Archives: Privacy and Security


Public Act 17-241 — An Act Concerning Fairness in Pharmacy and Pharmacy Benefits Manager Contracts

Connecticut Governor Dannel P. Malloy recently signed into law Public Act 17-241 (PA 17-241), which contains provisions concerning facility fees, the sending and receiving of electronic health records between hospitals and health care providers, and restrictions on contractual provisions between health care providers and insurance companies.

We recently covered PA 17-241 in our Health Law Pulse; it can be accessed here.…

NJ Gov. Chris Christie Seeks to Ease HIPAA Restrictions in Cases of Opioid Overdose

Last week, New Jersey Governor Chris Christie told reporters that he is in talks with representatives from the U.S. Department of Health and Human Services and the U.S. Department of Justice about easing HIPAA restrictions in situations where individuals have experienced an opioid overdose. Gov. Christie chairs the presidential commission on opioid abuse. Speaking to reporters, Gov. Christie expressed an interest in letting “parents and loved ones know when people have been reversed with Narcan,” referring to a prescription medicine that can be used to reverse an overdose. HIPAA generally …

OCR Issues Reminder on Security Incidents

Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care organizations were victims of ransomware attacks, the OCR commented that many of them did not report the incident or notify patients of the incident.…

HHS Releases Health Care Industry Cybersecurity Task Force Report

This week, the Department of Health and Human Services (HHS) issued its “Report on Improving Cybersecurity in the Health Care Industry,” which is the culmination of a year-long effort on behalf of the Cybersecurity Task Force, made up of industry professionals from the public and private sectors to identify and develop recommendations “on the growing challenge of cyber-attacks targeting health care.”…

EHR Vendor Settles False Claims Act Suit for $155 Million

Electronic health record (EHR) vendor eClinicalWorks (eCW) recently entered into a settlement with the US Department of Justice (DOJ) and the Department of Health and Human Services’ Office of Inspector General (OIG) to resolve allegations under the federal False Claims Act (FCA) that eCW misrepresented its software and paid customers kickbacks to promote its products. The settlement imposes joint and several liability for payment on the EHR vendor and three of its founders for $154.92 million, and liability for settlement payments individually by a developer ($50,000) and two project managers …

Connecticut Enacts Legislation Updating HIV Testing Laws

Connecticut Governor Dannel Malloy recently signed into law Public Act 17-6 (PA 17-6), a bill that makes certain revisions to state laws concerning human immunodeficiency virus (HIV) testing and syringe services programs pursuant to recommendations of the Department of Public Health (DPH). The substantive provisions of this legislation take effect July 1, 2017.

Currently, Conn. Gen. Stat. §19a-90 states that physicians furnishing prenatal care to pregnant women shall take (or cause to be taken) a blood sample within 30 days of the woman’s first examination, and again during the final …

Class Action Initiated Against Telehealth Provider for Disclosure of Sensitive Information

A class action was filed in Fort Lauderdale, Florida this week against a national telehealth provider, MDLive Inc. (MDLive) for its mobile app’s alleged secret capture of screenshots containing sensitive patient information without restricting access to medical providers who have a legitimate need to view the information. The lawsuit was filed by Utah resident, Joan Richards, who is seeking class certification of a class that she estimates will include thousands of other MDLive users and more than $5 million damages.…

Recent OCR Settlements

The Office for Civil Rights (OCR) recently announced settlements with healthcare-related entities, including:

  • The OCR entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000.  CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a CCDH business associate that stored inactive paper medical records for CCDH.  While CCDH had been disclosing PHI to the vendor since 2003, neither party could produce a business associate agreement

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Hypertext Transfer Protocol Secure (HTTPS) to protect their communications. OCR cautions, however, that a vulnerability can be introduced by products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, but they can also allow interception of the communication, which is known as a man-in-the-middle attack.

The OCR advises that covered entities and business associates follow US-CERT guidelines and verify that their HTTPS inspection product validates certificate chains and …

NY AG Announces Settlements with 3 Mobile-Health App Developers Over Privacy, Marketing Concerns

On March 23, 2017, New York State Attorney General Eric T. Schneiderman announced settlements with three mobile health application (app) development companies aimed at curbing deceptive marketing practices and inadequate privacy disclosures to consumers. The settlements – reached with Cardiio, Inc., Matis Ltd., and Runtastic GmbH, respectively – target health measurement apps that “purport to measure vital signs or other indicators of health using only a smartphone’s camera and sensors, without any need for an external device.”

The Office of Attorney General (OAG) expressed concern that growing …

West Virginia University Medicine University Healthcare Patients Victims of Identity Theft

West Virginia University Medicine University Healthcare (WVUM) has confirmed that it is sending notification letters to over 7,400 of its patients seen at Berkeley Medical Center as a result of unauthorized access to their information. It further confirmed that 113 of its patients have become the victims of identity theft as a result of the theft of patient records by an employee of Berkeley Medical Center (Berkeley).

