Categories
Health Law Highlights

Comprehensive Federal Privacy Bill May Open Backdoor for HIPAA Private Right of Action

Summary of article from Fox Rothschild, by Elizabeth Litten:

The American Privacy Rights Act of 2024 (APRA) is a comprehensive federal data privacy bill that would establish national data privacy rights and protections and preempt existing state data privacy laws. It would be enforced by the Federal Trade Commission, by the states, and by affected individuals. The bill includes a provision for entities subject to the Health Insurance Portability and Accountability Act (HIPAA), requiring them to comply with HIPAA’s privacy and security requirements. It also leaves room for entities that fail to comply to face APRA’s more robust enforcement mechanisms, including a right for individuals to sue over alleged HIPAA violations. Given the complexity and evolving nature of HIPAA compliance requirements, how APRA’s HIPAA provisions would operate in practice is uncertain.

Categories
Health Law Highlights

Healthcare Still Underprepared for Scope of Cyber Threats, Says Report

Summary of article from Healthcare IT News, by Andrea Fox:

A new report from Kroll reveals a discrepancy between healthcare organizations’ self-assessment of their cybersecurity maturity and the reality of their readiness. Despite healthcare being among the most breached sectors, many organizations in the industry rate their cybersecurity processes as “very mature”. The report also identifies remote access as a key vulnerability, with ransomware groups increasingly gaining initial access through external remote services. Kroll warns of increased scrutiny and accountability for C-suite executives in overseeing cybersecurity defenses. The report concludes that healthcare organizations must close this “self-diagnosis gap” and enhance their security measures to protect against cyber threats.

Categories
Health Law Highlights

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

Summary of article from The HIPAA Journal, by Steve Adler:

Ernest Health, a Texas-based health system, is facing a lawsuit following a cyberattack that compromised the protected health information of approximately 94,747 patients. The breach, claimed by the LockBit ransomware group, occurred between January 16, 2024, and February 4, 2024, leading to unauthorized access to sensitive patient data. The lawsuit, filed by Joe Lara and Lauri Cook, alleges that Ernest Health had insufficient cybersecurity measures and training, resulting in the inability to prevent or effectively respond to the breach. The plaintiffs claim that the 73-day delay in individual notifications hindered their ability to mitigate damages and that the response measures, including credit monitoring and identity theft protection, were inadequate. The lawsuit seeks a jury trial, various forms of relief, and damages, alleging negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty.

Categories
Alert

Proposed FTC Order will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require it to Pay $7 Million

Cerebral, Inc., a telehealth company, has agreed to settle Federal Trade Commission (FTC) charges over its failure to secure and protect sensitive consumer health data. The settlement requires Cerebral to pay $7 million for disclosing consumers’ personal health information to third parties for advertising purposes and for failing to honor its cancellation policies. The FTC alleged that Cerebral violated consumers’ privacy by revealing sensitive mental health conditions across the internet and in the mail. The proposed order would restrict Cerebral’s use and disclosure of sensitive consumer data and require the company to implement a comprehensive privacy and data security program. The order, which must be approved by a court, also mandates that Cerebral provide an easy way for consumers to cancel services.

Categories
Health Law Highlights

Bogus Botox Poisoning Outbreak Spreads to 9 States, CDC Says

Summary of article from Ars Technica, by Beth Mole:

The Centers for Disease Control and Prevention (CDC) reported that 19 women across nine US states have been poisoned by counterfeit Botox injections. Almost half of these cases resulted in hospitalization, and four individuals were treated with botulinum antitoxin. The Food and Drug Administration (FDA) reported that the fake products were administered by unlicensed or untrained individuals in non-medical or unlicensed settings. The FDA and CDC noted that symptoms from the counterfeit injections resemble botulism, including blurred vision, difficulty swallowing, dry mouth, constipation, and muscle weakness, and advised anyone experiencing these symptoms to seek immediate medical attention. The counterfeit Botox was primarily used for cosmetic purposes by women aged between 25 and 59. Exposure to the counterfeit product can lead to botulism or a similar illness, potentially resulting in muscle paralysis or even death.

Categories
Health Law Highlights

PE-Owned Health Care Saw Surge in 2023 Bankruptcies, Report Says

Summary of article from Mergers & Acquisitions, by Bloomberg News:

Private equity (PE)-backed businesses accounted for about 20% of the 80 bankruptcies in the healthcare sector in 2023, according to the Private Equity Stakeholder Project. Additionally, venture-capital backed companies made up another 15% of these filings. The report predicts this trend of healthcare bankruptcies will continue in 2024, especially among companies owned by PE firms. Two of the largest bankruptcies in 2023 were KKR Group’s Envision Healthcare Corp. and GenesisCare. The report also highlighted that increased regulation, high expenses, and the impact of the pandemic have contributed to the distress in the healthcare sector.

Categories
Alert

Consumer Health Information: Handle With (Extreme) Care

From the Federal Trade Commission, Business Blog, by Lesley Fair:

The Federal Trade Commission (FTC) has taken action against online healthcare providers Cerebral and Monument, Inc. for allegedly violating consumer privacy rights. Both companies were accused of sharing sensitive health data with third-party advertising platforms without consumer consent. Cerebral was also charged with misleading cancellation practices, while Monument was accused of falsely claiming HIPAA compliance.

The FTC’s lawsuit against Cerebral resulted in a settlement that included a $5.1 million judgment for consumer refunds, a $10 million civil penalty (suspended after a $2 million payment due to the company’s inability to pay the full amount), and injunctive provisions to change the company’s business practices, including a ban on using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.

The proposed order against Monument includes a ban on sharing data with third parties for advertising and a $2.5 million civil penalty (suspended due to the company’s inability to pay).

Businesses, especially those in the health sector, must substantiate any privacy or security representations they make and integrate privacy and data security into their operations. The FTC also insists that companies must provide simple mechanisms for consumers to cancel services and stop recurring charges.

Categories
Health Law Highlights

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

From Ars Technica, by Andy Greenberg and Matt Burgess:

Change Healthcare, a prominent healthcare company in the U.S., has been embroiled in a significant ransomware debacle, initially victimized by the group AlphV, which encrypted the company’s network and received a $22 million ransom payment. Now, a new ransomware group, RansomHub, claims to possess 4 terabytes of Change Healthcare’s stolen data and is demanding its own ransom. While the origins of RansomHub’s data are unclear, security analysts suggest that the threat may be legitimate. This situation highlights the risk of re-extortion in ransomware attacks and the untrustworthiness of cybercriminals, even after ransoms are paid. The ongoing attack has caused severe disruptions across U.S. medical practices, with 80% of clinicians reporting revenue loss and many facing potential bankruptcy.

Categories
Health Law Highlights

CMS Issues Hospice Proposed Payment Rule

From King & Spalding, by Kate Karpenko:

CMS has issued a proposed rule for fiscal year 2025 to update Medicare hospice payments and the aggregate cap amount, including a 2.6% payment increase and an updated aggregate cap of $34,364.85. The proposal also introduces changes to the Hospice Quality Reporting Program (HQRP), including the addition of two new measures and the use of the Hospice Outcomes and Patient Evaluation (HOPE) tool for patient data collection. It also suggests changes to the Hospice Consumer Assessment of Healthcare Providers and Systems (CAHPS) Survey, including a web-mail mode and a simplified survey. Technical changes are proposed to the Conditions of Participation (CoPs) to clarify language around the roles of the medical director and physician designee. Stakeholders are encouraged to submit comments on the proposed rule by May 28, 2024.

Categories
Health Law Highlights

Online Tracking Technologies: Updated HIPAA Guidance Creates Uncertainty

From Morgan Lewis, by W. Reece Hirsch, Amy M. Magnano, Michael J. Madderra, Sydney Reed Swanson:

The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies, causing further uncertainty for HIPAA-covered entities. OCR acknowledges that tracking technologies, such as cookies and web beacons, can unintentionally capture protected health information (PHI), thus implicating HIPAA. The updated guidance states that individually identifiable health information (IIHI) collected on a regulated entity’s website or app is generally considered PHI, even without specific treatment or billing details. The guidance differentiates between authenticated and unauthenticated pages, warning that PHI could be accessible even on unauthenticated pages. The update presents a compliance challenge for HIPAA-regulated entities, as discerning the subjective intent of website visitors is difficult, and entities must also consider other federal and state laws where HIPAA does not apply.
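The mechanism OCR is describing, shown in code as an added illustration that is not part of the Morgan Lewis article or of OCR’s guidance: a typical third-party web beacon assembles its request from page context, and two of those fields (a persistent client identifier and the full page URL with its query string) are what turn an ordinary page view into individually identifiable health information. The vendor endpoint `tracker.example`, the parameter names `cid`/`dl`/`dr`, the hospital site paths, the “sensitive” query keys and the sample visits are all assumptions chosen for the example, not a real vendor’s API or a real covered entity’s site.

```javascript
// Added example (not from the article or OCR): how a third-party web
// beacon carries page context off-site, a hardened variant, and an audit
// over constructed sample visits. Endpoint, parameter names, site paths
// and query keys are assumptions.

// Typical beacon: the vendor receives a persistent client ID cookie plus
// the full page URL (query string included) and the referrer.
function buildBeaconRequest(pageUrl, referrer, clientId) {
  const u = new URL("https://tracker.example/collect");
  u.searchParams.set("cid", clientId); // persistent identifier -> "individually identifiable"
  u.searchParams.set("dl", pageUrl);   // page URL incl. ?q=... -> what health content was visited
  u.searchParams.set("dr", referrer);  // where the visitor came from
  return u.toString();
}

// Assumed site layout: these prefixes sit behind a patient login; these
// query keys carry what a visitor typed or selected on a public page.
const AUTH_PATH_PREFIXES = ["/portal/", "/myhealth/", "/appointments/"];
const SENSITIVE_QUERY_KEYS = ["q", "search", "symptom", "condition", "provider"];

// Classify a page the way an audit would: authenticated vs. unauthenticated,
// and which query parameters would reach the vendor through the dl field.
function classifyPage(pageUrl) {
  const u = new URL(pageUrl);
  const authenticated = AUTH_PATH_PREFIXES.some((p) => u.pathname.startsWith(p));
  const sensitiveParams = [...u.searchParams.keys()].filter((k) =>
    SENSITIVE_QUERY_KEYS.includes(k)
  );
  return { authenticated, sensitiveParams };
}

// Hardened variant: no beacon at all on authenticated pages; on public
// pages the query string is dropped and the referrer is cut to its origin
// before the request is built.
function hardenedBeaconRequest(pageUrl, referrer, clientId) {
  const { authenticated } = classifyPage(pageUrl);
  if (authenticated) return null;
  const u = new URL(pageUrl);
  u.search = "";
  const refOrigin = referrer ? new URL(referrer).origin : "";
  return buildBeaconRequest(u.toString(), refOrigin, clientId);
}

// Audit: for each visit, would the beacon this site fires reach the vendor
// from an authenticated page, or still carry the visitor's sensitive input?
function audit(visits, beaconFn, clientId) {
  const findings = [];
  for (const { url, referrer } of visits) {
    const req = beaconFn(url, referrer, clientId);
    if (req === null) continue; // nothing was sent
    const { authenticated, sensitiveParams } = classifyPage(url);
    if (authenticated) {
      findings.push({ url, reason: "beacon fired on authenticated page" });
    }
    const sentPage = new URL(new URL(req).searchParams.get("dl"));
    const leaked = sensitiveParams.filter((k) => sentPage.searchParams.has(k));
    if (leaked.length) {
      findings.push({ url, reason: `query keys sent to vendor: ${leaked.join(",")}` });
    }
  }
  return findings;
}

// Constructed sample visits (not real traffic).
const SAMPLE_VISITS = [
  { url: "https://hospital.example/find-a-doctor?q=hiv+testing&zip=75201",
    referrer: "https://www.google.com/search?q=hiv+clinic+dallas" },
  { url: "https://hospital.example/portal/labs/results?id=9981",
    referrer: "https://hospital.example/portal/home" },
  { url: "https://hospital.example/about-us", referrer: "" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive beacon:", audit(SAMPLE_VISITS, buildBeaconRequest, "cid-abc123"));
  console.log("hardened beacon:", audit(SAMPLE_VISITS, hardenedBeaconRequest, "cid-abc123"));
}
```

Run against the sample visits, the naive beacon produces two findings (the `q=hiv+testing` search reaches the vendor, and a beacon fires inside the patient portal) and the hardened one produces none. Note the limit of this fix in light of OCR’s position on unauthenticated pages: the path alone (a visit to an oncology service page, say) combined with the persistent `cid` may still be IIHI depending on why the visitor came, so stripping query strings narrows the exposure rather than settling the HIPAA question.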