Last week, the Consumer Electronics Association (“CEA”) announced its Guiding Principles on the Privacy and Security of Personal Wellness Data, a set of baseline, voluntary guidelines for private-sector organizations that handle the type of data often produced by wearable technologies. The Guiding Principles are categorized into eight areas and generally include the following recommendations: Security. Robust… Continue Reading
A new post on Covington’s Inside Medical Devices blog discusses a new portal recently launched by HHS seeking questions from mobile health application developers. The platform allows for individuals to both submit and review questions on the HIPAA implications of these mobile health applications. To read the post, click here.
The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system. The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016.
On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, available here, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct… Continue Reading
By Bianca Nunes
Cybersecurity vulnerability is becoming an increasing concern as medical devices are becoming more connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality… Continue Reading
Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies. The OTA is seeking comments on its draft framework by September 14. The framework acknowledges that not all requirements may be applicable… Continue Reading
May 2015 saw a number of developments in the EU mHealth sector worthy of a brief mention. The European Commission announced that it would work on new guidance for mHealth apps, despite the European Data Protection Supervisor and British Standards Institution publishing their own just weeks earlier. In parallel, the French data protection authority announced… Continue Reading
The Office of the National Coordinator for Health Information (ONC) recently released an updated Guide to Privacy and Security of Electronic Health Information. The guide aims to help individuals, providers, and the health IT community understand the role of HIPAA for interoperability of health information. This guide updates the previous version issued by the ONC… Continue Reading
As we discussed in two prior posts (here and here), the April 29, 2015, draft House 21st Century Cures bill would make several changes to federal health privacy law. This post focuses on provisions that would relax limitations on payment for PHI disclosed for research purposes and that would expand the purposes for which covered… Continue Reading
As we discussed in a prior post, the April 29, 2015, draft House 21st Century Cures bill would make several changes to federal health privacy law. This post focuses on provisions that would allow remote access to PHI for purposes preparatory to research and that would permit individuals to make a one-time authorization of the… Continue Reading
On April 29, 2015, the U.S. House Energy and Commerce Committee released a revised discussion draft of the 21st Century Cures Act (“Cures”). The Cures bill would make several changes to existing federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health… Continue Reading
A small Denver pharmacy agreed to a $125,000 settlement with the U.S. Department of Health and Human Services (HHS) after HHS alleged that the pharmacy failed to dispose of paper records that contained patient information in accordance with HIPAA. According to the Resolution Agreement, the HHS Office for Civil Rights (OCR) received a report from… Continue Reading
Just two days after disclosing publicly that it was “the target of a very sophisticated external cyber attack” in which the personal information of over 80 million customers was compromised, officials of Anthem Inc., the nation’s second largest health insurance company, are to brief staffers of the House Energy and Commerce Committee on the security breach. … Continue Reading
On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI. For more information about the briefing, visit Covington’s eHealth blog.
Many individuals are covered by health insurance but are not the policy holders for that coverage (e.g., the policy holder is a spouse or parent of the covered individual). Routine communications sent by insurers, such as explanation of benefit letters or denial of claims notices, are often sent to the policy holder and may contain… Continue Reading
In response to the recent Ebola outbreak and other events, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released guidance regarding the use and sharing of patient information in emergency situations. The guidance emphasizes that HIPAA requirements are not suspended during an emergency. However, the Privacy Rule includes several… Continue Reading
By Randall Friedland
According to a GAO report published September 16th, Healthcare.gov, the health insurance exchange rolled out last October, still has significant privacy weaknesses. Specifically, the report outlined that despite the Centers for Medicare & Medicaid Services’ (CMS) efforts to increase the security and privacy of data that it processes, maintains, and shares with… Continue Reading
As we have previously reported, in less than two weeks the FTC will host its anticipated workshop on big data and discrimination. Today the FTC announced a full agenda and panelists for the September 15th event, “Big Data: A Tool for Inclusion or Exclusion?” which will take place in Washington, D.C., at the Constitution Center. … Continue Reading
On Thursday, the White House Big Data Working Group, led by senior presidential advisor John Podesta, released a 79-page report that outlines a number of key observations and recommendations for privacy in both the private sector and government. Although the report does not create binding law, it provides insight into the administration’s priorities on a… Continue Reading
Recently, HHS Office of Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule. According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri. The center was… Continue Reading
This morning, the FTC announced that it would host a public workshop in September entitled “Big Data: A Tool for Inclusion or Exclusion?” in order to examine the increasing use of big-data analytics and its potential impact on low-income, diverse, and underserved American consumers. The FTC noted that while predictive-analytic techniques produce tremendous benefits by… Continue Reading
On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule. The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates. In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the… Continue Reading
Recently, the Workgroup for Electronic Data Interchange (WEDI) published a Breach Risk Assessment Issue Brief for stakeholders to use in analyzing whether a breach of protected health information (PHI) has occurred under the Health Insurance Portability and Accountability Act (HIPAA).
Background
Under HIPAA’s breach notification rule, covered entities and business associates are required to notify… Continue Reading
From electronic surveillance to healthcare privacy to drones, Congress is planning to consider a wide range of privacy legislation this year. The Edward Snowden leaks about the National Security Agency and the recent data breaches at retailers are likely to keep privacy and data security on the top of many lawmakers’ agendas. After the jump… Continue Reading