Tag Archives: healthcare

With New Enforcement Action, FTC Warns Against Health Information Being Used for Advertising Purposes

By Daniel Kaufman and Aleksandra Vold on March 16, 2023 Posted in FTC

If the Federal Trade Commission’s (FTC) recent pursuits did not make clear the agency’s deep concerns about the use of health information for advertising purposes, a new enforcement action brought by the FTC against BetterHelp – to the tune of $7.8 million – should leave no uncertainty. Factual Allegations BetterHelp provides online counseling services and … Continue Reading

OCR Announces Four Enforcement Actions

By Aleksandra Vold and Courtney Litchfield on April 20, 2022 Posted in Healthcare

On March 28, 2022, Health and Human Services, Office for Civil Rights (OCR) announced the resolution of four enforcement actions, three resolved in 2021 and one resolved in 2022. There are some interesting aspects of this group of covered entities. Three of the actions pertained to dental practices. One of those dental practices took the … Continue Reading

Why Everyone Is Talking About a Rarely Invoked Rule – the FTC’s Health Breach Notification Rule

By Daniel Kaufman on December 27, 2021 Posted in Advertising, Enforcement, FTC, HHS, HIPAA/HITECH, Privacy

Back in September, the Federal Trade Commission (FTC) issued (by a 3-2 vote) a policy statement (the Statement) regarding the oft-forgotten Health Breach Notification Rule (the Rule). I was at the FTC when the Statement was released and have since joined BakerHostetler. Around the time I joined BakerHostetler, my new colleague Melissa Hewitt published an … Continue Reading

Ransomware, COVID-19 and Regulations: Healthcare Entities Confront a Triple Threat

By Eric A. Packel, Vimala Devassy and Courtney Litchfield on July 1, 2021 Posted in Healthcare

Given what the healthcare industry faced in 2020, the seventh edition of our Data Security Incident Response (DSIR) Report, “Disruption and Transformation,” is aptly titled. As if fighting the COVID-19 pandemic weren’t enough for the industry to tackle, it also faced a surge of ransomware attacks, evolving legal/regulatory considerations, and novel and complex issues presented … Continue Reading

CISA Updates Advisory on Large-Scale Impending and Credible Ransomware Threat to Healthcare to Include Additional IOCs

By Aleksandra Vold and Sara Goldstein on October 30, 2020 Posted in Healthcare, HHS

On Oct. 28, a joint cybersecurity advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health & Human Services. The advisory warned of an imminent cybercrime threat to U.S. hospitals and healthcare providers – specifically that a large-scale ransomware attack may be on the very near horizon. BakerHostetler’s coverage … Continue Reading

ONC Announces Delay of Information Blocking Provisions

By Vimala Devassy on October 29, 2020 Posted in Healthcare, HHS

The Department of Health and Human Services’ (HHS)’ Office of the National Coordinator (ONC) published an interim final rule today delaying several key compliance deadlines in the ONC 21st Century Cures Act final rule – including that of the information blocking provisions, which were slated to become effective on November 2, 2020 – until April 5, … Continue Reading

Warning of Cybersecurity Threat to Healthcare Sector – Imminent Threat of Ransomware

By Eric A. Packel on October 29, 2020 Posted in Healthcare

BakerHostetler is closely monitoring a Cybersecurity Advisory issued jointly by several government agencies including the United States Department of Health and Human Services (HHS) and the FBI, on October 28. The Advisory warns of an imminent cybercrime threat to U.S. hospitals and healthcare providers with the purpose of infecting systems with Ryuk ransomware for financial … Continue Reading

DSIR Deeper Dive: Regulatory Investigation Landscape

By Lynn Sessions, Patrick H. Haggerty and Kimberly Gordy on May 26, 2020 Posted in Data Security Incident Response

HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued a data request. While OCR investigations can be burdensome, few of them result in penalties. State attorneys general have … Continue Reading

CARES Act Significantly Revises Part 2 Rules to Better Align with HIPAA

By Kyle Gregory and Vimala Devassy on April 2, 2020 Posted in Healthcare, HIPAA/HITECH

On March 27, 2020, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) into law. While the focus of the CARES Act has been on direct financial aid to Americans, the Act also contains a number of material revisions to the Federal privacy provisions that govern the confidentiality of substance-use … Continue Reading

Healthcare Providers Remain Targets for Ransomware Attacks in the Midst of COVID-19 Pandemic

By Benjamin Wanger and Sara Goldstein on April 1, 2020 Posted in Ransomware

Although it was widely reported that several ransomware threat actor groups have pledged to not target healthcare providers until the COVID-19 pandemic is over, BakerHostetler’s Digital Assets and Data Management Practice Group and Healthcare Privacy and Compliance team continue to see ransomware attacks launched against healthcare providers. In order to combat the COVID-19 pandemic, healthcare … Continue Reading

Powerful Protection: The Healthcare Privacy and Compliance Team

By Lynn Sessions on February 13, 2020 Posted in Healthcare

The following story is one in a six-part series devoted to the pioneering teams that comprise the firm’s new Digital Asset and Data Management Practice Group. A prime example of BakerHostetler’s preeminence in the legal industry is on display in its latest Practice Group, Digital Asset and Data Management (DADM), which offers holistic, enterprise-wide risk … Continue Reading

