Mintz Levin has updated the Mintz Matrix, a comprehensive summary of the data breach notification laws that now exist in all 50 states (South Dakota and Alabama finally caved and enacted their own laws). It’s critical that HIPAA-regulated entities monitor these state laws because they apply simultaneously, and often conflict with, HIPAA. In the event of a data breach, regulated entities must fulfill HIPAA’s breach notification requirements and the requirements of applicable state law. Large-scale data breaches, affecting individuals from multiple states, require the rapid analysis of multiple state laws along with HIPAA requirements. But don’t wait for a crisis to review the Matrix. HIPAA covered entities and business associates should use it to familiarize themselves with the breach notification requirements of the states in which they do business, and use the Matrix to inform incident response planning activities. The Matrix is also useful for monitoring patterns and trends among state laws in this area. For example, state data breach notification laws have historically been implicated by the loss of information that could be used for identity theft, such as name coupled with social security, debit or credit card numbers. However, many states now require breach notification when health care information is used or disclosed without authorization, even if it is not associated with a social security number and even if HIPAA does not apply. You can learn more about the Matrix and download a copy on our Privacy and Security Matters blog.
Dianne Bourque is a Member in the firm and practices in the Boston office. She advises health care clients on issues including licensure, regulatory, contractual, risk management, and patient care matters as well as issues involving HIPAA and other medical privacy laws. Before joining Mintz Levin, Dianne was an associate staff attorney at the Lahey Clinic. She is also an adjunct professor at Stonehill College, where she teaches a course on health care law.
As we look back on 2017, one message is clear: don’t be a Scrooge when it comes to HIPAA compliance. With ever-evolving security threats and unrelenting enforcement, regulated entities must maintain a spirit of compliance that lasts the whole year through. It is in that spirit – and with apologies to Charles Dickens – that our HIPAA year in review is brought to you by the ghosts of HIPAA Past, HIPAA Present and HIPAA Yet to Come.
The Ghost of HIPAA Past
2017 continued to be haunted by large-scale data breaches. As reported by our Privacy & Security colleagues, Equifax announced one of the largest breaches in US history in September, which involved highly sensitive information such as social security numbers and birth dates. The Equifax breach didn’t involve health information, but in July, OCR sent a clear message regarding the importance of health information security and ratcheted up the fear factor associated with its HIPAA Breach Reporting Tool (HBRT), commonly referred to as the HIPAA “Wall of Shame.” The updates make it easier to search and view information about data breaches and make it harder for offenders to hide in the aftermath of a breach. Continue Reading Bah, Humbug! HIPAA Compliance Isn’t Getting Any Easier
A draft bill recently introduced in the U.S. Senate serves as a good reminder that compliance with data breach reporting requirements is critical. This bill follows significant, high-profile data breaches by Uber and Equifax, both of which involved millions of individuals (87 million and 145 million, respectively) and both of which went unreported for a significant period of time following discovery by the companies. Equifax took more than a month to notify the public, while Uber took more than a year. Continue Reading Proposed Law Would Criminalize Failures to Report Data Breaches
Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data—including highly sensitive information—to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. This latest installment in our health app series will introduce some of these considerations, including approaches that developers can take to minimize their risk. Continue Reading Building a Health App? Part 6: HIPAA and Other Privacy and Security Considerations
Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.
The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people). Continue Reading The HIPAA “Wall of Shame” is Now Easier to Navigate
By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it. Continue Reading Ransomware Attack – Quick Facts
On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017). Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them. During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.” Continue Reading Advice to Healthcare Providers on Ransomware from the Head of the FBI
On January 18th, the U.S. Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule updating regulations for the protection of human research subjects, the so-called “Common Rule.” The original Common Rule had been in place for almost 30 years, with little change despite significant research and technology advances during that time. Further change is on the horizon for the Common Rule, as the 21st Century Cures Act (Cures) includes a mandate for HHS and the Food and Drug Administration (FDA) to harmonize long-standing differences between the Common Rule and FDA Human Subject Protection regulations. Continue Reading The Newly Updated Common Rule is Here – And On a Collision Course With the 21st Century Cures Act
On October 7, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published guidance to assist cloud service providers (CSPs) and their customers with HIPAA compliance. As discussed below, the guidance clarifies important questions about operating in the cloud, including the role of encryption when determining whether a cloud service provider is a business associate. Continue Reading HHS Publishes Guidance on HIPAA and Cloud Computing