Keeping you afloat amidst the rising sea of regulations

Regulation from Across the Pond: GDPR’s Implications for United States Health Care Organizations

What’s New? In May 2018 - merely 14 months from now - the European Union’s (EU) General Data Protection Regulation (GDPR) will go into effect. Organizations established in the European Economic Area (EEA) are subject to the GDPR and must abide by its rules with respect to the collection, processing, and transfer of personal data.

Substance Abuse Medical Record Privacy Rules Updated For The First Time in Nearly 30 Years

For the first time in nearly three decades, the Substance Abuse and Mental Health Services Administration (SAMHSA) has updated the regulations on the confidentiality of substance abuse treatment records found in 42 C.F.R. Part 2 (the Part 2 Regulations).

Your Money or Your Patients: Using IT Contracts to Protect Against Ransomware Attacks

An Austrian hotel was a recent victim of a “ransomware” computer attack that disabled its electronic room key system and locked up its own computers; this follows ransomware attacks on hospitals. These attacks demonstrate that hospital administrators should make sure their IT agreements adequately address the risks of cyberattacks. This lesson applies with particular force to health care institutions, because ransomware locks up patient and other records and makes them unavailable at the very time they are needed for ongoing medical care.

Health Care Compliance Association (HCCA) Webinar: Navigating the Rest of the Iceberg - Privacy and Security Compliance Beyond HIPAA

Please join Arent Fox partners Sarah Bruno, Jade Kelly and Matthew Mills on Tuesday, February 21 from 1:00-2:30 PM Eastern for a Health Care Compliance Association webinar titled Navigating the Rest of the Iceberg: Privacy and Security Compliance Beyond HIPAA.

Life’s a Breach - Sitting on that HIPAA Breach Notification Could Burn You

What’s the News? On January 9, 2017, Presence Health agreed to settle with the U.S. Department of Health and Human Services (HHS) potential violations of the Breach Notification Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is HHS’ first enforcement action against a covered entity that reported a breach but did not do so in a timely manner.

FTC Arms Businesses and Consumers Against Ransomware

Ransomware is a living nightmare for the health care industry, with attacks or threats of attacks increasing and the consequences potentially devastating to patients and businesses. The Federal Trade Commission recently issued guidance for both businesses and consumers on defending against ransomware, which Arent Fox attorneys Sarah Bruno, Eva Pulliam, and Lourdes Turrecha analyze in the article below.

Are Fitness Apps Fit for Privacy Protection?

* The following article was originally published by Healthcare Informatics. Healthcare professionals who are in a position to recommend the use of fitness apps need to be aware that patients’ personal data can be used in ways that HIPAA would prohibit and that will surprise patients who are trying to be smart about fitness in a smartphone world.

Needing to Adjust: DOJ and HHS Announce Steep Increases to FCA, Stark Law, Anti-Kickback Statute, and EMTALA Penalties

Life science companies, health care providers, and government contractors will be at risk for significantly larger penalties due to substantial increases to False Claims Act (FCA) penalties and civil monetary penalties (CMPs). These penalty increases cover a broad range of health care violations, including the Stark Law, the Anti-Kickback Statute, the Emergency Medical Treatment and Labor Act (EMTALA) and the Health Insurance Portability and Accountability Act (HIPAA).

2016 Survey of Data Breach Notification Statutes

Every state and territory in the US, except Alabama, New Mexico, and South Dakota, has a data breach notification statute, and most of them apply to any person, business, or government agency that acquires, owns, or licenses computerized data that includes personally identifiable information of individuals who reside within that jurisdiction. This survey focuses on the data breach notification statutes of the states and territories within the US, and should be a useful tool and guide for data security planning and response purposes.