On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals – becoming the first ransomware agreement OCR has reached as well.Continue Reading OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

Last month, Washington Governor Jay Inslee signed the My Health My Data Act (“MHMDA” or the “Act”) into law. While the Act is not a comprehensive privacy law, it extends many protections to Washington residents (“consumers”) regarding certain personal information. The MHMDA’s unique features are unlike any privacy law we have seen in the last few years – making this law arguably the most impactful U.S. privacy legislation since the CCPA. Here is what you need to know. Continue Reading What You Need to Know About Washington State’s New “My Health My Data” Act

The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.Continue Reading Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies

The answer is simple; delete it (unless retention is required by law or contract)! Virtually every company processes personal data in some form or fashion. The term “processing” is defined broadly under most data protection laws to mean “any operation or set of operations which is performed on personal data.” The general rule is that when a business’ processing of personal data is complete, the data must be returned or deleted. Typically, data deletion arises:

  • when required contractually (i.e., in data processing agreements to comply with applicable data protection laws such as Europe’s General Data Protection Regulation’s (“GDPR”) Article 28(3)(g));
  • when requested by data subjects exercising their “right to be forgotten”/deletion/erasure under applicable data protection laws.  This means that, in some cases, even if a company’s processing of personal data is incomplete, the processing can be cut short if a person requests that their data be deleted.; and/or
  • as a requirement to do business with other companies. In some instances, data deletion or a process for deletion must exist to do business with other entities. For example, Facebook requires companies to have a policy/process for individuals to request their data be deleted (even if there is no applicable law imposing this requirement on the company) if a company wants individuals to create an account on the company’s website using their Facebook credentials.

Continue Reading I’m Done With My Data, Now What?

Following the publication of the U.S. Supreme Court opinion in Dobbs v. Jackson Women’s Health Organization, on June 29, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS) issued guidance regarding disclosures of protected health information (PHI) concerning reproductive health procedures such as abortion. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule governs the disclosure of PHI by most health care providers, as well as employer-sponsored health plans, (Covered Entities), generally restricting the use or disclosure of PHI without the individual’s authorization other than in specifically excepted circumstances. Specifically, HIPAA does permit Covered Entities to disclose PHI without a patient’s authorization (or in some instances, notice and an opportunity to object), including 1) Disclosures required by law; 2) Disclosures for law enforcement purposes; and 3) Disclosures to avert a serious threat to health or safety. In the guidance, HHS notes that under each of these exceptions, HIPAA permits but does not require disclosure of PHI by a Covered Entity. HHS further reasserts that any disclosure made pursuant to one of the above permitted disclosures must be limited to the minimum PHI necessary to respond to the permitted disclosure request.
Continue Reading A HIPAA Right to Privacy Remains: Federal Government Issues Guidance and Orders Following Supreme Court Decision in Dobbs

In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).

First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health-related, does not get the protections of HIPAA.
Continue Reading HIPAA: Its Confidentiality Protections (And Limits)

The town of Westport, Connecticut, is the latest administration to face the challenge of balancing privacy concerns while combating the COVID-19 pandemic. By April 17, 2020, there were 183 confirmed cases of COVID-19 in Westport. For the sake of public health, Westport announced its intent to collaborate with the company Draganfly to use drone technology to monitor social distancing. Draganfly’s drones are allegedly able to detect fevers, heart and respiratory rates, and people sneezing and coughing. The drones would aid in the fight against COVID-19 by alerting officials of any locations where crowds were not properly social distancing, using biometric readings to analyze population patterns.

Photo credit:  Draganfly Screenshot as reported in Hartford Courant, April 23, 2020.  Continue Reading Connecticut Town’s Drone Program Grounded: What Businesses Can Learn from Latest Battle Balancing Privacy and the Public Good

The Office for Civil Rights (OCR) announced a settlement agreement for $5.5 million dollars with Florida’s Memorial Healthcare Systems (MHS) stemming from allegations it failed to protect patient data. The privacy violation arose out of the unauthorized access of 115,143 patients by MHS employees. The information that was compromised consisted of names, dates of birth and social security numbers. A majority of these impermissible actions occurred when a former employee’s login credentials were used from 2011-2012 which affected 80,000 individuals.
Continue Reading HIPAA’S Privacy Rule: Having a Policy – But Not Enforcing It – Costs Provider $5.5 Million

The Office of Civil Rights (OCR) first HIPAA settlement of 2017 is based on a failure to report a breach of health information in a timely manner. The settlement was reached with Presence Health, a large health care network that operates in approximately 150 locations in Illinois. Presence Health has agreed to settle the potential violations by paying a fine of $475,000 and implementing a corrective action plan to deal with this problem in the future.

The settlement stems from
Continue Reading OCR Penalizes Slow Data Breach Response

On Monday, March 21, 2016, the Health and Human Services Office for Civil Rights (“OCR”) began the long-awaited Phase II of OCR’s random audit program to determine compliance with the patient privacy provisions included in the Health Insurance Portability and Accountability Act (“HIPPA”). As we discussed earlier here, these audits will extend beyond simply covered entities and will also include business associates.

Covered entities and business associates will receive an email from OCR entitled “Audit Entity Contact Verification.”  This
Continue Reading HIPAA Phase II Audits Begin