On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements, and to protect businesses that suffered a breach despite implementing cybersecurity safeguards from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages for an entity covered by the law in a tort action alleging that the entity’s inadequate cybersecurity controls resulted in a data breach, provided the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021. Continue Reading Connecticut Enacts Legislation to Incentivize Adoption of Cybersecurity Safeguards and Expand Breach Reporting Obligations

In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archiving and communication systems (PACS). PACS are used for the exchange and storage of health scans and images, such as MRIs, CT scans, breast imaging, and ultrasounds.

According to HHS’s Health Sector Cybersecurity Coordination Center (HC3), the vulnerable systems “can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continues to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Health care organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.”

It is estimated that 130 health systems have not patched their PACS systems and remain vulnerable.

HC3 recommended that “PACS security begins by checking and validating connections to ensure access is limited only to authorized users,” and that systems “should be configured in accordance with the documentation that accompanies them from their manufacturer. Internet connected systems should ensure traffic between them and physicians/patients is encrypted by enabling HTTPS.

“Furthermore, whenever possible they should be placed behind a firewall and a virtual private network should be required to access them.” According to HC3, “[T]he vulnerabilities associated with PACS systems range from known default passwords, hardcoded credentials and lack of authentication within third party software.”

Keeping up to date on patching vulnerabilities is vital to the security of patients’ health information, and health systems that have not yet patched the PACS vulnerabilities may wish to follow HC3’s recommendations.
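The HC3 advice quoted above amounts to an inventory review: find every PACS server, then confirm that each one is patched, uses only validated access, has moved off default or hard-coded credentials, serves HTTPS if it is internet-facing, sits behind a firewall, and requires a VPN. The script below is an added example, not code from the original post or from HHS/HC3, that turns those recommendations into a checklist run over an asset inventory. The record fields, hostnames, and the sample inventory are constructed assumptions about what such an inventory might contain.

```python
"""Review a constructed asset inventory against the HC3 PACS guidance.

Added example; the field names below are assumptions about what an
asset-inventory export might carry, and SAMPLE_INVENTORY is made-up data.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    role: str                          # e.g. "pacs", "ehr", "workstation"
    internet_facing: bool
    patched: bool                      # vendor patch for the PACS flaw applied
    https_enabled: bool                # traffic to physicians/patients encrypted
    behind_firewall: bool
    vpn_required: bool                 # remote access only over VPN
    default_credentials_changed: bool  # no default/hard-coded passwords left
    allowed_users_validated: bool      # connections checked against an access list


# Each check pairs a finding label with a predicate that is True when the
# control is MISSING. Order matters only for the report text.
CHECKS = [
    ("unpatched PACS server", lambda a: not a.patched),
    ("default or hard-coded credentials still in use",
     lambda a: not a.default_credentials_changed),
    ("access list not validated", lambda a: not a.allowed_users_validated),
    ("internet-facing without HTTPS",
     lambda a: a.internet_facing and not a.https_enabled),
    ("not behind a firewall", lambda a: not a.behind_firewall),
    ("reachable without VPN", lambda a: not a.vpn_required),
]

# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("pacs-01", "pacs", True, False, False, False, False, False, False),
    Asset("pacs-02", "pacs", True, True, True, True, False, True, True),
    Asset("pacs-03", "pacs", False, True, False, True, True, True, True),
    Asset("ehr-01", "ehr", False, True, True, True, True, True, True),
]


def find_pacs(assets):
    """Step one of the HC3 advice: identify every PACS system in inventory."""
    return [a for a in assets if a.role.lower() == "pacs"]


def review(assets):
    """Return {hostname: [missing control, ...]} for PACS hosts with gaps.

    Hosts with every control in place are omitted, so an empty dict means
    the inventory meets the checklist.
    """
    findings = {}
    for asset in find_pacs(assets):
        missing = [label for label, gap in CHECKS if gap(asset)]
        if missing:
            findings[asset.hostname] = missing
    return findings


def priority(findings):
    """Order hosts for remediation: unpatched servers first, then by gap count."""
    return sorted(
        findings,
        key=lambda h: ("unpatched PACS server" not in findings[h], -len(findings[h])),
    )


if __name__ == "__main__":
    result = review(SAMPLE_INVENTORY)
    for host in priority(result):
        print(f"{host}:")
        for item in result[host]:
            print(f"  - {item}")
```

Only internet-facing hosts are held to the HTTPS check, which is why the isolated `pacs-03` produces no finding; the VPN and firewall checks apply regardless, since HC3 recommends them "whenever possible" rather than only for exposed systems.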

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Below is an excerpt of a legal update co-authored with Robinson+Cole’s Environmental, Energy + Telecommunications Group partners Megan Baroni and Jon Schaefer.

On June 21, 2021, the Occupational Safety and Health Administration (OSHA) adopted its COVID-19 Healthcare Emergency Temporary Standard (ETS). Employers providing health care services will be required to comply with the new COVID-19-specific standards the ETS sets out. The ETS applies to all settings where any employee provides “healthcare services” or “healthcare support services.” Read the legal update.

Last week, Diabetes, Endocrinology & Lipidology Center Inc. (DELC) of West Virginia reached a $5,000 settlement with the Office for Civil Rights (OCR) over allegations that it failed to provide timely access to a patient’s health records. The OCR alleged that DELC waited more than two years to send a minor’s medical records to their parent, and that the records were sent only after the OCR opened an investigation in response to the parent’s complaint. This alleged failure to provide timely access was a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care providers to respond to a patient’s request for access to health records within 30 days.

This is the 19th settlement for alleged right-of-access violations.

In addition to the $5,000 payment, DELC has agreed to implement a corrective action plan and submit to two years of monitoring.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

The Office for Civil Rights (OCR) last week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.

The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR. Continue Reading OCR Announces Settlement with Clinical Lab for Alleged HIPAA Violations

On May 10, 2021, Connecticut Governor Ned Lamont signed into law “An Act Concerning Telehealth” (the “Act”). The Act extends, until June 30, 2023, many of the COVID-19 related telehealth expansions issued by Governor Lamont through executive orders. A press release from the Governor’s Office expressed the Act’s purpose to extend the duration of the expansion of telehealth services permitted by Executive Order 7G (for our previous analysis of Executive Order 7G, see here). Among other things, the Act:

  • Expands the types of providers that can provide telehealth services to include: physicians, physician assistants, physical therapists, chiropractors, clinical social workers, registered and advanced practice nurses, and others;
  • Until June 30, 2023, permits telehealth to be provided through audio-only technology and through store-and-forward technology;
  • Permits out-of-state licensed providers to provide telehealth services in Connecticut as long as they are providing such services pursuant to a relevant order issued by the Connecticut Commissioner of Public Health and maintain proper professional malpractice insurance;
  • Outlines the scope of permitted telehealth prescribing practices to permit prescribing schedule II and III non-opioid controlled substances for the treatment of a person with a psychiatric disability or substance use disorder;
  • Prohibits facility fees associated with telehealth services;
  • Allows providers to provide telehealth services from any location; and
  • Requires providers to accept as payment in full for telehealth services: (a) An amount equal to the Medicare reimbursement for such services if the provider determines the patient does not have health coverage for such services; or (b) The amount the patient’s health coverage reimburses, and any coinsurance, copayment, deductible or other out-of-pocket expense imposed by the patient’s health coverage, for such services if the provider determines the patient has health coverage for such services.

Connecticut’s Legislature has taken an interesting step in passing legislation that extends a COVID-19 related emergency order beyond the Governor’s emergency declaration. As states continue to ease restrictions and governors’ emergency powers end, it will be interesting to observe what emergency orders states’ legislatures extend or even make permanent. The Act is effective upon passage and lasts until June 30, 2023.

Below is an excerpt of an article co-authored with the Robinson+Cole Construction Law Group and published in Healthcare Facilities Today on March 31, 2021.

The need to update and implement new processes for delivering healthcare in response to the COVID-19 pandemic has resulted in the adoption of more automation, remote access and monitoring technologies. It also has brought data analytics into treatment and the patient environment. Healthcare providers have shifted from traditional waiting rooms and in-person visits for routine needs to remote check-ins, check-ups and updates via personal health record applications.

Providers increasingly rely on smart grid technologies, cloud computing, medical devices and health monitors connected via the internet of things (IoT), bio-sensing wearables, touchless technology, telehealth, online scheduling applications, electronic health records, virtual and remote triages, AI-based predictive analytics and machine learning, and most recently, interactive floor-plan images used by regulatory inspectors.

These technologies and care-delivery approaches depend on seamlessly connected systems and instant access to data, a combination that creates a recipe for cyber vulnerability. Decades of HIPAA and extensive penalties for non-compliance ensure that healthcare organizations are cognizant of their obligations to maintain the privacy of their patients’ personally identifiable information. Read the full article.

This post is also being shared on our Construction Law Zone blog. If you’re interested in getting updates on current developments and recent trends in all areas of construction law, we invite you to subscribe to the blog.

On March 14, 2021, Connecticut Governor Lamont issued Executive Order 10C (EO 10C), which extends provisions of Public Act 20-2 (PA 20-2), a law passed by the Connecticut legislature in July 2020 that “provided additional flexibility for the delivery of telehealth services and insurance coverage of these services” but was scheduled to expire March 15, 2021. As a result of EO 10C, the provisions of PA 20-2 that were scheduled to expire on March 15 will remain in effect through April 20, 2021, in part to give the state legislature more time to “address the ongoing need for” expanded access to telehealth services. Continue Reading Connecticut Extends Expansion of Access to Telehealth Services

On January 28, 2021, the Department of Health and Human Services (HHS) issued a Fifth Amendment to HHS’s Declaration under the Public Health Readiness and Emergency Preparedness Act (PREP Act) that provides liability immunity to certain individuals and entities arising from the manufacturing, distribution, administration or use of medical countermeasures (e.g., therapeutics and vaccines) against COVID-19. Continue Reading COVID-19 Vaccine Update: HHS Expands Pool of Eligible Vaccinators under PREP Act

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals. Continue Reading Excellus Health Plan Pays $5.1M to OCR in Settlement Following Data Breach