Privacy and Data Security

Hospital Settles With OCR for $4.75 Million Over HIPAA Violations

The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached a $4.75 million settlement with a New York City hospital for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).

According to OCR, in 2013, a former hospital employee sold the electronically protected medical records of 12,517 patients to an identity theft group, and the NYC hospital did not detect or report the breach to OCR until 2015. OCR’s investigation found several potential HIPAA violations, and in addition to the settlement, the hospital agreed to conduct a thorough security risk assessment, revise HIPAA policies, provide additional training to staff, begin recording and tracking all electronic health record (EHR) activity to monitor who is accessing patient information, and create a risk management plan. OCR will also monitor the hospital for two years for compliance with HIPAA.





Key Takeaways | How to Prepare for New State Health Privacy Laws

New state privacy laws regulating health data impose significant obligations and heightened litigation and regulatory risks. During this webinar, Elliot Golding and Sam Siegfried discussed how these laws apply, what they require, and practical tips to implement and operationalize compliance.

Access key takeaways and webinar replay.





Healthcare Payors and Providers and AI Companies Voluntarily Commit to AI Principles

The Biden administration recently announced that 28 healthcare payors and providers intend to implement and adhere to voluntary commitments for the safe, secure and trustworthy development and deployment of artificial intelligence (AI) in healthcare. The signatory companies aligned around the FAVES principle—namely, that AI should lead to healthcare outcomes that are fair, appropriate, valid, effective and safe.

Read more here.





State Regulators Step Up Privacy Enforcement Relating to Employee Data

Regulators in California and Colorado recently announced enforcement sweeps under new and newly updated state privacy laws. Companies in Colorado (including nonprofits) and California should double-check their privacy notices, processes and documentation to comply with these laws, particularly the enforcement priorities identified in the notices.

Read more here.





Nevada and Connecticut Pass Consumer Health Data Laws

Following in the footsteps of Washington State’s My Health My Data Act, the governors of Nevada and Connecticut recently approved Nevada SB 370 and Connecticut SB 3. These bills impose a number of new requirements on the processing of consumer health data. Nevada SB 370 will go into effect on March 31, 2024, while the consumer health data-related provisions of Connecticut SB 3 that amend the Connecticut Data Privacy Act will take effect on July 1, 2023.

Read more here.





How Dobbs Has Changed the Data Privacy Landscape

Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.

Access the article.





Litigation Setback for Employers Under Illinois Biometric Information Privacy Act

The Illinois Supreme Court recently held that all causes of action brought under the Illinois Biometric Information Privacy Act (BIPA) are subject to a five-year statute of limitations. The Court’s holding is the latest disappointment for Illinois companies defending BIPA actions and means the scourge of BIPA litigation will continue.

Read more here.





HHS Issues Guidance on Requirements Under HIPAA for Online Tracking Technologies, Addressing Privacy and Security Concerns Related to Health Information

On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) when using online tracking technologies, such as cookies, web beacons and pixels. The Bulletin aims to provide further clarity on when identifiable information collected by such tracking technologies may also constitute protected health information (PHI) as defined and interpreted under the HIPAA Rules. In such instances, the Bulletin instructs that the technology vendor may be seen as providing a service to the regulated entity that would, in light of the use and disclosure of PHI, create a direct or downstream business associate relationship. Accordingly, the Bulletin states that the regulated entities would need to enter into a business associate agreement (BAA) with the vendor of the technology (and the vendor would, in turn, become a regulated entity) and meet other requirements under the HIPAA Rules. The Bulletin provides long-awaited guidance to help regulated entities review their positions and procedures concerning tracking technologies to ensure that the trackers they implement either do not collect PHI or meet the prerequisites outlined in the Bulletin.

Access the full article.





State Law Privacy Video Series | Employee Exemptions

California, Virginia and Colorado have new privacy laws coming into effect in 2023. But now is the time to start preparing your business or organization for compliance. Throughout the State Law Privacy video series, we examine the different aspects of these laws and provide you with the knowledge and tools you need for proper compliance.

In the next video of the series, Associate Fran Forte explores one of the notable exemptions under California’s law as it relates to employee data and how employee data is handled under Virginia and Colorado’s privacy laws.

Watch here.




