Photo of Tara Carrier

Tara Carrier

Tara Carrier is an associate in Covington’s Boston office, where she is a member of the Health Care and White Collar Defense and Investigations Practice Groups. Tara focuses her practice on representing clients in the life sciences and health care industries in a variety of regulatory and compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. In addition, Tara has experience representing clients in government investigations and conducting targeted internal investigations covering a broad range of health care compliance issues. She also counsels clients on mitigating compliance risks and implementing and operating under HHS OIG Corporate Integrity Agreements.

Tara is an author of the U.S. chapter of a global treatise on drug pricing and reimbursement.

In addition to her life sciences practice, Tara maintains an active pro bono practice, with a particular focus on reproductive rights.

In a new post on the Covington Digital Health blog, our colleagues discuss a recent amendment to California’s Confidentiality of Medical Information Act (“CMIA”) that expands the scope of the law to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services.  Continue Reading California Expands the Scope of the CMIA to Cover Certain Digital Mental Health Services and Information

On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  Third-party service providers also are required to notify covered vendors of any breach.
Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

On September 1, the California legislature passed AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”).  All provisions of the bill will take effect immediately to prevent the CCPA from “negatively impact[ing] certain health-related information and research,” except for the required contractual provisions described below.

Under the new exemption, information is not subject to the CCPA’s obligations if it meets both of the following requirements:
Continue Reading California Legislature Adopts CCPA Exemption for Information Deidentified in Accordance with the HIPAA Privacy Rule

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”

The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and other related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).  A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.”  See 16 C.F.R. § 318.2(d).  Under the Rule, PHR vendors and related entities must notify individuals, the FTC, and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or within 10 days if more than 500 individuals are affected by the breach.
Continue Reading FTC to Consider Changes to the Health Breach Notification Rule

This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency.
Continue Reading HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency