On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.
Continue Reading HHS Targets Small Behavioral Health Clinic for HIPAA Violations Following Ransomware Investigation

On February 16, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published a final version of Special Publication 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule: A Cybersecurity Resource Guide.” The publication features guidance

On December 21, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Krankenversicherung Nordrhein (C-667/21) in which it clarified, among other things, the rules for processing special categories of personal data (hereafter “sensitive personal data”) under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the nature of the compensation owed for damages under Article 82 of the GDPR.Continue Reading CJEU Rules on Processing of Sensitive Data and Compensation Under the GDPR

On October 31, 2023, the Department of Health and Human Services announced the issuance of a settlement agreement with Doctors’ Management Services, a Massachusetts-based medical management company, related to alleged violations of the Health Insurance Portability and Accountability Act’s Privacy and Security Rules.
Continue Reading HHS Announces First HIPAA Settlement Agreement Involving Ransomware Attack

On September 15, 2023, the Federal Trade Commission and the Department of Health and Human Services published an updated version of the two agencies’ joint publication, entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.”
Continue Reading FTC and HHS Update Consumer Health Data Privacy and Security Guide

On September 13, 2023, the National Coordinator for Health Information Technology and the Office for Civil Rights at the U.S. Department of Health and Human Services released version 3.4 of the Security Risk Assessment Tool under the Health Insurance Portability and Accountability Act Security Rule.
Continue Reading ONC and HHS OCR Release Updated HIPAA Security Risk Assessment Tool

On June 2 and June 5, 2023, the Connecticut and Nevada state legislatures, respectively, voted in favor of sending legislation to their governors for signature that would impose restrictions, among others, on the processing of consumer health data, including geofencing provisions. Nevada S.B. 370 was signed by Nevada Governor Joe Lombardo on June 16, 2023.
Continue Reading Connecticut and Nevada Legislatures Pass Health Data Laws