In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data. This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine. The
Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind.
- The Florida and Michigan laws would amend personal data destruction rules for companies.
- The New York law would mandate data security and encryption measures.
- The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
- The Michigan bill includes a state version of the Federal Trade Commission’s Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures.
- The Kansas law would require state agencies to engage in periodic network security reviews.
- The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.
While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.
As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. …
As reported by the December 23 Rochester, Minnesota Post Bulletin, the Mayo Clinic has terminated two medical professionals, a physician and another staff member, after determining that they had inappropriately accessed a patient’s confidential electronic health records (EHRs).
The access highlights what should be a growing concern for health care industry employers: the…
In a key step toward developing a proposed U.S. health information technology (HIT) infrastructure, the Centers for Medicare & Medicaid Services has announced that Iowa’s Medicaid program is the first to receive federal matching funds for planning activities necessary to implement the electronic health record (EHR) incentive program established by the American Recovery and Reinvestment …
A British TV station investigation into India’s medical transcription industry, known as Business Process Outsourcing (BPO), uncovered unsettling news for British subjects, as well as American citizens. Medical records sent to India to be transcribed and computerized are being sold. The Economic Times report on the investigation out of New Delhi suspects a "hardening of stance on the…