Photo of Dianne Bourque

Dianne Bourque is a Member in the firm and practices in the Boston office. She advises health care clients on issues including licensure, regulatory, contractual, risk management, and patient care matters as well as issues involving HIPAA and other medical privacy laws. Before joining Mintz Levin, Dianne was an associate staff attorney at the Lahey Clinic. She is also an adjunct professor at Stonehill College, where she teaches a course on health care law.

Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data—including highly sensitive information—to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. This latest installment in our health app series will introduce some of these considerations, including approaches that developers can take to minimize their risk. Continue Reading Building a Health App? Part 6: HIPAA and Other Privacy and Security Considerations

Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.

The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people). Continue Reading The HIPAA “Wall of Shame” is Now Easier to Navigate

By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid.  Here are some quick facts about the WannaCry attack and suggestions for avoiding it. Continue Reading Ransomware Attack – Quick Facts

On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017).  Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them.   During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.” Continue Reading Advice to Healthcare Providers on Ransomware from the Head of the FBI

On January 18th, the U.S. Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule updating regulations for the protection of human research subjects, the so-called “Common Rule.”  The original Common Rule had been in place for almost 30 years, with little change despite significant research and technology advances during that time.  Further change is on the horizon for the Common Rule, as the 21st Century Cures Act (Cures) includes a mandate for HHS and the Food and Drug Administration (FDA) to harmonize long-standing differences between the Common Rule and FDA Human Subject Protection regulations.    Continue Reading The Newly Updated Common Rule is Here – And On a Collision Course With the 21st Century Cures Act

On October 7, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published guidance to assist cloud service providers (CSPs) and their customers with HIPAA compliance. As discussed below, the guidance clarifies important questions about operating in the cloud, including the role of encryption when determining whether a cloud service provider is a business associate. Continue Reading HHS Publishes Guidance on HIPAA and Cloud Computing

Health care providers and other HIPAA-regulated entities should take note of the story on our companion blog, Employment Matters, regarding the augmented reality video game craze Pokémon Go.  For those unfamiliar with the most downloaded smartphone video game ever, it involves players chasing adorable computer-generated characters that randomly appear in the player’s immediate surroundings.  How could something as delightful as Pikachu present a security risk?  When the game is played in camera mode, the player records the Pokémon character, as well as the player’s surroundings – think computer monitors, whiteboards, patients, providers, procedure suites . . .

As with all HIPAA security risks, the best approach is to learn about the risk and take proactive steps to mitigate harm.  A great place to start is to read the Mintz Levin overview of Pokémon Go in the Workplace.

On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes.  Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.”   Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA.  A key component of the guidance provides a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach.  As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations. Continue Reading “Your Money or Your PHI”: OCR Releases Guidance on Ransomware

Federally-funded clinical trials conducted at multiple sites will move to a single Institutional Review Board (IRB) review scheme under a new National Institutes of Health (NIH) Policy. The NIH has finalized its policy to have a single IRB (sIRB) of record conduct the required ethics review for multi-site studies. The NIH cited “systemic inefficiencies” without any increased protection of human subjects under the current system in which a separate IRB conducts the ethics review for each site.

Who does this affect?

The sIRB policy covers NIH-funded non-exempt human subjects research, and applies to the domestic sites of multi-site studies conducting the same research protocol at each site. Foreign sites are not covered. Neither are career development, research training or fellowship awards. This policy does not necessarily apply to industry-sponsored trials or drug and device studies subject to FDA regulation only.  Continue Reading NIH Signals “Paradigm Shift” with Policy on Multi-Site Studies