Flu Shot Reminder Text Deemed "Health Care Message", TCPA Claim Dismissed

By: Zuzana S. Ikels

The Second Circuit recently addressed a matter of first impression: the scope and effect of the FCC’s Healthcare Exception, which exempts healthcare providers from Telephone Consumer Protection Act (“TCPA”) violations when they contact patients about their care. In Latner v. Mt. Sinai Health Center, the patient came for a routine visit and signed a written consent form that contained his contact information and granted Mt. Sinai consent to use his health information “for payment, treatment and hospital operations purposes.” Ten years later, the patient received a single text message reminding him to get an immunization shot. The plaintiff sued, asserting that the message violated the TCPA.

Congressional Task Force Issues Report on Cybersecurity in the Health Care Industry

By Zuzana S. Ikels

In June 2017, the Health Care Industry Cybersecurity Task Force issued its Report on Improving Cybersecurity in the Health Care Industry.

The task force was created by Congress as part of the Cybersecurity Act of 2015 and is composed of subject matter experts from the public and private sectors who evaluated the cybersecurity threats, the security of IT systems, and the regulations and laws that relate to the health care industry. In the Report, the task force discusses the evolution and transition from paper to electronic healthcare records (“EHR”), and tailors its recommendations to encourage opportunities for efficiencies, research and sharing of information, while responding to the increasing threat of cybersecurity breaches to health care providers’ technical infrastructure.

Texas Health System To Pay $2.4 M To Settle Potential HIPAA Violations For Disclosing Patient’s Protected Health Information to the Media and Public Officials

By Jean Marie R. Pechette and Thomas Kiser

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) issued a May 10, 2017 press release stating that Memorial Hermann Health System, a Texas-based not-for-profit health system (“MHHS”), agreed to pay $2.4M and enter into a two-year corrective action plan (“CAP”) to settle potential HIPAA violations for alleged disclosure of protected health information (“PHI”) without the patient’s authorization. The CAP requires MHHS, among other things, to submit an implementation report and an annual report to HHS on MHHS’ compliance with the CAP.

Faxing Without Opt-Out Leads to $1.35M Payment to Get Out of TCPA Class Action

By Amanda J. Katzenstein, Jean Marie R. Pechette, and Jarno J. Vanto

Florida-based radiology provider, SRA Ventures, and two units of Canada-based cardiology and imaging service provider, KMH Labs, have agreed to pay Medical & Chiropractic Clinic Inc. $1.35 million to settle a proposed class action lawsuit after the providers faxed nearly 5,600 advertisements that did not contain necessary opt-out language, allegedly in violation of the Telephone Consumer Protection Act (“TCPA”), as amended by the Junk Fax Prevention Act of 2005 (“JFPA”), and FCC regulations.

$2.5M HIPAA Settlement against CardioNet is the First Involving a Wireless Health Services Provider

By Jean Marie R. Pechette

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced on April 24, 2017, a $2.5 Million settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), with CardioNet, Inc., based on its alleged impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.  

Patients File Class Action Against MDLive Inc. Claiming it Wrongfully Collects and Shares Sensitive Health Information

By Jean Marie R. Pechette, Jarno J. Vanto, and Clif Ruch

A class action suit filed in the U.S. District Court for the Southern District of Florida has accused national telehealth provider and mobile application developer MDLive of designing the MDLive App so that it secretly captures patients’ sensitive health information and, unbeknownst to the patients, transmits their health information to an off-shore third party tech company. The suit also alleges that, contrary to MDLive’s representation that it respects and takes patient privacy “very seriously,” MDLive fails to restrict access to a patient’s health information only to the patient’s healthcare provider but instead grants broad access to its employees (including software developers), agents and third parties. The suit also alleges that MDLive breached its contract with the patients by failing to implement adequate security measures to ensure that access to their health information was appropriately restricted (such as through the use of encryption).

Privacy and Data Security: 2017 Year in Preview

Few issues keep executives awake at night more than Privacy and Data Security. New regulations and threats alike are plentiful, varied, and evolving. The rate of change for cybersecurity and information governance continues to increase, while corporate budgets to address them remain stretched.  

As your organization prepares for 2017, data security, privacy compliance, and new technological threats are sure to be on your list of priorities. This guide highlights some key Privacy and Data Security trends and expectations for the new year. Organizations that are well prepared to address the issues highlighted in this guide will be better positioned to mitigate risk and strengthen compliance efforts.

Don’t Stop At HIPAA: Why For-Profit Covered Entities and Business Associates that Collect and Share Consumer Health Data Must Consider Both HIPAA and the FTC Act

By Lisa Acevedo, Lindsay R. Dailey, Erin Fleming Dunlap, and Daniel L. Farris

The Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued new guidance last month for organizations that handle consumer health information (Joint Guidance). This is one of several joint-agency guidance documents issued this year in a collaborative effort by HHS and FTC, including best practices for mobile health app developers and a mobile health apps interactive tool.

OCR Provides New BA Guidance to Cloud Providers

By Lisa J. Acevedo, Lisa S. Katz, Rebecca Frigy Romine, Kathleen D. Kenney, Lindsay R. Dailey, and Erin Fleming Dunlap

In the past year, the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a number of guidance documents to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162, and 164) (collectively, the HIPAA Rules). Its latest guidance clarifies, through a series of FAQs, OCR’s position on cloud service providers (CSPs) as business associates (the Cloud Guidance) and the related requirements under the HIPAA Rules. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system on the cloud, versus limited application hosting).

OCR kicked off the Cloud Guidance by clarifying its position on an issue that Covered Entities and CSPs have continued to debate for quite some time: whether a CSP is a business associate if the Protected Health Information (PHI) that is stored in its cloud is encrypted and the CSP does not possess the encryption key.

The Rising Threat of Ransomware

By Maggie M. Arcaro

Targeted cyber “hold ups” are on the rise. Last week, Hollywood Presbyterian Medical Center in Los Angeles made headlines after choosing to make a ransom payment to end a ten-day lockdown of their computer system, including their electronic medical records system. A group of cyber attackers used ransomware, a type of malware that takes a computer system hostage by blocking access to the system until a ransom demand is paid, to force Hollywood Presbyterian to make the ransom payment. Some forms of ransomware also display an official-looking legal warning across your screen, claiming you’ve committed a crime and demanding you make a certain payment to avoid legal prosecution or jail.   
