Deadline Approaching to Revise HIPAA Policies

November 21, 2024November 22, 2024 Wyatt Data Privacy & Security, HIPAA cybersecurity, data privacy, final rule, health care law, health care providers, HIPAA Compliance, ocr guidelines, privacy, privacy practices, protected health information (PHI), regulatory changes, reproductive health

By: Margaret Young Levi

The December 23, 2024 deadline is fast approaching for HIPAA covered entities, including health care providers and health plans, to revise their HIPAA policies and procedures relating to reproductive health.

Earlier this year, the Office for Civil Rights (OCR) issued a Final Rule prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. This will require HIPAA covered entities to amend their policies and procedures, as well as their Notice of Privacy Practices (NPP). While updates to policies and procedures must be completed by December 23, 2024, the new NPP requirements will not go into effect until February 16, 2026. Some covered entities will need to amend their business associate agreements if the agreements permit an activity no longer permitted under the revised Privacy Rule.

For additional information about this Final Rule, please check out our previous article on this topic.

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Levi Young at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

Kentucky Enacts New Consumer Data Privacy Act

June 5, 2024June 13, 2024 Wyatt Data Privacy & Security, FTC Enforcement, Privacy & Security, State Consumer Privacy Protection Laws ad trackers, consumer online privacy, cybersecurity, data privacy, geolocation data, KCDPA, privacy, security, technology

Written by: Margaret Young Levi, Kathie McDonald-McClure and Drayden Burton (Wyatt Summer Associate)

On April 4, 2024, Governor Andy Beshear added Kentucky to the growing list of states with comprehensive data privacy legislation by signing House Bill 15 into law. The Kentucky Consumer Data Protection Act (“KCDPA”) will become effective on January 1, 2026. The KCDPA creates rights for Kentucky consumers as well as imposes requirements on certain businesses that handle consumer data.

What rights does the KCDPA create for consumers?

The KCDPA provides “consumers,” which it defines as natural persons residing in Kentucky who are acting solely in an individual context, with a swathe of rights concerning their personal data. These rights mirror the laws of other states that have passed similar legislation. These rights include:

OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

January 30, 2017January 30, 2017 Margaret Young Levi Data Privacy & Security, HIPAA, Privacy & Security data breach, data privacy, Federal Law Resources, OCR, protected health information

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the Continue reading →

Federal Agency to Develop Model Privacy Notice for Healthcare Apps

February 29, 2016February 29, 2016 Kathie McDonald-McClure Data Privacy & Security, FTC Enforcement, Health Information Technology data privacy, data security, FTC Enforcement, mHealth, mobile apps, wearable technology

On Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time. ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties. ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”

Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking Continue reading →