Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Category Archives: Health Privacy


GAO Report Outlines Healthcare.gov’s Ongoing Privacy Issues

Posted in Health Privacy

By Randall Friedland

According to a GAO report published September 16th, Healthcare.gov, the health insurance exchange rolled out last October, still has significant privacy weaknesses. Specifically, the report outlined that despite the Centers for Medicare & Medicaid Services’ (CMS) efforts to increase the security and privacy of data that it processes, maintains, and shares with… Continue Reading

Schedule of Panelists for FTC’s Upcoming Big Data & Discrimination Workshop

Posted in Advertising & Marketing, Emerging Technologies, Federal Trade Commission, Health Privacy, Marketing, United States

As we have previously reported, in less than two weeks the FTC will host its anticipated workshop on big data and discrimination.  Today the FTC announced a full agenda and panelists for the September 15th event, “Big Data: A Tool for Inclusion or Exclusion?” which will take place in Washington, D.C., at the Constitution Center. … Continue Reading

Ten Key Take-Aways From the White House Big Data Report

Posted in Health Privacy, Privacy Policies, United States

On Thursday, the White House Big Data Working Group, led by senior presidential advisor John Podesta, released a 79-page report that outlines a number of key observations and recommendations for privacy in both the private sector and government.  Although the report does not create binding law, it provides insight into the administration’s  priorities on a… Continue Reading

Two HIPAA Settlements Follow Stolen Laptops

Posted in Health Privacy

Recently, HHS Office of Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule.  According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri.  The center was… Continue Reading

FTC to Examine Impact of “Big Data” on Low-Income and Underserved Communities

Posted in Federal Trade Commission, Marketing, United States

This morning, the FTC announced that it would host a public workshop in September entitled “Big Data: A Tool for Inclusion or Exclusion?” in order to examine the increasing use of big-data analytics and its potential impact on low-income, diverse, and underserved American consumers.  The FTC noted that while predictive-analytic techniques produce tremendous benefits by… Continue Reading

HHS Releases New Tool to Assist with HIPAA Risk Assessments

Posted in Health Privacy

On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule.  The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates.  In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the… Continue Reading

WEDI Issues Guidance for Assessment of Potential Breaches under HIPAA

Posted in Health Privacy

Recently, the Workgroup for Electronic Data Interchange (WEDI) published a Breach Risk Assessment Issue Brief for stakeholders to use in analyzing whether a breach of protected health information (PHI) has occurred under the Health Insurance Portability and Accountability Act (HIPAA).

Background: Under HIPAA’s breach notification rule, covered entities and business associates are required to notify… Continue Reading

FTC Announces Settlement With Accretive Health Over Data Breach

Posted in Data Breaches, Data Security, Health Privacy

The Federal Trade Commission (FTC) recently announced a settlement with Accretive Health, Inc., a provider of medical billing and revenue management services to hospitals.  The FTC’s complaint alleged that Accretive failed to provide reasonable and appropriate security for consumers’ personal information, and this failure constituted an unfair act or practice in violation of Section 5… Continue Reading

HHS Issues Proposed Rule on HIPAA and Firearm Background Check Reporting

Posted in Health Privacy

By Rachel Grunberger and Anna Kraus

On January 7, 2014, the Department of Health and Human Services (HHS) published a notice of proposed rulemaking to modify the HIPAA Privacy Rule to expressly allow certain disclosures to the National Instant Criminal Background Check System (NICS).  As we previously reported, this was one of the executive actions in… Continue Reading

House Republicans Signal Push for Data Breach Legislation

Posted in Congress, Data Breaches, Health Privacy

In the wake of the recent Target Corp. credit card data breach, Congress is once again turning its attention to data breach legislation. In a memorandum to Republican lawmakers on January 2, House Majority Leader Eric Cantor (R-Va.) stated that he intends to schedule legislation on security and breach notification requirements for federally facilitated healthcare… Continue Reading

HHS Announces First HIPAA Settlement Based on Lack of Breach Notification Policies and Procedures

Posted in Health Privacy

By Rachel Grunberger and Anna Kraus

On December 27, 2013, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a HIPAA settlement with Adult & Pediatric Dermatology, P.C. (APDerm), a private dermatology practice with locations in Massachusetts and New Hampshire.  According to HHS, this is the first settlement… Continue Reading

