Blogs

HIPAA & Health Information Technology Blog
Elizabeth contributes to this blog, which provides information regarding cutting-edge legal and practical developments that health care providers and businesses must consider with regard to the handling and sharing of health information, including through the use of electronic health records.
View Blog

Privacy Compliance & Data Security Blog
Privacy compliance and electronic data security affect almost every business. Data breach prevention is essential. Fox Rothschild's Privacy Compliance & Data Security Blog will help readers navigate through the policies and best practices of data breach response. The blog covers topics including compliance with data protection laws and regulatory enforcement, as well as litigation.
View Blog

Recent Blog Posts

  • Time To Update Your Data Breach Notification Practices Strong data encryption is a best practice, but according to new guidance from the UK’s data protection authority, it may not exempt you from General Data Protection Regulation (GDPR) notification requirements if you suffer a breach. That’s a significant departure from most U.S. federal and state data privacy rules. Our Privacy & Data Security team explains the steps you should take now to stay in compliance with both sets of regulations in this new alert.... More
  • To BAA or Not to BAA? The Question a Florida Provider Should Have Asked in 2011 Results in a Half Million Dollar Payment in 2018 Yesterday’s listserv announcement from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) brought to mind this question. The post announces the agreement by a Florida company, Advanced Care Hospitalists PL (ACH), to pay $500,000 and adopt a “substantial corrective action plan”. The first alleged HIPAA violation? Patient information, including name, date of birth, and social security number was viewable on the website of ACH’s medical billing vendor, and reported to ACH by... More
  • New Apple Watch May Mark Time To Rethink HIPAA The new Apple Watch Series 4® is one of the more recent and sophisticated consumer health engagement tools. It includes a sensor that lets wearers take an electrocardiogram (ECG) reading and detect irregular heart rhythms. The U.S. Food & Drug Administration (FDA) recently approved these functions as Class II medical devices, which generally means that they have a high to moderate risk to the user. The FDA approval letters describe the Apple Watch Series 4 functions as intended for over-the-counter... More
  • The Heavy Hit of HIPAA: Violations May Send You to Jail The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges would have been harder to get. Either way, the case should alert covered entities and business associates to the fact that HIPAA violations can result... More
  • When HIPAA Compliance Is Not Enough: The Territorial Scope of GDPR The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Whereas HIPAA applies to particular types or classes of data creators, recipients, maintainers or transmitters (U.S. covered entities and their business associates and subcontractors), GDPR applies much more generally – it applies to personal data itself. Granted, it doesn’t apply to personal data that has absolutely no nexus to the EU, but assuming it doesn’t apply to your U.S.-based entity simply because you don’t have... More
  • The Cost for a Copy of Medical Records? It May Depend Who’s Asking The Report to Congressional Committees of the U.S. Government Accountability Office (“GAO Report”), required under the 21st Century Cures Act, came out about a month earlier than required, but this early bird failed to catch what continues to be a wriggling worm – what can a covered entity charge for these copies? As discussed in our February 2017 blog post, the Office for Civil Rights issued guidance (“OCR Guidance”) over 2 years ago attempting to clarify that HIPAA charge limits (to... More
  • The President Can Tweet, But Can a Doctor Text? Text messaging is a convenient way for busy doctors to communicate, but for years, the question has remained: are doctors allowed to convey sensitive health information with other members of their provider team over SMS? The answer is now “yes,” thanks to a memo published last week by the U.S. Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).   The memo clarifies that “texting patient information among members of the health care team is permissible... More
  • Top 5 Common HIPAA Mistakes to Avoid in 2018 Heading into its 22nd year, HIPAA continues to be misunderstood and misapplied by many, including health care industry professionals who strive for (or at least claim the mantle of) HIPAA compliance. Here is my “top 5” list of the most frequent, and most frustrating, HIPAA misperceptions seen during 2017: “If I’m using or disclosing protected health information (PHI) for health care operations purposes, I don’t need a Business Associate Agreement.” Yes, HIPAA allows PHI to be used or disclosed for treatment, payment and... More
  • Equifax Breach Checker – Curiosity May Have a Cost (But it’s Refundable) Individuals who have received notice of a HIPAA breach are often offered free credit monitoring services for some period of time, particularly if the protected health information involved included social security numbers.  I have not (yet) received such a notice, but was concerned when I learned about the massive Equifax breach (see here to view a post on this topic on our Privacy Compliance and Data Security blog). The Federal Trade Commission’s Consumer Information page sums it up well: If you have... More
  • Electronic Health Records and HIPAA Security: A Design Problem Fixable With Blockchain Technology?   In some respects, HIPAA has had a design problem from its inception. HIPAA is well known today as the federal law that requires protection of individually identifiable health information (and, though lesser-known, individual access to health information), but privacy and security were practically after-thoughts when HIPAA was enacted back in 1996. HIPAA (the Health Information Portability and Accountability Act) was originally described as an act: To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance... More
  • Upcoming Webinar: Can’t Touch That: Best Practices for Health Care Workforce Training on Data Security and Information Privacy Elizabeth Litten (Fox Rothschild Partner and HIPAA Privacy & Security Officer) and Mark McCreary (Fox Rothschild Partner and Chief Privacy Officer) will be presenting at the New Jersey Chapter of the Healthcare Financial Management Association on August 30, 2017, from 12:00-1:00 pm eastern time.  The presentation is titled: “Can’t Touch That: Best Practices for Health Care Workforce Training on Data Security and Information Privacy.” This webinar is a comprehensive review of information privacy and data security training, with an emphasis on... More
  • Where’s Your Wallet? The Ongoing Saga of FTC v. LabMD (Part 2 of 2) It was the wallet comment in the response brief filed by the Federal Trade Commission (FTC) in the U.S. Court of Appeals for the 11th Circuit that prompted me to write this post. In its February 9, 2017 filing, the FTC argues that the likelihood of harm to individuals (patients who used LabMD’s laboratory testing services) whose information was exposed by LabMD roughly a decade ago is high because the “file was exposed to millions of users who easily could... More
  • When Privacy Policies Should NOT Be Published – Two Easy Lessons From the FTC’s Nomi Technologies Case [Also posted at http://hipaahealthlaw.foxrothschild.com/] This case has nothing to do with HIPAA, but should be a warning to zealous covered entities and other types of business entities trying to give patients or consumers more information about data privacy than is required under applicable law.  In short, giving individuals more information is not better, especially where the information might be construed as partially inaccurate or misleading. The Federal Trade Commission (FTC) filed a complaint against Nomi Technologies, Inc., a retail tracking company that placed... More
  • New NJ Data Security Standard More Stringent than HIPAA New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey.  Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person).  “Personal information” requiring... More
  • Michael Kline’s “List of Considerations” for Indemnification Provisions in Business Associate Agreements I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s “List of Considerations” before signing.  Michael’s list, included in an article he wrote that was recently published in the American Health Lawyers Association’s “AHLA Weekly” and available here, highlights practical and yet not obvious considerations.  For example, will indemnification jeopardize a party’s cybersecurity or other liability coverage? Data use and confidentiality agreements used outside of the HIPAA context... More