Categories
Health Law Highlights

Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024

From Bradley Arant Boult Cummings LLP, by Alexis Buese, Eric Setterlund:

The healthcare sector has seen a significant increase in cyber-threats, especially hacking and ransomware, with a 256% rise in hacking-related breaches and a 264% surge in ransomware incidents in the last five years. In 2023, these breaches affected over 134 million individuals, a 141% increase from the previous year.

The OCR recommends proactive measures to mitigate these threats, including securing partnerships with vendors, conducting regular risk assessments, establishing robust audit controls, and adopting multi-factor authentication.

The OCR’s two Congressional Reports on HIPAA compliance and enforcement highlight the need for healthcare systems to address potential HIPAA compliance issues before breaches occur. The reports reveal common vulnerabilities and suggest areas for improvement tied to specific HIPAA Security Rule standards, including the security management process standard, audit controls standard, and response and reporting requirements.

Despite the sophistication of some cyber-attacks, the majority of incidents could be prevented or significantly lessened if healthcare entities adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods such as phishing emails, exploitation of known, unpatched vulnerabilities, and weak authentication. Once a breach succeeds, attackers often encrypt or steal electronic Protected Health Information (ePHI) for ransom or future malicious activities.


New PCI DSS 4.0 Will Impact the Digital Health, Healthcare Industries

From McDermott Will & Emery, by Mark E. Schreiber, Brian Long, Jonathan Ende:

The healthcare industry, particularly digital health, is increasingly adopting an e-commerce model, accepting direct payments from consumers. This necessitates compliance with the Payment Card Industry Data Security Standard (PCI DSS), even if payment card processing is outsourced. 

The new version of PCI DSS (4.0) will be mandatory from March 31, 2024, introducing more rigorous requirements. Entities that offer these services and accept payment cards must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) annually.

PCI DSS 4.0 brings new requirements, focusing on targeted risk analysis, organizational maturity, and governance. It makes PCI DSS compliance a continuous effort, rather than an annual task, and allows businesses to implement alternative controls that meet the customized approach objective.

Some significant changes in PCI DSS 4.0 include increased requirements for yearly diligence for merchants and service providers, introduction of a customized approach for controls, expanded risk analysis guidance, and clarifications to the “significant change” standard.

Failure to comply with PCI DSS 4.0 may lead to investigations, fines, penalties, and assessments by card brands and acquirers. It may also lead to legal risks, as the new version requires more security documentation and risk analysis, exposing the company’s security posture to greater scrutiny. Therefore, businesses should promptly begin addressing and validating compliance.


US Department of Human Services vs Hospital & Tech Sector Showdown

From Telehealth.org, by Marlene Maheu, PhD:

Recent developments in digital privacy ethics in the healthcare sector have led to a lawsuit against the US Department of Health and Human Services (HHS) by the American Hospital Association (AHA), with support from hospitals, health centers, other hospital associations, and the tech sector. The issue stems from the widespread practice of sharing online patient information with technology companies for marketing purposes.

The HHS has been actively investigating the use of tracking technologies and has issued fines and penalties to companies improperly handling sensitive data. As far back as 2022, HHS issued guidance emphasizing the obligations of HIPAA covered entities when using online tracking technologies.

A recent study revealed that 98.6% of US hospitals might still be involved in sharing patient information, highlighting the extent of data dissemination within the healthcare industry. This has led to increased interest in preventing or responding to HIPAA violations.

The legal challenge underscores the tension between the need for digital marketing tools in healthcare and the necessity to safeguard patient privacy and will significantly affect how healthcare entities use technology for marketing.


Confidentiality of Substance Use Disorder Patient Records: What to Know About Updates to Part 2

From Orrick, Herrington & Sutcliffe LLP, by Thora Johnson, Kyle Kessler, Cosmas Robless:

The U.S. Department of Health & Human Services (HHS) has updated the Confidentiality of Substance Use Disorder Patient Records regulations (Part 2) to align with HIPAA and HITECH, aiming to improve care coordination while protecting patient privacy. Notably, patient consent for disclosure of SUD treatment records has been simplified, allowing a single consent for all future uses and disclosures related to treatment, payment, and health care operations.

The Rule permits redisclosure of SUD records by HIPAA-covered entities without additional patient consent, promoting coordinated care. The Rule also introduces a definition for SUD counseling notes, mirroring the HIPAA protections for psychotherapy notes, which require separate written consent for use or disclosure.

The Rule establishes two new patient rights: the right to receive an accounting of any disclosures of their SUD records in the three years prior to their request, and the right to request restrictions on disclosures of their records for treatment, payment, and health care operations.

The Rule expands patient privacy in legal proceedings, extending the prohibition of the use and disclosure of SUD records to all criminal, civil, administrative, and legislative proceedings against a patient. It also authorizes civil penalties, in addition to criminal ones, for Part 2 violations, aligning with the value of civil penalties under HIPAA.