HHS OIG Releases Report on HIPAA Enforcement Efforts

Posted in Health Privacy

Recently, the Office of Inspector General (OIG) at HHS released a report on the HIPAA enforcement efforts of HHS’s Office for Civil Rights (OCR).  Specifically, the OIG looked at whether OCR’s efforts to enforce HIPAA’s Security Rule were adequate.  The OIG’s findings may lead to increased enforcement efforts by OCR.  Background on the Security Rule… Continue Reading

Key Takeaways from Last Week’s FTC Workshop on Native Advertising: Many Questions and Few Answers

Posted in Marketing, Social Media, Uncategorized

By Katharine Goodloe and Morgan Kennedy

Last week, the FTC hosted a public workshop on native advertising to examine how best to address occasions in which certain media outlets blur the traditional line between advertisements and editorial content.  The workshop brought together a collection of brand-name companies that use native advertising, content-placement companies that help… Continue Reading

FTC to Hold Seminars on Mobile Device Tracking, Alternative Scoring, and Consumer Health Information

Posted in Federal Trade Commission, Financial Privacy, Health Privacy, United States

The Federal Trade Commission (“FTC”) announced today that it will hold a series of three seminars in the spring focused on retail tracking, alternative scoring, and consumer health information.  The seminars are designed to shed light on new trends in big data and their impact on consumer privacy, according to the FTC.  The seminars will… Continue Reading

CA Governor Signs Bill Providing Online Protections For Minors

Posted in Advertising & Marketing, Children's Privacy, Marketing, Online, Social Media, State Legislatures, United States

Earlier this month, we blogged about the California Senate’s passage of the bill titled “Privacy Rights for California Minors in the Digital World”, which prohibits certain targeted advertising to California minors and requires that minors be allowed to delete materials they have posted online.  Yesterday, California Governor Jerry Brown signed the legislation, and it will… Continue Reading

HHS Issues Guidance on Refill Reminders under HIPAA

Posted in Health Privacy, Marketing

On September 19, HHS released additional guidance on the “refill reminder exception” in HIPAA, which allows, in some circumstances, paid communications regarding a drug or biologic currently prescribed to a patient.

Background: In January 2013, HHS finalized new restrictions on marketing as part of the final omnibus rule implementing changes to HIPAA under… Continue Reading

HHS to Issue Guidance on HIPAA Marketing Restrictions

Posted in Health Privacy, Litigation, Marketing

In a court filing on September 11, 2013, attorneys for the U.S. Department of Health and Human Services (HHS) announced that HHS intends to issue further guidance on certain new marketing restrictions under HIPAA, finalized last January as part of the final HITECH omnibus rule, and to delay enforcement of those new marketing restrictions until… Continue Reading

US Information Security and Privacy Board Expresses Concerns about Management of Cybersecurity in Wireless Medical Devices

Posted in Cybersecurity, Health Privacy

The US Information Security and Privacy Board (ISPAB) voiced concerns over potential harms resulting from a lack of controlled management of cybersecurity in wireless medical devices in response to FDA’s  draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”  ISPAB operates under the National Institute of Standards and Technology (NIST) in its… Continue Reading

HHS Announces $1.7 Million HIPAA Settlement With WellPoint

Posted in Health Privacy

On July 11, the Department of Health and Human Services (HHS) announced that WellPoint, a managed care company, paid HHS $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules.  Like other recent enforcement actions, HHS initiated its investigation into WellPoint after the company provided notification of a breach of unsecured protected… Continue Reading

HHS Releases Unofficial Set of Combined HIPAA Regulations

Posted in Health Privacy, United States

On June 11, the Department of Health and Human Services released an unofficial version of all of the HIPAA regulatory standards in one document.  The combined regulation text includes the following HIPAA standards: Transactions and Code Set Standards; Identifier Standards; Privacy Rule; Security Rule; Enforcement Rule; Breach Notification Rule. The document reflects the changes in… Continue Reading

HHS Settles HIPAA Privacy Case With California Medical Center

Posted in Health Privacy, United States

By Rachel Grunberger and Anna Kraus

The Department of Health and Human Services (HHS) announced on June 14 that it reached a settlement with Shasta Regional Medical Center (SRMC) in California over potential violations of the HIPAA Privacy Rule.  Under the settlement, SRMC agreed to pay $275,000 and implement a comprehensive corrective action plan (CAP)… Continue Reading