On November 13, 2015, the Chief Administrative Law Judge (ALJ) for the Federal Trade Commission (FTC) issued an Initial Decision dismissing the FTC’s Complaint against LabMD, Inc. for lack of evidence. The FTC originally issued this Complaint against LabMD in 2013, alleging that the clinical testing laboratory failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks and that this conduct “caused or is likely to cause” substantial consumer injury.
The U.S. Department for Health & Human Services’ Office of Inspector General (OIG) has conducted two recent studies calling for tighter enforcement of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA).
OCR Should Strengthen Its Oversight of Covered Entities’
Compliance With the HIPAA Privacy Standards
In the first study, the OIG recommends that the Office of Civil Rights (OCR), the government agency responsible for enforcing covered entities’ compliance with the HIPAA Privacy Standards, should strengthen its oversight of these privacy standards. The OIG reviewed a statistical sample of privacy cases investigated by the OCR from September 2009 through March 2011, surveyed and interviewed OCR staff, reviewed the OCR’s investigation policies, and surveyed providers’ compliance with five selected privacy standards.
Based upon this review, the OIG concluded that OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule. It criticized the OCR’s oversight as “primarily reactive” and suggested they be more Continue reading
On January 27, 2015, the Federal Trade Commission (FTC) released a staff report entitled “Internet of Things: Privacy & Security in a Connected World.” This report suggests steps businesses can take to protect consumers’ privacy and security as they use objects that connect and send data to the Internet.
The FTC Staff Report defines the Internet of Things (IoT) as “the ability of everyday objects to connect to the Internet and to send and receive data.” Examples of such objects are bracelets that track fitness activities and share the data with friends, cameras that post pictures online, RFID tags to monitor inventory, and home automation systems to monitor lights, temperature and security and report to homeowners when they are away. In health care, such objects include medical devices that monitor vital signs and other patient data, such as insulin pumps and blood pressure cuffs, and then share this data with physicians and caregivers. Basically, the IoT is “essentially any other Internet-connected device that isn’t a mobile phone, tablet, or traditional computer.”
The number of “things” connected to the Internet is greater than the number of people, and, as of this year, there will be 25 billion devices connected to the Internet. But this increased connectivity comes with increased privacy and security risks. First, financial and personal data stored on these devices can be stolen. Second, when the objects are connected to a network, security vulnerabilities in the objects may Continue reading
Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals and eligible professionals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement. Conducting or reviewing a security risk analysis is a core objective in the meaningful use requirements of the Medicare and Medicaid electronic health record (“EHR”) incentive programs. These security risk analyses have been Continue reading
The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a “business associate” of a “covered entity”, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later in this post regarding the expansion of the “business associate” definition). Among other changes, the Omnibus Rule requires a covered entity and business associate to revise their business associate agreement (BAA) to reflect the business associate’s new obligations. All BAAs signed after January 24, 2013 should already include new language necessary to comply with the Omnibus Rule. BAAs that were signed on or before January 24, 2013 were deemed compliant until September 22, 2014; however, if renewed or modified before that date then they must be brought into actual compliance at that time. Covered entities and business associates must ensure that all BAAs are compliant with the Omnibus Rule before the September 22, 2014 deadline. Continue reading