On April 11, 2023, U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced its plan for termination of the existing notifications of enforcement discretion related to the expiration of the COVID-19 public health emergency (PHE) on May 11, 2023.
Throughout 2021, we closely monitored the latest privacy laws and a surge of privacy, cybersecurity, and data asset management risks that affect organizations, small and large. As these laws continue to evolve, it is important for companies to be aware and compliant. We will continue to monitor these trends for 2022.
The attorneys of the Privacy, Cybersecurity & Data Asset Management group have written on a wide range of notable developments and trends that affect employers and health care providers. In case you missed any, we have assembled a recap of our top 10 blog posts of 2021, with links to each, below:
Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate. These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.
On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million). This enforcement action resolved an investigation concerning potential violations of the HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people. The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months. Similarly, on September 23, 2020, a business associate providing IT and health information management services to hospitals and physician clinics entered into a settlement ($2.3 million) with OCR for potential violations of the HIPAA Privacy and Security Rules related to a breach affecting over 6 million people. Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls.
For those healthcare employers that have been resting on their laurels and viewing their entity’s HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health) compliance efforts through rose-colored glasses, the time has come to thoroughly clean those glasses and prepare for increased Office for Civil Rights (“OCR”) enforcement actions. Speaking at the recent National HIPAA Summit, the OCR’s Director, Leon Rodriguez, announced that the OCR intends to follow the Office of Inspector ...