What’s Old Is New Again: OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case is unusual for its quick resolution, but that is likely a byproduct of the fact that it would be hard to defend, given OCR’s well-settled advice on this issue. This case serves as a reminder to covered entities that, while electronic medical records and security rule violations are more the norm, they must still recognize paper records as a possible source of a breach.

California’s Landmark Age-Appropriate Design Code Act: What You Need to Know

On Aug. 29, California’s Senate unanimously passed Assembly Bill 2273, known as the Age-Appropriate Design Code Act (the CA AADC or the Bill). The Bill, which is anticipated to be signed into law by Gov. Gavin Newsom, is aimed at promoting online safety and privacy for children under 18. The Bill was inspired by the UK’s Age-Appropriate Design Code (the UK AADC or the Children’s Code) and includes many similar requirements. If it is signed into law, covered businesses would need to come into compliance with the Bill’s core provisions by July 1, 2024. This blog explains who is covered, key provisions and how the CA AADC compares to its UK counterpart.

CCPA Employee and B2B Exemptions Set to Expire on Jan. 1, 2023

The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business Personal Information (PI) likely will not be extended. Aug. 31, 2022 was the last day for each house to pass bills, per the California Constitution (Art. IV, Sec 10(c) and the Joint Rules (J.R. 61(b)(18))), and no legislative proposals or amended bills made it to the floor. This means that on Jan. 1, 2023, full consumer rights will apply to the PI of workforce members[1] as well as to their PI collected on behalf of their employer in the context of “providing or receiving a product or service to or from” a business (B2B).

2022 DSIR Report Deeper Dive: The Expanding Landscape of State Data Privacy Law

BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer look at recent updates to the privacy law compliance landscape in the United States.

NYDFS Proposed Amendments to Its Cybersecurity Rules

On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that include a number of significant amendments to the rules, including notification requirements such as a mandatory 24-hour notification for cyber ransom payments, specific requirements for newly defined larger entities, increased expectations for oversight of cybersecurity risk, additional requirements for incident response plans (IRPs), business continuity and training, risk assessments, and new technical requirements. The Draft Amendments can be found here. The 10-day pre-proposal comment period would have ended today, Aug. 8, 2022, but NYDFS has extended the comment period for an additional 10 days, with a new deadline of Aug. 18, 2022. The official proposed amendments will be published following the comment period.

‘Unboxing’ the New NIST Guidance: NIST Publishes Significant Update to Healthcare Cybersecurity Guide

Without question, healthcare providers and the companies that support them operate in an elevated cybersecurity risk environment. And when a cybersecurity incident occurs, the ensuing regulatory inquiries and/or litigation often focus on whether the entity followed recognized security practices. The National Institute of Standards and Technology (NIST) Cybersecurity Framework has long been one of the most widely recognized sources of recommended security practices, even as some of its guidance has become outdated. This is especially true for its HIPAA security guidance, as the NIST publication “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” was published in 2008. Office for Civil Rights investigations now routinely ask for evidence that an organization has implemented “recognized security practices,” typically in alignment with the NIST Cybersecurity Framework. The challenges presented by aging NIST guidance cause frustration for many of our clients.

But in a move that feels long overdue, NIST has finally published a draft update to its healthcare cybersecurity guide, Special Publication 800-66r1. We’re excited to share our “unboxing” of the updated compilation of guidance and references, useful to anyone interested in healthcare cybersecurity. The draft of 800-66r2, titled “Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide,” is open for public comment until Sept. 21, 2022.

While remaining essentially true to the structure of the original 800-66 publication, the draft revision adds substantial details. The main body of the document contains significantly expanded guidance on risk assessments and risk management. The appendices have been largely reworked and feature extensive resources to aid in performing risk assessments, especially with regard to threat modeling. The update to the original “Security Rule Standards and Implementation Specifications Crosswalk” appendix combines the many NIST publications issued in the intervening years between the release of 800-66r1 and the draft of 800-66r2.

Perhaps the most useful new feature in the revised draft, Appendix F – HIPAA Security Rule Resources (Informative) contains more than 10 pages of categorized and summarized links to other resources in 17 different categories. While these categories include several timeless and broad topics (Risk Assessment/Risk Management, Documentation Templates, Small Regulated Entities, Education, Training & Awareness, Protection of Organizational Resources and Data, Equipment and Data Loss, Contingency Planning, Supply Chain, Information Sharing, Access Control/Secure Remote Access, Cybersecurity Workforce), they also include more specific topics of particular relevance to the current security environment (Telehealth/Telemedicine Guidance, Mobile Device Security, Cloud Services, Ransomware & Phishing, Medical Device and Medical IoT Security, Telework). The revamped Appendix F essentially offers a guided tour to an extensive library of healthcare cybersecurity resources. It’s worth noting, however, that digesting the content of these resources may prove to be a heavy lift for already overburdened healthcare information security teams.

As in 800-66r1, the largest section of the revised draft is “Considerations When Implementing the HIPAA Security Rule,” which sets forth “Key Activities” with corresponding “Description” and “Sample Questions” in a tabular format. In several places, the draft adds updated material and references consistent with the way the cybersecurity landscape continues to develop. For example, in addressing authentication, the draft revision includes considerations regarding multifactor authentication and application programming interfaces (both absent from r1).

Although this draft is intended to incorporate suggestions from the hundreds of pre-draft comments NIST received, healthcare entities have until Sept. 21, 2022 to provide additional feedback. Still, the draft of 800-66r2 offers a wealth of content and concrete guidance that anyone addressing healthcare cybersecurity should be able to use immediately—a welcome tool considering the security challenges the sector faces right now.

Florida Follows North Carolina in Prohibiting State Agencies from Paying Ransoms

We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even communicating with a threat actor following a ransomware incident. On June 24, Florida followed suit when its governor signed HB 7055 into law, amending portions of the State Cybersecurity Act (the Act), which became effective on July 1.

Recent FTC Post Commits to Protecting Sensitive Health Data After White House Issues Related Executive Order

On July 8, 2022, following the Supreme Court’s decision in Dobbs, the president signed an executive order that called on a number of federal agencies to take steps to protect reproductive rights. He specifically asked the Federal Trade Commission (FTC) to “consider taking steps to protect consumers’ privacy when seeking information about and provision of reproductive health care services.” The FTC responded swiftly with a high-profile post authored by the acting director of the FTC’s Division of Privacy and Identity Protection.

HHS OCR Guidance to 60,000 Retail Pharmacies: Refusal to Fill Rx Based on Potential Pregnancy Termination Concerns Is a Civil Rights Violation, Will Be Investigated

On July 13, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued guidance to retail pharmacies that refusing to dispense a prescribed medication or making a determination on the suitability of that medication on the basis of the patient’s sex, pregnancy, or pregnancy-related conditions is discriminatory conduct in violation of federal law.[1] The guidance made clear that refusing to dispense or making suitability determinations on the basis of a patient’s pregnancy or related conditions, such as past pregnancy, potential or intended pregnancy, and medical conditions related to pregnancy or childbirth, is considered a form of sex discrimination.

OCR Provides Guidance on the Privacy of Data Stored on Health Apps and Mobile Devices

In the wake of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, many individuals and organizations have expressed uncertainty about the protection afforded to data stored on health apps, including cycle trackers.[1] As a result, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued guidance on multiple issues concerning the collection and sharing of personal health data. Recently, they issued guidance clarifying the extent to which information collected by cycle trackers and other health apps is protected. The OCR also provided tips for individuals wishing to protect the data stored on their personal devices or potentially shared with third parties.
