The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.
On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.
This month’s post focuses on how timely FDA decisions are in categorizing new diagnostics under the Clinical Laboratory Improvement Amendments of 1988 (CLIA). The answer is that, on average, the agency does okay, but they also sometimes may miss their own guideline by a wide margin. I use the word “may” there because the FDA data set is inadequate to support a firm conclusion. I’ll explain more about that below, but this is another case of FDA releasing incomplete data that frustrates data analytics.
In this episode of the Diagnosing Health Care Podcast: How does the U.S. Department of Justice (DOJ) intend to leverage its enforcement authority under the False Claims Act to advance DOJ’s recently announced Civil Cyber-Fraud Initiative?
On March 22, 2022, the Occupational Safety and Health Administration (OSHA) announced that it had partially reopened the comment period for its permanent standard to protect health care and health care support workers from exposure to COVID-19 in the workplace.
On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.
In this episode of the Diagnosing Health Care Podcast: The interoperability and information-blocking rules have imposed new regulations and requirements on health information exchanges (HIEs). How are HIEs responding to these new regulations in a space they have been in for decades? In this episode of our special series on interoperability, hear from Dan Paoletti, CEO of the Ohio Health Information Partnership.
From our Thought Leaders in Health Law video series: The U.S. Department of Justice (DOJ) collected $5.6 billion in False Claims Act recoveries in fiscal year (FY) 2021.
That is over twice as much as 2020, and a record 90 percent of the total was collected from the health care and life sciences industries.
I recommend against relying on any data I provide in today’s post. I hope the data are at least somewhat accurate. But they are not nearly as accurate as they should be, or as they could be, if FDA just released a key bit of information they have been promising to share for years.
One of the ways data scientists can provide insights is by grafting together data from different sources that paint a picture not seen elsewhere. What I want to do is join the clinical trial data at www.clinicaltrials.gov with the data maintained by FDA of approved drugs, called drugs@FDA. But I can’t, at least not with much accuracy.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged a “Shields Up” defense-in-depth approach as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record, rendering the device inoperable. The wipers effectuate a denial-of-service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risk of a spillover effect to Europe and the United States is now escalating, particularly as to: (i) targeted cyber attacks, including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading, indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya,” which was attributed to the Russian military and targeted Ukrainian organizations in 2017, but then quickly spread around the world, reportedly resulting in over $10 billion in damage.[1] The researchers added that the current wiper includes further components designed to inflict damage.