Last month, the FDA released a draft guidance document on the sharing of patient-specific data associated with medical devices, including information recorded, stored, processed, retrieved, and/or derived from the device. A new post on Covington’s Inside Medical Devices blog discusses the draft guidance and its implications for sharing patient information.… Continue Reading
The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year. Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities: designated* “operators of essential services” within … Continue Reading
On Tuesday, February 9, the Substance Abuse and Mental Health Services Administration (SAMHSA) published a proposed rule to update regulations at 42 C.F.R. Part 2 that protect the confidentiality of alcohol and drug abuse patient records. The regulations were originally promulgated in 1975 and last substantively updated in 1987. SAMHSA intends for these updates to … Continue Reading
On Tuesday, the FTC announced the agenda for PrivacyCon, which is being billed as a “first-of-its-kind event” that will facilitate discussions between researchers and academics about privacy and security. The FTC also released abstracts for the research that will be presented at the conference, scheduled for January 14. PrivacyCon follows a call from the FTC … Continue Reading
On Friday, November 13, Federal Trade Commission (FTC) Chief Administrative Law Judge Chappell issued an Initial Decision dismissing the FTC’s complaint against LabMD, on the ground that the Commission’s staff had failed to carry its burden of demonstrating a “likely substantial injury” to consumers resulting from LabMD’s allegedly “unfair” data security practices. While Judge Chappell’s … Continue Reading
The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system. The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016. … Continue Reading
On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, available here, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct … Continue Reading
May 2015 saw a number of developments in the EU mHealth sector worthy of a brief mention. The European Commission announced that it would work on new guidance for mHealth apps, despite the European Data Protection Supervisor and British Standards Institution publishing their own just weeks earlier. In parallel, the French data protection authority announced … Continue Reading
The Office of the National Coordinator for Health Information (ONC) recently released an updated Guide to Privacy and Security of Electronic Health Information. The guide aims to help individuals, providers, and the health IT community understand the role of HIPAA for interoperability of health information. This guide updates the previous version issued by the ONC … Continue Reading
The Article 29 Data Protection Working Party (Working Party), an independent EU advisory body on data protection and privacy, responded to a request from the European Commission made in the framework of the Commission’s mHealth initiative to clarify the definition of data concerning health in relation to lifestyle and wellbeing apps. (See more here, and here … Continue Reading
Just two days after disclosing publicly that it was “the target of a very sophisticated external cyber attack” in which the personal information of over 80 million customers was compromised, officials of Anthem Inc., the nation’s second largest health insurance company, are to brief staffers of the House Energy and Committee on the security breach. … Continue Reading
On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI. For more information about the briefing, visit Covington’s eHealth blog.… Continue Reading
Many individuals are covered by health insurance but are not the policy holders for that coverage (e.g., the policy holder is a spouse or parent of the covered individual). Routine communications sent by insurers, such as explanation of benefit letters or denial of claims notices, are often sent to the policy holder and may contain … Continue Reading
Please note that this event, originally scheduled for December 10, is being rescheduled for February 2015 – date TBC. Covington’s London office will be hosting a breakfast seminar for clients on ‘Mitigating Information Loss in the Healthcare Industry: the Insider Threat’ with The Chertoff Group.… Continue Reading
By Randall Friedland. According to a GAO report published September 16th, Healthcare.gov, the health insurance exchange rolled out last October, still has significant privacy weaknesses. Specifically, the report outlined that despite the Centers for Medicare & Medicaid Services’ (CMS) efforts to increase the security and privacy of data that it processes, maintains, and shares with … Continue Reading
On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule. The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates. In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the … Continue Reading
The Federal Trade Commission (FTC) recently announced a settlement with Accretive Health, Inc., a provider of medical billing and revenue management services to hospitals. The FTC’s complaint alleged that Accretive failed to provide reasonable and appropriate security for consumers’ personal information, and this failure constituted an unfair act or practice in violation of Section 5 … Continue Reading
In the wake of the recent Target Corp. credit card data breach, Congress is once again turning its attention to data breach legislation. In a memorandum to Republican lawmakers on January 2, House Majority Leader Eric Cantor (R-Va.) stated that he intends to schedule legislation on security and breach notification requirements for federally facilitated healthcare … Continue Reading
Last week, the FDA released a final version of its guidance document, Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff. For Chris Pruitt’s analysis of the guidance document on Covington’s InsideMedicalDevices blog, please click here.… Continue Reading
In a court filing on September 11, 2013, attorneys for the U.S. Department of Health and Human Services (HHS) announced that HHS intends to issue further guidance on certain new marketing restrictions under HIPAA, finalized last January as part of the final HITECH omnibus rule, and to delay enforcement of those new marketing restrictions until … Continue Reading
This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until … Continue Reading
This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25. Previous posts are available here. The regulations are effective March 26, 2013, … Continue Reading
On 19 December 2012, the European Data Protection Supervisor (EDPS) and the Assistant Supervisor, M. Giovanni Buttarelli, published a new Opinion that sets out their views on the Commission proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use (the Regulation). The Commission proposal, released in July 2012, touches on a … Continue Reading