Health Law Advisor

On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

On January 5, 2020, HR 7898, became law amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit results or mitigation remedies. The new law provides a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying ...

As employers continue their efforts to safely bring employees back to the workplace, many have moved beyond initial pre-entry wellness checks or questionnaires and are considering technology solutions that monitor social distancing and conduct contact tracing in real-time. Along with introducing these enhanced capabilities, the question of the privacy and security of employee personally identifiable information (“PII”) and protected health information (“PHI”) continues to loom.

In order to isolate and contain the spread of COVID-19, one critical component of an ...

The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

AI cybersecurity tools can enable organizations to improve data security by detecting and thwarting potential threats through automated systems that continuously monitor network behavior and identify network abnormalities.  For example, AI may offer assistance in breach prevention by proactively ...

Consumer privacy protection continues to be top of mind for regulators given a climate where technology companies face scrutiny for lax data governance and poor data stewardship.  Less than a year ago, California passed the California Consumer Privacy Act (CCPA) of 2018, to strengthen its privacy laws.  In many regards, the CCPA served as a watershed moment in privacy due to its breadth and similarities to the E.U. sweeping General Data Protection Regulation (GDPR) law.

Yet, California continues to push the envelope further.  Recently, California State Senator Jackson and Attorney ...

Recent comments by the Federal Trade Commission (FTC) Commissioner Rohit Chopra should have companies on notice for increased enforcement actions across the board. During the “Privacy. Security. Risk.” Conference in Texas last week, Chopra made comments regarding his views on increasing enforcement, including the imposition of greater civil monetary penalties. “I’ve already raised concerns about settlements we do with no monetary penalties. I want to see monetary consequences for egregious breaking of the law” said Chopra as reported by the IAPP during a live ...

Our colleague Stuart M. Gerson at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”

Following is an excerpt:

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space ...

Our colleague Stuart M. Gerson at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers in the health care industry: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare."

Following is an excerpt:

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health ...

The U.S. Department of Health and Human Services, Office of Civil Rights ("OCR"), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information ("PHI") that affect fewer than five-hundred (500) individuals.

It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR's new initiative to investigate smaller breaches as well.  OCR ...

By Arthur J. Fried, Patricia M. Wagner, Adam C. Solander, Evan Nagler, and Jonathan Hoerner

On September 2, 2015, the U. S. Department of Health and Human Services ("HHS") announced a $750,000 settlement with Cancer Care Group, P.C. ("CCG"), a radiation oncology practice in Indiana, for Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules violations. The alleged violations occurred in 2012, but a subsequent HHS Office for Civil Rights (OCR) investigation led to allegations from OCR that there was a lack of compliance with HIPAA Privacy and ...

Tuesday, March 24, 2015 at 12:00 p.m. – 1:00 p.m. EDT

The past year has demonstrated that no organization is immune to security incidents that could affect its employees, customers, and reputation.  Understanding the complex legal framework governing data privacy and developing a plan to mitigate risk can be the difference between an incident and a disaster.

Join Epstein Becker Green's Privacy & Security Practice for a comprehensive overview of data breach priorities impacting organizations that deal in electronic data.  Presenters will identify strategies to prepare for and ...

By Evan J. Nagler

The State of the Union Address, scheduled for January 20, 2015, will contain new initiatives related to privacy, White House officials say. The known initiatives are the introduction of a data breach reporting bill, a bill restricting the sale of student information, and a Consumer Privacy Bill of Rights.

SETTING A NATIONAL DATA BREACH REPORTING STANDARD

President Obama is planning on introducing a data breach bill that would standardize the reporting period nationwide at 30 days. The proposed Personal Data Notification and Protection Act would require ...