CMS Confirms Policy on Texting Patient Information among Healthcare Providers

Share

The Centers for Medicare & Medicaid Services (CMS) recently issued a State Survey & Certification Memorandum effective immediately in order to clarify its position on texting patient information among health care providers.

Although CMS acknowledges that the use of texting to communicate with other members of a patient’s health care team has become a common and invaluable practice, it acknowledges that such practice risks noncompliance with the Medicare Conditions of Participation (CoPs) or Conditions for Coverage (CfCs).  In order to text and comply with the CoPs or CfCs, CMS requires providers to use, maintain, and routinely assess secure, encrypted systems or platforms and minimize the risks to patient privacy and confidentiality per the Health Insurance Portability and Accountability Act and other requirements under the CoPs or CfCs.

Continue reading “CMS Confirms Policy on Texting Patient Information among Healthcare Providers”

Oncology Services Provider Reaches $2.3 Million Settlement with HHS for Data Breach

Share

21st Century Oncology, Inc. (21CO), a Florida-based oncology services provider, has agreed to pay $2.3 million in a no-fault resolution to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential civil money penalties stemming from a 2015 cyberattack on its network SQL database.  The Federal Bureau of Investigation (FBI) was first to detect that an unauthorized third party illegally obtained patient information from 21CO in October 2015.  Upon further investigation by 21CO and OCR, it was determined that 21CO:

  • Impermissibly disclosed the protected health information (PHI), including names, social security numbers, and diagnoses, and treatments, of 2,213,597 of its patients.   
  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI).   
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.   
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.   
  • Disclosed protected health information to  third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement.

Continue reading “Oncology Services Provider Reaches $2.3 Million Settlement with HHS for Data Breach”

Recent OCR Action Provides HIPAA Guidance Related to Opioid Crisis and Privacy Rule in Research

Share

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently released several new tools and guidance to ensure that patients and their family members can gain access to information needed to prevent and address opioid abuse and overdose, as well as mental health crises. The materials are focused on the Health Insurance Portability and Accountability Act (HIPAA) and also serve to fulfill certain clarification requirements on HIPAA and research under the 21st Century Cures Act (the “Cures Act”).  The Cures Act was passed by Congress in 2016 and requires, in part, that “health care providers, professionals, patients and their families, and others involved in mental [health] or substance use disorder treatment have adequate, accessible, and easily comprehensible resources relating to appropriate uses and disclosures of protected health information (PHI) under . . . [HIPAA].”

Continue reading “Recent OCR Action Provides HIPAA Guidance Related to Opioid Crisis and Privacy Rule in Research”

EU May Soon Decide “Adequate” Status for Japan

Share

The European Union (EU) may soon decide whether Japan will have “adequate” status for transfers of personal data from the EU.  Reuters reported on December 15, 2017 that the European Union is aiming to finalize a data transfer agreement with Japan by early 2018.

Set to be implemented in May 2018, the EU’s General Data Protection Regulation (GDPR) will require that EU citizens’ personal data be transferred to only countries  with an adequate data protection status, forbidding companies from storing EU citizens’ personal data in foreign countries deemed to have an “inadequate” level of privacy protection.

Under the EU’s privacy framework, the European Commission has the power to determine, based on Article 25(6) of Directive 94/46/EC, whether a foreign country has an “adequate” level of data protection under that country’s domestic laws or international commitments.  If a foreign country is deemed adequate, personal data can flow from the 28 EU countries (and three EEA member countries of Norway, Liechtenstein, and Iceland) to the foreign country without further safeguards.

The commission has so far deemed only 12 countries – Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, the United States (under the EU-US Privacy Shield), and Uruguay – as providing adequate protection.  The EU does not include the United States among its adequate protection countries. But Decision 2016/1250 on the adequacy of protection of the EU-US Privacy shield, commonly known as the EU-US Privacy Shield, was designed as a program whereby participating US companies or companies doing business in the US are deemed to have adequate protection.

An adequacy determination for Japan would be monumental for Japanese companies and companies doing business in Japan, with EU Justice Commissioner Vera Jourova recently stating that”[a]n adequacy decision would be great news for business as it would allow for the transfer of personal data from the EU to Japan without the need for extra authorisations.”

First Annual Joint Review of EU – U.S. Privacy Shield Addresses Six Areas of Concern

Share

In relation to the first annual Joint Review of the EU-U.S. Privacy Shield Framework, the Article 29 Data Protection Working Party (WP29), an independent European advisory body on data protection and privacy, issued its findings on November 28, 2017.

The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU Law.  As we discussed in a previous blog post, the framework is based on a certification system whereby U.S. companies commit to adhere to a set of Privacy Shield Principles. Other mechanisms for transferring personal data to the U.S. from the EU are through binding corporate rules, model contracts, or use of one of a number of derogations to the EU’s restrictions on cross-border data transfers.

The report reflects the Working Party’s views in relation to the first annual joint review of the Privacy Shield program. It acknowledges both the progress and the efforts to implement Privacy Shield, but it raises a number of concerns and calls on the European Commission and U.S. authorities to restart discussions to address those concerns by May 25, 2018, which is the date the General Data Protection Regulation (GDPR) takes effect.

Continue reading “First Annual Joint Review of EU – U.S. Privacy Shield Addresses Six Areas of Concern”

Protecting Students’ Online Privacy: An FTC & ED Joint Workshop on EdTech

Share

On Friday, December 1, the Federal Trade Commission and the Department of Education hosted a workshop examining student privacy in the burgeoning field of “EdTech.” Both agencies regulate certain educational technology aimed at K-12 students. However, FTC rules implementing the Children’s Online Privacy Protection Act (“COPPA”) are not identical to ED regulations implementing the Family Educational Rights and Privacy Act (“FERPA”). To better understand how both rules interact in practice, the agencies solicited public comment and convened panels of experts and stakeholders – including vendors, schools, parents, and regulators.

The workshop explored several key issues, including when a school may provide consent on behalf of participating students; how record retention (and deletion) should be noticed and executed; and what limits to impose on vendors collecting personal student information. In closing, both agencies expressed a desire to provide clear, workable regulatory oversight while meaningfully protecting student privacy.

Continue reading “Protecting Students’ Online Privacy: An FTC & ED Joint Workshop on EdTech”

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy