OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
Sarah Beth S. Kuyers is an Associate in the Health Law Practice and is based in the firm’s Washington, DC office. She advises health care providers, pharmacy benefit managers, and laboratories on regulatory issues. Before joining the firm, Sarah Beth was a law clerk with the health staff of the Senate Committee on Finance, where her research focused on commercial insurance reform, health IT, Medicare, Medicaid, and the Affordable Care Act.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
On May 11, 2017, the Senate Health, Education, Labor and Pensions (HELP) Committee voted in support of the FDA Reauthorization Act of 2017, or FDARA, now formally moving through the legislative process as S. 934. The committee voted almost unanimously to move the bipartisan bill forward, with only Senator Bernie Sanders (I-Vt.) and Senator Rand Paul (R-Ky.) voting against it. In an interesting overlap of FDA-related news, the Agency’s brand-new Commissioner, Dr. Scott Gottlieb, was also sworn in on May 11th following a speedy (albeit politically controversial and party-line) confirmation process and Senate vote. With less than a week on the job, Dr. Gottlieb is already receiving pressure from varied stakeholders to ensure the user fee legislation is enacted in a timely manner in order to avoid disrupting the Agency’s work.
We recently updated our chart that tracks state biosimilar substitution laws to include new laws in Iowa and Montana. These new laws bring the total number of states with biosimilar substitution laws to 27, plus Puerto Rico. The latest version of our chart can be found here. As with the laws we’ve seen before, both the Iowa and Montana biosimilar amendments mirror the state’s existing generic drug substitution laws. More specifically, they amend state pharmacy laws to allow, and in some situations require, the substitution of interchangeable biosimilars.
As we’ve previously discussed on Health Law and Policy Matters, agencies within the Department of Health and Human Services (DHHS) pushed through several final rules towards the end of the Obama Administration (see here and here). However, since taking office, President Trump has followed through on his campaign promise to significantly roll back Federal regulations and has taken several actions aimed at slowing and reversing agency regulatory processes, including processes at the DHHS sub-agencies CMS and FDA. These executive actions are creating a climate of uncertainty for regulated industries and their stakeholders.
As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured protected health information (PHI) on October 22, 2013. Presence Health reported the breach to OCR over three months later, on January 31, 2014. OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.
On Tuesday, President Obama signed the 21st Century Cures Act (the “Act”) into law. The Act is a massive piece of legislation that has implications for many different aspects of the interconnected medical research, product development, and health care delivery enterprises. Our colleagues have previously discussed the Act’s many provisions that aim to speed up the process of bringing new drugs and devices to market. One of the Act’s most significant amendments to the Federal Food, Drug and Cosmetic Act will allow FDA to grant accelerated approval to regenerative medicine products, while also providing the Agency with wide discretion on creating new approaches to regenerative medicine. This legislative development is historic given increasing pressure from patients and other stakeholders to move regenerative medicine advancements more quickly from the lab into the clinic.
In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter. This month’s newsletter focuses on the topic of authentication. OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).
Although National Cyber Security Month isn’t until October, September has brought plenty of privacy and security updates that health care companies need to be aware of. In this post, we review guidance from the Office for Civil Rights (OCR) on cyberattacks, describe new state breach notification laws, and highlight the upcoming NIST/OCR security conference.