Categories
Health Law Highlights

Healthcare Organizations at Risk of Data Breach Due to Insecure File Sharing Practices

Summary of article from HIT Consultant, by Fred Pennic:

A recent report highlights significant vulnerabilities in healthcare organizations’ data security practices, particularly concerning insecure file sharing. Key findings reveal that 25% of publicly shared files and 68% of externally shared private files contain Personally Identifiable Information (PII), while 77% of internally shared private files also include PII. Additionally, many organizations fail to update or remove access permissions, increasing security risks. The consequences of these practices include rising data breaches, substantial financial impacts from ransomware attacks, and potential compliance violations with HIPAA and GDPR regulations. The report also notes the risk to financial data, such as credit card information, stored in insecure files. To mitigate these risks, healthcare organizations must adopt robust data loss prevention (DLP) solutions and data security tools to ensure proper handling and sharing of sensitive information. Metomic emphasizes the need for these tools to prevent data leaks and protect both patient information and organizational integrity.


Pharmacy Association and 40 Providers Sue Change Healthcare Over Cyberattack

Summary of article from The HIPAA Journal, by Steve Adler:

The National Community Pharmacists Association (NCPA) and over 40 healthcare providers from 22 states are suing Change Healthcare, Optum, and UnitedHealth Group following a February 2024 ransomware attack. This Blackcat ransomware incident resulted in significant disruptions, as Change Healthcare’s critical systems were taken offline, affecting claims processing and revenue management for numerous providers nationwide. The plaintiffs argue that the defendants failed to implement adequate security measures and did not provide timely guidance or support, exacerbating financial hardships for healthcare providers. The lawsuit, which spans 140 pages, includes claims of negligence, breach of contract, and violations of various state consumer protection laws. It seeks permanent injunctive relief, enhanced security measures, and various forms of damages.


6 Steps to Release a Medical IoT Device

Summary of article from Edge Industry Review, by Gilad David Maayan:

Releasing a medical IoT device involves a detailed process to ensure its effectiveness, compliance, and market viability. The first step is conducting market research to assess demand, compare with competitors, and evaluate market size and acceptance, guiding stakeholders on investment decisions. Regulatory planning is crucial, requiring familiarity with laws like the EU MDR and FDA regulations to define the device’s use and ensure compliance.

Design controls must be documented throughout development, adhering to standards such as ISO 13485 to maintain product quality. Establishing a tailored Quality Management System (QMS) addresses design, risk, and supply chain management, ensuring compliance with relevant standards. Clinical evaluation demonstrates the device’s safety and efficacy through trials or literature review, summarizing risks and benefits.

Postmarket surveillance is essential for ongoing monitoring of the device’s performance, ensuring long-term safety and effectiveness, and complying with stringent regulations. Edge computing enhances medical IoT devices by enabling local data processing, which speeds up analysis and response times, reduces reliance on internet connectivity, and ensures functionality in remote areas. Key considerations include hardware capabilities, data security, interoperability, and processing speed, all vital for timely healthcare decisions.

The Internet of Medical Things (IoMT) is transforming healthcare by providing personalized, detailed treatment outside hospitals. Despite the complexity of development and regulatory approval, these devices offer significant potential for improved patient outcomes and profitability.


Vanishing Texas Companies Linked to Millions in Fraudulent Medicare Billings

Summary of article from MSN, by Brian New:

CBS News Texas’ investigation into alleged Medicare fraud uncovered over $200 million in fraudulent activities linked to several companies, prompting numerous viewers to report their own experiences with Medicare fraud. A subsequent report identified 11 additional Texas-based medical supply companies potentially involved in fraudulent practices. Many of these companies, such as Lone Star Medlab Laboratories and Peak Health Diagnostics, were found to have vacated their offices and disconnected their contact numbers. Aids for Recovery faced numerous complaints for fraudulent billing and had abandoned their office, leaving behind unopened Medicare correspondence. The Centers for Medicare & Medicaid Services (CMS) confirmed ongoing investigations into these companies, suspected of nearly $3 billion in fraudulent catheter billing.


