Privacy and Data Security

Brexit Update: The Effect of Brexit on Data Transfers between the United Kingdom and the European Union

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data transfers, EU/EEA businesses that are currently retaining UK service providers or data centres to handle or store personal data, or are planning to do so, would have to carefully re-evaluate this decision.

Read the full article here.

HIPAA Privacy and Security Compliance for Group Health Plan Sponsors

Joanna Kerpen authored an article on the final HIPAA rules for privacy enforcement and audit programs, particularly those with additional requirements aimed at group health plan sponsors. The report focuses on the final regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in January 2013, on HIPAA enforcement and audit programs, on the additional HIPAA-related requirements for group health plan sponsors, and on the actions plan sponsors must take to comply with the final regulations and to prepare for potential audits and enforcement actions.

“The final HIPAA regulations made many changes to the existing HIPAA privacy and security rules that are applicable to covered entities,” Ms. Kerpen wrote, and she urged plan sponsors to conduct a comprehensive review of their compliance plans to prepare for audits or enforcement action.

Read the full article here.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger obligations under state data breach notification laws.

Ransomware is a type of malware (malicious software). It is delivered to devices and systems through spam, phishing messages, malicious websites and email attachments, or it can be installed directly by an attacker who has already broken into a system. In many instances the infection begins when a user clicks a malicious link or opens an attachment. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the malware. Once the data is encrypted, the attacker directs the user to pay a ransom in exchange for a decryption key. Some ransomware variants also destroy data, or exfiltrate it to a remote location under the attacker’s control. Paying the ransom may result in the attacker providing the key needed to decrypt the information, but this is not guaranteed. In 2016, at least four hospitals had reported ransomware attacks, and additional attacks are believed to have gone unreported.
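The mechanism described above, bulk encryption of a user’s files with a key only the attacker holds, leaves traces a host or file-server monitor can score: a burst of writes whose content has near-maximum byte entropy (ciphertext looks like random data, unlike documents), renames that replace document extensions, and a dropped ransom note. The Python below is an added example, not code from the original post or from the HHS guidance; the event format, the process names and the ransom-note name fragments are constructed assumptions for illustration.

```python
"""Heuristic detector for ransomware-like file activity (added example).

Assumptions: file events are dicts {"t", "proc", "op", "path", "data"|"old_path"};
process names and note-name fragments are hypothetical, not from the guidance.
"""
import hashlib
import math
import os
from collections import defaultdict

# Hypothetical ransom-note filename fragments (assumption, not from the guidance).
NOTE_MARKERS = ("DECRYPT", "RECOVER", "RESTORE", "RANSOM")
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _pseudo_random(n: int, seed: str) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_events():
    """Constructed event log: a word processor plus a hypothetical encryptor."""
    events = []
    for i in range(2):  # benign: low-entropy document writes, no renames
        events.append({"t": 1.0 + i, "proc": "winword.exe", "op": "write",
                       "path": f"/home/a/docs/report{i}.docx",
                       "data": b"Quarterly report draft, section %d. " % i * 40})
    for i in range(6):  # suspicious: ciphertext-like rewrite, then rename to .locked
        t = 30.0 + i * 0.5
        src = f"/home/a/docs/file{i}.xlsx"
        events.append({"t": t, "proc": "upd8r.exe", "op": "write", "path": src,
                       "data": _pseudo_random(2048, f"ct{i}")})
        events.append({"t": t + 0.1, "proc": "upd8r.exe", "op": "rename",
                       "path": src + ".locked", "old_path": src})
    events.append({"t": 33.5, "proc": "upd8r.exe", "op": "write",
                   "path": "/home/a/docs/HOW_TO_DECRYPT.txt",
                   "data": b"Your files are encrypted. Pay to get the key."})
    return events


def assess_events(events, window_s=60.0, min_files=5, entropy_threshold=7.0):
    """Return {proc: verdict}: per-indicator counts and a flagged bool.

    A process is flagged when it writes >= min_files high-entropy files within
    window_s seconds AND shows a second indicator (extension change or note),
    so a backup tool writing compressed archives alone does not trip it.
    """
    per = defaultdict(lambda: {"high_entropy": [], "ext_changes": 0, "notes": 0})
    for ev in sorted(events, key=lambda e: e["t"]):
        v = per[ev["proc"]]
        name = os.path.basename(ev["path"]).upper()
        if ev["op"] == "write":
            if shannon_entropy(ev["data"]) >= entropy_threshold:
                v["high_entropy"].append(ev["t"])
            if name.endswith(".TXT") and any(m in name for m in NOTE_MARKERS):
                v["notes"] += 1
        elif ev["op"] == "rename":
            old_ext = os.path.splitext(ev["old_path"])[1].lower()
            new_ext = os.path.splitext(ev["path"])[1].lower()
            if old_ext in DOC_EXTS and new_ext not in DOC_EXTS:
                v["ext_changes"] += 1
    verdicts = {}
    for proc, v in per.items():
        ts = v["high_entropy"]
        # Largest number of high-entropy writes inside any window_s-wide window.
        burst = max((sum(1 for t in ts if t0 <= t <= t0 + window_s) for t0 in ts),
                    default=0)
        flagged = burst >= min_files and (v["ext_changes"] > 0 or v["notes"] > 0)
        verdicts[proc] = {"burst": burst, "ext_changes": v["ext_changes"],
                          "notes": v["notes"], "flagged": flagged}
    return verdicts


if __name__ == "__main__":
    for proc, verdict in assess_events(build_sample_events()).items():
        print(proc, verdict)
```

Thresholds are the tunable part: archive and media writers also produce high-entropy output, which is why the score requires a second indicator, and an entropy bar of 7.0 bits per byte cleanly separates text from ciphertext on samples of a kilobyte or more but becomes noisy on very short writes.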

Read the full article here to learn about the indicators of a ransomware attack, what to do in the event of an attack, and which circumstances constitute a HIPAA breach.

Integration of Technology Into Health Care Delivery

The integration of technology into health care delivery is exploding throughout the health industry landscape. Commentators speculating on the implications of the information revolution’s penetration of the health care industry envision delivery models rivaling those imagined by celebrated science fiction authors, and claim that the integration of information technology into even the most basic health care delivery functions can reduce cost, increase access, improve quality and, in some instances, fundamentally change the way health care is delivered.

These visions are difficult to refute in the abstract; the technology exists or is being developed to achieve what just a few years ago seemed the idle speculation of futurists. But delivering this vision in an industry as regulated as health care is significantly harder than it may seem. While digital health models have existed for many years, the regulatory and reimbursement environment has stifled their evolution into fully integrated components of the health care delivery system.


Developing and Implementing an Effective Telemedicine Informed Consent Form

The search by consumers, payers and providers for more efficient, effective and convenient care delivery models has led to an explosion of technological innovation in the health care sector. This explosion has supported the increased use of telemedicine by providers to reach patients who were previously out of reach, and to provide more timely and cost-effective care.

With the use of telemedicine technologies comes a responsibility on the part of providers to educate and inform patients about the benefits and, more importantly, the risks of receiving care via telemedicine. As in any other care setting, meeting this responsibility serves a dual purpose: it gives patients the information they need to make an informed decision about their care, and it mitigates the provider’s potential liability exposure from medical malpractice claims.

Read the full article.

Phase 2 HIPAA Audits Are Underway

The US Department of Health and Human Services Office for Civil Rights (OCR) will soon begin a second phase of audits for compliance with HIPAA privacy, security and breach notification standards as required by the HITECH Act. In this second phase, OCR will audit both covered entities and their business associates, unlike the pilot audits of 2011 and 2012, which focused on covered entities alone. This On the Subject details practical steps that covered entities, including employer-sponsored group health plans, and their business associates can take to prepare for a potential audit.

Read the full article.

Webcast: Fiduciary Issues and Data Privacy

Webcast Details:
March 23, 2016
1:00 – 2:00 pm EDT / 12:00 – 1:00 pm CDT


McDermott Will & Emery invites you to a webcast to hear how employers and third-party administrators protect the privacy of employee participants’ personal information. On March 23, 2016, Ann Killilea and Andrew Liazos will discuss complex issues faced by employers and the impact on employee benefit plan sponsors, and address the following topics related to managing data breaches:

  • Beyond HIPAA: Privacy and data security issues relevant to ERISA fiduciaries
  • Security threats to benefit plans
  • Fiduciary duties to protect regulated personal information

Ann Killilea is counsel in the law firm of McDermott Will & Emery LLP and brings to the Firm and to its Global Privacy and Data Protection Affinity Group more than 25 years of experience as senior in-house corporate counsel advising Hewlett-Packard Company (HP), and its predecessor companies Compaq Computer Corporation and Digital Equipment Corporation, all multinational companies in the information technology industry.

Andrew C. Liazos is a partner in the law firm of McDermott Will & Emery LLP and regularly represents Fortune 500 companies, public companies, large closely held businesses and compensation committees on all aspects of executive compensation; ERISA fiduciary and compensation plan governance; employee benefits in business transactions; initial public offerings and bankruptcy; international compensation planning and related litigation matters. He also counsels executives in employment agreement and joint-venture negotiations.

CLE credit for the live presentation of this program is pending in the states of California, Illinois, New York and Texas. A Uniform Certificate of Attendance will be made available to participants requesting CLE credit in all other states. Please be advised that CLE credit will not be approved for on-demand/recorded viewings of this program in the states listed above. Attendees seeking credit in other states should consult their state CLE accrediting agency to determine whether self-study credit can be earned for on demand/recorded viewing of this program.
