On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements and to offer businesses that have been the subject of a breach, despite implementing cybersecurity safeguards, protection from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.
Continue Reading Connecticut Enacts Legislation to Incentivize Adoption of Cybersecurity Safeguards and Expand Breach Reporting Obligations

On November 20, 2020, the Department of Health & Human Services (HHS) released heavily anticipated final rules revising the regulatory exceptions to the Physician Self-Referral Law (also known as the Stark Law), the Anti-Kickback Statute (AKS) safe harbors, and the Beneficiary Inducements Civil Monetary Penalties (CMP) regulations. The changes to the regulations go into effect on January 19, 2021 (except for one change to the Physician Self-Referral Law that becomes effective January 1, 2022). In a separate rule also released November 20th, HHS removed safe harbor protection for rebates involving prescription pharmaceuticals and created a new safe harbor for certain point-of-sale reductions in price on prescription pharmaceuticals and pharmacy benefit manager service fees.

The full text of each rule is available below.

Continue Reading Physician Self-Referral Law (Stark), Anti-Kickback Statute, and Beneficiary Inducement CMPs – HHS Releases Final Rules

On August 24, 2020, the Centers for Medicare & Medicaid Services (CMS) announced an “extension of the timeline” for publication of a final rule addressing changes to the Physician Self-Referral Law (or Stark Law) regulations. In its announcement, CMS set a new deadline of August 31, 2021 for publication of a final rule.
Continue Reading CMS Extends Timeline for Finalizing Changes to Physician Self-Referral (Stark) Law Regulations to August 2021

Just before the new year, the Department of Health and Human Resources (HHS) released voluntary cybersecurity practices for health care organizations, which consist of a main document, two technical volumes, and resources and templates that were compiled by more than 150 cybersecurity and health care experts.
Continue Reading HHS Issues Cybersecurity Practices for Health Care Industry

On December 28, 2016, the Food and Drug Administration (FDA) issued guidance on Postmarket Management of Cybersecurity in Medical Devices. The guidance clarified aspects of the reporting requirements under Part 806 (21 CFR part 806), which require device manufacturers and importers to report certain device corrections and removals to the FDA. Most actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “routine updates and patches” that do not require advance notification or reporting. However, actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health must be reported to the Agency. The guidance:

  • Clarified the changes to devices that are considered cybersecurity routine updates and patches (e.g., certain actions to maintain a controlled risk to health); and
  • Outlined circumstances where FDA does not intend to enforce reporting requirements under Part 806 for specific vulnerabilities with uncontrolled risk.

Continue Reading FDA Guidance on Cybersecurity in Medical Devices