Balancing Act: Industry Concerns Over CISA’s Proposed Cyber Incident Reporting Rule

Summary of article from Bradley Arant Boult Cummings LLP, by Sinan Pismisoglu, Eric Setterlund:

The proposed cyber incident reporting rule by the Cybersecurity and Infrastructure Security Agency (CISA) aims to enhance national cyber defenses but has raised concerns about its broad scope and potential overreporting, which could overwhelm CISA with low-value data. Industry groups, particularly in manufacturing and healthcare, worry about the rule’s impact, citing increased compliance burdens and potential disruptions. Recommendations to address these issues include narrowing the rule’s scope, harmonizing reporting mechanisms, providing support to smaller entities, and tailoring requirements to specific industry needs. The debate highlights the need for a balanced approach that strengthens cybersecurity while ensuring practical compliance for businesses. Collaboration between CISA and industry stakeholders is essential to refine the rule and achieve this balance.


HSBC Venture Healthcare Report: 1H 2024

Summary of article from Foley & Lardner LLP, by Antoinette F. Konski:

Key findings include a reversal of the 2023 decline in Healthtech investments, stable Med Device investments driven by first-financing deals, and a notable 35% increase in Biopharma investments with significant private deals. The Dx/Tools sector saw a decline in first-financing deals but benefited from growth investors for companies nearing commercialization. Overall, the report highlights increased investment activity across all sectors, with heightened IPO interest and significant private M&A deals in Biopharma.


The TDPSA: A New Sheriff in Town for Texas Data Controllers and Processors

Summary of article from Vinson & Elkins LLP, by Maggie Eller, Briana Falcon, Jeffrey Johnston, Michael Kurzer:

The Texas Data Privacy and Security Act (TDPSA), effective from July 1, 2024, mandates compliance from businesses operating in Texas or providing products/services to Texas residents, excluding small businesses and specific entities like state agencies and nonprofits. It defines consumer rights, responsibilities for data controllers and processors, and includes stringent requirements for handling personal and sensitive data. Sensitive data encompasses information such as race, health diagnoses, and biometric data, while certain healthcare and employment-related data are exempt. Organizations must conduct data protection assessments, update privacy policies, and establish systems for consumer rights compliance. Ensuring data security through administrative, technical, and physical measures is also emphasized.


Does HIPAA Apply to Veterinarians?

Summary of article from The HIPAA Journal, by Steve Adler:

HIPAA does not apply to veterinarians because they do not conduct electronic healthcare transactions for which the Department of Health and Human Services has adopted standards, thus not qualifying as HIPAA covered entities. However, veterinarians are subject to various state-level data privacy and breach notification laws that resemble HIPAA regulations. For instance, California law prohibits the unauthorized disclosure of information concerning animal patients and their owners, with specific exceptions. Additionally, veterinarians handling data of EU citizens must comply with the GDPR. The American Veterinary Medical Association (AVMA) provides guidelines to help veterinarians navigate these diverse data privacy regulations.


The Impact of the EU AI Act on the Healthcare Sector

Summary of article from DataGuidance, by Michael Borrelli:

The EU AI Act aims to regulate AI systems within the EU, categorizing them by risk levels and imposing stringent requirements on high-risk systems, particularly in healthcare. This legislation emphasizes transparency, accountability, and ethical considerations to ensure AI technologies are safe and trustworthy. High-risk AI systems in healthcare must meet rigorous standards for risk management, data quality, transparency, human oversight, and post-market monitoring. While compliance presents challenges, the Act fosters innovation and aims to improve healthcare outcomes and patient safety. Overall, the EU AI Act is pivotal in shaping the ethical deployment of AI in healthcare.


No Surprises Act Implementation Faces Challenges

Summary of article from Proskauer Rose LLP, by D. Austin Rettew, Vinay Kohli:

Two district courts have issued conflicting rulings on the enforceability of arbitration awards under the No Surprises Act (NSA), highlighting ongoing challenges in its implementation. The NSA, enacted in 2020, aims to protect patients from unexpected medical bills by capping out-of-network charges at median in-network rates and establishing a mandatory dispute resolution process. The New Jersey District Court ruled that the Federal Arbitration Act (FAA) applies to enforce NSA awards, while the Texas District Court concluded that the FAA does not provide such a mechanism. The Texas ruling is being appealed, and additional NSA-related regulations and legal challenges are pending. Health care providers should seek expert legal advice to navigate this complex and evolving regulatory landscape.