Health Information

Subscribe to Health Information

There are many laws at the state and federal level that regulate the processing of genetic information.  There may soon be one more.

Earlier this month, the California Senate took up consideration of SB 980, the Genetic Information Privacy Act (“GIPA”), which “would prohibit a direct-to-consumer genetic testing services company from disclosing a person’s genetic information to a third party without obtaining the person’s prior written consent.”  As the bill itself acknowledges, the California Consumer Privacy Act of 2018 (the “CCPA”) already regulates the processing of biometric information, including DNA.  Other laws such as the federal Genetic Information Nondiscrimination Act of 2008 (“GINA”) and its California counterpart (“CalGINA”) prohibit genetic discrimination.  However, there are four key differences in how the GIPA would treat genetic information as compared to the CCPA: (1) the GIPA would create a requirement to obtain written opt-in consent for any disclosure of genetic information to a third party; (2) limit the use of genetic information to the purpose specifically authorized by the individual to whom it pertains; (3) require destruction of the information as soon as this purpose is achieved; and (4) depending on the circumstances, impose criminal as well as civil liability for violations.Continue Reading The California Genetic Information Privacy Act: How This Proposed Legislation Fits in the California Privacy Regulation Framework

A recent letter from researchers at the Mayo Clinic to the editor of The New England Journal of Medicine outlined a new challenge in de-identifying, or preserving the de-identified nature of, research and medical records.[1]  The Mayo Clinic researchers described their successful use of commercially available facial recognition software to match the digitally reconstructed images of research subjects’ faces from cranial magnetic resonance imaging (“MRI”) scans with photographs of the subjects.[2]  MRI scans, often considered non-identifiable once metadata (e.g., names and other scan identifiers) are removed, are frequently made publicly available in published studies and databases.  For example, administrators of a national study called the Alzheimer’s Disease Neuroimaging Initiative estimate other researchers have downloaded millions of MRI scans collected in connection with their study.[3]  The Mayo Clinic researchers assert that the digitally reconstructed facial images, paired with individuals’ photographs, could allow the linkage of other private information associated with the scans (e.g., cognitive scores, genetic data, biomarkers, other imaging results and participation in certain studies or trials) to these now-identifiable individuals.[4]
Continue Reading Technology Continues to Outflank Health Information Anonymization

In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.
Continue Reading Unencrypted Mobile Devices Cost Medical Center $3 Million In HIPAA Settlement

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has collected over $2.15 million in civil penalties from Miami-based Jackson Health System (JHS) for multiple violations of the Security and Breach Notification Rules under HIPAA. JHS is a nonprofit academic medical system that serves approximately 650,000 patients a year in six major hospitals and a network of affiliated healthcare facilities. This is the first publicized imposition of civil monetary penalties under HIPAA in recent years, in contrast to the many publicized settlements of alleged violations, indicating that JHS’ violations were severe.
Continue Reading Jackson Health System Slammed With $2.15 Million Penalty for Privacy Breaches

Social media posts have become so common and reflexive that people often fire off posts without appropriately considering the consequences.  This can be costly on multiple fronts.  In the health care context, beyond the risk of losing patients (and the revenue they bring), inappropriate posts can result in Health Insurance Portability and Accountability Act (HIPAA) violations.  Indeed, as the Director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has stated, “Social media is not the place for providers to discuss a patient’s care… [doctors] and dentists must think carefully about patient privacy before responding to online reviews.”  Of course, this warning is not limited to dentists; all health care providers should take heed. 
Continue Reading From Yelp to YIKES! Dental Practice’s Social Media Posts Result in $10,000 HIPAA Settlement

In 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided a variety of guidance to address the importance of honoring the right of patients to have access to their medical information and not to be over-charged for exercising that right.

Earlier this week, the OCR announced an enforcement action and settlement under its Right of Access Initiative against Bayfront Health St. Petersburg (Bayfront) in Florida. This settlement, the first of its kind under OCR’s initiative to enforce patients’ rights to promptly receive copies of their medical records without being overcharged, has cost Bayfront $85,000. The 480-bed hospital is also required to undertake a corrective action plan that includes a one-year period of monitoring by OCR.
Continue Reading OCR Proves it is Serious About HIPAA’s Right of Access

On April 30, 2019, the United States Department of Health and Human Services (HHS) published a notice of enforcement discretion that lowers most of the annual caps on civil money penalties (CMP). HHS may assess against Covered Entities and Business Associates for violating the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  Specifically, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers that progressively increases from the first to the fourth penalty tier and maxes out at $1.5 million per violation per year.
Continue Reading HHS Lowers Annual Caps on Most HIPAA CMPs

The Office for Civil Rights (OCR) recently released a Fact Sheet regarding “Direct Liability of Business Associates.” In this Fact Sheet, OCR reminds entities that, as of 2009, HIPAA business associates have been directly liable for certain violations of the HIPAA rules. By way of background, business associates are various entities that require “protected health information” to support HIPAA “covered entities” (health care providers, health care insurers, and health care clearinghouses) or other business associates in carrying out various functions.
Continue Reading OCR Issues Fact Sheet On HIPAA Business Associate Liability

The Department of Health and Human Services (HHS) recently released a report titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” HHS details the following notable statistics to underscore the need for continuing improvement in cybersecurity for those in the healthcare industry: (1) in the United States, four out of five physicians have reported experiencing some form of cyberattack; (2) ninety percent of small businesses do not use any data protection for customer information (including the healthcare industry), (3) fifty-eight percent of malware attack victims are small businesses, and (4) healthcare has the highest data breach cost per record of any industry — almost double of the second highest industry, the financial sector.  These statistics underscore the need for a robust cybersecurity plan for anyone in the healthcare industry, especially smaller companies or providers who may have traditionally ignored cybersecurity protection measures due to the associated costs.
Continue Reading HHS Issues Voluntary Cybersecurity Guidance for the Healthcare Industry

The HIPAA Security Rule requires covered entities and business associates to implement physical, administrative, and technical safeguards to protect protected health information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance warning that “essential” physical security is often overlooked.
Continue Reading Don’t Neglect Physical Safeguards as Part of HIPAA Security Compliance