On April 22, 2024, the Office for Civil Rights (OCR) for the United States Department of Health and Human Services issued a Final Rule amending the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). The Final Rule, which goes into effect on June 25, 2024, promulgates
Privacy Law
HHS Publishes Roadmap of New Strategy for Cybersecurity in the Healthcare Sector
The U.S. Department of Health and Human Services (HHS) recently issued a strategy paper highlighting key aspects of its plan to revamp cybersecurity requirements in the healthcare industry. Citing a 93% increase in large data breaches in healthcare from 2018 to 2022 and a rapid increase in ransomware attacks against…
Another Resolution by DOJ Pursuant to its Civil Cyber-Fraud Initiative Highlights Continued Efforts to Hold Companies Accountable for Ensuring Data are Secured
By Matthew J. Westbrook & Ryan P. Blaney on
We previously wrote about the United States Department of Justice’s (“DOJ”) Civil Cyber-Fraud Initiative (“CCFI”), which “aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” In that post, we summarized DOJ’s first two False Claims Act (“FCA”) resolutions pursuant to the CCFI, which amounted to more than $9 million in recoveries.
FTC’s One-Two Punch on Data Tracking and Health Privacy
By Ryan P. Blaney on
On March 2, 2023, the Federal Trade Commission (FTC) announced that it had reached a $7.8 million settlement with mental health and online counseling platform, BetterHelp, Inc. (“BetterHelp”). The FTC alleged that BetterHelp shared consumers’ sensitive health data combined with other personal information (PI) with third party advertising platforms without…
FTC Blog Post Highlights Regulatory Focus on Collection of Location and Health Data
By Jeffrey Neuburger on
On July 11, 2022, the Federal Trade Commission (FTC) published “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” on its Business Blog. The blog post is likely related to an Executive Order (the “EO”)…
Privacy Post-Dobbs
By Whitney Phelps & Angela Gichinga on
Fifty years of legal precedent established by Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood of Southern Pa. v. Casey, 505 U.S. 833 (1992), were overturned in Dobbs v. Jackson Women’s Health Organization, holding that the Constitution does not confer a right to abortion and leaving…
HHS Issues HIPAA Guidance on Remote Communication Technologies for Audio-Only Telehealth
By Ryan P. Blaney on
The Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently issued new regulatory guidance relating to covered entities’ HIPAA-compliant use of remote communication technologies for audio-only telehealth services. This guidance is a direct response to a December 2021 Executive Order that tasked HHS with developing HIPAA guidance for telehealth services, with the stated goals of improving “patient experience and convenience” as the COVID-19 public health emergency subsides. HHS has issued this guidance in anticipation of the national public health emergency ending, at which time OCR’s Telehealth Notification loses effect.
The new HIPAA guidance affects covered entities in four key ways.
Department of Health and Human Services Issues Request for Information on Cybersecurity Standards
By Ryan P. Blaney & Vincent J. Tennant on
The Department of Health and Human Services (“HHS”) has issued a formal request for information from the public about how regulated entities are implementing industry recognized security practices. The request for information represents a chance for the private sector to contribute to HHS regulation. Interested parties have until June 6,…