On July 26, Secretary of the U.S. Department of Health and Human Services (HHS) Alex Azar said that HHS will undertake an effort to reform federal health privacy rules, including those under HIPAA and the rules governing substance abuse treatment records at 42 C.F.R. Part 2 (Part 2). In speaking about efforts by the Trump Administration … Continue Reading
Reflecting evidence from 280 witnesses from the government, academia and industry, and nine months of investigation, the UK House of Lords Select Committee on Artificial Intelligence published its report “AI in the UK: ready, willing and able?” on April 16, 2018 (the Report). The Report considers the future of AI in the UK, from perceived … Continue Reading
On the heels of the Federal Trade Commission’s (“FTC”) third annual “PrivacyCon,” the Future of Privacy Forum hosted its eighth annual “Privacy Papers for Policymakers” event on Capitol Hill—a gathering in which academics present their original scholarly works on privacy-related topics to D.C. policy wonks who may have a hand in shaping laws and regulations … Continue Reading
Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle. In the first part of the series, the Digital Health team answers key regulatory questions … Continue Reading
On our sister blog, CovingtonDigitalHealth, our global cross-practice digital health team has launched a three-part series on the key questions the technology, life sciences and communications industries should be considering as they fit together the regulatory and commercial pieces of the complex digital health puzzle. Read the first post in the series here.… Continue Reading
The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to … Continue Reading
In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning. To read … Continue Reading
The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance. In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure … Continue Reading
By Christopher Hanson On December 28, 2016, CDRH announced the publication of the final guidance “Postmarket Management of Cybersecurity in Medical Devices.” In a separate post, we reported on the January 22, 2016 draft version of this guidance document. The final guidance provides FDA’s recommendations on a risk-based framework for medical device manufacturers to assess and … Continue Reading
A new post over on Covington’s eHealth blog discusses HIPAA-related provisions in the Twenty-First Century Cures Act, signed by President Obama on December 13. These provisions direct HHS to consider HIPAA’s effects on mental health treatment and the availability of health data for research purposes. Read the full post here.… Continue Reading
On December 1, 2016, the Commission on Enhancing National Cybersecurity released its Report on Securing and Growing the Digital Economy. In its Report, the Commission, established in February 2016 by President Obama, provided detailed short- and long-term recommendations to strengthen cybersecurity in the public and private sectors. The Commission took a multi-stakeholder approach, emphasizing the … Continue Reading
The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware. Ransomware is a malicious software … Continue Reading
The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful. With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services. European healthcare is particularly affected by such restrictions. This has motivated a significant … Continue Reading
A new post on the Covington eHealth blog reports that the UK government is running a consultation around NHS patient data security standards and a new legal framework for secondary uses (e.g. research) of patient data. To find out more about the proposals and the consultation, please click here.… Continue Reading
Today we published a post on the Covington eHealth blog regarding a recent report by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC). The ONC report highlights “large gaps” in policies and oversight surrounding access to and security and privacy of health information held by … Continue Reading
Last month, the FDA released a draft guidance document on the sharing of patient-specific data associated with medical devices, including information recorded, stored, processed, retrieved, and/or derived from the device. A new post on Covington’s Inside Medical Devices blog discusses the draft guidance and its implications for sharing patient information.… Continue Reading
A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone. This recent enforcement action should put business associates … Continue Reading
Last week, our colleague Shruti Barker published an article on the Inside Medical Devices Blog, discussing eight data security principles that companies participating in the Precision Medicine Initiative should aim to meet. The Administration’s guidance document additionally recommends a basic framework that organizations collecting, storing, and sharing patient information should adopt as current best practices. The … Continue Reading
The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year. Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities: designated* “operators of essential services” within … Continue Reading
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy. In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.… Continue Reading
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has begun to audit covered entities and business associates for compliance with HIPAA. A new post on the Covington eHealth blog discusses recent developments in OCR’s efforts to move these audits forward.… Continue Reading
A new post on the Covington eHealth blog discusses the new web-based interactive tool released by the FTC, in conjunction with HHS and the FDA, to assist mobile health app developers in navigating applicable federal laws and regulations in the areas of advertising and marketing, medical devices, and data security and privacy. As part of … Continue Reading
On Tuesday, February 9, the Substance Abuse and Mental Health Services Administration (SAMHSA) published a proposed rule to update regulations at 42 C.F.R. Part 2 that protect the confidentiality of alcohol and drug abuse patient records. The regulations were originally promulgated in 1975 and last substantively updated in 1987. SAMHSA intends for these updates to … Continue Reading
On January 6, as part of President Obama’s executive action to combat gun violence, HHS promulgated a final regulation modifying the HIPAA Privacy Rule to allow certain HIPAA covered entities to disclose limited information to the National Instant Criminal Background Check System (NICS). We previously discussed the proposed rule here. Background: The NICS, maintained by … Continue Reading
