Lynn Sessions

Subscribe to all posts by Lynn Sessions

OCR Guidance on Use of Tracking Technologies Warrants Review of Website Tech

Photo of Aleksandra VoldPhoto of Lynn SessionsPhoto of Stefanie FerrariBy Aleksandra Vold, Lynn Sessions and Stefanie Ferrari on Posted in Information Governance, Information Security
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued guidance regarding covered entities’ and business associates’ use of tracking technologies (the Guidance). As discussed in greater detail below, the Guidance reveals OCR’s position that an IP address is not just an identifier but is itself individually identifiable health information (IIHI) … Continue Reading

Texas Passes Bill Allowing Public Listing of Data Breaches, Effective Sept. 1, 2021

Photo of Lynn SessionsPhoto of Jessica LoweryBy Lynn Sessions and Jessica Lowery on Posted in Data Breaches
On May 31, 2021, the Texas Legislature approved House Bill 3746, which amends the Texas Business and Commerce Code § 521.053 relating to certain notifications required following a data breach involving Texas residents. The bill includes the existing requirement that any business or entity notify the attorney general of a data breach within 60 days … Continue Reading

Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?

Photo of Sara GoldsteinPhoto of Jessica Captain NovickPhoto of Lynn SessionsBy Sara Goldstein, Jessica Captain Novick and Lynn Sessions on Posted in HHS, HIPAA/HITECH
The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 … Continue Reading

The Destruction of Privilege and Work Product Protection for Data Breach Investigations?

Photo of Craig A. HoffmanPhoto of Theodore J. Kobus IIIPhoto of Lynn SessionsPhoto of Casie CollignonPhoto of David CarneyPhoto of Joseph L. BruemmerPhoto of Thomas HoganPhoto of Aleksandra VoldBy Craig A. Hoffman, Theodore J. Kobus III, Lynn Sessions, Casie Collignon, David Carney, Joseph L. Bruemmer, Thomas Hogan and Aleksandra Vold on Posted in Data Breaches
Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process … Continue Reading

DSIR Deeper Dive: Regulatory Investigation Landscape

Photo of Lynn SessionsPhoto of Patrick H. HaggertyPhoto of Kimberly GordyBy Lynn Sessions, Patrick H. Haggerty and Kimberly Gordy on Posted in Data Security Incident Response
HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued a data request. While OCR investigations can be burdensome, few of them result in penalties. State attorneys general have … Continue Reading

FERPA Disclosures in Response to COVID-19

Photo of Lynn SessionsPhoto of Benjamin WellsBy Lynn Sessions and Benjamin Wells on Posted in Education
The United States Department of Education (ED) Student Privacy Policy Office (SPPO), on March 13, 2020, issued Frequently Asked Questions related to the serious novel coronavirus disease (COVID-19) that the world is now grappling with. This FAQ document mirrors in large part the same line of advice found in ED’s prior Joint Guidance with Health … Continue Reading

Powerful Protection: The Healthcare Privacy and Compliance Team

Photo of Lynn SessionsBy Lynn Sessions on Posted in Healthcare
The following story is one in a six-part series devoted to the pioneering teams that comprise the firm’s new Digital Asset and Data Management Practice Group. A prime example of BakerHostetler’s preeminence in the legal industry is on display in its latest Practice Group, Digital Asset and Data Management (DADM), which offers holistic, enterprise-wide risk … Continue Reading

Deeper Dive: The Landscape of Healthcare Data Breaches

Photo of Lynn SessionsPhoto of Patrick H. HaggertyPhoto of Kimberly GordyBy Lynn Sessions, Patrick H. Haggerty and Kimberly Gordy on Posted in HIPAA/HITECH, Medical Privacy
Healthcare was the industry most affected by data breaches in 2018. We worked on nearly 200 healthcare matters involving multispecialty academic medical centers, hospital systems, small and large physician practices, small and large health insurers, and biotech and pharmaceutical companies. In 2018, health information alone was just behind Social Security numbers (which can also be … Continue Reading

HHS OIG Launches Cybersecurity Webpage to Raise Awareness and Boost Cybersecurity Best Practices

Photo of Lynn SessionsPhoto of Alexandra RoyalBy Lynn Sessions and Alexandra Royal on Posted in Cybersecurity, HHS
Healthcare data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG). And, with healthcare-focused ransomware attacks like WannaCry and NotPetya in the news more frequently, it’s no wonder that HHS OIG … Continue Reading

OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

Photo of Lynn SessionsPhoto of Kathryn CareyBy Lynn Sessions and Kathryn Carey on Posted in HIPAA/HITECH
The Office for Civil Rights (OCR) updated its agenda, outlining proposed and final rules as well as pre-rule document releases for 2018. A notable, and highly anticipated, advance notice of proposed rulemaking included on the agenda indicates OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability … Continue Reading

