Blogs

HIPAA, HITECH and Health Information Technology Blog
Elizabeth contributes to this blog, which provides information regarding cutting-edge legal and practical developments that health care providers and businesses must consider with regard to the handling and sharing of health information, including through the use of electronic health records.

Privacy Compliance & Data Security Blog
Privacy compliance and electronic data security affect almost every business. Data breach prevention is essential. Fox Rothschild's Privacy Compliance & Data Security Blog will help readers navigate through the policies and best practices of data breach response. The blog covers topics including compliance with data protection laws and regulatory enforcement, as well as litigation.

Recent Blog Posts

  • The Blindfolded Business Associate: New HHS Guidance on HIPAA & Cloud Computing. According to the latest HIPAA-related guidance (Guidance) published by the U.S. Department of Health and Human Services (HHS), a cloud service provider (CSP) maintaining a client's protected health information (PHI) is a business associate even when the CSP can't access or view the PHI. In other words, even where the PHI is encrypted and the CSP lacks the decryption key, the CSP is a business associate because it maintains the PHI and, therefore, has HIPAA-related obligations with respect to the...
  • Six Tips for a Small Business to Avoid HIPAA Security Breach Headaches. Last week, I blogged about a recent U.S. Department of Health and Human Services Office for Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals). The week before that, my partner and fellow blogger Michael Kline wrote about OCR's guidance on responding to cybersecurity incidents. Today, TechRepublic Staff Writer Alison DeNisco addresses how a small or medium-sized business (SMB) can deal with the heightened threat of OCR investigations or lawsuits emanating...
  • Small HIPAA Breaches, Big HIPAA Headaches. What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance) might end up being a big headache for covered entities and business associates. In fact, it's probably a good idea to try to find out what "smaller" breaches your competitors are reporting (admittedly not an easy task, since the "Wall of Shame" only details breaches affecting the protected health information (PHI) of 500 or more individuals). Subscribers to the U.S. Department of...
  • Happy HIPAA 20th Birthday! HIPAA turns 20 today. A lot has changed in the two decades since its enactment. When HIPAA was signed into law by President Bill Clinton on August 21, 1996, DVDs had just come out in Japan, most people used personal computers solely for word processing, the internet domain myspace.com had just come online, Apple stock was at a ten-year low, and Microsoft Windows CE 1.0 would soon be released (in November of 1996 as a portable operating system solution). In...
  • "I Want My PHI", Part 2 – OCR Audits Will Focus on Individual Access Rights. We blogged on this back in early May, but compliance with individuals' rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity's documentation and process related to these access rights. In an email sent to listserv participants on July 12, 2016 from [email protected], the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk...
  • Lack of Preparedness and Government Access Top Data Security Agenda. The private sector is still not prepared, and generally lacks the knowledge, to respond effectively to a major cyber breach, according to 80 percent of respondents in a survey released by Fox Rothschild LLP. "There is an alarming lack of awareness at the senior level when it comes to data governance practices in the private sector," said Fox partner Scott Vernick, who chairs the firm's data security and privacy practice. In its survey of cybersecurity professionals and risk experts across insurance, legal...
  • Health Care Providers: Have You Considered HIPAA Compliance for Your Practice's Group Health Plans? Contributed by Elizabeth R. Larkin and Jessica Forbes Olson. Health care providers know about and have worked with the HIPAA privacy and security rules for well over a decade. They have diligently applied them to their covered entity health care provider practices and to their patients and think they have HIPAA covered. What providers may not realize is that they may actually have two separate HIPAA covered entities. A provider that offers an employee group health plan (which includes a self-insured medical, dental,...
  • Reflections on HIPAA Protections and Permissions in the Wake of the Orlando Tragedy. My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with the idea that HIPAA could actually exacerbate and prolong a family member's agony. HIPAA is, generally speaking, intended to protect our privacy when it comes to...
  • I Want My PHI! HIPAA Access Rights, Authorizations and HHS Guidance. Daily struggles to protect personal data from hacking, phishing, theft and loss make it easy to forget that HIPAA is not just about privacy and security. It also requires covered entities (CEs) to make an individual's protected health information (PHI) accessible to the individual in all but a few, very limited circumstances. Recent guidance published by the Department of Health and Human Services (HHS Guidance) emphasizes the need for covered entities to be able to respond to an individual who says "I want...
  • There's An App For That Health Information – But is it HIPAA-Covered? "Maybe" is the take-away from recent guidance posted on OCR's mHealth Developer Portal, making me wonder whether the typical health app user will know when her health information is or is not subject to HIPAA protection. The guidance is clear and straightforward and contains no real surprises for those of us familiar with HIPAA, but it highlights the reality that HIPAA, originally enacted close to 20 years ago, often becomes murky in the context of today's constantly developing technology. Here's an...
  • When Privacy Policies Should NOT Be Published – Two Easy Lessons From the FTC's Nomi Technologies Case. [Also posted at http://hipaahealthlaw.foxrothschild.com/] This case has nothing to do with HIPAA, but should be a warning to zealous covered entities and other types of business entities trying to give patients or consumers more information about data privacy than is required under applicable law. In short, giving individuals more information is not better, especially where the information might be construed as partially inaccurate or misleading. The Federal Trade Commission (FTC) filed a complaint against Nomi Technologies, Inc., a retail tracking company that placed...
  • New NJ Data Security Standard More Stringent than HIPAA. New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey. Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person). "Personal information" requiring...
  • Michael Kline's "List of Considerations" for Indemnification Provisions in Business Associate Agreements. I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline's "List of Considerations" before signing. Michael's list, included in an article he wrote that was recently published in the American Health Lawyers Association's "AHLA Weekly" and available here, highlights practical and yet not obvious considerations. For example, will indemnification jeopardize a party's cybersecurity or other liability coverage? Data use and confidentiality agreements used outside of the HIPAA context...
  • HIPAA Does Not Preempt State Privacy Cause of Action But May Represent "Standard of Care", Says Connecticut Supreme Court. As if compliance with the various federal privacy and data security standards weren't complicated enough, we may see state courts begin to import these standards into determinations of privacy actions brought under state laws. Figuring out which federal privacy and data security standards apply, particularly if the standards conflict or obliquely overlap, becomes a veritable Rubik's Cube puzzle when state statutory and common law standards get thrown into the mix. A state court may look to standards applied by the Federal Communications Commission ("FCC"), the Federal Trade Commission ("FTC"), the Department of Health...
  • Medical Device, "Heal Thyself" from Data Hacking. Innovative health care-related technology and developing telemedicine products have the potential to dramatically change the way in which health care is accessed. The Federation of State Medical Boards (FSMB) grappled with some of the complexities that arise as information is communicated electronically in connection with the provision of medical care and issued a Model Policy in April of 2014 to guide state medical boards in deciding how to regulate the practice of "telemedicine", a definition likely to become outdated as quickly as...