An Austrian hotel was a recent victim of a “ransomware” computer attack that disabled its electronic room key system and locked up its own computers, following a series of ransomware attacks on hospitals. These attacks demonstrate that hospital administrators should be sure that their IT agreements adequately address the risks of cyberattacks. The lesson applies with particular force to health care institutions, because ransomware locks up patient and other records and makes them unavailable at the very time they are required for ongoing medical care.
HIPAA / Health Privacy & Security
Arent Fox began advising clients in matters involving the privacy and security of health information long before the final promulgation of the Privacy and Security Standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In fact, we represented clients before Congress and HHS throughout the negotiations of the Administrative Simplifications Provisions of HIPAA and the crafting of the final regulations. We also developed a comprehensive model HIPAA compliance program that enables health care providers to implement the Federal Privacy Standards in a systematic and efficient manner.
Given the depth of our HIPAA experience, we are uniquely positioned to provide our clients with a comprehensive, cost-effective means to incorporate new HIPAA and HITECH requirements into existing compliance programs, assess their obligations under the new data breach notification requirements, and unravel the complex HIPAA issues that frequently arise in the context of clinical research. Clients facing a HIPAA enforcement action can turn to Arent Fox with confidence knowing that one of our attorneys was involved in the resolution of the largest HIPAA enforcement case to date.
What’s the News?
On January 9, 2017, Presence Health agreed to settle with the U.S. Department of Health and Human Services (HHS) over potential violations of the Breach Notification Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is HHS’ first enforcement action against a covered entity that reported a breach but did not do so in a timely manner.
Ransomware is a living nightmare for the health care industry, with attacks or threats of attacks increasing and the consequences potentially devastating to patients and businesses. The Federal Trade Commission recently issued guidance for both businesses and consumers on defending against ransomware, which Arent Fox attorneys Sarah Bruno, Eva Pulliam, and Lourdes Turrecha analyze in the article below.
What’s the News?
* The following article was originally published by Healthcare Informatics.
Healthcare professionals who are in a position to recommend the use of fitness apps need to be aware that patients’ personal data can be used in ways that HIPAA would prohibit and that will surprise patients who are trying to be smart about fitness in a smartphone world.
Life science companies, health care providers, and government contractors will be at risk for significantly larger penalties due to substantial increases to False Claims Act (FCA) penalties and civil monetary penalties (CMPs). These penalty increases cover a broad range of health care violations, including the Stark Law, the Anti-Kickback Statute, the Emergency Medical Treatment and Labor Act (EMTALA) and the Health Insurance Portability and Accountability Act (HIPAA).
Every state and territory in the US, except Alabama, New Mexico, and South Dakota, has a data breach notification statute, and most of these statutes apply to any person, business, or government agency that acquires, owns, or licenses computerized data that includes personally identifiable information of individuals who reside within that jurisdiction.
This survey focuses on the data breach notification statutes of the states and territories within the US, and should be a useful tool and guide for data security planning and response purposes.
The Federal Trade Commission asserted its data security authority in two recent back-to-back enforcement actions, only a day apart from each other.
Today, the US Department of Health & Human Services’ Office for Civil Rights (OCR) announced that Advocate Health Care Network (Illinois’ largest healthcare system) will pay a record $5.5 million settlement for violating HIPAA. The violations include failure to properly assess risks and limit access to electronic PHI (for example, an unencrypted laptop was left in an employee’s unlocked vehicle overnight); failure to have in place business associate agreements; and three data breaches, compromising the records of four million patients.
ABOUT ARENT FOX LLP
Arent Fox LLP, founded in 1942, is internationally recognized in core practice areas where business and government intersect. With more than 350 lawyers, the firm provides strategic legal counsel and multidisciplinary solutions to clients that range from Fortune 500 corporations to trade associations. The firm has offices in Los Angeles, New York, San Francisco, and Washington, DC.