The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: HIPAA

  • From Vol. 4 No.37 (Nov. 7, 2018)

    How to Improve Risk Analysis in the Wake of Anthem’s Record Settlement

    In the wake of the largest U.S. health care data breach in history, Anthem, Inc., has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights, a record settlement for alleged HIPAA violations. In addition to the monetary payment, Anthem agreed to conduct a thorough and accurate risk analysis – a challenge for many organizations. In this article, we discuss the Anthem breach, provide expert insight on avoiding common risk analysis pitfalls, identify steps organizations in all sectors should take to conduct an effective and compliant assessment, and explain how to use the assessment report to mitigate risk. See also “Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).

  • From Vol. 4 No.29 (Sep. 12, 2018)

    Colorado’s Revised Cybersecurity Law Clarifies and Strengthens Existing Requirements

    Colorado’s amended and restated consumer data privacy statute, which took effect on September 1, 2018, defines key terms, tightens breach notification requirements and adds security and data disposal requirements. This article details the changes, with insights from David M. Stauss, a partner at Ballard Spahr, who worked as an outside expert with the Colorado Attorney General and the bill sponsors after the bill was introduced in the Colorado Assembly. Colorado “is taking the lead on these types of laws,” he said. See “Synthesizing New York and Colorado’s Trailblazing Data Security Regulations for Financial Firms” (Jul. 12, 2017) and “Analyzing New and Amended State Breach Notification Laws” (Jun. 6, 2018).

  • From Vol. 4 No.24 (Aug. 8, 2018)

    Essential Cyber, Tech and Privacy M&A Due Diligence Considerations

    Evolving threats, regulatory focus and innovation require every transaction to now include some technology, privacy and cybersecurity due diligence. A target’s problems in these areas can manifest themselves in painful ways, whereas a robust infrastructure can dramatically improve value. This article covers a recent ACA Aponix program that detailed key issues to consider when reviewing cybersecurity, information technology and regulatory compliance at target and portfolio companies. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017).

  • From Vol. 4 No.20 (Jul. 11, 2018)

    Is Encryption Obligatory? HHS Upholds Texas Hospital $4.3M HIPAA Fine

    In an appeal that marks the first time the Health and Human Services department has considered the amount of the penalty in addition to the merits of the ruling, HHS has affirmed an OCR order imposing a $4.3 million penalty on the University of Texas MD Anderson Cancer Center (MD Anderson) for HIPAA violations. MD Anderson told The Cybersecurity Law Report that it plans to appeal the ruling. We analyze the case, the penalty, which one expert called “exceptional,” and what companies can learn from it. See also “Lessons From the Continued Uptick in HIPAA Enforcements” (Feb. 8, 2017).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York’s active cybersecurity efforts. “New York has been on the leading edge of data security regulation. . . The Attorney General [] has been proactive,” Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. “It’s fair to say that cyber is at the top of the state’s regulatory agenda.” We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Lessons From the Continued Uptick in HIPAA Enforcements

    The U.S. Department of Health and Human Services’ Office for Civil Rights has had an active start to 2017. The agency announced resolution agreements with MAPFRE Life Insurance of Puerto Rico and Presence Health as well as a final determination against Children’s Medical Center of Dallas that includes a $3.2 million civil monetary penalty. The actions highlight the need for companies to issue timely breach notifications, complete promised actions, and take swift remedial action to address known vulnerabilities. This article explains the three actions, provides advice on working with HHS, and examines 2017 regulatory expectations. “One thing that’s evident from these and other settlements is that once OCR is doing an investigation, it is not going to look only at the issue in question. It will open the door to a wider assessment of your HIPAA policies and procedures and practices. Once you’re in the spotlight, expect the spotlight to shine more broadly,” Lisa Sotto, a partner at Hunton & Williams, told The Cybersecurity Law Report. See also “Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS” (Dec. 9, 2015).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Securing Connected Medical Devices to Ensure Regulatory Compliance and Customer Safety (Part One of Two)

    Along with many industries, healthcare companies are developing an increasing number of devices with internet and network connectivity. Bringing a medical device to market requires a greater level of scrutiny than other connected products, however, because a cybersecurity breach to one of these devices may be life-threatening. “When we look at the product lifecycle management process, privacy and cybersecurity have to be an essential step that is addressed as an integral product feature,” Abhishek Agarwal, chief privacy officer for legal and compliance at Baxter International, told The Cybersecurity Law Report. With input from outside counsel, in-house counsel and regulators, the first article in this series discusses the development and risks of connected devices and recommends pre-market steps companies should take, including questions to ask during a risk assessment and relevant laws and FDA guidance to consider. The second article will explore post-market considerations including breach response, adding connectivity to existing devices, the new proposed FDA post-market guidance and operational best practices. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).
  • From Vol. 2 No.4 (Feb. 17, 2016)

    HIPAA Privacy Rule Permits Disclosures to Firearm Background Check System

    The current firearm background check system just became a little stronger thanks to the Department of Health and Human Services. The Department issued a Final Rule amending the HIPAA Privacy Rule to allow certain covered entities to disclose PHI about individuals prohibited from possessing or receiving firearms to the National Instant Criminal Background Check System without the individual’s prior consent. Lynn Sessions, a BakerHostetler partner, spoke with The Cybersecurity Law Report about the Final Rule, its implications and the processes covered entities should put in place to mitigate risk. The Final Rule became effective February 6, 2016. See also “Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS” (Dec. 9, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS

