health care providers

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful.  With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services.

European healthcare is particularly affected by such restrictions.  This has motivated a significant group of organizations and policymakers to come together and launch a collective “call to action” to European policymakers, urging greater support and reforms to enable broader use of cloud computing in healthcare.  The Call to Action was previewed at eHealth Week 2016 in June.
Continue Reading EU Organizations Call for More Support for Cloud Computing in Healthcare

This week, the Medical Identity Fraud Alliance (“MIFA”) released its 2014 Fifth Annual Study on Medical Identity Theft, finding that in the last year, medical identity theft incidents increased by 21.7% from 2013.  The study is annually conducted to determine the pervasiveness of medical identity theft in the United States, how it affects the lives of victims, and what steps should be taken by consumers, healthcare providers, and governments to reduce the incidence of this crime.  Medical identity theft is defined by the report as occuring “when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and/or goods, including attempts to commit fraudulent billing.”  In this study, medical identity theft also is deemed to occur when an individual shares his or her health insurance credentials with others.
Continue Reading Study Shows Increase in Medical Identity Theft

On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule.  The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates.  In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the confidentiality and integrity of electronic protected health information (e-PHI).

A provision of the Security Rule requires covered entities and business associates to conduct a risk assessment, in which they review the safeguards currently in place and identify potential vulnerabilities in security policies, processes, and systems.  To help organizations comply with this sometimes onerous requirement, HHS has released an online template that will walk users step-by-step through the questions that must be asked as part of a required risk assessment.  HHS notes that the tool will help entities document the current state of their security system as well as develop proper risk remediation plans. Continue Reading HHS Releases New Tool to Assist with HIPAA Risk Assessments

Following the release of the President’s plan to reduce gun violence, the Office for Civil Rights within the Department of Health and Human Services (HHS) issued a “Message to Our Nation’s Health Care Providers” regarding HIPAA and reporting threats of violence. 

In the letter, which was prompted by the recent mass shootings in Newtown, Connecticut, and Aurora, Colorado, HHS states that it wants to ensure that health care providers are aware that the HIPAA Privacy Rule does not prevent them from disclosing necessary information about a patient to law enforcement, family members of the patient, or other persons, when the health care provider believes the patient “presents a serious danger to himself or other people.”Continue Reading HHS Issues Message to Nation’s Health Care Providers About HIPAA and Threats to Health and Safety