Demonstrating a continued focus on information security, the Food and Drug Administration (FDA) published draft guidance on Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices. As the title indicates, the draft guidance focuses on issues manufacturers should address in the development and design of medical devices prior to sale to consumers. This draft guidance …
In honor of Data Privacy Day, we provide the following “Top 10 for 2016.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2016. EU/U.S. Data Transfer (status of Safe Harbor). On October 6, 2015, the Court of Justice of the European Union (CJEU) ruled …
In honor of National Data Privacy Day, we provide the following “Top 15 for 2015.” While the list is by no means exhaustive, it does provide some hot topics for businesses to consider in 2015. Inside Threats for Healthcare Providers and Business Associates. While news reports of security risks often focus on hackings and breaches …
In honor of National Data Privacy Day, we provide the following “Top 14 for 2014.” While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2014. Location Based Tracking. As the use of GPS-enabled devices becomes more and more prevalent, employers are often faced with …
Today, the Centers for Medicare and Medicaid Services (CMS) requested an "emergency review" of its recently proposed rule that "[Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach." We reported on the proposed …
Click on the link in this post for a high-level compliance roadmap concerning the Omnibus Privacy Rule under HIPAA and HITECH for covered plans, providers and business associates.
A breach involving a software upgrade to an online application system leads to allegations of HIPAA privacy and security failures, and a $1.7 million settlement payment to HHS.
Are you a "non-Exchange entity" with respect to the healthcare exchanges coming later this year? If so, you may become subject to a one-hour breach notification mandate.
A university's $400,000 payment to HHS to settle HIPAA compliance allegations highlights the critical role of risk assessments, and the need for security policies and procedures.
Linking his announcement to National Privacy Day, January 28, 2013, Maryland Attorney General Douglas F. Gansler informed the public that his office has formed an Internet Privacy Unit. (See the similar step taken by the Connecticut AG.) The stated purpose of the Unit is to protect the privacy of online users. The Unit will be charged with "monitor[ing] …
As we continue to examine the final HIPAA privacy and security regulations, as amended by the HITECH Act and the Genetic Information Nondiscrimination Act, we pulled together a summary of some of the key points. We fully expect additional sub-regulatory guidance to be provided by OCR, such as frequently asked questions and sample business associate agreement …
Under the HITECH Act, business associates are subject to the HIPAA privacy and security rules (the "HIPAA Rules") to virtually the same extent as covered entities. In addition to implementing this change for business associates ("BAs"), and providing additional guidance concerning which entities are business associates, the final HIPAA regulations issued last week also treat certain subcontractors of BAs as BAs directly subject to the …
A HIPAA data breach affecting 441 patients leads to an investigation resulting in $50K in penalties due to alleged lapses in security compliance.
On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009. HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks …
HIPAA covered entities and business associates need to consider how to practically and efficiently track and demonstrate compliance should they find an OCR investigator knocking at the door.