The Berkeley employee removed patient information from the premises of WVUM by writing the information on a pad. The FBI identified the link …

11th Circuit Invalidates Key Provisions in Florida Law Prohibiting Physician Inquiries About Patient Firearm Ownership

In Wollschlaeger v. Florida, No. 12-14009 (Feb. 16, 2017), the U.S. Court of Appeals for the Eleventh Circuit invalidated provisions of the Florida Firearms Owners’ Privacy Act that prohibited physicians from (i) asking patients if they (or their family members) own firearms or ammunition, (ii) documenting firearm ownership in patient medical records, and (iii) harassing patients about firearm ownership during examinations. The appellate court did not invalidate the Act’s antidiscrimination provision that prohibits physicians from discriminating against patients based solely on firearm ownership. Physicians who violated the Act were …

Florida Supreme Court Rejects PSQIA Preemption of Florida Constitution

On January 31, 2017, the Florida Supreme Court held that adverse medical incident reports produced in accordance with Florida law cannot constitute confidential and privileged patient safety work product (PSWP) under the federal Patient Safety & Quality Improvement Act of 2005 (PSQIA). In Jean Charles, Jr. et al. v. Southern Baptist Hospital of Florida, Inc. (No. SC15-2180), the Court endorsed a broad right of access under the Florida Constitution for patients to obtain adverse medical incident reports from health care facilities, a right commonly exercised by plaintiffs in medical malpractice …

Vanderbilt University Medical Center PHI Breached by Patient Transporters

Vanderbilt University Medical Center (VUMC) has announced that it will be sending breach notification letters to over 3,000 patients as a result of unauthorized access to PHI by two patient transporters.

According to the announcement, VUMC audited its medical records (as it is required to do by HIPAA), and found that two individuals who worked as patient transporters accessed 3,247 patient records between May of 2015 and December of 2016 and were unauthorized to do so. The information accessed included data from adults and minors, including names, dates of birth, …

Horizon BCBS of New Jersey Pays State $1.1 million for HIPAA violations

We often forget that state AGs have jurisdiction under the HIPAA Omnibus Rule to levy fines and penalties against HIPAA covered entities for violations, because the Office for Civil Rights has traditionally taken the primary role in enforcing HIPAA. But Horizon Blue Cross Blue Shield of New Jersey (Horizon) was reminded of the AG’s ability to enforce HIPAA when it recently agreed to pay a $1.1 million fine to the New Jersey Division of Consumer Affairs for an incident that occurred in November of 2013 involving the theft …

Joint Commission Bans Secure Text Messaging for Patient Care Orders

The Joint Commission recently clarified that patient care orders may not be transmitted by secure text message. The Joint Commission initially prohibited the practice in 2011 but subsequently allowed practitioners to send orders through a secure text messaging system if certain conditions were met. In this most recent clarification, The Joint Commission states that concerns remain even when using secure messaging platforms.

The clarification includes several recommendations developed by The Joint Commission in cooperation with the Centers for Medicare & Medicaid Services (CMS). In addition to the ban on secure …

W2 Phishing Scam Hits Citizens Memorial Hospital

We continue to see all industries hit with W2 phishing scams, including the health care industry.

Citizens Memorial Hospital, located in Bolivar, Missouri, was hit with the scam when one of its employees believed that an email received from another employee was legitimate, and sent the W2s of its employees from 2016 to a hacker. Usually, the W2s are used by the hackers to then file false tax returns seeking a quick tax refund before the taxpayer files his or her return.

Employees continue to fall victim to the scheme …

$5.5 Million HIPAA Settlement Emphasizes Importance of Audit Controls of Access by OHCA Affiliates

On February 16, 2017, the Office for Civil Rights (OCR) announced a $5.5 million settlement with South Broward Hospital District d/b/a Memorial Healthcare System (Healthcare System), to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Healthcare System is a nonprofit corporation that operates several hospitals, an urgent care center, a nursing home, and ancillary health care facilities throughout south Florida. The Healthcare System is also affiliated with physician offices through an Organized Health Care Arrangement (OHCA).…

HHS Delays Effective Date of New Part 2 Regulations

On February 15, 2017, the U.S. Department of Health & Human Services announced that it had delayed the effective date of the Substance Abuse and Mental Health Services final rule announced in January regarding the Confidentiality of Substance Abuse Disorder Patient Records (commonly known as the 42 C.F.R. Part 2 regulations). The final rule – which had been scheduled to take effect February 17, 2017 – will now take effect March 21, 2017.

HHS made this delay in accordance with the new administration’s “Regulatory Freeze Pending Review” memorandum issued January …

TCPA Violations Claimed Against San Diego Hospital

Rady Children’s Hospital-San Diego (Hospital) was hit with a proposed class action in California federal court this week for alleged violations of the Telephone Consumer Protection Act (TCPA) for autodialed debt-collection calls to consumers’ cell phones. The complaint states that “[the Hospital], either directly or through their agents, illegally contacted plaintiffs and the class members via their cellular telephones by using an ATDS [(i.e., an automated telephone dialing system)], thereby causing plaintiffs and the class members to incur certain cellular telephone charges or reduce cellular telephone time for which plaintiffs and …

Second Circuit Denies En Banc Rehearing in Microsoft Email Case

On January 24, 2016, the U.S. Court of Appeals for the Second Circuit denied the Department of Justice’s request for an en banc rehearing in In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corp. a/k/a Microsoft Corp. v. United States (No. 14-2985). The denial leaves in place a controversial decision by a three-judge panel that quashed a warrant obtained by the DOJ under the Stored Communications Act (SCA) seeking the contents of a Microsoft customer’s emails. The majority panel …

21st Century Cures Act – Implications for Investigators and Research Sites

Below is a summary of some of the key provisions relevant to investigators and research sites included in the recently enacted, bipartisan 21st Century Cures Act, including human subjects protections and the privacy and security of health information used in clinical research. Among other requirements, the Act:

  • requires the Department of Health and Human Services (HHS) to harmonize the U.S. Food and Drug Administration (FDA) Human Subjects Regulations with the HHS Human Subject Regulations (the Common Rule), which should help streamline research that falls under both sets of regulations;…

OCR’s HIPAA Guidance on Cloud Computing

On October 6, 2016, the Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance). The Guidance was intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance noted in part that:

  • CSPs that create, receive, maintain or transmit electronic protected health information (ePHI) are classified as “business associates” under HIPAA. If a covered entity or business associate uses a CSP to perform any of these functions, it must enter