Recent OCR Newsletter Highlights Growing Cyber Extortion Threat for Healthcare Organizations

Photo of Lynn SessionsPhoto of Kathryn CareyBy Lynn Sessions and Kathryn Carey on Posted in Cybersecurity
The OCR’s January 2018 newsletter details specific types of cyber extortion that healthcare organizations are currently encountering, including ransomware, denial of service attacks, distributed denial of service attacks and theft of protected health information (PHI). Each type of attack poses unique challenges that may affect an organization in different ways. However, all cyber extortion disrupts … Continue Reading

SAMHSA Updates Privacy Regulations to Reflect Advancements in Healthcare

Photo of Lynn SessionsPhoto of Kathryn CareyBy Lynn Sessions and Kathryn Carey on Posted in HIPAA/HITECH, Privacy Litigation
On Jan. 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued its final rule regarding the Confidentiality of Substance Use Disorder Patient Records Part 2. These changes become effective Feb. 2, 2018. As background, the Confidentiality of Substance Use Discover Patient Records Part 2 protects patient records maintained in connection with any … Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in HIPAA/HITECH, Medical Privacy
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that … Continue Reading

OCR Clarifies “Reasonable, Cost-Based” Fee Calculations for Access to Medical Records

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in Medical Privacy
By couching its position in an individual’s right to access protected health information (PHI), beginning on January 7, 2016, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) issued guidance to covered entities clarifying access to PHI set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). §45 … Continue Reading

Deeper Dive: The Changing Landscape of Healthcare Data Breaches

Photo of Lynn SessionsBy Lynn Sessions on Posted in HIPAA/HITECH, Incident Response, Medical Privacy
For the second year in a row, the BakerHostetler Data Security Incident Response Report demonstrates that healthcare breaches continue to be the highest percentage of incidents that we handled in 2015. This year’s Report provides insights generated from the review of more than 300 incidents that our attorneys advised on in 2015. The report confirms … Continue Reading

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in Medical Privacy
On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides … Continue Reading

ALJ Issues Sweeping Decision Dismissing FTC’s Action Against LabMD

Photo of Lynn SessionsBy Lynn Sessions and David M. Brown on Posted in Medical Privacy, Online Privacy
On November 13, 2015, the chief administrative law judge (“ALJ”) handling the Federal Trade Commission’s (“FTC” or “Commission”) complaint against LabMD Inc. (“LabMD”) dismissed the case in its entirety. As we previously reported, following two data security incidents involving the disclosure of personal information, the FTC brought an action against LabMD, a clinical testing laboratory, … Continue Reading

OIG Emphasizes Proactive Enforcement of Privacy Rule and Monitoring of Repeat Offenders

Photo of Lynn SessionsBy Lynn Sessions and Suchismita Pahi on Posted in HIPAA/HITECH
The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. To that end, the OIG found that Part B providers fell … Continue Reading

Deeper Dive: Healthcare Incidents Involving More Than 500 Individuals Are Investigated 100 Percent of the Time

Photo of Lynn SessionsBy Lynn Sessions on Posted in HIPAA/HITECH, Incident Response, Medical Privacy
We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. The report confirms the prevalence of healthcare data breaches stemming from the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act … Continue Reading

FAQs by Employers Regarding the Anthem Breach

Photo of Theodore J. Kobus IIIPhoto of Lynn SessionsBy Theodore J. Kobus III and Lynn Sessions on Posted in Data Breaches, HIPAA/HITECH, Medical Privacy, Workplace Privacy
Do we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan … Continue Reading

OCR Updates Breach Report Web Portal — Changes Could Impact Annual Breach Reports

Photo of Lynn SessionsBy Lynn Sessions and Cory J. Fox on Posted in HIPAA/HITECH, Medical Privacy
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014 … Continue Reading

Managing Your Health Information Risks Should Not Begin After a Breach Is Reported

Photo of Lynn SessionsBy Lynn Sessions on Posted in Cybersecurity
Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. Our attorneys have written about specific examples of those services. Healthcare is plagued by a high frequency of reported breaches. Although they are often caused by employees making mistakes, such as misdirecting a fax or losing a thumb drive, we are seeing more and … Continue Reading

HHS Provides Guidance on HIPAA Privacy in Emergency Situations Such as Ebola

Photo of Lynn SessionsPhoto of M. Scott KollerBy Lynn Sessions and M. Scott Koller on Posted in Cybersecurity, HIPAA/HITECH, Medical Privacy
Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services. In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act … Continue Reading

HHS Attorney: Major HIPAA Fines and Enforcement Coming

Photo of Lynn SessionsBy Lynn Sessions, Kimberly M. Wong and Cory J. Fox on Posted in Data Breaches, Enforcement, HIPAA/HITECH, Information Security, Medical Privacy
As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR.  But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief … Continue Reading
LexBlog