In response to increased cybersecurity threats and significant regulatory enforcement actions, on Dec. 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking seeking to enhance cybersecurity protections under the Security Rule implemented pursuant to the Health Insurance Portability and Accountability Act of 1996. While the proposed rule is
Health Information
Takeaways for Nonprofit Healthcare Systems From SEC Cybersecurity Disclosure Interpretations
When dealing with a cybersecurity incident response, nonprofit healthcare systems have different constituents to consider. Patients and staff who risk having personal information exposed or procedures postponed are the most important, but bondholders of a system’s debt also will want to know about the incident. The Securities and Exchange Commission recently updated its Compliance and…
Ounce of Prevention: Do You Have Business Associate Agreements With Every Required Party?
Applicable Provider Types: All
Is Your Entity in Compliance?
The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements governing each party’s rights and…
Ounce of Prevention: Is It Time to Perform a Security Risk Assessment?
Applicable Provider Types: All
Is Your Entity in Compliance?
The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires covered entities and their business associates to implement policies and procedures to prevent, detect, contain and correct security violations. Under…
OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches
On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows two other recent investigations that led to OCR’s first-ever settlements stemming from ransomware and phishing attacks. …
Continue Reading OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches
Changes Coming to Rules for Handling Children’s Data
On Dec. 20, 2023, the Federal Trade Commission announced its intent to file a notice of proposed rulemaking related to the Children’s Online Privacy Protection Rule — the first proposed changes to the rule in 10 years.
What are some of the key proposed changes?
- Separate Opt-In for Targeted Advertising. Covered service operators are required
Illinois Supreme Court: Certain Collected Biometric Data Is Exempt From BIPA Protections
On Nov. 30, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act, is not protected under the Illinois Biometric Information Privacy Act. Read on for details about this development and…
Homeland Security and HHS Release Interactive Healthcare Cybersecurity Toolkit
In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.…
FTC Proposes Modifying Health Breach Notification Rule for Non-HIPAA Entities
Seeking to formalize its Sept. 15, 2021, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the Federal Trade Commission proposed broadening the Health Breach Notification Rule to cover “most health apps and similar technologies that are not covered by HIPAA.” Read on for details about this proposed rule, which is…
HHS Issues New HIPAA Guidance on Audio-Only Telehealth Services
During the pandemic, audio-only telehealth was a critical tool to provide care to populations that could not use video during telehealth sessions, due to factors such as lack of financial resources, disability or lack of sufficient broadband coverage.
New HHS guidance outlines steps covered entities should take to ensure that their audio-only telehealth practices are…