During the pandemic, audio-only telehealth was a critical tool to provide care to populations that could not use video during telehealth sessions, due to factors such as lack of financial resources, disability or lack of sufficient broadband coverage.

New HHS guidance outlines steps covered entities should take to ensure that their audio-only telehealth practices are compliant with HIPAA following the expiration of the PHE.

Read on for steps covered entities should take to ensure compliance with HIPAA and a description of the recent expansion of reimbursement for audio-only telehealth.

On July 8, 2022, the U.S. Department of Justice announced a $9 million
settlement with federal government contractor Aerojet Rocketdyne, Inc. for
alleged violations of the False Claims Act in a case pending in the Eastern
District of California. The settlement results from alleged false
statements by Aerojet related to compliance with Department of Defense
cybersecurity requirements described in DoD Federal Acquisition Regulation
Supplement clause 252.204-7012 and National Aeronautics and Space
Administration Federal Acquisition Regulation Supplement clause
1852.204-76. The settlement further underscores DOJ’s commitment to FCA
enforcement actions involving cybersecurity considerations related to its
Civil Cyber-Fraud Initiative announced in October 2021. The settlement
serves as a clear reminder to contractors that DOJ and the plaintiffs’ qui tam bar are taking the Cyber-Fraud Initiative seriously.

Read on to learn why a close understanding of and adherence to federal
agency contractual cybersecurity requirements are important mandates for
the government contracting community broadly and the defense industrial
base in particular.

In 2021, the Health Information Technology for Economic and Clinical Health Act (HITECH) was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human Services now seeks public comment on what should be considered a recognized cybersecurity practice.

Covered entities and business associates should update their HIPAA compliance plans to incorporate the recognized cybersecurity practices, implement the identified security practices and ensure they have been actively and consistently used over the prior 12-month period of time to reduce the risk of HIPAA audits and fines.

See our recent alert for more details about this request for public comments, which are due June 6.

On May 25, the Federal Trade Commission announced that it, along with the Department of Justice, fined Twitter $150 million for violating a 2011 agreement with the FTC in which Twitter promised to protect the integrity of nonpublic consumer information, including users’ phone numbers and email addresses.

Read on for details about the alleged violations and the corrective actions required in the FTC’s new order.

Reflecting its determination to monitor the crypto markets, the U.S. Securities and Exchange Commission announced today that it was renaming the Cyber Unit the “Crypto Assets and Cyber Unit” and nearly doubling its size, from 30 to 50 members. The additional permanent positions will include investigative staff attorneys, trial lawyers and fraud analysts, who will target the full panoply of hot topics in the crypto world.

Read on for details about this development and implications for crypto market participants.

Federal courts in recent Telephone Consumer Protection Act cases served up two victories and one disappointment for the defense. Siding with the defense, the 7th U.S. Circuit Court of Appeals ruled that defendants do not carry the burden of proof at class certification, and the 8th Circuit joined other courts in maintaining a narrow autodialer definition. Defendants were less pleased when the U.S. Supreme Court denied a petition that would have resolved the enforceability of the autodialer prohibitions.

Read our alert to learn more about these developments and their implications for businesses defending against TCPA claims and class actions.

cybersecurity-blue-lock

The Utah Consumer Privacy Act (“UCPA”) passed by the Utah legislature was signed into law by Governor Spencer Cox on March 24, 2022 and becomes effective December 31, 2023. While companies conducting business in Utah will need to familiarize themselves with the law in order to become complaint if they are covered by the statute, the good news is that the UCPA creates only marginally different obligations than those found in California, Colorado, and Virginia’s data privacy laws. Continue Reading New Utah Privacy Law Largely Overlaps with Existing State Statutes

On Feb. 9, U.S. Senators Bill Cassidy and Tammy Baldwin introduced a bill that would create a Commission on Health Data Use and Privacy Protection to study the potential modernization of HIPAA. Introduction of the bill follows a recent trend of increased attention to data privacy at the federal level, both for covered entities and for non-covered entities, including the Department of Health and Human Services’ proposed modifications to HIPAA and HITECH and the Federal Trade Commission’s Health Breach Notification Rule.

Read on to learn more about the proposed commission.

In February, the Financial Industry Regulatory Authority released the 2022 Report on FINRA’s Examinations and Risk Monitoring Program, providing guidance to the broker-dealer industry.

Read on for a discussion of key topics addressed in this year’s report.

On March 9, the U.S. Securities and Exchange Commission proposed new rules that would fundamentally change how public companies treat the reporting and management of cybersecurity incidents and risk.

Read on for details about these proposed rules, which build significantly upon prior guidance by creating express, mandatory disclosure obligations.