The EDPB recently issued guidelines about how to use health data during the current pandemic in compliance with GDPR. Given the COVID-19 pandemic, there have been many research efforts in place to fight against the virus.  The EDPB’s guidelines shed light on the special rules for processing health data for scientific research, which apply in the context of the COVID-19 pandemic:
Continue Reading Using Health Data in Europe During COVID-19

HHS recently announced that it will not impose penalties if business associates disclose protected health information relating to COVID-19 during the public health emergency period. This waiver, announced in a Notification of Enforcement Discretion, applies if the disclosure is for public health and health oversight activities. It will apply, the Office for Civil Rights at HHS explained, even if their business associate agreement with covered entities does not specifically allow for such disclosure if two things hold true. First, that the disclosure or use is made in “good faith” for public health activities and health oversight activities.  Second, that the BA informs the covered entity within ten days after the use or disclosure occurs.  Examples provided by HHS include BA notifications to public health authorities, such as the CDC, health departments and CMS.
Continue Reading HHS Relaxes Restrictions on Certain PHI Disclosures During COVID-19 Public Health Emergency

Following its 20th plenary session on April 7, the European Data Protection Board (EDPB) selected geolocation and health data to focus on in its upcoming COVID-19 guidance. This follows in response to the EDPB’s earlier broad statement on the processing of personal data in the context of COVID-19.
Continue Reading EDPB Announces Scope of COVID-19 Guidance

The European Data Protection Board and the European Data Protection Supervisor recently issued a joint opinion on the processing of personal data and the role of the European Commission within the eHealth Digital Health Service Infrastructure. As background, the eHealth Network is a network of eHealth authorities designated by the EU member states. Its main purpose is ensure the continuity of cross-border healthcare of patients as they move throughout the EU. To realize this goal, the Commission created the eHDSI, the system which enables the exchange of electronic patient data amongst member states. To clarify its role as the eHDSI creator and operator, the Commission sought the joint opinion of the EDPS and EDPS as to whether it was acting as a processor.
Continue Reading Processor or Controller? It Really Depends

The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies regulations concerning the assessment of Civil Money Penalties under HIPAA. Prior to issuance of the Notice, HHS regulations applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it would be responsible could be no more than $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed.
Continue Reading HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability

On May 6, 2019, the U.S. Department of Health and Human Services announced that Touchstone Medical Imaging will pay $3 million to settle potential HIPAA violations associated with a breach that exposed more than 300,000 patients’ Protected Health Information. The breach occurred in May 2014. One of Touchstone’s servers allowed uncontrolled access to patients’ PHI. As a result, Touchstone patients’ PHI was visible on the Internet. During its investigation, HHS determined that Touchstone did not thoroughly investigate the breach until several months after it was informed of the breach by law enforcement. HHS also found that the company did not conduct an accurate analysis of potential risks to the confidentiality of its PHI and did not have business associate agreements in place with its vendors.
Continue Reading HHS Announces First HIPAA Breach Settlement of 2019; 300,000 Patients Affected

Community Health System, one of the largest health systems in the United States, has agreed to pay $4,500,000 to settle claims made against it arising from a 2014 data breach. The data breach, believed to be caused by malware installed by Chinese hackers on CHS’s computer system, exposed the names, dates of birth, addresses, telephone numbers, and Social Security numbers of approximately 4.5 million patients.
Continue Reading HIPAA Breach Results in a $4,500,000 Class Action Settlement

A Florida staffing agency which provides physicians to hospitals and nursing homes, has agreed to a $500,000 settlement with the U.S. Department of Health and Human Services, Office for Civil Rights. The settlement comes after an investigation revealed that the company, Advanced Care Hospitalists, disclosed the protected health information of 9,255 people to a third-party billing company without having a business associate agreement in place. Specifically, patient names, date of births and social security numbers were provided to the billing company. The settlement followed a data breach at the billing company. Namely, the PHI was exposed on the billing company’s website.
Continue Reading Company’s Vendor Suffers Breach, No Business Associate Agreement, $500K OCR Settlement

Twelve state attorneys general have brought suit against two medical Information Technology companies. The AGs allege that the companies, Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard LLC, had poor security practices that led to medical data breaches. Those breaches impacting close to four million patients. This case is the first coordinated multistate attorney general Health Insurance Portability and Accountability Act related action. The AGs are accusing the companies of not taking adequate steps to protect information, and failing to timely notify patients of known breaches.
Continue Reading States Taking Actions Against Health IT Companies Over Data Breaches

The Food & Drug Administration has recently released for comment a draft expansion of guidance regarding Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Although the FDA issued existing guidance in 2014, the new guidance reflects concerns about the rapidly-changing nature of cybersecurity threats, and the potentially grave consequences of cybersecurity incidents involving healthcare and medical devices—particularly medical devices which connect to the internet, networks, or other devices. The draft guidance gives recommendations to medical device manufacturers about the device design, labeling, and documentation that the FDA expects to see in premarket submissions. It updates and expands beyond the prior guidance in several significant respects.
Continue Reading FDA Issues New Draft Cybersecurity Guidance for Medical Devices