Latest Articles

A new outlook on the most prominent cybersecurity threats in the healthcare industry today and a series of corresponding, risk-prioritized cybersecurity best practices to combat these threats are now available from the Department of Health and Human Services (HHS). More than 150 private sector healthcare and cybersecurity experts contributed to this guidance as part of the task force HHS established in response to The Cybersecurity Act of 2015. Their goal, cost-effectively strengthening cybersecurity in the…
Cybersecurity awareness recently took center stage in the healthcare industry when the Department of Health and Human Services (HHS) issued comprehensive risk-prioritized cybersecurity best practices to combat top threats. HHS mapped this guidance to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, cross-referencing 88 individual sub-practices for healthcare organizations of all sizes. The HHS guidance focuses on ten top-level cybersecurity best practices, coupled with a series of recommended procedure-strengthening “Threat Quick Tips,” to…
Google recently defeated claims that it violated Illinois’s Biometric Identification Privacy Act (“BIPA”) by collecting and retaining facial scans created from photographs uploaded by Google Photos users without obtaining consent and complying with other statutory requirements. The federal court ultimately held that plaintiffs failed to allege a concrete injury sufficient for Article III standing. Finding in Google’s favor, the court distinguished cases finding standing in BIPA cases because, unlike those cases, Google had not shared plaintiffs’…
The Food and Drug Administration (FDA) has recently issued several cybersecurity and medical device initiatives as part of the agency’s increased focus on digital health. These initiatives include draft cybersecurity guidance for medical devices, increased coordination with the Department of Homeland Security, and the promotion of artificial intelligence. Elliot Golding and Jennifer Tharp provided an overview of recent developments in a post on our sister blog, Triage Health Law. Digital Health Update: Recent FDA
The Food and Drug Administration (“FDA”) has greatly increased its activity around cybersecurity initiatives and medical devices. As we approach the end of the year, this is a great opportunity to review recent developments. FDA Medical Device Cybersecurity Guidance: On October 18, 2018, the FDA published draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” This draft replaces prior guidance from 2014, and outlines recommendations for device design, data…
For the second time in as many years, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into settlement agreements with and levied hefty fines on three hospitals that allegedly impermissibly disclosed patients’ protected health information to ABC News in the course of filming a television network documentary series. OCR announced on September 20 that Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital each reached agreements with HHS…
In the face of the ongoing opioid crisis in the United States, the Office of the National Coordinator for Health Information Technology (“ONC”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”) recently released two fact sheets to clarify how the requirements of 42 CFR Part 2 apply in different provider contexts, including via electronic health information exchange (“HIE”). The Part 2 regulations were initially promulgated in 1975 to ensure the confidential treatment of…
Even the best laid plan for data security requires follow through. A cancer center was penalized $4.3 million by the government for failing to complete its encryption plan for devices. The decision is instructive even for companies not specifically required to protect data under government regulation. Tom Zeno and Elliot Golding of Squire Patton Boggs discuss the case and its lesson. Go here for the article. …
Let’s hope you don’t pay that much to encrypt electronic Protected Health Information (ePHI). How about a total of $4.3 million over two years? Well, that’s the total penalty for encryption violations assessed by Health and Human Services (HHS). An Administrative Law Judge found the penalty could have been much worse. The facts are sobering. The message is clear.…