’s motion to dismiss the complaint, holding that the plaintiff could move forward with state-specific claims of invasion of privacy, negligence, negligent infliction of emotional distress, and violation of Montana’s Consumer Protection Act because the federal law does not bar the suit under state law. The court held that, although HIPAA does not allow private lawsuits to be brought for unauthorized disclosure of health information, it does not preempt state law remedies that offer stronger protections than HIPAA.
The Office for Civil Rights (OCR) recently announced that it has entered into the 20th settlement under its Right of Access Initiative. The settlement with Children’s Hospital and Medical Center in Nebraska includes an $80,000 payment by the hospital for failing to provide a mother with timely access to her daughter’s medical records.
On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements and to offer businesses that have been the subject of a breach despite implementing cybersecurity safeguards protection from certain damages in resulting litigation.
Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages for an entity covered by the law in a tort action alleging that inadequate cybersecurity controls resulted in a data breach, if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).
Both laws take effect October 1, 2021. …
In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archiving and communication systems (PACS). PACS are used for the exchange and storage of health scans and images, such as MRIs, CT scans, breast imaging,…
Last week, Diabetes, Endocrinology & Lipidology Center Inc. (DELC) of West Virginia reached a $5,000 settlement with the Office for Civil Rights (OCR) over allegations that it failed to provide timely access to a patient’s health records. The OCR alleged that DELC waited more than two years to send a minor’s medical records to their…
The Office for Civil Rights (OCR) last week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.
The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR.
Below is an excerpt of an article co-authored with the Robinson+Cole Construction Law Group and published in Healthcare Facilities Today on March 31, 2021.
The need to update and implement new processes for delivering healthcare in response to the COVID-19 pandemic has resulted in the adoption of more automation, remote access and monitoring technologies. It…
On March 14, 2021, Connecticut Governor Lamont issued Executive Order 10C (EO 10C), which extends provisions of Public Act 20-2 (PA 20-2), a law passed by the Connecticut legislature in July 2020 that “provided additional flexibility for the delivery of telehealth services and insurance coverage of these services” but was scheduled to expire March 15, 2021. As a result of EO 10C, the provisions of PA 20-2 that were scheduled to expire on March 15 will remain in effect through April 20, 2021, in part to give the state legislature more time to “address the ongoing need for” expanded access to telehealth services.