Health Insurance Portability and Accountability Act

Next Generation of Patient Care: Balancing Digital Engagement with Patient and Consumer Privacy

Jennifer Geetter and Lisa Schmitz Mazur wrote this bylined article on the regulatory implications of technology-supported devices, resources, and solutions that facilitate patient-provider interaction in health care. "Health industry regulators are struggling with how to apply the existing privacy regulatory regime, and the permitted uses and disclosures for which they provide, in this new world of healthcare innovation," the authors wrote.


Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance (the guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws. The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) that the entities create, receive, maintain or transmit, and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI,...


With No Federal Law in Sight, States Continue to Refine Their Own Data Privacy Laws

With no Congressional consensus to adopt a federal data privacy and breach notification statute, states are updating and refining their already-existing laws to enact more stringent requirements for companies. Two states recently passed updated data privacy laws with significant changes.

Rhode Island

The Rhode Island Identity Theft Protection Act (Rhode Island Data Law), an update to Rhode Island’s already-existing data security and breach notification law, introduces several new requirements for companies that store, collect, process, use or license personal identifying information (PII) about Rhode Island residents. A few of these provisions are particularly noteworthy. First, the new law requires entities to “implement and maintain a risk-based information security program which contains reasonable security procedures and practices,” scaled to the size of the entity and the type of personal information in its possession. Second, the Rhode Island Data...


States Respond to Recent Breaches with Encryption Legislation

In the wake of recent breaches of personally identifiable information (PII) suffered by health insurance companies located in their states, the New Jersey Legislature passed, and the Connecticut General Assembly will consider, legislation that requires health insurance companies offering health benefits within these states to encrypt certain types of PII, including social security numbers, addresses and health information. New Jersey joins a growing number of states (including California (e.g., 1798.81.5), Massachusetts (e.g., 17.03) and Nevada (e.g., 603A.215)) that require organizations that store and transmit PII to implement data security safeguards. Massachusetts’ data security law, for example, requires any person or entity that owns or licenses certain PII about a resident of the Commonwealth to, if “technically feasible” (i.e., a reasonable technological means is available), encrypt information stored on laptops and other portable devices and...


Pressure Points: OCR Enforcement Activity in 2014

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI). The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs.

Security risk assessment is key.

OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough...


When Seeking Cyber Coverage, Preparation is Key

In 2014, major data breaches were reported at retailers, restaurants, online marketplaces, software companies, financial institutions and a government agency, among others. According to the nonprofit Privacy Rights Clearinghouse, 567 million records have been compromised since 2006. Companies with data at risk should consider purchasing so-called cybersecurity insurance to help them weather storms created by assaults on their information infrastructure. A company’s insurance broker and insurance lawyer can be of significant help in procuring insurance that meets the company’s needs. As an additional benefit, preparation for the cybersecurity insurance underwriting process itself will likely decrease the risk of a debilitating cyber incident. The underwriting process for cybersecurity insurance is focused on the system that a company employs to protect its sensitive data, and it can be detailed and exhaustive. Like other insurance carriers, cybersecurity...


New Data Disposal Law in Delaware Requires Action by Impacted Businesses

While the federal government continues its inaction on data security bills pending in Congress, some U.S. states have been busy at work on this issue over the summer. A new Delaware law, H.B. 295, signed into law on July 1, 2014, and effective January 1, 2015, provides for a private right of action in which a court may order up to triple damages in the event a business improperly destroys personal identifying information at the end of its life cycle. In addition to this private right of action, the Delaware Attorney General may file suit or bring an administrative enforcement proceeding against the offending business if doing so is in the public interest. Under the law, personal identifying information is defined as: A consumer’s first name or first initial and last name in combination with any one of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: his or her signature, full date of birth, social...


Trendy “Cybersecurity” Versus Traditional “Information Security”: Two Sides of the Same Security Coin

Cybersecurity has become a dominant topic of the day. The Snowden revelations, the mega-data breaches of 2013, the pervasiveness of invisible online “tracking” and the proliferation of “data broker” trading in personal data all feed into the fears of individuals who struggle to understand how their personal information is collected, used and protected. Over the past year, these forces have begun to merge an old concern of individuals about the security of their personal information into a broader, more universal fear that the country’s infrastructure lies vulnerable. In many respects, however, the concept of cybersecurity is not new. Cybersecurity is a form of information security, albeit perhaps with a broader, more universal view of required security controls. Decades-old statutes include information security requirements for certain types of information: the Health Insurance Portability and Accountability Act (HIPAA) addresses health information and...

