Tag Archives: HIPAA

Harden Your Organization’s Domain Name System (DNS) Security To Protect Against Damaging Data Loss and Insider Threat

The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be overstated. Nearly every communication between computers on the Internet depends on DNS to reach its intended destination: a connection begins with a query to resolve a human-readable domain name to the numeric Internet Protocol (IP) address that computers need to route the transmission. A malicious party who can tamper with DNS (by compromising registrar or DNS-provider account credentials, or by poisoning a resolver’s cache) can re-route sensitive traffic, including Protected Health Information (PHI), Personally Identifiable Information (PII) and other valuable information, away from the intended recipient and to the attacker. As the recent DNS hijacking campaign reported by the Department of Homeland Security showed, even encrypting the communication may not be an effective countermeasure: an attacker who controls a domain’s DNS records can also pass the domain-validation checks used to issue TLS certificates, obtain a valid certificate for the hijacked name, terminate the encrypted session, read the traffic and forward it on so that neither party notices. Malicious employees and other insiders may also abuse DNS as a covert channel, encoding data into the names they look up, to exfiltrate the organization’s most sensitive proprietary information while bypassing Data Loss Prevention (DLP) controls that inspect only e-mail, web or file transfers. These attacks reinforce the need to protect DNS (registrar and DNS-provider account hygiene with multi-factor authentication, DNSSEC where feasible, monitoring of DNS records and Certificate Transparency logs for unexpected changes, and logging and analysis of outbound DNS queries) as a fundamental component of your organization’s overall cybersecurity and compliance strategy.
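
The covert-channel exfiltration described above (data encoded into the names an insider’s machine looks up) leaves a distinctive signature in resolver query logs: a flood of never-repeated names under one registered domain, long or high-entropy leftmost labels, and a preference for record types such as TXT. The following Python is an added example, not code from the original post, that builds a constructed BIND-style query log (the domain exfil-example.org, the client addresses and the timestamps are all invented for the example) and flags registered domains whose queries fit that pattern:

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Regex for BIND-style resolver query-log lines (older and newer "client" formats).
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def constructed_log_lines():
    """Constructed sample log (not real traffic): ordinary lookups of a few
    hosts under example.com, plus a stream of queries to exfil-example.org
    (a hypothetical domain) that carries encoded data in the leftmost label."""
    lines = []
    hosts = ["www", "mail", "cdn", "api"]
    for i in range(32):
        lines.append(
            f"12-Feb-2019 09:00:{i % 60:02d}.000 client 10.1.4.22#5{i:04d}: "
            f"query: {hosts[i % 4]}.example.com IN A + (10.1.4.1)"
        )
    for i in range(40):
        # 40 hex characters of "payload" per query; real tunnels use base32/base64.
        chunk = hashlib.sha256(b"record-%d" % i).hexdigest()[:40]
        lines.append(
            f"12-Feb-2019 09:01:{i % 60:02d}.000 client 10.1.4.87#4{i:04d}: "
            f"query: {chunk}.{i}.t.exfil-example.org IN TXT + (10.1.4.1)"
        )
    return lines


def shannon_entropy(text):
    """Bits of entropy per character: roughly 3.7-4.0 for hex, 4.5+ for base64."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    """Last two labels. Simplification: production code should use the
    Public Suffix List so that names like example.co.uk group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def leftmost_label(qname):
    labels = qname.rstrip(".").split(".")
    return labels[0] if len(labels) > 2 else ""


def analyze_log(lines, min_queries=20, min_unique_ratio=0.5,
                min_label_len=20.0, min_entropy=3.0):
    """Aggregate queries per registered domain and flag domains whose traffic
    looks like a tunnel: mostly never-repeated names with long or high-entropy
    leftmost labels. The thresholds are assumed starting points to tune."""
    per_domain = defaultdict(lambda: {
        "queries": 0, "names": set(), "label_len": 0.0, "entropy": 0.0, "txt_null": 0,
    })
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, qtype = m["qname"], m["qtype"]
        s = per_domain[registered_domain(qname)]
        label = leftmost_label(qname)
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["label_len"] += len(label)
        s["entropy"] += shannon_entropy(label)
        if qtype in ("TXT", "NULL"):   # record types favoured by tunnelling tools
            s["txt_null"] += 1

    report = {}
    for domain, s in per_domain.items():
        n = s["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(s["names"]) / n
        avg_len = s["label_len"] / n
        avg_entropy = s["entropy"] / n
        suspicious = unique_ratio > min_unique_ratio and (
            avg_len >= min_label_len or avg_entropy >= min_entropy
        )
        report[domain] = {
            "queries": n,
            "unique_name_ratio": unique_ratio,
            "avg_leftmost_label_len": avg_len,
            "avg_leftmost_label_entropy": avg_entropy,
            "txt_null_ratio": s["txt_null"] / n,
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for domain, metrics in sorted(analyze_log(constructed_log_lines()).items()):
        flag = "SUSPICIOUS" if metrics["suspicious"] else "ok"
        print(f"{domain:20s} {flag:10s} {metrics}")
```

Run as a script it prints per-domain metrics, flagging exfil-example.org and leaving example.com alone. The thresholds, the two-label registered-domain heuristic and the choice of TXT and NULL as tunnelling-favoured types are assumptions to tune against the organization’s own DNS baseline; a patient, low-volume tunnel can stay under them, which is why DNS query logging should feed the broader DLP and monitoring program rather than replace it.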

OCR Requests Comments on Ways to Modify HIPAA

On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.”  OCR is seeking comments for a series of 54 different specific questions (many with additional subparts) corresponding to the following five major topic areas:  (1) the promotion of information sharing for treatment and care coordination; (2) the promotion of parental and caregiver involvement in addressing the opioid crisis and serious mental illness; (3) additional ways to remove regulatory obstacles and burdens to facilitate care coordination and promote value-based health care; (4) an effective means to implement the accounting of disclosures requirement of the HITECH Act; and (5) Notice of Privacy Practices operational practices.

OCR and ONC Update Their Security Risk Assessment Tool

On October 16, 2018 the Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) announced an update to their previously provided Security Risk Assessment Tool.  According to ONC and OCR, the “tool is designed to help healthcare providers conduct a security risk assessment” as required under the HIPAA Security Rule.  ONC states that the updated tool includes additional features such as:

Is there room for Blockchain in Health Care?

In the tech world, blockchain technology appears to be the panacea for all problems.  As blockchain becomes increasingly popular, many industries are trying to determine the best way to use it, and health care is no different.  Health care is an optimal candidate to benefit from innovative ways to solve its pressing issues using transformational technology.  Blockchain could be the technology that helps to alleviate some of health care’s problems, such as the incredibly fragmented delivery of care and the painfully slow adoption of technological advances.

How Will the New California Consumer Privacy Act of 2018 Affect Your Business?

On June 28, 2018, California enacted A.B. 375, otherwise known as the California Consumer Privacy Act of 2018 (“California Privacy Act”).  Effective January 1, 2020, the law will, among other requirements, expand the privacy rights of California consumers and require businesses to disclose what personal information they collect about consumers, why they collect it, and how it is used.  Failure to comply could be costly: an action by the state attorney general can result in civil penalties of up to $7,500 per violation.  In addition, in the event of a breach of personal information, the California Privacy Act provides consumers with statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.  The California Privacy Act will therefore have a significant impact on businesses, including the healthcare sector.

Representation and Warranty Insurance in Health Care Transactions: A Useful Tool in a Sellers’ Market

The pace of health care transactions is robust, purchase price multiples are increasing, and many health care businesses are taking advantage of a sellers’ market.  Recently, our clients have increasingly turned to representation and warranty (“R&W”) insurance, finding a market more amenable to the nuances of health care deals than in the past. In the right deal, R&W insurance can limit risk to both seller and buyer and increase value to a seller by allowing for “walk-away” or “naked” deals.  R&W insurance may also be used as a tool by a buyer to increase the attractiveness of its offer in a competitive environment.

OCR’s HIPAA breach “wall of shame” breaks 2,000

The list of reported Health Insurance Portability and Accountability Act (HIPAA) breaches has broken a new record. More than 2,000 breaches affecting 500 or more individuals have now been reported to the Department of Health and Human Services Office for Civil Rights (OCR) since 2009. It took nearly five years for the “wall of shame” to reach 1,000 breaches affecting 500 or more individuals, and reporting has since increased due in part to OCR’s ramped-up enforcement efforts, which seek to hold covered entities responsible for failure to report a breach within 60 days of discovery.

With the increase in sophisticated hacking and ransomware incidents in recent years, it is anticipated that the number of reported breaches will continue to rise at an accelerated rate. It is anticipated that in 2017 OCR will receive the most breach reports to date within a single calendar year.

OCR Pronouncement on Ransomware Breach Notification May Make You “Wanna Cry”

Last week’s worldwide “WannaCry” ransomware attack hit health care organizations particularly hard, including the United Kingdom’s National Health Service. Though the attack was halted (with no small amount of luck, when a researcher registered the domain name the worm used as a kill switch) and with less financial loss than might have been predicted, it unsurprisingly triggered responses from U.S. government agencies, including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these agencies took a carrot-and-stick approach, speaking about cooperation on one hand and enforcement (by OCR) on the other. OCR’s position is that a ransomware infection that encrypts electronic PHI is presumed to be a reportable breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised.

Sharing Cyber Threat Information

The Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to Executive Order 13691, which is intended to foster the sharing of cyber threat information among private entities and with the government. ISAOs are proliferating in many critical infrastructure sectors, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and the industry’s disproportionate human and systems vulnerabilities. Therefore, in advising their companies’ management, general counsel and others might benefit from reviewing the FAQs and answers contained in the draft document that can be accessed at the link below.

Who is a HIPAA business associate?

A wide range of vendors and contractors that perform services or other functions for health care providers or health plans face substantial obligations and potential liabilities as business associates under the Privacy, Security and Breach Notification Rules (HIPAA Rules) issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Therefore, it is crucial for covered entities, as well as anyone performing services or functions involving protected health information (PHI) for covered entities or business associates, to identify all of their business associate relationships so they can take appropriate actions to comply with the HIPAA Rules. As we will discuss in this white paper, whether a service provider is a business associate under the HIPAA Rules will depend on the relationship of the parties, the nature of the services and whether the activities involve the use, disclosure, transmission, or maintenance of PHI.