Archives: Privacy and Security


Laws Affecting Health Care Entities in Connecticut Take Effect October 1, 2018

On October 1, 2018, a number of new laws affecting health care entities in Connecticut became effective. Below please find a brief description of some of the newly-effective provisions, as well as links to our analyses of the changes.…

Connecticut Expands Consumer Protections Against Identity Theft and Data Breaches

On June 4, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-90 “An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies” (P.A. 18-90). This bill makes several revisions to Connecticut laws concerning identity theft, most notably by newly prohibiting credit reporting agencies from charging fees for consumers to place or remove security freezes. This law takes effect on October 1, 2018.…

Connecticut Legislature Operationalizes New Health Oversight Agency: The Office of Health Strategy

On May 14, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-91 “An Act Concerning the Office of Health Strategy” (PA 18-91), a bill that operationalizes the Office of Health Strategy (OHS), a new health oversight agency in Connecticut. OHS is a division of the Department of Public Health (DPH) “for administrative purposes only” that was provisionally established by the Connecticut General Assembly within the budget implementer bill passed in a special session in late 2017 and accorded responsibility for developing and implementing a …

DOJ Announces Criminal Conviction of Physician for HIPAA Violation

On April 30, 2018 a Massachusetts physician was convicted of a criminal violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as one count of obstruction of a criminal health care investigation, in a Massachusetts federal court. The convictions relate to the purported sharing of confidential patient information by the physician with pharmaceutical sales representatives that allowed the pharmaceutical company to target patients with specific conditions (and to correspondingly facilitate the receipt of prior authorizations for the company’s drugs from patients’ insurers).…

Government and Microsoft In Agreement that Pending Case Mooted by CLOUD Act

On March 30, 2018, Solicitor General Noel J. Francisco filed a motion with the U.S. Supreme Court in United States v. Microsoft Corporation that seeks to vacate the judgment of the U.S. Court of Appeals for the Second Circuit in the case (which held in favor of Microsoft) and to remand the case with directions to dismiss it as moot. The motion was submitted in response to the passage of the CLOUD Act on March 23, 2018, and the Solicitor General’s subsequent letter to the Court on that same date …

Congress Enacts CLOUD Act within Omnibus Spending Bill to Address Overseas Storage of Electronic Data, Potentially Mooting Supreme Court’s Pending Microsoft Case

On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by adding a new § 2713 which states as follows:…

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February 2015, after receiving an anonymous complaint concerning medical records that had been discovered and delivered to a facility for shredding …

Connecticut Supreme Court Recognizes Common-Law Cause of Action for Unauthorized Disclosure of Confidential Medical Information

In a long-awaited decision concerning the confidentiality of medical records and patient privacy, the Connecticut Supreme Court recently concluded that the physician-patient relationship establishes a duty of confidentiality to a patient in Connecticut, and that unauthorized disclosure of confidential information obtained for the purpose of treatment in the course of that relationship gives rise to a cause of action in tort, unless the disclosure is otherwise permitted by law.

In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the Court considered – for a second time – the …

Public Act 17-241 — An Act Concerning Fairness in Pharmacy and Pharmacy Benefits Manager Contracts

Connecticut Governor Dannel P. Malloy recently signed into law Public Act 17-241 (PA 17-241), which contains provisions concerning facility fees, the sending and receiving of electronic health records between hospitals and health care providers, and restrictions on contractual provisions between health care providers and insurance companies.

We recently covered PA 17-241 in our Health Law Pulse; it can be accessed here.…

NJ Gov. Chris Christie Seeks to Ease HIPAA Restrictions in Cases of Opioid Overdose

Last week, New Jersey Governor Chris Christie told reporters that he is in talks with representatives from the U.S. Department of Health and Human Services and the U.S. Department of Justice about easing HIPAA restrictions in situations where individuals have experienced an opioid overdose. Gov. Christie chairs the presidential commission on opioid abuse. Speaking to reporters, Gov. Christie expressed an interest in letting “parents and loved ones know when people have been reversed with Narcan,” referring to a prescription medicine that can be used to reverse an overdose. HIPAA generally …

OCR Issues Reminder on Security Incidents

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care organizations were victims of ransomware attacks, the OCR commented that many of them did not report the incident or notify patients of the incident.…

HHS Releases Health Care Industry Cybersecurity Task Force Report

This week, the Department of Health and Human Services (HHS) issued its “Report on Improving Cybersecurity in the Health Care Industry,” which is the culmination of a year-long effort on behalf of the Cybersecurity Task Force, made up of industry professionals from the public and private sectors to identify and develop recommendations “on the growing challenge of cyber-attacks targeting health care.”…

EHR Vendor Settles False Claims Act Suit for $155 Million

Electronic health record (EHR) vendor eClinicalWorks (eCW) recently entered into a settlement with the US Department of Justice (DOJ) and the Department of Health and Human Services’ Office of Inspector General (OIG) to resolve allegations under the federal False Claims Act (FCA) that eCW misrepresented its software and paid customers kickbacks to promote its products. The settlement imposes joint and several liability for payment on the EHR vendor and three of its founders for $154.92 million, and liability for settlement payments individually by a developer ($50,000) and two project managers …

Connecticut Enacts Legislation Updating HIV Testing Laws

Connecticut Governor Dannel Malloy recently signed into law Public Act 17-6 (PA 17-6), a bill that makes certain revisions to state laws concerning human immunodeficiency virus (HIV) testing and syringe services programs pursuant to recommendations of the Department of Public Health (DPH). The substantive provisions of this legislation take effect July 1, 2017.

