Just two days after disclosing publicly that it was “the target of a very sophisticated external cyber attack” in which the personal information of over 80 million customers was compromised, officials of Anthem Inc., the nation’s second largest health insurance company, are to brief staffers of the House Energy and Committee on the security breach. … Continue Reading
On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI. For more information about the briefing, visit Covington’s eHealth blog.… Continue Reading
Many individuals are covered by health insurance but are not the policy holders for that coverage (e.g., the policy holder is a spouse or parent of the covered individual). Routine communications sent by insurers, such as explanation of benefit letters or denial of claims notices, are often sent to the policy holder and may contain … Continue Reading
Please note that this event, originally scheduled for December 10, is being rescheduled for February 2015 – date TBC Covington’s London office will be hosting a breakfast seminar for clients on ‘Mitigating Information Loss in the Healthcare Industry: the Insider Threat’ with The Chertoff Group.… Continue Reading
By Randall Friedland According to a GAO report published September 16th, Healthcare.gov, the health insurance exchange rolled out last October, still has significant privacy weaknesses. Specifically, the report outlined that despite the Centers for Medicare & Medicaid Services’ (CMS) efforts to increase the security and privacy of data that it processes, maintains, and shares with … Continue Reading
On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule. The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates. In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the … Continue Reading
The Federal Trade Commission (FTC) recently announced a settlement with Accretive Health, Inc., a provider of medical billing and revenue management services to hospitals. The FTC’s complaint alleged that Accretive failed to provide reasonable and appropriate security for consumers’ personal information, and this failure constituted an unfair act or practice in violation of Section 5 … Continue Reading
In the wake of the recent Target Corp. credit card data breach, Congress is once again turning its attention to data breach legislation. In a memorandum to Republican lawmakers on January 2, House Majority Leader Eric Cantor (R-Va.) stated that he intends to schedule legislation on security and breach notification requirements for federally facilitated healthcare … Continue Reading
The Federal Trade Commission (“FTC”) announced today that it will hold a series of three seminars in the spring focused on retail tracking, alternative scoring, and consumer health information. The seminars are designed to shed light on new trends in big data and their impact on consumer privacy, according to the FTC. The seminars will … Continue Reading
Last week, the FDA released a final version of its guidance document, Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff. For Chris Pruitt’s analysis of the guidance document on Covington’s InsideMedicalDevices blog, please click here.… Continue Reading
Last week, the FDA released a final version of its guidance document, Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff. For Chris Pruitt’s analysis of the guidance document on Covington’s InsideMedicalDevices blog, please click here.… Continue Reading
In a court filing on September 11, 2013, attorneys for the U.S. Department of Health and Human Services (HHS) announced that HHS intends to issue further guidance on certain new marketing restrictions under HIPAA, finalized last January as part of the final HITECH omnibus rule, and to delay enforcement of those new marketing restrictions until … Continue Reading
This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until … Continue Reading
This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25. Previous posts are available here. The regulations are effective March 26, 2013, … Continue Reading
On 19 December 2012, the European Data Protection Supervisor (EDPS) and the Assistant Supervisor, M. Giovanni Buttarelli, published a new Opinion that sets out their views on the Commission proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use (the Regulation). The Commission proposal, released in July 2012, touches on a … Continue Reading
Recently, officials from the Office of the National Coordinator for Health Information Technology (ONC) in the Department of Health and Human Services stressed the need for data security in connection with providers’ use of mobile devices for health care delivery. Approximately 81 percent of physicians use smart phones or mobile devices. The need for data … Continue Reading
The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released a one-page message from OCR Director Leon Rodriguez encouraging patients to exercise the right to access their medical records. Generally, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) grants patients the right to request and receive a copy … Continue Reading
By Anna Kraus The Department of Health and Human Services (HHS) has submitted to the Office of Management and Budget (OMB) the long-awaited final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The OMB has up to … Continue Reading
Last month, the Minnesota Attorney General filed a lawsuit in federal court against Accretive Health, Inc. alleging that the company violated various provisions of HIPAA as well as Minnesota consumer privacy and protection law. Although HIPAA-covered entities have been the subject of enforcement actions by state AGs and the Department of Health and Human Services, … Continue Reading
The Senate Judiciary Subcommittee on Privacy, Technology, and Law recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World.” In that hearing, Subcommittee … Continue Reading
By Anna Kraus Last Thursday, the Office of Management and Budget (OMB) released the preliminary regulatory review plans of 30 federal agencies, including the Department of Health and Human Services (HHS). The regulatory review plans were mandated by President Obama in an executive order issued earlier this year, and are intended to identify initiatives to … Continue Reading
By Anna Kraus Last week, the Office of Inspector General (OIG) within the Department of Health and Human Services (HHS) issued two audit reports regarding federally mandated data security measures for health information. Both reports are highly critical of HHS’s efforts to protect the security of electronic health information. In the first report, available here, … Continue Reading
The U.S. Supreme Court heard oral argument last week in Sorrell v. IMS Health, Inc. As described in our earlier post, the case involves a constitutional challenge to a Vermont law prohibiting the use or sale of doctors’ identifying information in prescription records—i.e., prescriber-identifiable data—without the doctor’s express consent. The key legal issue, as framed … Continue Reading
Improper disposition of medical records appears to be an international problem. The Saskatchewan Information and Privacy Officer recently issued regulatory guidance to health care providers on complying with the province’s health data protection law. The guidance is being sent to all health regulatory bodies and health care organization privacy boards in Saskatchewan to remind them … Continue Reading
