We have been following the latest on the WannaCry ransomware attack that we first told you about over the weekend. Click here to read the latest from our colleague Cynthia Larose on our Privacy & Security Matters Blog.
Dianne Bourque is a Member in the firm and practices in the Boston office. She advises health care clients on issues including licensure, regulatory, contractual, risk management, and patient care matters as well as issues involving HIPAA and other medical privacy laws. Before joining Mintz Levin, Dianne was an associate staff attorney at the Lahey Clinic. She is also an adjunct professor at Stonehill College, where she teaches a course on health care law.
By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it. Continue Reading Ransomware Attack – Quick Facts
On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017). Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them. During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.” Continue Reading Advice to Healthcare Providers on Ransomware from the Head of the FBI
On January 18th, the U.S. Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule updating regulations for the protection of human research subjects, the so-called “Common Rule.” The original Common Rule had been in place for almost 30 years, with little change despite significant research and technology advances during that time. Further change is on the horizon for the Common Rule, as the 21st Century Cures Act (Cures) includes a mandate for HHS and the Food and Drug Administration (FDA) to harmonize long-standing differences between the Common Rule and FDA Human Subject Protection regulations. Continue Reading The Newly Updated Common Rule is Here – And On a Collision Course With the 21st Century Cures Act
On October 7, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published guidance to assist cloud service providers (CSPs) and their customers with HIPAA compliance. As discussed below, the guidance clarifies important questions about operating in the cloud, including the role of encryption when determining whether a cloud service provider is a business associate. Continue Reading HHS Publishes Guidance on HIPAA and Cloud Computing
Health care providers and other HIPAA-regulated entities should take note of the story on our companion blog, Employment Matters, regarding the augmented reality video game craze Pokémon Go. For those unfamiliar with the most downloaded smartphone video game ever, it involves players chasing adorable computer-generated characters that randomly appear in the player’s immediate surroundings. How could something as delightful as Pikachu present a security risk? When the game is played in camera mode, the player records the Pokémon character, as well as the player’s surroundings – think computer monitors, whiteboards, patients, providers, procedure suites . . .
As with all HIPAA security risks, the best approach is to learn about the risk and take proactive steps to mitigate harm. A great place to start is to read the Mintz Levin overview of Pokémon Go in the Workplace.
On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides that a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations. Continue Reading “Your Money or Your PHI”: OCR Releases Guidance on Ransomware
Federally-funded clinical trials conducted at multiple sites will move to a single Institutional Review Board (IRB) review scheme under a new National Institutes of Health (NIH) Policy. The NIH has finalized its policy to have a single IRB (sIRB) of record conduct the required ethics review for multi-site studies. The NIH cited “systemic inefficiencies” without any increased protection of human subjects under the current system in which a separate IRB conducts the ethics review for each site.
Who does this affect?
The sIRB policy covers NIH-funded non-exempt human subjects research, and applies to the domestic sites of multi-site studies conducting the same research protocol at each site. Foreign sites are not covered. Neither are career development, research training or fellowship awards. This policy does not necessarily apply to industry-sponsored trials or drug and device studies subject to FDA regulation only. Continue Reading NIH Signals “Paradigm Shift” with Policy on Multi-Site Studies
The Medicare Access and CHIP Reauthorization Act (MACRA) proposes a new approach, with new branding labels, to paying clinicians for the value and the quality of care that they provide by replacing a patchwork of existing quality-related programs, including the Electronic Health Records (EHRs) Incentive Programs, also known as “Meaningful Use.” Under MACRA’s Merit-Based Incentive Payment System (MIPS), Advancing Care Information is one of four performance measures. In our first blog on the proposed rule, CMS Releases Proposed Rule for MACRA Implementation and Merit Based Incentive Payment Systems (MIPS), we discussed MIPS more fully. Our final MACRA blog will discuss the Alternative Payment Models (APMs).
Advancing Care Information is a MIPS performance category focused on use of electronic health records (“EHR”). Clinicians will get to choose to report customizable measures that reflect how they use EHR technology in their day-to-day practice, with a particular emphasis on interoperability and information exchange. Clinicians would need to use technologies, standards, policies, and practices to assure that their EHR technology is interoperable, compliant with Office of the National Coordinator for Health IT (ONC) standards (including allowing patients timely access to EHR information to view, download, and transmit) and that it allows for the exchange of structured health information with other health care providers (including unaffiliated providers) using different EHR vendors. Continue Reading CMS Proposes “Advancing Care Information” Program to Replace Meaningful Use
Earlier this month the Department of Health and Human Services Office for Civil Rights (OCR) released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.
The protocol covers the following subject areas:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Breach Notification Rule requirements.