The United States Department of Health and Human Services reached an agreement with Lifespan Health System Affiliated Covered Entity (Lifespan ACE) in which Lifespan agreed to pay $1,040,000 and adopt a corrective action plan in the wake of its data breach that exposed over 20,431 patients’ protected health information. The breach occurred when an employee’s unencrypted laptop was stolen which contained electronic protected health information (ePHI) including: patients’ names, medical record numbers, demographic information, and medication information.
Section 3221 of the CARES Act, signed into law on March 27, 2020, sets the stage for HHS to make significant changes to 42 C.F.R. Part 2, governing the confidentiality of Substance Use Disorder (“SUD”) records. Under the Act, HHS has 12 months to work with appropriate Federal agencies to make revisions to 42 C.F.R. Part 2 consistent with Section 3221’s mandates.
By now everyone has now heard of — and likely used — Zoom for staying connected during the COVID-19 pandemic. In what may have been a brilliant strategy to gain market share during adverse times, Zoom offered its videoconferencing service for free to schools, organizations, businesses, and individuals as a means of staying connected while the world is exercising social distancing and it seems as if everyone is now using Zoom.
The DC Federal District Court issued an opinion in Ciox Health, LLC v. Azar, et al., Case No. 18-CV-00040 (D.D.C. January 23, 2020) that reverses portions of guidance issued by the Office for Civil Rights (“OCR”) in 2016 related to the fees that a healthcare provider may charge for medical records that are requested by a patient and directed to a third party. The original HIPAA Privacy Rule included provisions that a “covered entity” (1) must provide patients the right to access his or her protected health information (“PHI”) within a designated record set and (2) could only charge a reasonable cost-based fee for such access. In 2009, the HITECH Act amended HIPAA to provide that a patient could request that the patient’s access to PHI maintained in an electronic health record (“EHR”) be directed to a third party. In 2013, the Omnibus Rule further broadened the third party directive and allowed patients to make this third party directive for access to PHI contained in any format. Lastly, in 2016, OCR issued guidance that applied the fee limitation from the original HIPAA Privacy Rule to situations in which the patient directs the PHI to a third party.
Our previous article “Does the CCPA Apply to My Company?”[i] outlined some questions to help determine if your company is included in the definition of business for the CCPA. Here, we give a brief overview of the law and discuss both its potential effects and enforcement.
The United States Department of Health and Human Services reached an agreement with Touchstone Medical Imaging in which Touchstone agreed to pay $3 million and adopt a corrective action plan in the wake of its data breach that exposed over 300,000 patients’ protected health information.
You read it correctly: The United States Government has deemed an online dating application to be a national security concern. The dating application Grindr has earned notoriety for being the gay equivalent to Tinder (a dating “hook up” application for straight people). Grindr has gained remarkable success. The application boasts of having 27 million registered users as well as an average of 3.3 million daily users.
Late last year California passed the California Consumer Privacy Act of 2018 (“CCPA”) aimed at granting certain rights and protections to California consumers and also imposing obligations and limitations on businesses in an effort to provide consumers more control over their personal information. The CCPA becomes effective January 1, 2020, and companies across the nation are marking their calendars in anticipation of privacy practice changes reminiscent of those ushered in by the European Union’s GDPR last year. Although the CCPA is often compared to the GDPR, the two privacy laws are different and compliance with one does not ensure compliance with the other. In undertaking compliance measures, the initial inquiry companies should analyze is the question of whether the CCPA applies to the company.
Does your organization provide substance use treatment services or receive information from a treatment program that identifies an individual as having a substance use disorder? If so, your organization may be subject to 42 C.F.R. Part 2 and may have obligations to amend contractual provisions to maintain compliance.
Lawyers, like others in business, must comply with the data security and data breach notification laws of the 50 states that are applicable to their practices. But, according to the American Bar Association, their obligations do not end there. On October 17, 2018, the ABA issued Ethics Opinion 483 titled Lawyers’ Ethical Obligations After an Electronic Data Breach or Cyberattack.