HHS Settles with Shasta Regional Medical Center

On June 13, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $275,000 settlement with Shasta Regional Medical Center (“Shasta”) that pertained to impermissible disclosures of protected health information (“PHI”) by Shasta officials to the media, as well as to Shasta’s entire workforce.

FDA Issues Safety Communication and Guidance on Cybersecurity for Medical Devices

On June 13, 2013, the Food and Drug Administration (“FDA”) published a safety communication and guidance regarding the vulnerability of medical devices to cyberattacks. The safety communication, Cybersecurity for Medical Devices and Hospital Networks, is intended for “[m]edical device manufacturers, hospitals, medical device user facilities, health care IT and procurements staff; and biomedical engineers.” The safety communication notes that because medical devices can be connected to other devices and the Internet, such devices are exposed to cyberattacks that might result from malware infections, the exploitation of weak password protections, a lack of updated security patches, and security vulnerabilities in software installed on medical devices.

HHS Announces Settlement with Idaho State University

On May 21, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $400,000 settlement with Idaho State University (“ISU”) for a breach that affected 17,500 individuals.

The ISU settlement relates to servers that had their firewall protections disabled, which left the electronic protected health information (“ePHI”) of patients at ISU’s Pocatello Family Medicine Clinic unsecured for at least ten months. Following the submission of a breach report to the HHS Office for Civil Rights (“OCR”), an investigation determined that ISU allegedly had not complied with HIPAA Security Rule requirements, including by conducting an incomplete and inadequate risk analysis and by failing to “adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.”

FTC Seeks Input on The Internet of Things

On April 17, 2013, the Federal Trade Commission issued a press release seeking public input on “The Internet of Things” – the ability of numerous “everyday devices to communicate with each other and with people.” The FTC will accept comments through June 1, 2013, in advance of a public workshop to be held in Washington, D.C. on November 21, 2013.

Court of Appeals Rules that HIPAA Preempts Florida Law

On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit held that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law regarding the disclosure of patient records by nursing homes. The law required nursing homes in Florida to provide the medical records of a deceased nursing home resident to the “spouse, guardian, surrogate, proxy, or attorney in fact,” including “medical and psychiatric records and any records concerning the care and treatment of the resident performed by the facility, except progress notes and consultation report sections of a psychiatric nature.”

Article 29 Working Party Clarifies Purpose Limitation Principle; Opines on Big and Open Data

On April 2, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) that elaborates on the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). The Opinion analyzes the scope of this principle under the Data Protection Directive, clarifies its limits and makes recommendations to strengthen it in the proposed General Data Protection Regulation (the “Proposed Regulation”). It also focuses on how to apply this principle in the context of big data and open data.

Business Associate Compliance with the New HIPAA Rules

On January 17, 2013, the U.S. Department of Health and Human Services issued a final omnibus rule modifying prior regulations enacted pursuant to the Health Insurance Portability and Accountability Act of 1996. Among the key changes that will come into effect this September is the addition of a provision that dramatically increases the number of organizations directly subject to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. In an article published in the March/April issue of Storage & Destruction Business Magazine, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, and Ryan P. Logan and Melinda L. McLellan, senior associates on the firm’s Privacy and Data Security team, discuss how the newly adopted HIPAA Rules will impact business associates and outline steps that records and information management companies should take to prepare for the upcoming changes.

European Data Privacy Day Expert Panel Provides 30-Year Retrospective on UK Data Protection

On January 28, 2013, the London office of Hunton & Williams marked European Data Privacy Day with the launch of the fourth edition of Data Protection Law & Practice, written by Senior Attorney Rosemary Jay. A panel comprised of the current UK Information Commissioner, Christopher Graham; his three predecessors, Eric Howe CBE, Elizabeth France CBE and Richard Thomas CBE; and the UK Minister of State for Justice, Lord McNally, spoke at the event and provided a retrospective on data protection in the United Kingdom since the Information Commissioner’s Office’s (“ICO’s”) inception in 1984.

FTC Settles Alleged Breach of Consumers’ Personal Information

On January 28, 2013, the Federal Trade Commission announced a proposed settlement agreement with CBR Systems, Inc. (“CBR”), an operator of a cord blood bank, which collects personal information about consumers and physicians through its websites and in connection with the provision of its services, including names, addresses, dates of birth, Social Security numbers, credit card numbers and health information.

New HIPAA Omnibus Rule: A Compliance Guide

The wait is over. On January 17, 2013, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) released its long-anticipated megarule (“Omnibus Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. These amendments implement and expand on the requirements of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the Genetic Information Nondiscrimination Act of 2008. The Omnibus Rule is effective March 26, 2013, and compliance is required with respect to most provisions no later than September 23, 2013. Coming into compliance will require significant effort and attention by covered entities and business associates alike. Below we highlight some of the more significant aspects of the Omnibus Rule and provide critical compliance tips.
