On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows two other recent investigations that led to OCR’s first-ever settlements stemming from ransomware and phishing attacks.
Continue Reading OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches

On Nov. 30, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act, is not protected under the Illinois Biometric Information Privacy Act. Read on for details about this development and

In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.

Seeking to formalize its Sept. 15, 2021, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the Federal Trade Commission proposed broadening the Health Breach Notification Rule to cover “most health apps and similar technologies that are not covered by HIPAA.” Read on for details about this proposed rule, which is

During the pandemic, audio-only telehealth was a critical tool to provide care to populations that could not use video during telehealth sessions, due to factors such as lack of financial resources, disability or lack of sufficient broadband coverage.

New HHS guidance outlines steps covered entities should take to ensure that their audio-only telehealth practices are

In 2021, the Health Information Technology for Economic and Clinical Health Act (HITECH) was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human

On Sept. 15, the Federal Trade Commission issued a policy statement emphasizing that developers of health apps and other connected devices and their service providers must meet breach notification requirements under the Health Breach Notification Rule, including a rapid 10-day notice period to the FTC and a 60-day notice period to individuals and the media.

On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), discussed in a previous McGuireWoods’ post. The comment period for these proposals recently ended on May 6, 2021, and HHS received almost 1500 comments from interested stakeholders. If finalized, these proposals will require HIPAA-covered entities and business associates to implement many changes, including updates to their policies, procedures, security standards, notices of privacy practices, authorization and disclosure forms, and business associate agreements. In the age of digital targeting and ransomware, possibly the most important of these is a change to security standards.
Continue Reading As HIPAA, HITECH Undergo Modernization, NIST Seeks Comment on Security Standard Guidance

On March 9, the Department of Health and Human Services announced it was extending until May 6, 2021, the comment period for proposed changes to regulations implementing the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.

Read our complete alert to learn