On April 26, 2024, the Federal Trade Commission (FTC) announced that it had finalized changes to the Health Breach Notification Rule (HBNR). These changes, which go into effect on June 25, 2024, are intended to modernize aspects of the HBNR such that the HBNR applies to entities not covered under the Health Insurance Portability and Accountability Act (HIPAA). The updated HBNR follows the FTC’s previously stated intention in a 2021 policy statement to broaden the interpretation of the HBNR to address the growing number of digital health applications, websites, and consumer-facing technology that were not subject to HIPAA. The scope of the finalized rule therefore aims to apply the HBNR to health care technology and digital health companies that obtain personal health records (PHR) and PHR identifiable health information.
Illinois Supreme Court: Collection of Biometric Data for Health Care Treatment, Payment, or Operations Is Exempt from BIPA
On November 30, 2023, the Illinois Supreme Court issued a much-anticipated decision in Mosby v. The Ingalls Memorial Hospital, answering a certified question about whether biometric information collected from health care workers is protected by the Illinois Biometric Information Privacy Act (BIPA) if that information is used for purposes related to health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Court ruled that when health care worker data is collected for purposes of health care treatment, payment, or operations under HIPAA, the information is excluded from protection under BIPA.
Mosby involved a putative class action claim brought by nurses whose biometric information allegedly was collected to identify them before dispensing medication to patients. The trial court and Illinois Appellate Court had ruled that these collections were covered by BIPA because BIPA’s exclusions for “health care treatment, payment, or operations under HIPAA” were directed at protecting patient data, not health care worker data.
GDPR in the USA? New State Legislation Is Making This Closer to Reality
The European Union’s General Data Protection Regulation (“GDPR”) is widely described as the toughest privacy and security law in the world: it has a wide reach and imposes heavy fines on those who violate its privacy and security standards (which are quite broad). The impact of the GDPR has been felt in the United States since it went into effect in 2018, and now lawmakers in numerous U.S. states are moving to enact similar legislation. The California Consumer Privacy Act (“CCPA”) was the first instance of the GDPR’s impact in the United States, as California put in place a statute and regulations that mirror the GDPR in several respects. Now Virginia has set in motion what could be a year-long string of states enacting similar legislation. In particular, Washington and New York have proposed legislation following the framework of the CCPA. This article compares the CCPA to the newly enacted and proposed privacy laws in the United States.
HIPAA Civil Penalty Annual Limits Plummet
Recognizing that different levels of culpability warrant different annual civil penalty limits, the Department of Health and Human Services issued a notification on April 23, 2019, to be published in the Federal Register on April 30, 2019, that reduces the majority of the caps on annual civil penalties. See 45 C.F.R. Part 160.
OCR: Ransomware Attack Often Is a Data Breach
It’s been a while since we last published for our firm blog Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We’ve learned many lessons from these attacks that we plan to share with our readers over the coming months. But the focus of this post is recent guidance from the Office for Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information (PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.
Often in ransomware matters, a hacker encrypts data and demands that a ransom be paid (usually in Bitcoin) before the hacker will decrypt the data and make it once again accessible to the data owner (or covered entity) or maintainer (or business associate). But just because a hacker has frozen your data, does that mean that the hacker has accessed, acquired or exfiltrated your data? Isn’t it possible that a hacker could freeze your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (and thus your house inaccessible to you without a forced break-in) without actually accessing your house, acquiring anything within your house, or taking anything out of your house? It would seem that the answer would be yes. But if the OCR is asked that question, the presumption is that the answer is no, at least in the realm of ransomware attacks.
Data Breach Risks and Best Practices for Small and Mid-Size Health Care Providers
As published in State Bar of Michigan Health Care Law Section
“In recent years, the likelihood of suffering a data breach has risen significantly for American companies across numerous industries. Health care providers, in particular, have been targeted due to the value of the sensitive information they hold regarding their patients and employees, including birth…
Delay of HIPAA Phase Two Audits: Preparing for the Inevitable
The American Recovery and Reinvestment Act of 2009 (ARRA) tasked the Office for Civil Rights (OCR) (the division of the Department of Health and Human Services responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) and the regulations promulgated under it) with conducting audits of covered entities and business associates for compliance with HIPAA. Phase One concluded in 2012, and covered entities and business associates have since been waiting for the rollout of Phase Two. The Phase Two audits will be the first time business associates may find themselves face-to-face with OCR, as Phase One audits did not include business associates. The protocol for Phase Two audits is to include changes to the regulations from the 2013 Omnibus Final Rule, which vastly expanded the types of entities falling within the definition of “business associate” and implemented regulations prescribed by the Health Information Technology for Economic and Clinical Health Act (HITECH) subjecting business associates to liability under HIPAA for compliance with the Security Rule and most of the Privacy Rule.
Phase Two audits were expected to begin in late 2014, but Jocelyn Samuels, the Director of OCR, recently announced that budgetary and staffing considerations have further delayed the rollout of Phase Two audits. Without specifying a date on which the Phase Two audits would commence, Ms. Samuels did not downplay the imminence of such audits, explaining that the audits would begin “expeditiously.”