The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that 2018 was an all-time record year for Health Insurance Portability and Accountability Act (“HIPAA”) enforcement activity. Enforcement actions in 2018 resulted in the assessment of $28.7 million in civil money penalties. Enforcement activity focused primarily on breaches of electronic protected … Continue Reading
The European Data Protection Board (“Board”) released an opinion on January 23, 2019, on the intersection between the EU General Data Protection Regulation (“GDPR”) and the Clinical Trials Regulation (“CTR”). The opinion considers a Q&A on this topic prepared by the European Commission’s Directorate General for Health. The Directorate General decided to create this Q&A … Continue Reading
Hospitals and other health care organizations are attractive targets for cyber-attacks, in part because their databases contain medical records and other sensitive information. Breaches of this information could have very serious implications for patients. Moreover, electronics connected to a health care facility’s network keep people alive, distribute medicines, and monitor vital signs. As a result, … Continue Reading
In early November, the Dutch Supervisory Authority released an injunction imposed against the public insurance body Uitvoeringsinstituut Werkgeversverzekering (“UWV”) last July. The UWV allows employers to submit data about their employees for social security purposes. The data includes dates of employee absences due to general illness (and when an employee is pregnant or gave birth, … Continue Reading
On October 23, 2018, the European Federation of Pharmaceutical Industries in cooperation with the Future of Privacy Forum and the Center for Information Policy Leadership will organize a workshop entitled, “Can GDPR Work for Health Research.” In the first session, the workshop will discuss the implications of the General Data Protection Regulation (“GDPR”) on clinical … Continue Reading
On July 26, Secretary of the U.S. Department of Health and Human Services (HHS) Alex Azar said that HHS will undertake an effort to reform federal health privacy rules, including those under HIPAA and the rules governing substance abuse treatment records at 42 C.F.R. Part 2 (Part 2). In speaking about efforts by the Trump Administration … Continue Reading
Reflecting evidence from 280 witnesses from the government, academia and industry, and nine months of investigation, the UK House of Lords Select Committee on Artificial Intelligence published its report “AI in the UK: ready, willing and able?” on April 16, 2018 (the Report). The Report considers the future of AI in the UK, from perceived … Continue Reading
On the heels of the Federal Trade Commission’s (“FTC”) third annual “PrivacyCon,” the Future of Privacy Forum hosted its eighth annual “Privacy Papers for Policymakers” event on Capitol Hill—a gathering in which academics present their original scholarly works on privacy-related topics to D.C. policy wonks who may have a hand in shaping laws and regulations … Continue Reading
Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle. In the first part of the series, the Digital Health team answers key regulatory questions … Continue Reading
On our sister blog, CovingtonDigitalHealth, our global cross-practice digital health team has launched a three-part series on the key questions the technology, life sciences and communications industries should be considering as they fit together the regulatory and commercial pieces of the complex digital health puzzle. Read the first post in the series here.… Continue Reading
The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to … Continue Reading
In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning. To read … Continue Reading
The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance. In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure … Continue Reading
By Christopher Hanson On December 28, 2016, CDRH announced the publication of the final guidance “Postmarket Management of Cybersecurity in Medical Devices.” In a separate post, we reported on the January 22, 2016 draft version of this guidance document. The final guidance provides FDA’s recommendations on a risk-based framework for medical device manufacturers to assess and … Continue Reading
A new post over on Covington’s eHealth blog discusses HIPAA-related provisions in the Twenty-First Century Cures Act, signed by President Obama on December 13. These provisions direct HHS to consider HIPAA’s effects on mental health treatment and the availability of health data for research purposes. Read the full post here.… Continue Reading
On December 1, 2016, the Commission on Enhancing National Cybersecurity released its Report on Securing and Growing the Digital Economy. In its Report, the Commission, established in February 2016 by President Obama, provided detailed short- and long-term recommendations to strengthen cybersecurity in the public and private sectors. The Commission took a multi-stakeholder approach, emphasizing the … Continue Reading
The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware. Ransomware is a malicious software … Continue Reading
The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful. With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services. European healthcare is particularly affected by such restrictions. This has motivated a significant … Continue Reading
A new post on the Covington eHealth blog reports that the UK government is running a consultation around NHS patient data security standards and a new legal framework for secondary uses (e.g. research) of patient data. To find out more about the proposals and the consultation, please click here.… Continue Reading
Today we published a post on the Covington eHealth blog regarding a recent report by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC). The ONC report highlights “large gaps” in policies and oversight surrounding access to and security and privacy of health information held by … Continue Reading
Last month, the FDA released a draft guidance document on the sharing of patient-specific data associated with medical devices, including information recorded, stored, processed, retrieved, and/or derived from the device. A new post on Covington’s Inside Medical Devices blog discusses the draft guidance and its implications for sharing patient information.… Continue Reading
A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone. This recent enforcement action should put business associates … Continue Reading
Last week, our colleague Shruti Barker published an article on the Inside Medical Devices Blog, discussing eight data security principles that companies participating in the Precision Medicine Initiative should aim to meet. The Administration’s guidance document additionally recommends a basic framework that organizations collecting, storing, and sharing patient information should adopt as current best practices. The … Continue Reading
The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year. Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities: designated* “operators of essential services” within … Continue Reading