Risk Management Strategies to Reduce Risk Associated with Telehealth

By Paulette Thomas on September 11, 2019 Posted in HHS, Medical Privacy

The use of technology to provide healthcare has existed for decades; however, recent advances in technology and changes in reimbursement have increased the prevalence of telehealth for diagnosing and treating patients. Telehealth is an emerging and promising method of providing healthcare in areas where healthcare may be limited or unavailable. Telehealth provides quality, cost-effective healthcare … Continue Reading

Deter Workforce Snooping in Electronic Medical Records Through Education and Training

By Paulette Thomas on April 4, 2019 Posted in HIPAA/HITECH

On March 6, 2019, the U.S. Department of Justice (DOJ) announced that Linda Sue Kalina pled guilty to wrongfully disclosing the protected health information (PHI) of another individual in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Kalina was a patient information coordinator with the University of Pittsburgh Medical Center (UPMC) … Continue Reading

Trojan Malware Reclaims the Top Spot as the Greatest Cyber Threat to the Healthcare Sector

By BakerHostetler on March 5, 2019 Posted in Cybersecurity, HIPAA/HITECH

Cybersecurity threats continued to plague the healthcare sector in 2018. Healthcare organizations notified twice as many individuals under HIPAA and other notification statutes in 2018 as compared with 2017. According to a new report from Malwarebytes Labs, 2019 State of Malware Report, trojan malware was the greatest threat to the healthcare sector in 2018.[1] Specifically, … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Insider-Caused Data Loss

By Aleksandra Vold and BakerHostetler on March 1, 2019 Posted in HHS, HIPAA/HITECH, Medical Privacy

This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. While any security incident may cause an entity heartburn, when the incident is traced back to an … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Loss or Theft of Devices

By Aleksandra Vold and BakerHostetler on February 18, 2019 Posted in HHS, HIPAA/HITECH

This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. The report on cybersecurity best practices (Report) weighs in on one of the issues many entities find … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Ransomware Prevention

By Aleksandra Vold and BakerHostetler on February 8, 2019 Posted in HHS, HIPAA/HITECH, Phishing, Ransomware

This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its “Cybersecurity Best Practices” report. For previous articles in the series, click here. The report on cybersecurity best practices (Report) is not the first time HHS has discussed the prevalent … Continue Reading

What Can We Learn From the Healthcare Data Breach ‘Wall of Shame’?

By Eric A. Packel on February 4, 2019 Posted in HHS, HIPAA/HITECH

In addition to dealing with the public outcry and regulatory scrutiny resulting from a healthcare data breach, covered entities under the Health Insurance Portability and Accountability Act (or their business associates) are required to report breaches to the Department of Health & Human Services’ (HHS) Office for Civil Rights. But the pain doesn’t end there. … Continue Reading

HHS Issues Cybersecurity Guidance for Healthcare Organizations

By Aleksandra Vold and BakerHostetler on January 7, 2019 Posted in Cybersecurity, HHS

BakerHostetler will post a series of blogs to fully explore the recommendations and guidance Health and Human Services provides healthcare organizations in its report. Cyberattacks continue to rise across industries, and healthcare is no different. Eighty percent of U.S. physicians reported having experienced some form of cyberattack. In 2017, cyberattacks cost small and midsize businesses … Continue Reading

FDA Regional Incident Preparedness and Response Playbook Provides Guidance to the Healthcare Industry for Large-scale, Multi-patient Medical Device Cybersecurity Incidents

By Paulette Thomas on October 18, 2018 Posted in Cybersecurity, Medical Privacy

Earlier this month, the Mitre Corporation, on behalf of the Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the Playbook) as part of the FDA’s ongoing efforts to protect patients from cybersecurity vulnerabilities associated with the use of medical devices. The Playbook highlights high-profile cybersecurity attacks, including … Continue Reading

SAMHSA Updates Privacy Regulations to Reflect Advancements in Healthcare

By Lynn Sessions and BakerHostetler on January 31, 2018 Posted in HIPAA/HITECH, Privacy Litigation

On Jan. 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued its final rule regarding the Confidentiality of Substance Use Disorder Patient Records Part 2. These changes become effective Feb. 2, 2018. As background, the Confidentiality of Substance Use Discover Patient Records Part 2 protects patient records maintained in connection with any … Continue Reading

Deeper Dive: Frequency and Severity

By Erich Falke on April 18, 2017 Posted in Cybersecurity, Data Breaches

All industries are affected by cyberattacks, but how often and to what extent they occur vary greatly by industry type. Industry Type As for frequency, the healthcare industry in 2016, for the third year in a row, saw the greatest number of incidents and by a wide margin. Specifically, about 35 percent of the incidents … Continue Reading

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

By Lynn Sessions and Suchismita Pahi on July 7, 2016 Posted in HIPAA/HITECH, Medical Privacy

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that … Continue Reading

Deeper Dive: Integrating Physician Practices into a Health System’s HIPAA Privacy and Security Program

By Paulette Thomas on May 24, 2016 Posted in HIPAA/HITECH

The healthcare industry shift to a value-based business model is resulting in greater alignment between hospitals and physicians to provide quality, outcomes driven care in order to receive payment for health care services. Prior to implementation of the Affordable Care Act, physicians more often were independent practitioners who held medical staff privileges to care for … Continue Reading