    The Department of Health and Human Services’ Office for Civil Rights recently entered into two significant settlements, one with a healthcare insurance company and the other with a hospital, to resolve HIPAA charges.  Triple-S Management Corporation and its relevant subsidiaries agreed to pay a $3.5 million fine and take a series of corrective steps following several breaches involving protected health information.  Lahey Clinic Hospital, Inc. agreed to pay $850,000 and adhere to an action plan following the theft of a device that contained patient electronic protected health information.  Although there are still “a relatively small number of [OCR settlements] each year . . . the penalties have been steadily rising and I expect they will continue to do so,” Robert Belfort, a partner at Manatt, told The Cybersecurity Law Report.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    What Companies Can Learn from Cybersecurity Resources in Pittsburgh

    Cyber crime is a serious threat – it cripples companies, damages economies, funds terrorism, launders drug money and bleeds the assets of individuals, according to the DOJ.  Often this cyber war is waged from shadows overseas (and often in the form of corporate cyber espionage).  Companies should be using a broad array of tools to prevent and mitigate the effect of international and domestic cyber crime, such as information sharing, sufficient cyber insurance as well as a thorough breach response plan that includes proper notification and preservation of evidence for future actions.  As K&L Gates attorneys Mark A. Rush and Joseph A. Valenti describe in a guest article, one place where law enforcement and the private sector have come together is Pittsburgh, where a string of major cyber crime cases has recently been prosecuted.  Developments there can serve as a model for cybersecurity measures across the country and across industries.  Rush and Valenti describe cybersecurity best practices before, during and after a breach, as well as some unique ways government officials as well as companies in Pittsburgh specifically are handling cyber crime.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.15 (Oct. 28, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part Two of Two)

    Companies in the life sciences and health information technology industry face unique data privacy and security concerns based on the highly sensitive personal health information that they handle.  In our continued coverage of a recent health sector data privacy and security webinar, WilmerHale partners Barry Hurewitz and Jonathan Cedarbaum address HIPAA’s nuances, including requirements for business associates and its applicability in medical research.  They also highlight the latest regulatory guidance regarding medical and mobile devices, and move beyond HIPAA to examine current state and international regulations.  In part one, Hurewitz discussed security issues specific to life science and health information technology companies and provided a federal regulatory overview.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part One of Two)

    The health sector is faced with a web of complex regulations due to the particular sensitivity of the information it handles. During a recent webinar, WilmerHale partners discussed special health data regulatory considerations at state, federal and international levels and how health care companies can navigate them. In this article, the first in a two-part series, Barry Hurewitz examines the security issues specific to life sciences and health information technology companies, and provides an overview of the applicable regulatory standards at the federal level, with a focus on HIPAA. The second article will feature Hurewitz and Jonathan Cedarbaum’s coverage of the regulatory landscape as it relates to business associate agreements, medical research and recent developments regarding mobile devices, as well as special considerations of health data privacy regulation at the state and international levels. See “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    FTC Weighs In on the Security of Health Care Data on the Cloud

    Like many industries, the health care sector is relying more heavily on new technology to provide digital medical records that are often stored on cloud-based servers and transmitted electronically.  With the technological advances come privacy and security concerns that the FTC is watching closely.  Cora Han, a senior attorney in the Division of Privacy and Identity Protection at the FTC, recently spoke at a meeting of the Health Care Cloud Coalition, a not-for-profit representing cloud computing, telecommunication, digital health, and healthcare companies in the health care sector.  Han addressed the FTC’s expectations and enforcement efforts for privacy and security related to cloud-based mobile technology companies in the health care industry.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.5 (Jun. 3, 2015)

    Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans

    Employee benefit plans, including health and pension plans, are prime targets of hackers, as evident from the most recent Anthem and Premera crises, and the proper proactive and reactive steps are key to mitigating breach risk and breach fallout.  In a recent Strafford webinar, Ogletree Deakins attorneys Vance E. Drawdy, Timothy G. Verrall and Stephen A. Riga shared their insights on best practices for fiduciaries and sponsors to navigate the complex state and federal regulations on data breaches that are applicable to ERISA benefit plans.  This article details some of their advice on preventing, assessing and responding to a plan data breach.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?

    Recent reports detail a breathtaking and unrelenting rise in cyber breaches, with five malware events occurring every second, and 60% of successful attackers able to compromise an organization within minutes.  But the law has not kept pace with technological innovation.  There is no single uniform law protecting individual privacy, nor one that governs all of a company’s obligations or liabilities regarding data security and privacy.  As Jenny Durkan and Alicia Cobb, a partner and associate, respectively, at Quinn Emanuel Urquhart & Sullivan, detail in a guest post, any business that suffers a significant cyber breach almost certainly will face not only multiple civil suits, but multiple investigations by federal and state authorities.  The authors provide a roadmap to the key authorities and the patchwork of relevant rules and regulations.

  • From Vol. 1 No.2 (Apr. 22, 2015)

    Steps to Take Following a Healthcare Data Breach

    The prevalence, size and cost of healthcare breaches are skyrocketing, with hackers gaining sophistication and regulators becoming more active. It is a rare covered entity that has not had to report a data breach to patients/members and the U.S. Department of Health & Human Services Office for Civil Rights since the Health Information Technology for Economic and Clinical Health Act became effective in 2009. To assist healthcare companies in understanding and responding to data breaches in this regulatory environment, in a guest article, BakerHostetler partner Lynn Sessions discusses: the enforcement climate; the legal definition of a healthcare breach; strategies for handling unsecured personal health information; notification requirements and best notification procedures; activating a breach response team; mitigating the impact of a breach; and what’s next in cybersecurity for the healthcare industry.
