On April 12, 2023, the U.S. Department of Health & Human Services (HHS) released a Notice of Proposed Rulemaking (Proposed Rule) that seeks to enhance safeguards of reproductive health care information through changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposal is intended to align with President Biden’s Executive Order

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued new guidance (Guidance) on the use of remote communication technologies to deliver audio-only telehealth in accordance with HIPAA. Per OCR, the Guidance is intended to ensure continued access for patients to audio-only telehealth in a secure and compliant manner, particularly once OCR’s notification of enforcement discretion (previously discussed here) tied to the COVID-19 pandemic is rescinded (i.e., once the HHS-declared COVID-19 public health emergency is ended).
Continue Reading HHS Issues HIPAA Guidance to Support Audio-Only Telehealth Services

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements and to offer businesses that have been the subject of a breach despite implementing cybersecurity safeguards protection from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action against an entity covered by the law alleging that inadequate cybersecurity controls resulted in a data breach, if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.
Continue Reading Connecticut Enacts Legislation to Incentivize Adoption of Cybersecurity Safeguards and Expand Breach Reporting Obligations

In a long-awaited decision concerning the confidentiality of medical records and patient privacy, the Connecticut Supreme Court recently concluded that the physician-patient relationship establishes a duty of confidentiality to a patient in Connecticut, and that unauthorized disclosure of confidential information obtained for the purpose of treatment in the course of that relationship gives rise to a cause of action in tort, unless the disclosure is otherwise permitted by law.

In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the Court considered – for a second time – the legal implications arising from the defendant’s mailing of the plaintiff’s medical records in 2005 to a probate court in response to a subpoena without providing notice to the plaintiff, filing a motion to quash the subpoena, or appearing in court as requested under the subpoena. Previously, in 2014, the Court held that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) did not preempt state law negligence claims arising from the alleged breach of confidentiality by the defendant in this case, and further that the HIPAA privacy and security standards can inform the applicable standard of care to the extent it is common practice in Connecticut for health care providers to comply with HIPAA. In that decision, the Court expressly reserved judgment as to whether Connecticut law actually recognized a negligence action arising from a health care provider’s alleged breach of its duty of confidentiality to a patient. In this case, the Court was tasked with resolving that question after a trial court subsequently granted summary judgment for the defendants on remand following the Court’s 2014 decision. In granting summary judgment, the trial court explained that no Connecticut court had previously recognized a common-law privilege for physician-patient communications, and that such a determination was better left to the Supreme and Appellate courts or the legislature.
Continue Reading Connecticut Supreme Court Recognizes Common-Law Cause of Action for Unauthorized Disclosure of Confidential Medical Information

In Wollschlaeger v. Florida, No. 12-14009 (Feb. 16, 2017), the U.S. Court of Appeals for the Eleventh Circuit invalidated provisions of the Florida Firearms Owners’ Privacy Act that prohibited physicians from (i) asking patients if they (or their family members) own firearms or ammunition, (ii) documenting firearm ownership in patient medical records, and (iii) harassing patients about firearm ownership during examinations. The appellate court did not invalidate the Act’s antidiscrimination provision that prohibits physicians from discriminating against patients based solely on firearm ownership. Physicians who violated the Act were subject to disciplinary action by the Florida Board of Medicine, which promulgated regulations in 2014 and 2016 setting forth mandatory penalties for violations.
Continue Reading 11th Circuit Invalidates Key Provisions in Florida Law Prohibiting Physician Inquiries About Patient Firearm Ownership