Currently, Conn. Gen. Stat. §19a-90 states that physicians furnishing prenatal care to pregnant women shall take (or cause to be taken) a blood sample within 30 days of the woman’s first examination, and again during the final …

Class Action Initiated Against Telehealth Provider for Disclosure of Sensitive Information

A class action was filed in Fort Lauderdale, Florida this week against a national telehealth provider, MDLive Inc. (MDLive), for its mobile app’s alleged secret capture of screenshots containing sensitive patient information without restricting access to medical providers who have a legitimate need to view the information. The lawsuit was filed by Utah resident Joan Richards, who is seeking certification of a class that she estimates will include thousands of other MDLive users, and more than $5 million in damages.…

Recent OCR Settlements

The Office for Civil Rights (OCR) recently announced settlements with healthcare-related entities, including:

  • The OCR entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000. CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a CCDH business associate that stored inactive paper medical records for CCDH. While CCDH had been disclosing PHI to the vendor since 2003, neither party could produce a business associate agreement

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Hypertext Transfer Protocol Secure (HTTPS) to protect communications, and warns of a vulnerability that HTTPS-inspection products can introduce. According to OCR, these products are deployed to detect malware or unsafe connections, but if they do not properly validate the connections they inspect, they can allow the communication to be intercepted. These interceptions are called man-in-the-middle attacks.

The OCR advises that covered entities and business associates follow US-CERT guidelines and verify that their HTTPS inspection product validates certificate chains and …

NY AG Announces Settlements with 3 Mobile-Health App Developers Over Privacy, Marketing Concerns

On March 23, 2017, New York State Attorney General Eric T. Schneiderman announced settlements with three mobile health application (app) development companies aimed at curbing deceptive marketing practices and inadequate privacy disclosures to consumers. The settlements – reached with Cardiio, Inc., Matis Ltd., and Runtastic GmbH, respectively – target health measurement apps that “purport to measure vital signs or other indicators of health using only a smartphone’s camera and sensors, without any need for an external device.”

The Office of Attorney General (OAG) expressed concern that growing …

West Virginia University Medicine University Healthcare Patients Victims of Identity Theft

West Virginia University Medicine University Healthcare (WVUM) has confirmed that it is sending notification letters to over 7,400 of its patients seen at Berkeley Medical Center as a result of unauthorized access to their information. It further confirmed that 113 of its patients have become victims of identity theft as a result of the theft of patient records by an employee of Berkeley Medical Center (Berkeley).

The Berkeley employee removed patient information from the premises of WVUM by writing the information on a notepad. The FBI identified the link …

11th Circuit Invalidates Key Provisions in Florida Law Prohibiting Physician Inquiries About Patient Firearm Ownership

In Wollschlaeger v. Florida, No. 12-14009 (Feb. 16, 2017), the U.S. Court of Appeals for the Eleventh Circuit invalidated provisions of the Florida Firearms Owners’ Privacy Act that prohibited physicians from (i) asking patients if they (or their family members) own firearms or ammunition, (ii) documenting firearm ownership in patient medical records, and (iii) harassing patients about firearm ownership during examinations. The appellate court did not invalidate the Act’s antidiscrimination provision that prohibits physicians from discriminating against patients based solely on firearm ownership. Physicians who violated the Act were …

Florida Supreme Court Rejects PSQIA Preemption of Florida Constitution

On January 31, 2017, the Florida Supreme Court held that adverse medical incident reports produced in accordance with Florida law cannot constitute confidential and privileged patient safety work product (PSWP) under the federal Patient Safety & Quality Improvement Act of 2005 (PSQIA). In Jean Charles, Jr. et al. v. Southern Baptist Hospital of Florida, Inc. (No. SC15-2180), the Court endorsed a broad right of access under the Florida Constitution for patients to obtain adverse medical incident reports from health care facilities, a right commonly exercised by plaintiffs in medical malpractice …

Vanderbilt University Medical Center PHI Breached by Patient Transporters

Vanderbilt University Medical Center (VUMC) has announced that it will be sending breach notification letters to over 3,000 patients as a result of unauthorized access to PHI by two patient transporters.

According to the announcement, VUMC audited its medical records (as it is required to do by HIPAA) and found that two individuals who worked as patient transporters accessed 3,247 patient records between May 2015 and December 2016 without authorization. The information accessed included data from adults and minors, including names, dates of birth, …