The Rule applies the same requirements as the HIPAA Breach Notification Rule to breaches of patient records subject to Part 2. Providers must notify affected individuals, the Secretary of HHS, and in some cases the media in the event of a breach. The Rule will become effective 60 days after its publication in the Federal Register on February 16, 2024, with compliance required by February 16, 202


NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.


HTI-1 Final Rule in Effect

From The HIPAA Journal, by Steve Adler:

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule, issued by the HHS’ Office of the National Coordinator for Health Information Technology (ONC), took effect on February 8, 2024. It implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new standards for AI systems.

The Final Rule is designed to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization. It aims to improve patient outcomes and reduce healthcare costs by promoting the safe, secure, and trustworthy development of AI.

The Final Rule introduces new transparency requirements for AI and other predictive algorithms within ONC-certified health IT. It allows clinical users to access a consistent set of information about the algorithms and assess them for fairness, validity, effectiveness, and safety.

It adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. Developers of certified health IT have until January 1, 2026, to transition to USCDI v3.

The Final Rule introduces new information blocking requirements and definitions, adds a new exception to support information sharing, and introduces new interoperability-focused reporting metrics. It is crucial that IT systems, information sharing policies, data collection, and reporting practices are assessed to ensure compliance with these new requirements.


Data Broker Allegedly Selling De-Anonymized Info to Face FTC Lawsuit After All

From Ars Technica, by Ashley Belanger:

The Federal Trade Commission (FTC) has succeeded in keeping its case against geolocation data broker Kochava alive, alleging that the company has been selling vast amounts of data in violation of the FTC Act. The FTC accuses Kochava of selling data obtained from millions of mobile devices across the world, combining precise geolocation data with sensitive and identifying information without users’ informed consent.

The FTC claims Kochava’s data sales allow customers to create highly detailed profiles of individuals, which invades their privacy and increases the risk of secondary harms such as stigma, discrimination, and emotional distress. The FTC cited specific examples of consumers who have been harmed by such data sharing practices, including a Catholic priest who resigned after being tracked using mobile geolocation data.

Kochava argues that the examples of consumer harm in the FTC’s complaint are disconnected from its activities and has accused the FTC of making knowingly false allegations. However, the court found no evidence to support Kochava’s claims and refused to dismiss the FTC’s case. Kochava CEO Charles Manning maintains that the company has always complied with all rules and laws, including those specific to privacy.

The FTC has proposed that Kochava could implement safeguards to protect consumer privacy, such as blacklisting sensitive locations or removing sensitive characteristics from its data. Kochava has introduced a new feature, Privacy Block, which blocks geolocation data near sensitive locations, although this was implemented after the FTC initiated its investigation.

The FTC is seeking a permanent injunction to stop Kochava from allegedly selling sensitive data without user consent. If the FTC wins the case against Kochava, it could trigger a wave of class-action complaints from consumers and set a precedent for future actions against data brokers.


2024 Privacy Compliance: Are You Ready For It?

From InfoLawGroup LLP, by Justine Young Gottshall:

  • New State Privacy Laws: In 2024, Texas, Oregon, Florida, and Montana will implement new privacy laws, requiring businesses to update their policies, intake forms, and responses, and obtain opt-in consent for sensitive data collection. Similar laws will take effect in Delaware, New Hampshire, New Jersey, and Tennessee in 2025.
  • Compliance with Existing State Privacy Laws: Companies should ensure compliance with Privacy Impact Assessments (PIAs), Data Processing Agreements, Universal Opt-Out mechanisms, Web Accessibility Compliance, and conduct annual biometric reviews, especially in areas involving online advertising, use of AI, and handling of sensitive data.
  • New Health Data Laws: Washington and Nevada will introduce laws affecting companies collecting health data, requiring comprehensive compliance measures and specific authorizations. Florida’s law will apply to limited businesses with specific revenue and operational criteria.
  • Machine Learning and AI Use: The FTC is increasing scrutiny on the use of personal data in AI tools. Companies should review vendor agreements, create internal policies, and ensure responsible use of data, particularly sensitive data.
  • Data Collection from Minors: New laws and regulations affecting data collection from minors are expected. Companies should ensure compliance with existing laws and prepare for upcoming ones in Connecticut, Utah, Louisiana, and Florida. The FTC is also proposing updates to the COPPA Rule.

Wellness Apps and Privacy

From Seyfarth Shaw LLP, by Diane Dygert:

  • Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
  • The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
  • If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA compliant business associate agreement outlining the uses and security measures for the PHI.
  • State laws may also impact the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data privacy gaps in HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
  • Employers deploying wellness apps should consider privacy implications at both federal and state levels before implementation. Failure to do so could potentially lead to privacy law liability.

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups like LockBit, Alphv, and Clop causing the majority of breaches. These groups have operated for at least nine months and have well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysida, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.